U.S. Cybersecurity and Infrastructure Security Agency has added two critical vulnerabilities affecting Joomla extensions iCagenda and Balbooa Forms to its Known Exploited Vulnerabilities catalog following reports that both flaws have been actively exploited as zero days. The vulnerabilities, tracked as CVE-2026-48939 and CVE-2026-56291, have each received a maximum CVSS severity score of 10.0 due to their ability to enable arbitrary file uploads and remote code execution on vulnerable websites. Security researchers have warned that the flaws are being used in automated attacks targeting Joomla installations across the internet, raising concerns for organizations and website administrators relying on the affected extensions.
According to cloud based website management platform mySites.guru, CVE-2026-48939 has been exploited since at least June 15, 2026, in attacks aimed at Joomla websites running the iCagenda extension. The vulnerability exists within the extension’s “Submit an Event” feature, which allows users to suggest calendar events. Researchers said they first observed the activity in a customer’s access logs, where an automated scanner identified as “icagenda-batch/1.0” obtained a token, uploaded a malicious file, and then accessed the deployed web shell at the location where attachments are stored. The flaw affects iCagenda versions 4.x up to and including version 4.0.7, as well as legacy 3.x versions from 3.2.1 through 3.9.14. Developer JoomliC has since released patches in versions 4.0.8 and 3.9.15 and advised administrators to inspect the images and attachments directory for suspicious PHP files that may indicate a compromise.
Researchers also reported active exploitation of CVE-2026-56291, a critical vulnerability affecting Balbooa Forms versions up to and including version 2.4.0. The issue stems from the extension’s frontend attachment upload functionality, which accepted files from anonymous users without requiring authentication, cross site request forgery protection, or file type validation. This weakness allows attackers to upload malicious PHP files to publicly accessible directories and execute them remotely. The vulnerability was discovered by mySites.guru on July 8, 2026, after one of its customers was targeted in a live attack. Security experts have advised administrators to examine the Balbooa Forms upload directory for unauthorized files, review Joomla administrator accounts for suspicious activity, and audit websites for recently modified or unfamiliar PHP scripts. Balbooa has addressed the issue in version 2.4.1, and Federal Civilian Executive Branch agencies have been instructed to apply the fixes by July 13, 2026.
The disclosure comes as Australian Cyber Security Centre issued a separate alert regarding a large scale global campaign targeting vulnerabilities in content management systems and associated plugins. According to ACSC, attackers are actively scanning websites for weaknesses that allow unauthenticated file uploads, remote code execution, server side request forgery, and deserialization attacks, which are then used to deploy web shells for remote access and control of compromised servers. The campaign affects a range of products, including WordPress plugins such as Sneeit Framework, WPBookit, Gravity Forms, Ninja Forms, Breeze Cache, and WavePlayer, as well as Craft CMS, MaxSite CMS, MetInfo CMS, and Joomla JCE. ACSC noted that the rapid pace of exploitation demonstrates the evolving cyber risks facing organizations and warned that advances in artificial intelligence are accelerating the speed and scale at which attackers can identify and exploit newly disclosed vulnerabilities.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.