The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities affecting plugins for the Joomla Content Management System (CMS) to its Known Exploited Vulnerabilities (KEV) catalog. The action, taken on July 10, 2026, is based on evidence that both flaws are being actively exploited by threat actors in the wild. The vulnerabilities, CVE-2026-48939 and CVE-2026-56291, are unrestricted file upload issues in the iCagenda and Balbooa Forms components, respectively. Exploitation can lead to webshell deployment and complete server compromise. CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies remediate these vulnerabilities by a specified deadline.
Both vulnerabilities are of the same type: unrestricted file upload. This class of vulnerability allows an attacker to upload a file with a dangerous extension (e.g., .php) to the web server, bypassing security checks. Once the malicious file is on the server, the attacker can access it via a URL to execute arbitrary code.
Exploitation of these vulnerabilities directly enables T1190 - Exploit Public-Facing Application and typically results in the installation of a webshell (T1505.003 - Server Software Component: Web Shell).
By adding these CVEs to the KEV catalog, CISA confirms they are being actively exploited by threat actors. While specific campaigns were not detailed in the alert, these types of vulnerabilities are frequently used in mass-scanning campaigns to compromise websites for malware distribution, phishing, or as part of a botnet.
The impact of a successful exploit is severe. An attacker can gain full control over the underlying web server, allowing them to:
For federal agencies and other organizations, a compromise of their public-facing website can undermine public trust and lead to significant data breaches.
To hunt for exploitation of these vulnerabilities, security teams should look for:
/index.php?option=com_icagenda/index.php?option=com_balbooaforms*.phpWeb Server Access LogsD3-FA - File Analysis.M1051 - Update Software.M1022 - Restrict File and Directory Permissions.Updating the affected Joomla components to a patched version is the most direct and effective remediation.
Configuring the web server to disallow script execution in upload directories can prevent webshells from functioning.
CISA adds CVE-2026-48939 and CVE-2026-56291 to the Known Exploited Vulnerabilities (KEV) catalog.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.