CISA Adds Joomla and iCagenda File Upload Flaws to Known Exploited Vulnerabilities Catalog

CISA Adds Two Actively Exploited Joomla Plugin Flaws to KEV Catalog

HIGH
July 12, 2026
4m read
VulnerabilityPatch ManagementRegulatory

Related Entities

Organizations

Products & Tech

Joomla iCagendaBalbooa Forms

CVE Identifiers

Full Report

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities affecting plugins for the Joomla Content Management System (CMS) to its Known Exploited Vulnerabilities (KEV) catalog. The action, taken on July 10, 2026, is based on evidence that both flaws are being actively exploited by threat actors in the wild. The vulnerabilities, CVE-2026-48939 and CVE-2026-56291, are unrestricted file upload issues in the iCagenda and Balbooa Forms components, respectively. Exploitation can lead to webshell deployment and complete server compromise. CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies remediate these vulnerabilities by a specified deadline.

Vulnerability Details

Both vulnerabilities are of the same type: unrestricted file upload. This class of vulnerability allows an attacker to upload a file with a dangerous extension (e.g., .php) to the web server, bypassing security checks. Once the malicious file is on the server, the attacker can access it via a URL to execute arbitrary code.

  • CVE-2026-48939: Affects the iCagenda extension for Joomla, a popular event management tool.
  • CVE-2026-56291: Affects the Balbooa Forms component for Joomla, a form builder.

Exploitation of these vulnerabilities directly enables T1190 - Exploit Public-Facing Application and typically results in the installation of a webshell (T1505.003 - Server Software Component: Web Shell).

Affected Systems

  • Websites using the Joomla CMS with the following components installed:
    • Vulnerable versions of the iCagenda extension.
    • Vulnerable versions of the Balbooa Forms component.

Exploitation Status

By adding these CVEs to the KEV catalog, CISA confirms they are being actively exploited by threat actors. While specific campaigns were not detailed in the alert, these types of vulnerabilities are frequently used in mass-scanning campaigns to compromise websites for malware distribution, phishing, or as part of a botnet.

Impact Assessment

The impact of a successful exploit is severe. An attacker can gain full control over the underlying web server, allowing them to:

  • Steal or destroy all data on the website, including user databases.
  • Deface the website, causing reputational damage.
  • Use the server to host and spread malware or launch further attacks.
  • Pivot into the organization's internal network if the web server is not properly segmented.

For federal agencies and other organizations, a compromise of their public-facing website can undermine public trust and lead to significant data breaches.

Cyber Observables — Hunting Hints

To hunt for exploitation of these vulnerabilities, security teams should look for:

Type
url_pattern
Value
/index.php?option=com_icagenda
Description
The URL path for the iCagenda component. Look for suspicious POST requests.
Type
url_pattern
Value
/index.php?option=com_balbooaforms
Description
The URL path for the Balbooa Forms component. Scrutinize file upload attempts.
Type
file_name
Value
*.php
Description
Search for newly created PHP files in component media or upload directories.
Type
log_source
Value
Web Server Access Logs
Description
Monitor for POST requests to file upload endpoints associated with these components, followed by a GET request to the uploaded file.

Detection Methods

  • Vulnerability Scanning: Regularly scan websites to identify if vulnerable versions of iCagenda or Balbooa Forms are installed.
  • File Integrity Monitoring (FIM): Use FIM to alert on the creation of executable files in web-accessible directories.
  • WAF/IDS: Deploy a Web Application Firewall with rules to inspect file uploads and block those with dangerous file types or content. This is a direct application of D3-FA - File Analysis.

Remediation Steps

  1. Patch or Update: The primary remediation is to update the iCagenda and Balbooa Forms components to a patched version. If a patch is not available, the component should be disabled or uninstalled immediately. This is a critical application of M1051 - Update Software.
  2. Follow BOD 26-04: FCEB agencies are required to remediate these vulnerabilities by the deadline specified in the KEV catalog.
  3. Assume Compromise: CISA advises that organizations running these vulnerable components should assume they are compromised and initiate threat hunting and incident response procedures.
  4. Harden Server: Ensure that web server permissions are hardened to prevent script execution in directories where file uploads are permitted. This aligns with M1022 - Restrict File and Directory Permissions.

Timeline of Events

1
July 10, 2026
CISA adds CVE-2026-48939 and CVE-2026-56291 to the Known Exploited Vulnerabilities (KEV) catalog.
2
July 12, 2026
This article was published

MITRE ATT&CK Mitigations

Updating the affected Joomla components to a patched version is the most direct and effective remediation.

Configuring the web server to disallow script execution in upload directories can prevent webshells from functioning.

Timeline of Events

1
July 10, 2026

CISA adds CVE-2026-48939 and CVE-2026-56291 to the Known Exploited Vulnerabilities (KEV) catalog.

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Tags

cisakevjoomlavulnerabilitycve-2026-48939cve-2026-56291patch management

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.