On July 10, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two critical zero-day vulnerabilities affecting Joomla extensions to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerabilities, CVE-2026-48939 in the iCagenda extension and CVE-2026-56291 in Balbooa Forms, are unauthenticated arbitrary file upload flaws that lead to remote code execution (RCE). Both have been assigned a CVSS v3.1 score of 10.0, indicating maximum severity. Reports confirm active, automated exploitation in the wild, with attackers uploading web shells to gain full control of vulnerable servers. Patches are available and immediate remediation is critical for all users of these popular Joomla components.
Both vulnerabilities stem from a failure to properly validate and restrict file uploads from unauthenticated users, creating a critical attack vector on publicly accessible web forms.
CVE-2026-48939 (iCagenda): This vulnerability exists in the "Submit an Event" form of the iCagenda extension. The form allows any anonymous visitor to upload a file without authentication or proper file type validation. Attackers can upload a malicious PHP script disguised as a legitimate file (e.g., an image), which can then be executed on the server, granting them RCE capabilities.
CVE-2026-56291 (Balbooa Forms): This flaw affects Balbooa Forms versions up to and including 2.4.0. The frontend attachment upload feature accepts files from any visitor without checking for authentication or file extension. This allows an attacker to upload a PHP web shell to a publicly accessible directory. Once uploaded, the attacker can navigate to the shell's URL to execute arbitrary commands on the server.
These extensions are used on websites built with the Joomla Content Management System (CMS).
Both vulnerabilities are under active and widespread exploitation. According to mySites.guru, automated attacks exploiting CVE-2026-48939 began as early as June 15, 2026. The inclusion of both CVEs in CISA's KEV catalog confirms evidence of active exploitation. The Australian Cyber Security Centre (ACSC) has also issued warnings about malicious actors actively scanning for these weaknesses to deploy web shells. Due to the ease of exploitation and high potential impact, the number of compromised websites is expected to grow rapidly.
Successful exploitation of either vulnerability results in a full compromise of the web server. An attacker can achieve remote code execution with the permissions of the web server process (e.g., www-data). This allows the threat actor to:
The business impact can be severe, leading to data breach notification costs, regulatory fines, reputational damage, and significant downtime for cleanup and recovery.
No specific file hashes, IP addresses, or domains were provided in the source articles.
The following patterns could indicate related activity:
/index.php?option=com_icagendatask=icform*.php/images, /tmp).access.log, error.logphp, php-fpmwhoami, ls, wget).Security teams should focus on detecting both exploitation attempts and signs of a successful compromise.
.php, .phtml, .php5) to the iCagenda or Balbooa Forms endpoints. This aligns with D3-NTA: Network Traffic Analysis..php, .sh) in a directory meant for images or documents is a high-confidence indicator of compromise. This relates to D3-FA: File Analysis.apache2, nginx, w3wp.exe) spawning shell commands.Response: If a compromise is suspected, immediately isolate the server from the network. Take a forensic snapshot for investigation. Remove the web shell and any other malicious files. Restore from a known-good backup created before the compromise date. After restoring, apply the patches and conduct a thorough audit for any backdoors, such as new admin accounts or scheduled tasks.
.htaccess file with php_flag engine off to disable PHP execution.Specific patch version 2.4.1 identified for iCagenda (CVE-2026-48939), clarifying mitigation details for the actively exploited Joomla flaw.
Immediately apply patches provided by the vendors to fix the vulnerabilities.
Use a Web Application Firewall (WAF) to filter malicious file uploads and block suspicious requests.
Harden web server configurations to prevent script execution in upload directories, effectively sandboxing the uploaded content.
Ensure the web server process runs with least privilege and cannot write to or execute files outside of designated areas.
Automated attacks exploiting CVE-2026-48939 in iCagenda reportedly begin.
Balbooa releases version 2.4.1 of its Forms extension, patching CVE-2026-56291.
CISA adds CVE-2026-48939 and CVE-2026-56291 to its Known Exploited Vulnerabilities (KEV) catalog.
Deadline for U.S. Federal Civilian Executive Branch agencies to apply patches for the two vulnerabilities.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.