Joomla Zero-Days CVE-2026-48939 & CVE-2026-56291 Exploited

CISA Warns of Two Joomla Zero-Days Under Active Exploitation

CRITICAL
July 13, 2026
July 14, 2026
6m read
VulnerabilityCyberattack

Related Entities(initial)

Organizations

CISA Australian Cyber Security Centre

Products & Tech

Joomla iCagendaBalbooa Forms

Other

mySites.guru

CVE Identifiers

CVE-2026-48939
CRITICAL
CVSS:10
CVE-2026-56291
CRITICAL
CVSS:10

Full Report(when first published)

Executive Summary

On July 10, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two critical zero-day vulnerabilities affecting Joomla extensions to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerabilities, CVE-2026-48939 in the iCagenda extension and CVE-2026-56291 in Balbooa Forms, are unauthenticated arbitrary file upload flaws that lead to remote code execution (RCE). Both have been assigned a CVSS v3.1 score of 10.0, indicating maximum severity. Reports confirm active, automated exploitation in the wild, with attackers uploading web shells to gain full control of vulnerable servers. Patches are available and immediate remediation is critical for all users of these popular Joomla components.


Vulnerability Details

Both vulnerabilities stem from a failure to properly validate and restrict file uploads from unauthenticated users, creating a critical attack vector on publicly accessible web forms.

  • CVE-2026-48939 (iCagenda): This vulnerability exists in the "Submit an Event" form of the iCagenda extension. The form allows any anonymous visitor to upload a file without authentication or proper file type validation. Attackers can upload a malicious PHP script disguised as a legitimate file (e.g., an image), which can then be executed on the server, granting them RCE capabilities.

  • CVE-2026-56291 (Balbooa Forms): This flaw affects Balbooa Forms versions up to and including 2.4.0. The frontend attachment upload feature accepts files from any visitor without checking for authentication or file extension. This allows an attacker to upload a PHP web shell to a publicly accessible directory. Once uploaded, the attacker can navigate to the shell's URL to execute arbitrary commands on the server.

Affected Systems

  • iCagenda: All versions containing the vulnerable "Submit an Event" form. A specific patched version has not been detailed in reports, but users should update to the latest available version immediately.
  • Balbooa Forms: Versions up to and including 2.4.0. The vulnerability is patched in version 2.4.1, released on July 9, 2026.

These extensions are used on websites built with the Joomla Content Management System (CMS).

Exploitation Status

Both vulnerabilities are under active and widespread exploitation. According to mySites.guru, automated attacks exploiting CVE-2026-48939 began as early as June 15, 2026. The inclusion of both CVEs in CISA's KEV catalog confirms evidence of active exploitation. The Australian Cyber Security Centre (ACSC) has also issued warnings about malicious actors actively scanning for these weaknesses to deploy web shells. Due to the ease of exploitation and high potential impact, the number of compromised websites is expected to grow rapidly.

Impact Assessment

Successful exploitation of either vulnerability results in a full compromise of the web server. An attacker can achieve remote code execution with the permissions of the web server process (e.g., www-data). This allows the threat actor to:

  • Steal sensitive data from the website's database, including user credentials, personal information, and payment details.
  • Deface the website or replace its content.
  • Use the compromised server as a pivot point to attack other systems within the internal network.
  • Host malware, phishing pages, or use the server as part of a botnet for DDoS attacks.
  • Establish persistent access by creating new administrator accounts or installing backdoors.

The business impact can be severe, leading to data breach notification costs, regulatory fines, reputational damage, and significant downtime for cleanup and recovery.

IOCs — Directly from Articles

No specific file hashes, IP addresses, or domains were provided in the source articles.

Cyber Observables — Hunting Hints

The following patterns could indicate related activity:

Type
url_pattern
Value
/index.php?option=com_icagenda
Description
Potential requests to the vulnerable iCagenda component.
Context
Web server logs, WAF logs
Type
url_pattern
Value
task=icform
Description
Parameter associated with iCagenda form submissions.
Context
Web server logs, WAF logs
Type
file_name
Value
*.php
Description
Look for PHP files in Joomla's public upload directories (e.g., /images, /tmp).
Context
File system monitoring, EDR
Type
log_source
Value
access.log, error.log
Description
Monitor web server logs for unusual POST requests to form endpoints followed by GET requests to newly uploaded PHP files.
Context
SIEM, Log analysis tools
Type
process_name
Value
php, php-fpm
Description
Monitor for child processes spawned by the web server process that are executing suspicious commands (e.g., whoami, ls, wget).
Context
EDR, Host-based IDS

Detection & Response

Security teams should focus on detecting both exploitation attempts and signs of a successful compromise.

  1. Network Traffic Analysis: Use a Web Application Firewall (WAF) to inspect incoming POST requests. Create rules to block or alert on file uploads containing PHP code or suspicious extensions (e.g., .php, .phtml, .php5) to the iCagenda or Balbooa Forms endpoints. This aligns with D3-NTA: Network Traffic Analysis.
  2. File Integrity Monitoring (FIM): Implement FIM on web server directories, particularly upload folders. An alert on the creation of any executable file type (e.g., .php, .sh) in a directory meant for images or documents is a high-confidence indicator of compromise. This relates to D3-FA: File Analysis.
  3. Log Analysis: Proactively search web server logs for patterns of exploitation. Look for a POST request that uploads a file, immediately followed by a GET request to that same file, often resulting in a 200 OK status. Correlate this with logs from EDR/endpoint agents showing the web server process (apache2, nginx, w3wp.exe) spawning shell commands.

Response: If a compromise is suspected, immediately isolate the server from the network. Take a forensic snapshot for investigation. Remove the web shell and any other malicious files. Restore from a known-good backup created before the compromise date. After restoring, apply the patches and conduct a thorough audit for any backdoors, such as new admin accounts or scheduled tasks.

Mitigation

  • Immediate Patching: This is the most critical step. Update Balbooa Forms to version 2.4.1 or later. Update iCagenda to the latest available version. This aligns with D3-SU: Software Update.
  • Disable Vulnerable Features: If patching is not immediately possible, disable the public-facing file upload functionality on both extensions. For iCagenda, disable the "Submit an Event" form for anonymous users. For Balbooa Forms, disable any forms that allow unauthenticated file attachments.
  • Harden Web Server Configuration: Configure the web server to prevent the execution of scripts in upload directories. For example, in Apache, you can use an .htaccess file with php_flag engine off to disable PHP execution.
  • Web Application Firewall (WAF): Deploy a WAF with rulesets that specifically block attempts to upload executable file types and detect common web shell patterns. This is a key compensating control.
  • Principle of Least Privilege: Ensure the web server process runs with the minimum necessary permissions. It should not have write access to directories outside of its designated temporary and upload folders.

Timeline of Events

1
June 15, 2026
Automated attacks exploiting CVE-2026-48939 in iCagenda reportedly begin.
2
July 9, 2026
Balbooa releases version 2.4.1 of its Forms extension, patching CVE-2026-56291.
3
July 10, 2026
CISA adds CVE-2026-48939 and CVE-2026-56291 to its Known Exploited Vulnerabilities (KEV) catalog.
4
July 13, 2026
Deadline for U.S. Federal Civilian Executive Branch agencies to apply patches for the two vulnerabilities.
5
July 13, 2026
This article was published

Article Updates

July 14, 2026

Specific patch version 2.4.1 identified for iCagenda (CVE-2026-48939), clarifying mitigation details for the actively exploited Joomla flaw.

MITRE ATT&CK Mitigations

Immediately apply patches provided by the vendors to fix the vulnerabilities.

Use a Web Application Firewall (WAF) to filter malicious file uploads and block suspicious requests.

Harden web server configurations to prevent script execution in upload directories, effectively sandboxing the uploaded content.

Ensure the web server process runs with least privilege and cannot write to or execute files outside of designated areas.

Timeline of Events

1
June 15, 2026

Automated attacks exploiting CVE-2026-48939 in iCagenda reportedly begin.

2
July 9, 2026

Balbooa releases version 2.4.1 of its Forms extension, patching CVE-2026-56291.

3
July 10, 2026

CISA adds CVE-2026-48939 and CVE-2026-56291 to its Known Exploited Vulnerabilities (KEV) catalog.

4
July 13, 2026

Deadline for U.S. Federal Civilian Executive Branch agencies to apply patches for the two vulnerabilities.

Sources & References(when first published)

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Editorial Standards & Analyst Review

CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.

Tags

JoomlaZero-DayRCEWeb ShellCISAKEVCVE-2026-48939CVE-2026-56291

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.