Mastodon Mastodon Mastodon Mastodon

Critical iCagenda and Balbooa Forms RCE Flaws Actively Exploited

Photo of author

CyberSecureFox Editorial Team

Published:

On July 10, 2026, CISA added two maximum‑severity vulnerabilities to the KEV catalog — CVE-2026-48939 and CVE-2026-56291 — affecting the iCagenda and Balbooa Forms extensions for the Joomla CMS. Both vulnerabilities received a CVSS 10.0 score, allow remote code execution via arbitrary file upload, and are already being exploited in automated attacks. U.S. federal agencies (FCEB) have been given a remediation deadline of July 13, 2026 — only three days from publication. Patches are available: Joomla site owners using these extensions must update immediately and check their servers for indicators of compromise.

Technical analysis of the vulnerabilities

CVE-2026-48939 — iCagenda: code execution via event submission form

The CVE-2026-48939 vulnerability resides in the file attachment handling function of the iCagenda “Submit an Event” form. The component does not properly validate the type of the uploaded file, which allows an attacker to upload a PHP script and execute arbitrary code on the server.

Affected versions:

  • 4.x branch — all versions up to and including 4.0.7
  • Legacy 3.x branch — versions from 3.2.1 through 3.9.14 inclusive

According to researchers at mySites.guru, exploitation of this vulnerability as a zero‑day has been observed since June 15, 2026 — almost a month before it was added to KEV. The attacks were automated: in the access logs of one client, a scanner with the User-Agent icagenda-batch/1.0 was recorded obtaining a token, uploading a malicious file through the form endpoint, and then calling the installed web shell via the predictable attachment storage path. It should be noted that these details of the attack chain come from a single third‑party source and have not been independently confirmed, although inclusion in the CISA KEV catalog itself confirms that active exploitation is taking place.

The developer JoomliC released fixes in versions 4.0.8 and 3.9.15.

CVE-2026-56291 — Balbooa Forms: unauthenticated RCE

The CVE-2026-56291 vulnerability in the Balbooa Forms extension is arguably an even more dangerous case. According to researchers, up to and including version 2.4.0, the front‑end attachment upload mechanism would accept files from any anonymous visitor — with no authentication, no CSRF token, and no file‑type validation. An attacker could upload a PHP file into a public directory and execute it, resulting in full unauthenticated remote code execution.

The vulnerability was discovered on July 8, 2026 during a real‑world attack on a mySites.guru client. A fix is available in Balbooa Forms version 2.4.1.

Indicators of compromise

For both extensions, specific signs to look for have been published:

  • iCagenda: check the images/icagenda/frontend/attachments/ directory for suspicious PHP files
  • Balbooa Forms: check the images/baforms/uploads/ directory for files that are not images or documents, especially those with a .php extension
  • Check the Joomla user list for suspicious accounts with administrator privileges
  • Audit recently modified or unfamiliar PHP files across the entire site
  • In access logs, look for the User-Agent icagenda-batch/1.0

Global campaign against CMS: Australia’s warning

CISA’s publication coincided with a warning from the Australian Cyber Security Centre (ACSC) about a large‑scale global campaign targeting content management systems and their plugins. According to ACSC, attackers are actively scanning websites to deploy web shells by leveraging vulnerabilities related to unauthenticated file uploads, remote code execution, server‑side request forgery (SSRF), and deserialization.

The list of exploited vulnerabilities includes flaws in a wide range of products:

ACSC emphasized that advances in AI are accelerating the speed and scale of cyberattacks, reducing the time between disclosure of a vulnerability and the start of exploitation. This observation is confirmed by the timeline of the Joomla vulnerabilities under discussion: CVE-2026-48939 was exploited as a zero‑day for at least 25 days before a patch became available.

Impact assessment

Both vulnerabilities pose a critical threat for several reasons. First, they do not require authentication — an attacker only needs to know the URL of a site with the vulnerable extension. Second, exploitation is fully automated, which means mass scanning and compromise. Third, Joomla remains one of the most widely used CMS platforms, and iCagenda and Balbooa Forms are popular extensions for event sites and contact forms, including resources of government agencies, educational institutions, and small businesses.

Successful exploitation results in installation of a web shell, giving the attacker full control over the web server: from data theft and content modification to using the server as a foothold for further attacks on internal infrastructure.

Response recommendations

  1. Update immediately iCagenda to version 4.0.8 (or 3.9.15 for the legacy branch) and Balbooa Forms to version 2.4.1
  2. Check the file system along the specified paths for PHP files that should not be present in attachment directories
  3. Audit Joomla accounts — remove unknown accounts with administrator privileges
  4. Analyze web server logs for suspicious requests to file upload endpoints and access to unusual PHP files in attachment directories
  5. If signs of compromise are found, assume the server is compromised: conduct a full investigation, change all credentials, and verify the integrity of CMS files
  6. If updating is not immediately possible, disable file upload features in both extensions or temporarily deactivate them

The three‑day deadline set by CISA for federal agencies reflects the exceptional seriousness of the situation: both vulnerabilities have the maximum CVSS score, are trivially exploitable, and are already being used in mass automated attacks. Joomla site owners using the iCagenda or Balbooa Forms extensions should treat updating as a top‑priority task — every hour of delay increases the likelihood of compromise.


CyberSecureFox Editorial Team

The CyberSecureFox Editorial Team covers cybersecurity news, vulnerabilities, malware campaigns, ransomware activity, AI security, cloud security, and vendor security advisories. Articles are prepared using official advisories, CVE/NVD data, CISA alerts, vendor publications, and public research reports. Content is reviewed before publication and updated when new information becomes available.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.