On July 10, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two zero-day vulnerabilities in Joomla extensions to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) agencies have three days, until July 13, 2026, to apply patches or take affected systems offline. Both flaws carry a CVSS score of 10.0 out of 10.0 and enable unauthenticated remote code execution through arbitrary file upload.
- CISA confirmed active exploitation for CVE-2026-48939 (iCagenda) and CVE-2026-56291 (Balbooa Forms), adding them to the KEV catalog on July 10, 2026, with a remediation deadline of July 13, 2026 for U.S. federal agencies.
- The mySites.guru platform, which discovered both vulnerabilities, detected exploitation of iCagenda starting June 15, 2026 via an automated scanner identified as
icagenda-batch/1.0. - Both flaws are unrestricted file upload vulnerabilities (CWE-434): CVE-2026-48939 in iCagenda's attachment component, CVE-2026-56291 in Balbooa Forms' frontend upload with no authentication, CSRF token, or file-type validation.
- Patched versions are iCagenda 3.9.15 and 4.0.8, and Balbooa Forms 2.4.1; the iCagenda legacy 3.x branch is also vulnerable through 3.9.14.
Automated Scanner and Three Weeks of Invisible Exploitation
Analysis by mySites.guru, cited by The Hacker News, reconstructs an exploitation timeline that predates discovery and patch availability. For CVE-2026-48939, the first signal detected in a customer's access logs dates to June 15, 2026: an automated scanner identifying itself with the user-agent icagenda-batch/1.0 obtained a token, posted a malicious payload to the submit endpoint, and subsequently retrieved the web shell from the predictable path where the component writes attachments.
The zero-day exploitation window spans roughly three weeks before the vendor released fixes. For CVE-2026-56291, discovery occurred on July 8, 2026 during a live attack against a platform customer, with an even tighter interval between first exploitation and patch.
"We first saw it in a client's access log: an automated scanner identifying itself as 'icagenda-batch/1.0' grabbed a token, posted a malicious upload to the submit endpoint, then fetched the planted shell at the exact path the component writes attachments to" — mySites.guru via The Hacker News
The Technical Mechanism: Upload Without Guards
The common technical core of both vulnerabilities is CWE-434 (Unrestricted Upload of File with Dangerous Type), with variants in each component's specific context. For iCagenda, an extension for event and calendar management, the flaw resides in the submit-file attachment functionality: the absence of file-type validation allows direct upload of executable PHP payloads.
Balbooa Forms presents an even broader attack surface. Through version 2.4.0 inclusive, the frontend attachment-upload endpoint accepts files from any anonymous visitor. The discovery source documents three simultaneous absences: no login requirement, no CSRF token, no check on the uploaded file type. The consequence is stated without ambiguity by the same source.
"An attacker could upload a PHP file into a public folder and then run it, which is unauthenticated remote code execution, the worst outcome a web flaw can have" — mySites.guru via The Hacker News
Federal Pressure: Three Days Between Cataloging and Deadline
Inclusion in the KEV catalog on July 10, 2026 triggers Binding Operational Directive 22-01, the instrument through which CISA imposes binding timelines on federal agencies. The deadline set for July 13, 2026 — three calendar days, not three business days — reflects the perception of immediate risk and the ease of exploitation of the vector. BOD 26-04, which replaced the previous 22-01, maintains the same enforcement mechanism.
The KEV catalog, for both entries, lists the status "Known To Be Used in Ransomware Campaigns?" as Unknown: CISA does not currently have evidence linking these specific flaws to ransomware deployment. The dossier does not specify whether the campaigns detected by mySites.guru were aimed at deploying persistent web shells, defacement, exfiltration, or other post-exploitation objectives.
The Forgotten Joomla: When Attention Shifts Elsewhere
The incident fits a broader pattern of CMS exploitation documented in the same period. The Hacker News temporally links these zero-days to an Australian Cyber Security Centre (ACSC) alert on global campaigns compromising content management platforms with web shell deployment. The Joomla ecosystem, while maintaining a significant installed base, routinely receives a fraction of the security attention reserved for WordPress: this asymmetry can translate into less-monitored attack surfaces and longer response times from third-party extension vendors.
The simultaneous discovery of two zero-days in different commercial components (iCagenda by JoomliC, Balbooa Forms by Balbooa) suggests automated scanners are systematically mapping the Joomla ecosystem to identify upload endpoints with insufficient validation. The dossier does not specify whether the same operators are responsible for both campaigns or whether there is infrastructure overlap between the attacks.
What to Do Now
- Check for the presence of iCagenda (versions 3.2.1–3.9.14 and 4.0.0–4.0.7) or Balbooa Forms (through 2.4.0) in your Joomla assets and plan updates to patched versions 3.9.15/4.0.8 and 2.4.1 respectively.
- Search access logs for signs of past exploitation, paying particular attention to the user-agent
icagenda-batch/1.0and POST requests to the affected components' submit endpoints followed by GET requests from attachment paths. - For organizations with Joomla sites managed by third parties, request explicit confirmation of patching status by the July 13, 2026 deadline for assets relevant to U.S. federal compliance.
- Monitor the KEV catalog for any extensions of the case to additional related CVEs or revisions to the remediation deadline.
Frequently Asked Questions
Do the vulnerabilities affect Joomla core?
No. Both flaws reside in third-party extensions: iCagenda (JoomliC) and Balbooa Forms (Balbooa). Joomla core is not affected according to available sources.
Why is the CVSS score 10.0?
According to OpenCVE sources and official CVE records, both vulnerabilities receive the maximum score for remote access, no privileges required, no user interaction, and complete impact on confidentiality, integrity, and availability, with exploitation assessed as actively used (metric E:A in the CVSS 4.0 vector).
Is exploitation still ongoing?
CISA confirmed active exploitation at the time of KEV catalog inclusion on July 10, 2026. The dossier provides no updates on malicious traffic volumes after that date.
Information verified against cited sources and current as of publication.
Sources
- https://thehackernews.com/2026/07/icagenda-and-balbooa-forms-joomla-flaws.html
- https://securityaffairs.com/195164/security/u-s-cisa-adds-icagenda-and-balbooa-forms-flaws-to-its-known-exploited-vulnerabilities-catalog.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/news-events/alerts/2026/07/10/cisa-adds-two-known-exploited-vulnerabilities-catalog
- https://app.opencve.io/cve/CVE-2026-48939
- https://www.cve.org/CVERecord?id=CVE-2026-48939
- https://nvd.nist.gov/vuln/detail/CVE-2025-6389
- https://nvd.nist.gov/vuln/detail/CVE-2025-7852
- https://nvd.nist.gov/vuln/detail/CVE-2025-12352
- https://nvd.nist.gov/vuln/detail/CVE-2025-32432