Urgent Security Alert: Critical Joomla Extensions Vulnerable to Remote Code Execution
July 13, 2026
JoomliC released patches quickly after confirmation of exploitation; these flaws were added to the CISA Known Exploited Vulnerabilities catalog on July 10, triggering urgent remediation guidance for federal agencies and broad advisories for all organizations to patch.
Two critical Joomla extensions, iCagenda and Balbooa Forms, expose unauthenticated arbitrary file upload vulnerabilities that enable remote code execution, with CVE-2026-48939 affecting iCagenda and CVE-2026-56291 affecting Balbooa Forms.
Exploitation has been observed in the wild since mid-June 2026, including automated attacks that upload malicious files and plant a web shell, as reported by MySites.guru.
Security teams, especially in private organizations, are urged to review KEV listings and promptly address these vulnerabilities to reduce risk.
The vulnerabilities carry CVSS scores of 10 for both flaws, underscoring their severity and the urgency of patching.
Affected products include iCagenda, an open-source Joomla event manager, and Balbooa Forms, a commercial Joomla form builder.
Executive and site administrator teams should apply the updates immediately and stay alert for further advisories and patches from the extension developers.
CISA added both vulnerabilities to the Known Exploited Vulnerabilities catalog following reports of active zero-day exploitation in the wild.
The Australian Cyber Security Centre warns this is part of a global exploitation campaign targeting multiple CMSs, with attackers deploying web shells via unauthenticated file uploads and remote code execution.
Indicators of compromise for Balbooa Forms include unusual PHP files in uploads (images/baforms/uploads) and unfamiliar administrator accounts, prompting audits for recently modified or unknown files.
The two CVEs cited by CISA are CVE-2026-48939 (iCagenda Unrestricted Upload of File with Dangerous Type) and CVE-2026-56291 (Balbooa Forms Unrestricted Upload of File with Dangerous Type).
U.S. federal agencies were given a deadline to patch by mid-July 2026 under Binding Operational Directive 22-01; broader guidance urged all organizations to remediate by the same window.
Summary based on 3 sources
Get a daily email with more Tech stories
Sources

The Hacker News • Jul 13, 2026
iCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-Days
Security Affairs • Jul 11, 2026
U.S. CISA adds iCagenda and Balbooa Forms flaws to its Known Exploited Vulnerabilities catalog
SecurityWeek • Jul 13, 2026
Organizations Warned of Exploited Joomla Extension Vulnerabilities