Urgent Security Alert: Critical Joomla Extensions Vulnerable to Remote Code Execution

July 13, 2026
Urgent Security Alert: Critical Joomla Extensions Vulnerable to Remote Code Execution
  • JoomliC released patches quickly after confirmation of exploitation; these flaws were added to the CISA Known Exploited Vulnerabilities catalog on July 10, triggering urgent remediation guidance for federal agencies and broad advisories for all organizations to patch.

  • Two critical Joomla extensions, iCagenda and Balbooa Forms, expose unauthenticated arbitrary file upload vulnerabilities that enable remote code execution, with CVE-2026-48939 affecting iCagenda and CVE-2026-56291 affecting Balbooa Forms.

  • Exploitation has been observed in the wild since mid-June 2026, including automated attacks that upload malicious files and plant a web shell, as reported by MySites.guru.

  • Security teams, especially in private organizations, are urged to review KEV listings and promptly address these vulnerabilities to reduce risk.

  • The vulnerabilities carry CVSS scores of 10 for both flaws, underscoring their severity and the urgency of patching.

  • Affected products include iCagenda, an open-source Joomla event manager, and Balbooa Forms, a commercial Joomla form builder.

  • Executive and site administrator teams should apply the updates immediately and stay alert for further advisories and patches from the extension developers.

  • CISA added both vulnerabilities to the Known Exploited Vulnerabilities catalog following reports of active zero-day exploitation in the wild.

  • The Australian Cyber Security Centre warns this is part of a global exploitation campaign targeting multiple CMSs, with attackers deploying web shells via unauthenticated file uploads and remote code execution.

  • Indicators of compromise for Balbooa Forms include unusual PHP files in uploads (images/baforms/uploads) and unfamiliar administrator accounts, prompting audits for recently modified or unknown files.

  • The two CVEs cited by CISA are CVE-2026-48939 (iCagenda Unrestricted Upload of File with Dangerous Type) and CVE-2026-56291 (Balbooa Forms Unrestricted Upload of File with Dangerous Type).

  • U.S. federal agencies were given a deadline to patch by mid-July 2026 under Binding Operational Directive 22-01; broader guidance urged all organizations to remediate by the same window.

Summary based on 3 sources


Get a daily email with more Tech stories

More Stories