
CISA Flags Active Exploitation of Two Critical Joomla Extension Upload Flaws
CISA added two critical Joomla extension file-upload flaws to its exploited catalog, warning site owners to patch or mitigate quickly.
CISA has added two Joomla extension vulnerabilities to its Known Exploited Vulnerabilities catalog after determining that attackers are actively abusing them. The July 10 update covers Balbooa Forms, tracked as CVE-2026-56291, and iCagenda, tracked as CVE-2026-48939. Both bugs are file-upload flaws that can let an unauthenticated attacker place executable PHP code on a vulnerable site, turning a content-management add-on into a path for remote code execution.
The National Vulnerability Database lists CVE-2026-56291 as affecting Balbooa Forms versions before 2.4.1 and describes the issue as an arbitrary file upload that can lead to full remote code execution. NVD assigns the flaw a CVSS 3.1 base score of 9.8 and shows a critical CVSS 4.0 score from the Joomla Project. The second issue, CVE-2026-48939, affects iCagenda versions from 3.2.1 up to versions before 3.9.15, as well as 4.0.0 through versions before 4.0.8, according to NVD data.
Why it matters
Joomla powers public websites that often rely on third-party extensions for forms, calendars, and attachments. Upload flaws in those components are especially sensitive because attackers do not need to steal an administrator password if the vulnerable endpoint allows a malicious file to be accepted and then executed by the web server. CISA's catalog entry means the agency has enough evidence to treat exploitation as real, not theoretical.
- Federal civilian agencies are directed to apply vendor mitigations or stop using affected products when mitigations are not available.
- CISA lists a July 13, 2026 due date for action under its risk-prioritized patching guidance.
- Site operators outside government should still treat the catalog addition as a practical warning to inventory Joomla installations and extension versions.
The most immediate defensive step is to confirm whether Balbooa Forms or iCagenda is installed, then update to fixed releases where available. Administrators should also review recent uploads, newly created PHP files, web server logs, and unexplained administrator accounts, because patching closes the entry point but does not automatically remove an already planted web shell.
Sources
Cover photo by Brett Sayles on Pexels, used under the Pexels License.
CyberOGZ Team






Comments (0)
Leave a Comment