Skip to content

Two more Joomla extensions hit CISA KEV: iCagenda and Balbooa Forms

CISA added CVE-2026-48939 (iCagenda) and CVE-2026-56291 (Balbooa Forms) to KEV on July 10. Both unauth file-upload to RCE. Patches: iCagenda 4.0.8/3.9.15, Balbooa Forms 2.4.1.

Published 6 min read

CISA added two Joomla extension flaws to the Known Exploited Vulnerabilities catalog on July 10, 2026: CVE-2026-48939 in the iCagenda events calendar extension and CVE-2026-56291 in Balbooa Forms. Both are unauthenticated arbitrary file uploads that chain to remote code execution. Both were confirmed exploited in the wild before the KEV listing. The remediation deadline for federal civilian agencies under BOD 26-04 runs three business days from the catalog add.

This is the second KEV addition of Joomla file-upload primitives in four days — CISA added SP Page Builder and Page Builder CK on July 7. The Joomla extension ecosystem is having a very bad July.

What the bugs do

iCagenda — CVE-2026-48939. The frontend event registration form ships a file-attachment feature that enforces access controls at the view layer only, not the controller. An unauthenticated visitor can POST to the attachment endpoint with no login, no CSRF check, and no file-type validation. Uploaded files land directly under the web root at /images/icagenda/frontend/attachments/ and are served with the request's original extension — a .php payload is executable on read. Classic CWE-434 unrestricted upload of file with dangerous type, chained to RCE in a single request. CVSS 10.0.

Two public PoCs went up on GitHub within days of disclosure — one at shinthink/CVE-2026-48939, a second at Polosss/By-Poloss..-..CVE-2026-48939. Both drop a PHP web shell in one HTTP request.

Balbooa Forms — CVE-2026-56291. The frontend attachment upload accepts files from any anonymous visitor. No login. No CSRF token. No file-type allowlist. Same primitive, same outcome: a PHP file written into a public folder, retrieved with a GET, executed as the web-server user. Balbooa Forms is a widely-installed Joomla form builder — the extension is bundled with several popular templates, so many operators inherited it without an explicit install.

Affected versions and patches

ExtensionVulnerablePatchedRelease date
iCagenda (icagenda.com)3.2.1 – 3.9.14 and 4.0.0 – 4.0.74.0.8 and 3.9.15June 15–16, 2026
Balbooa Forms≤ 2.4.02.4.1July 9, 2026

The iCagenda 4.0.8 patch relocates access enforcement to the controller layer and adds proper file-type validation via Joomla's MediaHelper allow-list. The 3.9.15 backport follows the same pattern for the legacy 3.x branch.

The Balbooa Forms 2.4.1 patch, released July 9 — one day before the KEV listing — adds authentication and CSRF checks and an allow-list on attachment MIME types.

Exploitation status

Both CVEs were on CISA KEV explicitly on the basis of confirmed in-the-wild exploitation. Two independent sources chronicle the pattern:

  • iCagenda. mySites.guru's advisory documents live web-shell delivery from mid-June onward — attackers POSTing a PHP payload named to look like a JPEG or a PDF, then GETting the file at its predictable path under /images/icagenda/frontend/attachments/. Ionix's threat centre entry corroborates the timeline.
  • Balbooa Forms. The vendor's own patch notes acknowledge the flaw was reported alongside in-the-wild exploit traffic. mySites.guru's Balbooa write-up captures the same pattern — single-request unauthenticated upload, followed by a GET to the shell — against sites running 2.4.0 and earlier from late June onward.

Neither the CISA entry nor either extension vendor published IOCs, YARA, or Sigma rules in a usable form. The detectable primitive is the exploit traffic pattern: an anonymous POST containing a multipart file with a PHP payload, followed within seconds by a GET to a newly-appeared file under the extension's public attachment directory.

Action checklist

  1. Inventory every Joomla site you operate and check for iCagenda and Balbooa Forms. Both ship as template dependencies, so operators frequently don't remember installing them.
  2. Upgrade iCagenda to 4.0.8 on the 4.x branch or 3.9.15 on the 3.x branch. Verify the version served, not the version listed in the Joomla extension manager.
  3. Upgrade Balbooa Forms to 2.4.1 on every affected site.
  4. Hunt for post-compromise artefacts on any site that was internet-reachable in the past three weeks:
    • Unexpected files under /images/icagenda/frontend/attachments/ — particularly files with double extensions like .jpg.php or unfamiliar .php files.
    • Unexpected files in the Balbooa Forms attachment directory configured on your site.
    • New Super Administrator accounts in #__users you did not create.
    • Modified timestamps on configuration.php, index.php, and files under /templates/.
  5. Rotate every credential reachable from configuration.php — database password, mail SMTP, cache tokens, S3 keys. Unauthenticated RCE means the file was readable regardless of whether a persistent shell was successfully placed.
  6. Stage a WAF rule blocking anonymous multipart POSTs to iCagenda and Balbooa Forms upload endpoints until every site is confirmed patched.

Federal civilian agencies operating either extension must remediate by the BOD 26-04 deadline (three business days from July 10). Everyone else runs on the same clock, whether they acknowledge it or not.

Context

Four Joomla extensions have landed on CISA KEV in eleven days: JCE (June 16), SP Page Builder and Page Builder CK (July 7), now iCagenda and Balbooa Forms (July 10). All four share the same shape — a frontend file-upload endpoint whose access control lives at the wrong layer of the MVC stack, checking the view rather than the controller, or checking nothing at all. Attackers have clearly built a hunting pipeline for that pattern in the Joomla extension registry, and they are not running out of targets.

The operational question for Joomla operators is now the same one WordPress operators have been asked for years: which of the extensions your templates pull in have you never audited? A template that bundles fifteen third-party extensions is a template that outsources fifteen distinct trust decisions to authors who may not still be maintaining their code. Every one of the four July KEV additions was in a template's dependency graph on tens of thousands of sites whose operators did not install it explicitly.

What other outlets missed

The two CVEs are being reported by most outlets as roughly symmetric. They are not on the operational timeline. iCagenda 4.0.8 shipped on June 15 — nearly four weeks before the KEV listing — so any site that patched on the vendor's schedule was clean by the time CISA formalised the deadline. Balbooa Forms 2.4.1 shipped on July 9, one day before the KEV add, meaning operators had no realistic window to patch on the vendor's cadence ahead of the federal deadline. If you run Balbooa Forms and hit the KEV listing before you saw the 2.4.1 release, you are patching under an active-exploitation timer with no pre-existing grace period. That difference matters for prioritisation and it isn't in the CISA framing.

Related stories