Two critical flaws in the iCagenda and Balbooa Forms extensions for the open-source Joomla CMS are being actively exploited, prompting CISA to add them to its KEV catalog and urge immediate patching.
Two actively exploited vulnerabilities affecting third-party extensions for the open-source Joomla content management system have been added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog, triggering an urgent call for patching. The flaws impact the iCagenda events calendar extension and the Balbooa Forms form builder.
Tracked as CVE-2026-48939 and CVE-2026-56291, respectively, both vulnerabilities carry the maximum CVSS score of 10.0. They allow attackers to upload arbitrary PHP files that can be executed on the server, leading to remote code execution and potential takeover of affected websites.
Joomla powers about 1.2% of all websites, or roughly one million sites worldwide, making the vulnerabilities significant across the open-source web ecosystem. Following the KEV listing, CISA directed U.S. federal civilian agencies to remediate the flaws under its vulnerability management directive, while warning is equally relevant to organisations running public-facing Joomla websites.
The iCagenda flaw exploits the extension’s attachment upload mechanism through its “Submit an Event” feature. Security firm mySites.guru observed attackers exploiting the vulnerability just hours before patched versions 4.0.8 and 3.9.15 were released, with automated scanning and web shell deployment recorded.
The Balbooa Forms flaw stems from an upload endpoint lacking authentication, CSRF protection and effective file-type validation. Version 2.4.1 fixes the issue, but researchers warn that attacks continue against unpatched installations. Security updates are available for both extensions, and immediate deployment is recommended.









































































