Virtual Round Table · Jul 22

View the event
Two Perfect-10 Joomla Extension Bugs Were Live Zero-Days Before Anyone Filed a CVE
Cybersecurity

Two Perfect-10 Joomla Extension Bugs Were Live Zero-Days Before Anyone Filed a CVE

CISA added CVE-2026-48939 in iCagenda and CVE-2026-56291 in Balbooa Forms to its KEV catalog after both hit the maximum 10.0 severity and were exploited as zero-days. Unauthenticated file upload leads straight to remote code execution.

PublishedJuly 18, 2026
Read time5 min read
Share

Two Tens, Both Exploited First

The severity numbers here leave no room for interpretation. CVE-2026-48939 in the iCagenda extension and CVE-2026-56291 in Balbooa Forms both score a flat 10.0 on CVSS, the ceiling of the scale. Both are unauthenticated arbitrary file upload flaws, and both were exploited in the wild as zero-days before patches or CVE identifiers existed. CISA added them to its Known Exploited Vulnerabilities catalog on July 10, 2026, and gave Federal Civilian Executive Branch agencies three days to remediate. When a bug is a maximum-severity, pre-auth path to code execution and it is already being exploited, the ordinary triage debate is over.

We want to be precise about why these earn a 10. The vulnerabilities let an attacker upload a file, place it in a public folder, and then request it to run. As one analysis from mySites.guru put it, "An attacker could upload a PHP file into a public folder and then run it, which is unauthenticated remote code execution, the worst outcome a web flaw can have." No login, no user interaction, no chained secondary bug. That directness is what makes both trivially automatable, and automation is exactly what defenders are seeing in the traffic.

How iCagenda Gets Owned

CVE-2026-48939 lives in the iCagenda extension's file attachment feature, specifically the Submit an Event form functionality that lets ordinary visitors propose calendar events. That form is meant to accept attachments. The flaw is that it accepts the wrong ones, allowing an attacker to upload PHP code and then execute it on the server. Exploitation of this bug began on June 15, 2026, in automated attacks aimed at any Joomla site with iCagenda installed. The patched releases, iCagenda 4.0.8 and 3.9.15, shipped on June 15 and 16, which means exploitation and the fix arrived essentially in lockstep.

That overlap is the uncomfortable part. A patch that lands the same day exploitation starts only protects sites that apply it immediately, and most Joomla extension installs do not update on that cadence. Affected versions span iCagenda 4.x up to 4.0.7 and 3.x from 3.2.1 through 3.9.14, a wide band that covers years of deployments. If you run iCagenda and have not patched since mid-June, the correct assumption is not that you might be exposed. It is that automated scanners have already visited your Submit an Event form.

How Balbooa Forms Gets Owned

CVE-2026-56291 follows the same script through a different door. It is an unauthenticated arbitrary file upload in the Balbooa Forms extension's frontend attachment upload endpoint, leading to remote code execution. This one was discovered during an active attack on July 8, 2026, which tells us defenders found it because someone was already using it, not through routine research. Balbooa Forms versions up to and including 2.4.0 are vulnerable, and the fix arrived in version 2.4.1 on July 9, one day after the attack surfaced.

The pattern across both extensions is worth naming. Frontend forms that accept file attachments are a recurring soft spot in the Joomla ecosystem, because their entire purpose is to take input from anonymous users. When the upload handler fails to constrain file types and destinations, the form becomes a public code-execution endpoint. We would treat any internet-facing Joomla site running community extensions with attachment features as a category worth auditing, regardless of whether these two specific CVEs apply. The class of bug keeps recurring for structural reasons.

The Compromise Assumption and the IOCs

Because both flaws were exploited before disclosure, patching alone is insufficient. If your site ran a vulnerable version during the exposure window, you have to hunt for what may already be planted. The published indicators are concrete. For iCagenda, inspect the images/icagenda/frontend/attachments/ directory for suspicious PHP files. For Balbooa Forms, scan images/baforms/uploads for non-document files, paying particular attention to anything with a PHP extension. In both cases, audit the Joomla user list for administrator accounts you did not create.

That last check matters most. A web shell gives an attacker code execution, but a rogue admin account gives them durable, legitimate-looking control that survives extension updates and casual cleanup. We would rebuild trust from the ground up on any site showing these signs: remove planted files, revoke unknown accounts, rotate every credential and secret the site touches, and review logs for the timeframe. Patching closes the entry point. Hunting closes the persistence. Skipping the second step is how organizations patch a hole and leave the intruder inside it.

The Decision You Own This Week

For most enterprises, Joomla sites are marketing properties, event microsites, or community portals that sit outside the core application estate, which is precisely why they get neglected. That neglect is the risk. An internet-facing server running vulnerable iCagenda or Balbooa Forms is a pre-auth RCE foothold on your perimeter, and attackers do not care that the site only hosts a conference calendar. From that foothold they can pivot, host malware, or use the box as infrastructure. The three-day federal deadline is a signal about urgency that private organizations should borrow directly.

The action is straightforward. Inventory every Joomla instance you run, including the ones a business unit stood up without telling security. Confirm the extension versions, patch to iCagenda 4.0.8 or 3.9.15 and Balbooa Forms 2.4.1, and then run the compromise hunt above whether or not you think you patched in time. Maximum-severity, actively exploited, unauthenticated RCE in a public web component is the exact profile that turns a forgotten microsite into an incident. Close it now, and close it completely.

Tagged#news#security#cybersecurity#breach#cisa#ransomware#zero-day#supply-chain#ai-security#joomla#remote-code-execution#kev