Balbooa and iCagenda CVEs Hit CISA KEV: Patch Joomla RCEs

CISA added Balbooa Forms CVE-2026-56291 and iCagenda CVE-2026-48939 to KEV after active exploitation. Joomla admins should patch, then check upload folders and accounts.

CISA added two Joomla extension vulnerabilities to its Known Exploited Vulnerabilities catalog on July 10, 2026, warning that attackers are already exploiting Balbooa Forms CVE-2026-56291 and iCagenda CVE-2026-48939.[1] Both bugs sit in file-upload paths and can let an unauthenticated attacker place dangerous files on a site, with the practical outcome ranging up to PHP code execution and full server compromise.[2]

The deadline in CISA KEV is July 13, 2026 for U.S. federal civilian agencies, but the risk is not limited to government systems. Joomla sites that expose contact forms, event submissions, or other frontend upload workflows are attractive because a single missed extension update can become a web shell, a hidden administrator account, or a persistence point in shared hosting.

Balbooa Forms is tracked as CVE-2026-56291. NVD lists Balbooa Forms versions up to, but not including, 2.4.1 as affected, with a critical CVSS 3.1 score of 9.8 and a Joomla Project CVSS 4.0 score of 10.0.[2] mySites.guru says the vulnerable frontend upload accepted files from anonymous visitors and could write executable PHP under the extension upload area; Balbooa fixed the issue in version 2.4.1 on July 9, 2026.[3]

iCagenda is tracked as CVE-2026-48939. NVD lists iCagenda 3.2.1 through versions before 3.9.15 and 4.0.0 through versions before 4.0.8 as affected, and CISA updated the record on July 10 to mark exploitation as active.[4] The vendor changelog calls iCagenda 4.0.8 a critical security release and says it fixed a full unauthenticated remote code execution issue.[5]

This is the same class of Joomla extension failure that made the recent Joomla Page Builder CVEs urgent: a public upload feature becomes executable code on the web server. It also fits the broader pattern seen in Joomla JCE exploitation and post-compromise cleanup stories such as the KnowledgeDeliver Godzilla web shell incident.

What Joomla admins should check now

Start with inventory. Search every Joomla site you manage for Balbooa Forms and iCagenda, including client sites, old staging copies, and shared hosting accounts where extensions may have been installed years ago and forgotten. Update Balbooa Forms to 2.4.1 or later. Update iCagenda to 4.0.8 or later on the current branch, or 3.9.15 or later on the legacy branch.[3][5]

Do not stop at patching. CISA added these CVEs because exploitation has been observed, so a vulnerable site may already have been touched. Check upload folders for unexpected PHP files, especially Balbooa attachment paths under images/baforms/uploads/ and iCagenda attachment paths under images/icagenda/frontend/attachments/ where applicable.[3][6] Review recently modified PHP files, new or unfamiliar Joomla Super User accounts, and web-server access logs showing POST requests to extension upload or event-submission endpoints followed by requests for a newly written file.

If you find a suspicious file, treat the site as compromised rather than simply deleting the upload. Preserve logs, rotate Joomla and database credentials, check for persistence in templates and plugins, and compare the site against a clean backup. On shared hosting, inspect neighboring sites too, because a PHP shell on one Joomla install can become a foothold into the wider account.

The practical lesson is simple: form builders and event components are not low-risk add-ons just because they look like content features. They process hostile input from anonymous visitors. When one of those extensions receives an upload-related security fix, especially one now listed in KEV, it deserves the same urgency as an exposed edge-device patch.

References

  1. CISA, “CISA Adds Two Known Exploited Vulnerabilities to Catalog,” July 10, 2026. https://www.cisa.gov/news-events/alerts/2026/07/10/cisa-adds-two-known-exploited-vulnerabilities-catalog
  2. NVD, “CVE-2026-56291 Detail.” https://nvd.nist.gov/vuln/detail/CVE-2026-56291
  3. mySites.guru, “Balbooa Forms Fixes an Unauthenticated File Upload RCE.” https://mysites.guru/blog/balbooa-forms-unauthenticated-file-upload-flaw/
  4. NVD, “CVE-2026-48939 Detail.” https://nvd.nist.gov/vuln/detail/CVE-2026-48939
  5. iCagenda, “iCagenda 4.0.8 (Security Release).” https://www.icagenda.com/docs/changelog/icagenda-4-0-8
  6. mySites.guru, “Zero Day Vulnerability Found in iCagenda Joomla Extension.” https://mysites.guru/blog/icagenda-zero-day-file-upload-rce/

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.

Leave a Comment