Baddies caught exploiting extensions bugs with perfect 10 scores on vulnerable Joomla websites
Jump to main content
Search
REG AD
security
Baddies caught exploiting extensions bugs with perfect 10 scores on vulnerable Joomla websites
Flaws in iCagenda, Balbooa Forms extensions can impact open source CMS that powers a million sites worldwide
Carly Page
Carly<br>Page
Published<br>tue 14 Jul 2026 // 12:06 UTC
CISA has added two critical Joomla extension bugs to its Known Exploited Vulnerabilities catalog after attackers were caught exploiting both flaws to upload malicious code onto vulnerable websites.<br>The newly listed bugs affect iCagenda, an events calendar extension for the open source Joomla content management system, and Balbooa Forms, a popular form builder used to collect contact requests, registrations, surveys, and file uploads.<br>Joomla powers roughly 1.2 percent of all websites – around a million sites worldwide – with extensions developed by independent, third-party companies, doing much of the heavy lifting beyond the core platform.
REG AD
Both vulnerabilities carry the maximum CVSS score of 10 and allow attackers to upload arbitrary files that can ultimately be executed as PHP code on the server, handing over remote control of the affected site.
REG AD
CISA added CVE-2026-48939, affecting iCagenda, and CVE-2026-56291, affecting Balbooa Forms, to its KEV catalog this week after confirming in-the-wild exploitation. Federal civilian agencies were ordered to patch against the flaws under the agency's vulnerability management directive, but the warning is equally relevant to the wider Joomla community, given that both extensions are used on public-facing websites.<br>The iCagenda bug allows attackers to upload a malicious PHP file through the extension's attachment feature, turning what should be a simple file upload into remote code execution, CISA said.
MORE CONTEXT
Confidential computing's trust mechanism is broken. The fix may not exist
Red teamers turned Claude Desktop into a double agent to do their evil bidding
Bye-bye, Gemini CLI; Google's gone and swapped you for a closed-source AI
Want more ads on your web pages? Try the AdBoost extension
Security firm mySites.guru said it spotted attackers exploiting the iCagenda bug just hours before patched versions 4.0.8 and 3.9.15 were released in mid-June. The attacks targeted the extension's "Submit an Event" feature, which lets visitors contribute events to a site's calendar. Researchers said they observed automated scanning looking specifically for vulnerable installations before dropping web shells onto compromised servers.<br>The Balbooa Forms bug is much the same story. Researchers said the extension's frontend upload endpoint accepted files from anonymous visitors without authentication, CSRF protection, or meaningful checks on file types. That made it possible to upload a PHP file into a publicly accessible directory and execute it remotely.<br>The researchers said they uncovered the flaw while investigating an abuse report from a customer whose Joomla site was already under attack. Balbooa responded with version 2.4.1 on July 9, but researchers warned that exploitation is continuing against sites that have yet to update.<br>If there's a silver lining, it's that the fixes are already available. If there's a downside, it's that the attackers didn't wait around for release notes. ®
cybersecurity and infrastructure security agency<br>joomla<br>foss<br>security<br>vulnerability
REG AD
os platforms
Microsoft cancels Patch Tuesday for some Dell users over surprise shutdowns, overheating devices
Mega hardware vendor reports problems - but Windows maker isn't yet naming affected models
PUBLIC SECTOR
MPs fear Treasury cold feet could sink Whitehall's £1.15B shared services push
'Do as we fund, not as we do' sends 'very poor reputational signal' says damning report
Gobi X: Creating more energy for AI, not taking it from society
PARTNER CONTENT: How Envision is reversing the datacenter playbook by making computing chase abundant desert power, not the other way around
Security
LegacyHive: 'Bone-shattering' zero-day from Microsoft's serial tormentor not the haymaker that was promised
Experts say it’s a useful post-compromise tool, for those with the brain cells required to put it together
COLUMNISTS
The Star Wars cantina scene shows we need a new hope for the agentic web
'We don't serve their kind here' protects today's publishers, but won't help rebels destroy the monetization Death Stars built by Google and Meta
on-prem
AWS sustainability claims don't hold water, lawsuit alleges
Ex-staffer accuses Amazon's Virginia datacenters of quietly guzzling H20 all year round, despite 'water positive' PR push
MOST POPULAR
Security
GitHub AI agent leaks private repos when asked nicely
applications
Microsoft to switch off OWA Light after nearly two decades
software
Court tosses Microsoft's appeal in pre-owned software licenses battle
ai and ml
Even...