Baddies caught exploiting extensions bugs with perfect 10 on vulnerable Joomla

Bender1 pts0 comments

Baddies caught exploiting extensions bugs with perfect 10 scores on vulnerable Joomla websites

Jump to main content

Search

REG AD

security

Baddies caught exploiting extensions bugs with perfect 10 scores on vulnerable Joomla websites

Flaws in iCagenda, Balbooa Forms extensions can impact open source CMS that powers a million sites worldwide

Carly Page

Carly<br>Page

Published<br>tue 14 Jul 2026 // 12:06 UTC

CISA has added two critical Joomla extension bugs to its Known Exploited Vulnerabilities catalog after attackers were caught exploiting both flaws to upload malicious code onto vulnerable websites.<br>The newly listed bugs affect iCagenda, an events calendar extension for the open source Joomla content management system, and Balbooa Forms, a popular form builder used to collect contact requests, registrations, surveys, and file uploads.<br>Joomla powers roughly 1.2 percent of all websites – around a million sites worldwide – with extensions developed by independent, third-party companies, doing much of the heavy lifting beyond the core platform.

REG AD

Both vulnerabilities carry the maximum CVSS score of 10 and allow attackers to upload arbitrary files that can ultimately be executed as PHP code on the server, handing over remote control of the affected site.

REG AD

CISA added CVE-2026-48939, affecting iCagenda, and CVE-2026-56291, affecting Balbooa Forms, to its KEV catalog this week after confirming in-the-wild exploitation. Federal civilian agencies were ordered to patch against the flaws under the agency's vulnerability management directive, but the warning is equally relevant to the wider Joomla community, given that both extensions are used on public-facing websites.<br>The iCagenda bug allows attackers to upload a malicious PHP file through the extension's attachment feature, turning what should be a simple file upload into remote code execution, CISA said.

MORE CONTEXT

Confidential computing's trust mechanism is broken. The fix may not exist

Red teamers turned Claude Desktop into a double agent to do their evil bidding

Bye-bye, Gemini CLI; Google's gone and swapped you for a closed-source AI

Want more ads on your web pages? Try the AdBoost extension

Security firm mySites.guru said it spotted attackers exploiting the iCagenda bug just hours before patched versions 4.0.8 and 3.9.15 were released in mid-June. The attacks targeted the extension's "Submit an Event" feature, which lets visitors contribute events to a site's calendar. Researchers said they observed automated scanning looking specifically for vulnerable installations before dropping web shells onto compromised servers.<br>The Balbooa Forms bug is much the same story. Researchers said the extension's frontend upload endpoint accepted files from anonymous visitors without authentication, CSRF protection, or meaningful checks on file types. That made it possible to upload a PHP file into a publicly accessible directory and execute it remotely.<br>The researchers said they uncovered the flaw while investigating an abuse report from a customer whose Joomla site was already under attack. Balbooa responded with version 2.4.1 on July 9, but researchers warned that exploitation is continuing against sites that have yet to update.<br>If there's a silver lining, it's that the fixes are already available. If there's a downside, it's that the attackers didn't wait around for release notes. ®

cybersecurity and infrastructure security agency<br>joomla<br>foss<br>security<br>vulnerability

REG AD

os platforms

Microsoft cancels Patch Tuesday for some Dell users over surprise shutdowns, overheating devices

Mega hardware vendor reports problems - but Windows maker isn't yet naming affected models

PUBLIC SECTOR

MPs fear Treasury cold feet could sink Whitehall's £1.15B shared services push

'Do as we fund, not as we do' sends 'very poor reputational signal' says damning report

Gobi X: Creating more energy for AI, not taking it from society

PARTNER CONTENT: How Envision is reversing the datacenter playbook by making computing chase abundant desert power, not the other way around

Security

LegacyHive: 'Bone-shattering' zero-day from Microsoft's serial tormentor not the haymaker that was promised

Experts say it’s a useful post-compromise tool, for those with the brain cells required to put it together

COLUMNISTS

The Star Wars cantina scene shows we need a new hope for the agentic web

'We don't serve their kind here' protects today's publishers, but won't help rebels destroy the monetization Death Stars built by Google and Meta

on-prem

AWS sustainability claims don't hold water, lawsuit alleges

Ex-staffer accuses Amazon's Virginia datacenters of quietly guzzling H20 all year round, despite 'water positive' PR push

MOST POPULAR

Security

GitHub AI agent leaks private repos when asked nicely

applications

Microsoft to switch off OWA Light after nearly two decades

software

Court tosses Microsoft's appeal in pre-owned software licenses battle

ai and ml

Even...

joomla extensions security extension upload exploiting

Related Articles