A single class of bug is walking through the Joomla add-on directory one extension at a time. On July 10, 2026 CISA added two more Joomla extensions to its Known Exploited Vulnerabilities catalog: Balbooa Forms and iCagenda. Both let an anonymous visitor upload a file and run it with no login. That makes five separate Joomla extensions on the exploited list inside a single month, all with the same underlying defect. The extension name keeps changing. The mistake does not, and neither should your response.
The list now reads iCagenda, JCE, SP Page Builder, Page Builder CK, and Balbooa Forms. Five widely installed add-ons, five front-end upload paths reachable with no credentials, all inside about thirty days. We wrote up the two page builders when CISA listed them on July 7, and the JCE editor flaw before that. This post is the next data point, and at five it stops being a run of bad luck and starts being a pattern worth defending against directly.
What just landed on the must-patch list
Both new flaws are unauthenticated file uploads leading to remote code execution. The National Vulnerability Database scores both at CVSS 9.8 and classes them as CWE-434, unrestricted upload of a file with a dangerous type. The CVSS vector on each lists no privileges required, so no account and no session are needed to reach them. Federal agencies have until July 13 to patch.
| Item | Balbooa Forms | iCagenda |
|---|---|---|
| CVE | CVE-2026-56291 | CVE-2026-48939 |
| CVSS (NVD) | 9.8 | 9.8 |
| Affected | Up to and including 2.4.0 | 3.2.1 to 3.9.14 and 4.0.0 to 4.0.7 |
| Fixed in | 2.4.1 (July 9, 2026) | 3.9.15 and 4.0.8 (mid-June 2026) |
| Entry point | Front-end form upload field | Public event submission form |
| Added to CISA KEV | July 10, 2026 | July 10, 2026 |
Balbooa Forms was a true zero-day. According to researcher Phil Taylor of mySites.guru, attacks were already underway when the bug surfaced, with no patch yet available, and the vendor shipped 2.4.1 on July 9. The upload endpoint failed three ways at once: it accepted requests from any visitor, it validated no anti-forgery token, and it derived the file type straight from the caller-supplied filename before writing the result into images/baforms/uploads/. No working exploit code has been posted publicly, though the live attacks make that a minor detail.
iCagenda tells a similar story with a different twist. Its public event submission form let an anonymous user reach the processing controller regardless of the component's configuration, and that controller kept the attacker-supplied extension and wrote to images/icagenda/frontend/attachments/. mySites.guru reported the flaw was found on June 15, 2026, the same day automated attacks began, driven by automated clients that identified as icagenda-batch/1.0, posted to the form, then checked the attachments folder for the .php file each had just dropped. Fixes landed in 4.0.8 and 3.9.15 in mid-June. iCagenda sat patched for roughly three weeks before CISA confirmed the exploitation and listed it; Balbooa was listed the day after its patch shipped. Either way, the window between fix and attack was measured in hours or less.
Five extensions, one defect
Look past the vendor names and every one of these is the same shape: a file handler exposed to the front end, reachable without authentication, that trusts the filename and extension the caller provides. The page builders added their own wrinkle, treating a valid anti-CSRF token as if it were a login. iCagenda skipped an access check on the processing path that its display layer had. Balbooa checked nothing at all. Different code, different vendors, one design failure repeated: user-controlled uploads run before Joomla's own permission model gets a say.
That is the useful conclusion, and it is not a vendor problem you can patch your way out of one CVE at a time. Joomla's largest and least-watched attack surface is its extension upload paths, and someone is clearly working through them. The set of add-ons that expose an anonymous upload handler is finite. Treat the five named so far as the visible part of that set, not the whole of it.
One hunt covers the whole wave
Here is what makes this defensible without chasing each new CVE. The indicator is identical across all five and it is not tied to any single flaw: an executable file, almost always a .php, sitting inside an extension's own upload, media, or attachment directory under images/. Those folders exist to hold documents and pictures. A .php in images/baforms/uploads/ or images/icagenda/frontend/attachments/ has exactly one explanation, and it is not a feature.
So the detection is a single rule, not five: alert on the creation of any .php or other executable file anywhere under the Joomla images/ tree. That rule caught this wave and it will catch the sixth extension before its CVE has a number. Pair it with an audit of the Joomla #__users table for Super User accounts you cannot tie to a real person, since a webshell's first move is usually to mint a hidden administrator.
One correction to the obvious workaround. Disabling or unpublishing the extension is not a reliable shield here. mySites.guru reported that iCagenda's vulnerable controller answered requests regardless of whether the component was published, so turning it off in the admin panel did not close the door. Patch or remove the files; do not assume the published toggle helps.
What to do before the July 13 deadline
The fix is specific and available, so this is a today job, not a this-quarter job.
- Inventory first. List every front-end Joomla extension on your sites that accepts uploads, not just the five in the news. That inventory is your real exposure.
- Patch the named flaws. Update Balbooa Forms to 2.4.1 and iCagenda to 3.9.15 or 4.0.8. If you still run SP Page Builder, Page Builder CK, or JCE, confirm those fixes are in place too.
- Hunt, do not just patch. Search every component's upload and attachment folder under
images/for.phpand other executables, and audit the user table for unexplained Super Users. Both extensions were exploited inside the patch window, so assume any internet-facing site running a vulnerable build was reachable. - If you cannot patch at once, Balbooa's advisory suggests unpublishing public forms that accept attachments as a stopgap, but verify the handler is actually unreachable rather than trusting the toggle, given the iCagenda behavior above.
Expect a sixth name. The extensions that hand an anonymous visitor a file-upload path are a countable list, and the exploited catalog says someone is going down it. The teams that come through this clean will be the ones watching their images/ tree for files that should never appear there, not the ones refreshing the CVE feed and patching after the fact.