Home/ Blog/ Security news/ Article
Blog · Security news

Two more Joomla extensions hit the exploited list. It is the same bug, five times now.

CISA added Balbooa Forms (CVE-2026-56291) and iCagenda (CVE-2026-48939) to its exploited list on July 10, the fourth and fifth Joomla extension with the same

Row of five wall intake slots with one hanging open and faintly glowing

A single class of bug is walking through the Joomla add-on directory one extension at a time. On July 10, 2026 CISA added two more Joomla extensions to its Known Exploited Vulnerabilities catalog: Balbooa Forms and iCagenda. Both let an anonymous visitor upload a file and run it with no login. That makes five separate Joomla extensions on the exploited list inside a single month, all with the same underlying defect. The extension name keeps changing. The mistake does not, and neither should your response.

One bug class, five Joomla extensions, under 30 daysJun 15: iCagenda 0-day. Jun 16: JCE on KEV. Jun 27: Builders fixed. Jul 7: Builders on KEV. Jul 9: Balbooa fixed. Jul 10: 2 more on KEV.One bug class, five Joomla extensions, under 30 daysJun 15iCagenda 0-dayJun 16JCE on KEVJun 27Builders fixedJul 7Builders on KEVJul 9Balbooa fixedJul 102 more on KEV
Sources: CISA KEV catalog; vendor advisories; mySites.guru.

The list now reads iCagenda, JCE, SP Page Builder, Page Builder CK, and Balbooa Forms. Five widely installed add-ons, five front-end upload paths reachable with no credentials, all inside about thirty days. We wrote up the two page builders when CISA listed them on July 7, and the JCE editor flaw before that. This post is the next data point, and at five it stops being a run of bad luck and starts being a pattern worth defending against directly.

What just landed on the must-patch list

Both new flaws are unauthenticated file uploads leading to remote code execution. The National Vulnerability Database scores both at CVSS 9.8 and classes them as CWE-434, unrestricted upload of a file with a dangerous type. The CVSS vector on each lists no privileges required, so no account and no session are needed to reach them. Federal agencies have until July 13 to patch.

ItemBalbooa FormsiCagenda
CVECVE-2026-56291CVE-2026-48939
CVSS (NVD)9.89.8
AffectedUp to and including 2.4.03.2.1 to 3.9.14 and 4.0.0 to 4.0.7
Fixed in2.4.1 (July 9, 2026)3.9.15 and 4.0.8 (mid-June 2026)
Entry pointFront-end form upload fieldPublic event submission form
Added to CISA KEVJuly 10, 2026July 10, 2026
Sources: CISA KEV catalog; NVD; vendor and mySites.guru advisories.

Balbooa Forms was a true zero-day. According to researcher Phil Taylor of mySites.guru, attacks were already underway when the bug surfaced, with no patch yet available, and the vendor shipped 2.4.1 on July 9. The upload endpoint failed three ways at once: it accepted requests from any visitor, it validated no anti-forgery token, and it derived the file type straight from the caller-supplied filename before writing the result into images/baforms/uploads/. No working exploit code has been posted publicly, though the live attacks make that a minor detail.

iCagenda tells a similar story with a different twist. Its public event submission form let an anonymous user reach the processing controller regardless of the component's configuration, and that controller kept the attacker-supplied extension and wrote to images/icagenda/frontend/attachments/. mySites.guru reported the flaw was found on June 15, 2026, the same day automated attacks began, driven by automated clients that identified as icagenda-batch/1.0, posted to the form, then checked the attachments folder for the .php file each had just dropped. Fixes landed in 4.0.8 and 3.9.15 in mid-June. iCagenda sat patched for roughly three weeks before CISA confirmed the exploitation and listed it; Balbooa was listed the day after its patch shipped. Either way, the window between fix and attack was measured in hours or less.

Five extensions, one defect

Look past the vendor names and every one of these is the same shape: a file handler exposed to the front end, reachable without authentication, that trusts the filename and extension the caller provides. The page builders added their own wrinkle, treating a valid anti-CSRF token as if it were a login. iCagenda skipped an access check on the processing path that its display layer had. Balbooa checked nothing at all. Different code, different vendors, one design failure repeated: user-controlled uploads run before Joomla's own permission model gets a say.

That is the useful conclusion, and it is not a vendor problem you can patch your way out of one CVE at a time. Joomla's largest and least-watched attack surface is its extension upload paths, and someone is clearly working through them. The set of add-ons that expose an anonymous upload handler is finite. Treat the five named so far as the visible part of that set, not the whole of it.

One hunt covers the whole wave

Here is what makes this defensible without chasing each new CVE. The indicator is identical across all five and it is not tied to any single flaw: an executable file, almost always a .php, sitting inside an extension's own upload, media, or attachment directory under images/. Those folders exist to hold documents and pictures. A .php in images/baforms/uploads/ or images/icagenda/frontend/attachments/ has exactly one explanation, and it is not a feature.

So the detection is a single rule, not five: alert on the creation of any .php or other executable file anywhere under the Joomla images/ tree. That rule caught this wave and it will catch the sixth extension before its CVE has a number. Pair it with an audit of the Joomla #__users table for Super User accounts you cannot tie to a real person, since a webshell's first move is usually to mint a hidden administrator.

One correction to the obvious workaround. Disabling or unpublishing the extension is not a reliable shield here. mySites.guru reported that iCagenda's vulnerable controller answered requests regardless of whether the component was published, so turning it off in the admin panel did not close the door. Patch or remove the files; do not assume the published toggle helps.

What to do before the July 13 deadline

The fix is specific and available, so this is a today job, not a this-quarter job.

  • Inventory first. List every front-end Joomla extension on your sites that accepts uploads, not just the five in the news. That inventory is your real exposure.
  • Patch the named flaws. Update Balbooa Forms to 2.4.1 and iCagenda to 3.9.15 or 4.0.8. If you still run SP Page Builder, Page Builder CK, or JCE, confirm those fixes are in place too.
  • Hunt, do not just patch. Search every component's upload and attachment folder under images/ for .php and other executables, and audit the user table for unexplained Super Users. Both extensions were exploited inside the patch window, so assume any internet-facing site running a vulnerable build was reachable.
  • If you cannot patch at once, Balbooa's advisory suggests unpublishing public forms that accept attachments as a stopgap, but verify the handler is actually unreachable rather than trusting the toggle, given the iCagenda behavior above.

Expect a sixth name. The extensions that hand an anonymous visitor a file-upload path are a countable list, and the exploited catalog says someone is going down it. The teams that come through this clean will be the ones watching their images/ tree for files that should never appear there, not the ones refreshing the CVE feed and patching after the fact.

Topics

Frequently asked questions

What are CVE-2026-56291 and CVE-2026-48939?

Both are unauthenticated file-upload flaws in Joomla extensions that lead to remote code execution, each scored CVSS 9.8 by the National Vulnerability Database. CVE-2026-56291 is in Balbooa Forms and CVE-2026-48939 is in iCagenda. CISA added both to its Known Exploited Vulnerabilities catalog on July 10, 2026.

Which Balbooa Forms and iCagenda versions are safe?

Balbooa Forms is vulnerable up to and including 2.4.0 and fixed in 2.4.1, released July 9, 2026. iCagenda is vulnerable in 3.2.1 through 3.9.14 and 4.0.0 through 4.0.7, and fixed in 3.9.15 and 4.0.8, both released in mid-June 2026.

Are these flaws being exploited in the wild?

Yes. CISA lists both as actively exploited. Researchers at mySites.guru reported Balbooa Forms was a zero-day already under attack before a patch existed, and that iCagenda was exploited by a bot on the same day it was discovered, June 15, 2026.

How do I check if my Joomla site was already compromised?

Search each extension's upload and attachment folder under the images/ directory for any .php or executable file, which should never live there. Then audit the Joomla user table for Super User accounts you cannot tie to a real person. A new executable in a static-asset folder is a strong sign of a webshell.

Does disabling the extension protect a vulnerable Joomla site?

Not reliably. mySites.guru reported that iCagenda's vulnerable code answered requests regardless of whether the component was published, so unpublishing it in the admin panel did not close the hole. The dependable fix is to patch to a fixed version or remove the extension files.

Ready to meet the Guardians?

Deploys fast - agentless for monitoring and cloud, a lightweight agent for deep endpoint security. Just Suriq, standing watch.