Threat actors are actively exploiting two critical vulnerabilities in popular Joomla extensions, prompting CISA to add both flaws to its Known Exploited Vulnerabilities (KEV) catalog and order federal agencies to patch within three days.

The first vulnerability, tracked as CVE-2026-56291 (CVSS 10), affects the Balbooa Forms extension. It is an unauthenticated arbitrary file upload flaw in the extension’s frontend attachment upload endpoint, allowing attackers to upload malicious files without any credentials. Balbooa released version 2.4.1 on July 9 to patch the issue, but researchers observed the flaw being exploited in the wild as a zero-day before the fix was available. All websites running Balbooa Forms 2.4.0 or earlier are affected.

The second vulnerability, CVE-2026-48939 (also CVSS 10), impacts the iCagenda extension for Joomla. Discovered in June, the flaw resides in iCagenda’s file attachment feature and similarly enables unauthenticated arbitrary file upload. In both cases, attackers can upload PHP code to a vulnerable site and achieve full remote code execution without authentication.

Exploitation Timeline

JoomliC, the developer of iCagenda, reported observing exploitation of CVE-2026-48939 in the wild starting June 15. The vendor moved quickly, releasing patched versions 4.0.8 and 3.9.15 on June 15 and 16.

On July 10, CISA added both the Balbooa and iCagenda vulnerabilities to its KEV catalog, invoking Binding Operational Directive (BOD) 26-04 guidance that requires federal civilian agencies to remediate known exploited vulnerabilities within a tight window, in this case three days.

What Administrators Should Do

While BOD 26-04 formally applies only to US federal agencies, CISA and security researchers recommend that all organizations running these extensions take immediate action.

  • Update Balbooa Forms to version 2.4.1 or later
  • Update iCagenda to version 4.0.8 or 3.9.15, depending on the branch in use
  • Review server logs for signs of unauthorized file uploads or webshell activity predating the patch
  • Consult CISA’s KEV catalog regularly to prioritize remediation of actively exploited flaws

Given the maximum severity scores, unauthenticated attack vector, and confirmed in-the-wild exploitation as zero-days, organizations running unpatched versions of either extension should treat this as an urgent remediation priority.