Critical Joomla Extensions Flaws Exploited in Active Attacks

Two critical vulnerabilities have been identified in popular Joomla extensions, iCagenda and Balbooa Forms, both of which are actively being exploited in the wild. These flaws allow unauthenticated attackers to upload arbitrary files, leading to remote code execution (RCE) and full control over affected web servers.

Details of the Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, assigning each a maximum severity score of 10.0 on the CVSS scale. The specific vulnerabilities are:

  • CVE-2026-48939: A flaw in the iCagenda extension that permits arbitrary file uploads via the file attachment feature, enabling PHP code execution.
  • CVE-2026-56291: A vulnerability in the Balbooa Forms extension that allows unauthenticated file uploads, leading to remote code execution.

These vulnerabilities affect the following versions:

  • iCagenda: Versions up to and including 4.0.7, and legacy versions from 3.2.1 to 3.9.14.
  • Balbooa Forms: Versions up to and including 2.4.0.

Active Exploitation and Mitigation

Reports indicate that these vulnerabilities have been exploited as zero-days since mid-June 2026. Attackers have been using automated scanners to identify vulnerable Joomla sites, uploading malicious PHP files to gain control over the servers. The exploitation involves leveraging the file attachment features in these extensions to upload web shells, which are then executed to compromise the system.

In response, the developers have released patches to address these issues:

  • iCagenda: Version 4.0.8 and 3.9.15 have been released to fix the vulnerability. Site administrators are advised to update immediately and check the “images/icagenda/frontend/attachments/” directory for any suspicious PHP files.
  • Balbooa Forms: Version 2.4.1 addresses the flaw. Administrators should update to this version and inspect the “images/baforms/uploads” directory for unauthorized files.

Additionally, administrators should review their Joomla user lists for any unauthorized administrator accounts and audit their sites for recently modified or unfamiliar PHP files.

Broader Implications

These incidents underscore the critical importance of timely software updates and vigilant monitoring of web applications. Content Management Systems (CMS) like Joomla are frequent targets due to their widespread use and the potential access they provide to underlying server resources. The active exploitation of these vulnerabilities highlights the need for robust security practices, including regular patching, monitoring for unauthorized changes, and implementing strict access controls.

Organizations using Joomla should prioritize these updates and consider conducting comprehensive security audits to identify and mitigate potential risks. The rapid exploitation of these flaws serves as a stark reminder of the evolving threat landscape and the necessity for proactive defense measures.