Recent reports have identified critical security vulnerabilities in two widely used Joomla extensions: iCagenda and Balbooa Forms. These flaws are actively being exploited by attackers to gain unauthorized access to websites.
iCagenda, a popular event calendar extension for Joomla, has been found to contain a remote code execution (RCE) vulnerability, designated as CVE-2026-48939. This flaw allows unauthenticated users to upload arbitrary files to the server, potentially leading to full remote code execution. The vulnerability affects versions prior to 3.9.15 and 4.0.8. The developers have released an emergency patch with iCagenda version 4.0.8, classifying the update as a “Critical Security release” and urging all administrators to apply it immediately. ([joomlic.com](https://www.joomlic.com/news/icagenda-security-update?utm_source=openai))
Similarly, Balbooa Forms, another Joomla extension, is affected by a critical vulnerability identified as CVE-2026-56291. This flaw enables unauthenticated attackers to upload executable PHP files directly to the server, leading to full remote code execution. The vulnerability affects all versions up to and including 2.4.0. Balbooa has addressed this issue in version 2.4.1, released on July 9, 2026. ([ionix.io](https://www.ionix.io/threat-center/cve-2026-56291/?utm_source=openai))
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both CVE-2026-48939 and CVE-2026-56291 to its Known Exploited Vulnerabilities (KEV) catalog, highlighting the active exploitation of these flaws. CISA has set a remediation deadline of July 13, 2026, for federal agencies, but the risk extends to all Joomla sites utilizing these extensions. ([thecyberexpress.com](https://thecyberexpress.com/cisa-cve-2026-48939-cve-2026-56291/?utm_source=openai))
Administrators are strongly advised to update iCagenda to version 4.0.8 or later and Balbooa Forms to version 2.4.1 or later. Additionally, it’s crucial to inspect upload directories for unexpected PHP files, review recently modified PHP files, and monitor for unauthorized Joomla Super User accounts. If suspicious files are found, it’s recommended to treat the site as compromised and take appropriate remediation steps. ([howtofix.guide](https://howtofix.guide/balbooa-icagenda-cves-cisa-kev-joomla-rce/?utm_source=openai))
These incidents underscore the importance of regular updates and vigilant monitoring of third-party extensions in content management systems. As attackers increasingly target popular plugins, maintaining up-to-date software and conducting routine security audits are essential practices to safeguard websites against potential breaches.