THE U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added vulnerabilities in iCagenda and Balbooa Forms to its Known Exploited Vulnerabilities (KEV) catalog. These include CVE-2026-48939, which involves unrestricted file upload allowing for PHP code execution in iCagenda, and CVE-2026-56291, which permits unauthenticated file uploads in Balbooa Forms, enabling remote code execution (RCE).
CISA mandates that federal agencies remediate these vulnerabilities by July 13, 2026, and advises private organizations to also address these issues in their systems.