www.securityweek.com 7/13/2026, 9:51:53 AM · external

Unauthenticated RCE Flaws Hit Joomla Extensions Balbooa, iCagenda

Unauthenticated RCE Flaws Hit Joomla Extensions Balbooa, iCagenda
Developing story vulnerability 10 articles tracked
Unauthenticated RCE Flaws Hit Joomla Extensions Balbooa, iCagenda
CyberSIXT Evidence Panel
Primary Source cisa.gov
CISA KEV Listed in KEV
Patch Patch Available

RECENT vulnerabilities affecting Joomla extensions Balbooa Forms and iCagenda have been exploited by threat actors, allowing unauthenticated remote code execution (RCE). The Balbooa flaw (CVE-2026-56291) enables file uploads without authentication, with a CVSS score of 10, and affects versions 2.4.0 and earlier. Although patches were released for Balbooa on July 9, active exploitation was noted prior.

Similarly, the iCagenda extension (CVE-2026-48939), found vulnerable in June, also permits RCE through unauthorized file uploads. Patches were issued by its developers shortly after discovery, and both vulnerabilities have been added to CISA's Known Exploited Vulnerabilities catalog, prompting urgent remediation recommendations for federal agencies and all organizations.

View Primary Source Via www.securityweek.com

Article by CyberSIXT

Timeline Coverage

Swipe to explore timeline