RECENT vulnerabilities affecting Joomla extensions Balbooa Forms and iCagenda have been exploited by threat actors, allowing unauthenticated remote code execution (RCE). The Balbooa flaw (CVE-2026-56291) enables file uploads without authentication, with a CVSS score of 10, and affects versions 2.4.0 and earlier. Although patches were released for Balbooa on July 9, active exploitation was noted prior.
Similarly, the iCagenda extension (CVE-2026-48939), found vulnerable in June, also permits RCE through unauthorized file uploads. Patches were issued by its developers shortly after discovery, and both vulnerabilities have been added to CISA's Known Exploited Vulnerabilities catalog, prompting urgent remediation recommendations for federal agencies and all organizations.