All incidents

Unauthenticated RCE Flaws Hit Joomla Extensions Balbooa, iCagenda

vulnerabilityopenJul 10, 2026 — Jul 13, 2026
Unauthenticated RCE Flaws Hit Joomla Extensions Balbooa, iCagenda

UNAUTHENTICATED remote code execution flaws affecting two popular Joomla extensions have been exploited in the wild and added to the Known Exploited Vulnerabilities catalog, prompting urgent warnings for site owners.

The Balbooa Forms extension contains CVE-2026-56291, a CVSS 10 vulnerability that permits unauthenticated file uploads leading to arbitrary PHP code execution; it impacts version 2.4.0 and earlier, and a patch was released on 9 July 2026.

The iCagenda extension is affected by CVE-2026-48939, also scored CVSS 10, which allows attackers to upload malicious files without authentication and achieve remote code execution; its developers issued a fix shortly after the flaw was disclosed in June.

Exploitation of both flaws was observed before patches were available, with the threat actor Void Arachne leveraging the upload mechanisms to drop webshells on compromised sites; CISA added CVE-2026-48939 and CVE-2026-56291 to its KEV catalogue and set a 13 July 2026 deadline for federal agencies to apply mitigations.

The addition highlights a broader trend of attackers targeting third‑party Joomla components, demonstrating how a single file upload weakness can be turned into a foothold for full system compromise across many organisations.

Administrators should update Balbooa Forms to the latest release and apply the iCagenda patch immediately, restrict allowed upload extensions to non‑executable types, review web server logs for unexpected file creation, consider disabling the extensions if they are not required and deploy a web application firewall rule that blocks requests containing suspicious file names or extensions.

Intelligence briefing updated Jul 13, 2026

CVE-2026-48939 10.0 KEV CVE-2026-56291 10.0 KEV CVE-2026-24014 9.8 CVE-2026-24013 9.1 CVE-2026-24012 7.5 Void Arachne
Root sourcewww.cisa.gov
Timeline Coverage

Swipe to explore timeline