CISA warns of actively exploited RCE flaws in Joomla extensions
CISA has issued a warning about actively exploited remote code execution (RCE) vulnerabilities in two Joomla extensions: iCagenda and Balbooa Forms. These vulnerabilities allow attackers to upload arbitrary files, including executable PHP scripts, leading to full website compromise. The iCagenda flaw (CVE-2026-48939) affects the file attachment feature, while the Balbooa Forms flaw (CVE-2026-56291) affects the file upload functionality in contact forms. Both vulnerabilities were exploited in the wild before patches were released. Fixes are available in iCagenda versions 4.0.8 and 3.9.15, and Balbooa Forms version 2.4.1. CISA has mandated rapid patching for federal agencies due to the critical nature of these flaws.
AI Analysis
Technical Summary
Two critical remote code execution vulnerabilities in Joomla extensions iCagenda and Balbooa Forms have been actively exploited by attackers. CVE-2026-48939 in iCagenda allows arbitrary file uploads via the file attachment feature, enabling PHP code execution and full site compromise. CVE-2026-56291 in Balbooa Forms permits dangerous file uploads through its drag-and-drop form builder, also leading to RCE and website takeover. Both vulnerabilities were exploited in automated attacks prior to vendor patch releases. iCagenda patches were released in versions 4.0.8 and 3.9.15, and Balbooa Forms patch in version 2.4.1. CISA has classified these as maximum priority vulnerabilities and ordered immediate remediation.
Potential Impact
Successful exploitation of these vulnerabilities enables attackers to upload arbitrary executable files, including PHP scripts, resulting in remote code execution. This can lead to data theft, installation of web shells, and complete compromise of affected Joomla websites. The flaws were actively exploited in the wild before patches were available, increasing the risk of widespread attacks and website takeovers.
Mitigation Recommendations
Patches addressing these vulnerabilities are available: iCagenda versions 4.0.8 and 3.9.15, and Balbooa Forms version 2.4.1. Website administrators should immediately update to these fixed versions. CISA has mandated federal agencies to apply these updates or mitigations within three days of the advisory. No alternative mitigations are specified; applying the official patches is the recommended course of action.
CISA warns of actively exploited RCE flaws in Joomla extensions
Description
CISA has issued a warning about actively exploited remote code execution (RCE) vulnerabilities in two Joomla extensions: iCagenda and Balbooa Forms. These vulnerabilities allow attackers to upload arbitrary files, including executable PHP scripts, leading to full website compromise. The iCagenda flaw (CVE-2026-48939) affects the file attachment feature, while the Balbooa Forms flaw (CVE-2026-56291) affects the file upload functionality in contact forms. Both vulnerabilities were exploited in the wild before patches were released. Fixes are available in iCagenda versions 4.0.8 and 3.9.15, and Balbooa Forms version 2.4.1. CISA has mandated rapid patching for federal agencies due to the critical nature of these flaws.
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Two critical remote code execution vulnerabilities in Joomla extensions iCagenda and Balbooa Forms have been actively exploited by attackers. CVE-2026-48939 in iCagenda allows arbitrary file uploads via the file attachment feature, enabling PHP code execution and full site compromise. CVE-2026-56291 in Balbooa Forms permits dangerous file uploads through its drag-and-drop form builder, also leading to RCE and website takeover. Both vulnerabilities were exploited in automated attacks prior to vendor patch releases. iCagenda patches were released in versions 4.0.8 and 3.9.15, and Balbooa Forms patch in version 2.4.1. CISA has classified these as maximum priority vulnerabilities and ordered immediate remediation.
Potential Impact
Successful exploitation of these vulnerabilities enables attackers to upload arbitrary executable files, including PHP scripts, resulting in remote code execution. This can lead to data theft, installation of web shells, and complete compromise of affected Joomla websites. The flaws were actively exploited in the wild before patches were available, increasing the risk of widespread attacks and website takeovers.
Mitigation Recommendations
Patches addressing these vulnerabilities are available: iCagenda versions 4.0.8 and 3.9.15, and Balbooa Forms version 2.4.1. Website administrators should immediately update to these fixed versions. CISA has mandated federal agencies to apply these updates or mitigations within three days of the advisory. No alternative mitigations are specified; applying the official patches is the recommended course of action.
Technical Details
- Article Source
- {"url":"https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-rce-flaws-in-joomla-extensions/","fetched":true,"fetchedAt":"2026-07-13T15:47:39.639Z","wordCount":678}
Threat ID: 6a55089b68715ace4361c5c8
Added to database: 07/13/2026, 15:47:39 UTC
Last enriched: 07/13/2026, 15:47:54 UTC
Last updated: 07/13/2026, 19:06:23 UTC
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.