Critical Joomla Extension Vulnerabilities Actively Exploited

Critical Joomla extension vulnerabilities diagram, iCagenda and Balbooa Forms exploit overview

Immediate Threat to Joomla Websites

Two critical vulnerabilities in Joomla’s iCagenda and Balbooa Forms extensions face active exploitation. Furthermore, cybercriminals launched these attacks before developers could issue patches. Both flaws permit attackers to upload malicious PHP files seamlessly. Consequently, hackers execute arbitrary code on servers without any user authentication. The Cybersecurity and Infrastructure Security Agency (CISA) added two known exploited vulnerabilities to its catalog, specifically highlighting CVE-2026-48939 and CVE-2026-56291. Notably, each defect commands a maximum severity rating of 10 out of 10.

Breakdown of the iCagenda Vulnerability

The first flaw, CVE-2026-48939, severely impacts the iCagenda calendar extension. Specifically, the danger resides within the “Suggest Event” form. This feature normally allows visitors to submit new activities. However, the attachment mechanism fails to scrutinize uploaded files adequately. Therefore, an attacker easily plants a rogue PHP script inside a public directory and executes it.

Automated Attacks in the Wild

Experts from mySites.guru detected automated strikes against iCagenda installations as early as June 15, 2026. A scanner, identified simply as “icagenda-batch/1.0”, systematically acquired a security token. Afterward, it transmitted a harmful payload via the submission form. Finally, the program accessed the newly established command shell at a predictable path.

Mitigation for iCagenda Users

This weakness affects iCagenda version 4.0.7 and earlier releases. Additionally, it compromises the legacy branch from 3.2.1 through 3.9.14. Fortunately, developers eliminated the issue in versions 4.0.8 and 3.9.15. Site administrators should immediately inspect the “images/icagenda/frontend/attachments/” directory. Ultimately, you must delete any unidentified PHP files found there.

Analyzing the Balbooa Forms Exploit

The second vulnerability, designated CVE-2026-56291, resides within Balbooa Forms version 2.4.0 and older. This extension previously accepted attachments from any unauthenticated visitor. Moreover, it completely bypassed security tokens and file type verification. As a result, malicious actors uploaded PHP scripts into public folders freely. Thus, they executed arbitrary commands directly on the host server.

Detection and Resolution

MySites.guru initially uncovered this issue on July 8, 2026, following a client website compromise. Subsequently, the developers integrated a comprehensive fix into Balbooa Forms version 2.4.1. Webmasters must thoroughly examine the “images/baforms/uploads” folder immediately. Furthermore, you should review the Joomla user roster and recently modified PHP files. Above all, pay special attention to any unfamiliar accounts possessing administrative privileges.

Urgent Call to Action

Federal civilian agencies in the United States must apply these updates by July 13, 2026. Similarly, private Joomla site owners should expedite their patching schedules. Delaying these updates poses immense risks. After all, threat actors already leverage both vulnerabilities in live campaigns.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Leave a Reply