Overview
- Two Joomla extensions—iCagenda (CVE-2026-48939) and Balbooa Forms (CVE-2026-56291)—contain arbitrary-file-upload bugs that allow anonymous users to upload PHP files and run code on the web server.
- iCagenda was observed exploited as a zero-day beginning June 15th, and Balbooa Forms was seen live in attacks on July 8, with vendors issuing fixes in iCagenda 4.0.8/3.9.15 and Balbooa Forms 2.4.1.
- The U.S. Cybersecurity and Infrastructure Security Agency added both CVEs to its Known Exploited Vulnerabilities list and set a rapid remediation expectation for federal agencies with a July 13 deadline.
- mySites.guru published indicators of compromise and practical checks, including scanning upload folders for unexpected PHP files, auditing Joomla admin accounts, and reviewing recently modified PHP pages.
- Australia’s ACSC says these flaws fit a global campaign that scans CMS plugins to drop web shells, a practice that speeds data theft and persistent access and may grow faster as attackers use automation and AI.