Particle.news

Critical Joomla Extension Flaws Exploited for Remote Code Execution

They let unauthenticated attackers upload PHP web shells that give remote control of vulnerable sites and expose data to theft.

Overview

  • Two Joomla extensions—iCagenda (CVE-2026-48939) and Balbooa Forms (CVE-2026-56291)—contain arbitrary-file-upload bugs that allow anonymous users to upload PHP files and run code on the web server.
  • iCagenda was observed exploited as a zero-day beginning June 15th, and Balbooa Forms was seen live in attacks on July 8, with vendors issuing fixes in iCagenda 4.0.8/3.9.15 and Balbooa Forms 2.4.1.
  • The U.S. Cybersecurity and Infrastructure Security Agency added both CVEs to its Known Exploited Vulnerabilities list and set a rapid remediation expectation for federal agencies with a July 13 deadline.
  • mySites.guru published indicators of compromise and practical checks, including scanning upload folders for unexpected PHP files, auditing Joomla admin accounts, and reviewing recently modified PHP pages.
  • Australia’s ACSC says these flaws fit a global campaign that scans CMS plugins to drop web shells, a practice that speeds data theft and persistent access and may grow faster as attackers use automation and AI.