general · BleepingComputer
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two actively exploited remote code execution vulnerabilities to its Known Exploited Vulnerabilities catalog. CVE-2026-48939 affects the iCagenda extension for Joomla (a content management system), allowing attackers to upload arbitrary files including PHP scripts through an unrestricted file upload flaw in the event registration and calendar feature. CVE-2026-56291 affects the Balbooa Forms extension, a drag-and-drop form builder, and similarly permits upload of dangerous file types. According to reports, both flaws were exploited in automated attacks before patches became available; iCagenda was attacked hours before version 4.0.8 released, and Balbooa Forms was exploited as a zero-day starting July 8, one day before the vendor released version 2.4.1.
Organizations relying on Joomla sites—particularly those in regulated sectors hosting sensitive data—should treat this as urgent. Website administrators managing Joomla deployments need immediate visibility into whether iCagenda or Balbooa Forms extensions are installed and must prioritize patching. For SaaS vendors and managed service providers supporting Joomla customers, this reinforces the importance of inventory controls and timely patch deployment frameworks aligned with SOC 2 requirements. For healthcare and fintech organizations with customer-facing Joomla instances, exploitation could expose PHI, PCI data, or other regulated information; an Omniware engagement can scope the risk posture and remediation timeline for your specific environment.
Source: BleepingComputer - https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-rce-flaws-in-joomla-extensions/
Source: BleepingComputer
All briefings