CISA Warns of Actively Exploited RCE Flaws in Joomla Extensions
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) has issued a critical warning regarding actively exploited vulnerabilities in two popular **Joomla** extensions: **iCagenda** and **Balbooa Forms**. These flaws allow attackers to achieve remote code execution (RCE) through arbitrary file uploads, posing a significant risk to affected websites.
The **CISA** has categorized these vulnerabilities with maximum priority, mandating federal agencies to apply security updates and mitigations within three days.
### Critical Flaws in Joomla Extensions
The first vulnerability, tracked as **CVE-2026-48939**, affects the **iCagenda** extension, used for event scheduling and calendar creation. This arbitrary file upload flaw enables attackers to upload dangerous file types, including PHP scripts, to the web server. Such an exploit can lead to data theft, installation of web shells, and ultimately, complete website compromise via RCE.
**CISA** explicitly states in its Known Exploited Vulnerabilities (**KEV**) catalog that "**iCagenda** contains an unrestricted upload of file with dangerous type vulnerability that allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution."
The second critical flaw, **CVE-2026-56291**, is an arbitrary file upload issue within the **Balbooa Forms** extension. This popular drag-and-drop form builder, which includes file upload functionality, can be abused by attackers to upload executable files. This directly facilitates RCE and a full website takeover.
### In-the-Wild Exploitation
According to **mySites.guru**, a website management and security platform, both vulnerabilities were exploited in automated attacks even before patches were available. Attacks leveraging **CVE-2026-48939** in **iCagenda** were observed just hours before the release of version 4.0.8, which contained the fix.
Even more concerning, **CVE-2026-56291** in **Balbooa Forms** was exploited as a zero-day, with attacks detected as early as July 8, a full day before the vendor released its fix.
### Immediate Action Required
Website administrators managing **Joomla** sites are urged to immediately check for the presence of **iCagenda** and **Balbooa Forms** extensions. Patches are available:
* **iCagenda**: Fixed in versions 4.0.8 and 3.9.15, released on June 15-16.
* **Balbooa Forms**: Fixed in version 2.4.1, released on July 9.
Applying these updates is crucial to protect assets from ongoing exploitation attempts.