Critical file-upload flaws in Joomla extensions exploited

Attackers used file-upload bugs in Balbooa Forms and iCagenda to upload PHP web shells and execute code. Vendors issued patches and CISA added both CVEs to KEV with a three-day deadline.
Attackers have exploited file-upload vulnerabilities in two Joomla extensions, Balbooa Forms and iCagenda, to upload PHP web shells and gain remote code execution on affected sites. Vendors released patches after researchers and developers observed exploitation in the wild.
Both flaws are unauthenticated arbitrary file-upload issues in the extensions’ attachment features. An attacker can place executable PHP code on a vulnerable site via a public upload endpoint and run commands on the web server hosting the Joomla site.
The Balbooa Forms issue is tracked as CVE-2026-56291 and carries a CVSS score of 10. Balbooa released version 2.4.1 on July 9 to address the defect; installations running version 2.4.0 or earlier remain vulnerable until updated. The iCagenda vulnerability is tracked as CVE-2026-48939 and is also rated 10. JoomliC released iCagenda versions 4.0.8 and 3.9.15 on June 15–16 after observing exploitation on June 15.
On July 10 the U.S. Cybersecurity and Infrastructure Security Agency added both CVEs to its Known Exploited Vulnerabilities catalog. Under Binding Operational Directive 26-04, CISA directed federal civilian agencies to apply patches within three days. The KEV listing reflects observed exploitation and the high severity of the defects.
Administrators who cannot immediately install vendor updates were advised to disable the affected extensions, block or restrict attachment uploads at the web server or application firewall level, and implement rules to prevent execution of uploaded files. Indicators of compromise to look for include unexpected PHP files in upload directories, newly created administrator accounts, and suspicious web requests in server logs. Sites suspected of compromise should have backup integrity checked and may require restoration from clean backups.
Joomla extensions run with the web server’s privileges, so vulnerabilities in them can expose site content and underlying infrastructure. Administrators should verify extension versions against vendor advisories and apply the provided patches. Federal systems must follow the three-day remediation timeline; other organizations were advised to prioritize patching or mitigations to reduce exposure.








