CISA Warns Hackers Are Exploiting iCagenda and Balbooa Forms on Joomla Sites


CISA is warning organizations to patch two critical Joomla extension vulnerabilities that attackers are actively exploiting to upload malicious files and execute code on vulnerable websites.

The flaws affect the iCagenda event management extension and the Balbooa Forms form builder. Both security issues can let remote attackers place executable PHP files on affected servers, potentially giving them full control of a Joomla site.

The agency added CVE-2026-48939 and CVE-2026-56291 to its Known Exploited Vulnerabilities warning on July 10, 2026. Federal agencies received a July 13 deadline to apply vendor fixes, follow required forensic procedures, or stop using affected products when mitigations are unavailable.

Two Joomla extension flaws are under active attack

Both vulnerabilities involve unsafe file-upload features. A vulnerable extension accepts a file from an external user without properly checking whether the file contains executable code.

An attacker can exploit this weakness to upload a PHP web shell into a directory that the web server can access. The attacker can then request the uploaded file through a browser and run commands with the permissions assigned to the website.

CISA has confirmed evidence of active exploitation for both flaws. The agency has not linked either vulnerability to a named threat group, and it lists their use in ransomware campaigns as unknown.

VulnerabilityAffected extensionAffected versionsFixed versionPotential impact
CVE-2026-48939iCagenda3.2.1 to 3.9.14 and 4.0.0 to 4.0.73.9.15 or 4.0.8Unauthorized uploads and PHP code execution on Joomla 6
CVE-2026-56291Balbooa FormsVersions up to and including 2.4.02.4.1Unauthenticated file upload and remote code execution

CVE-2026-48939 affects the iCagenda event extension

iCagenda provides calendars and event management features for Joomla websites. The vulnerable code appears in the frontend event submission process, which can accept file attachments from website visitors.

The CVE-2026-48939 vulnerability record states that the flaw allows arbitrary files to be uploaded through the attachment feature, ultimately leading to PHP code upload and execution.

The issue received a maximum CVSS 4.0 score of 10.0. Exploitation requires no account, no user interaction, and no special attack conditions.

Affected releases include:

  • iCagenda 3.2.1 through 3.9.14
  • iCagenda 4.0.0 through 4.0.7

Users on the current branch should install iCagenda 4.0.8 or later. Sites using the older 3.x branch should install version 3.9.15 or later.

iCagenda remote code execution primarily affects Joomla 6

The practical impact of CVE-2026-48939 depends partly on the Joomla version running beneath the extension.

According to the technical analysis of the iCagenda zero-day, the complete upload-to-web-shell chain works on Joomla 6. Earlier Joomla versions block the dangerous file type through core upload protections.

However, administrators using Joomla 2.5, 3, 4, or 5 should still update iCagenda. A related authorization flaw in the event submission process can allow an unauthenticated visitor to create unapproved events on those versions.

Joomla versionReported iCagenda impact
Joomla 6Unauthenticated PHP file upload and remote code execution
Joomla 2.5, 3, 4, and 5Core protections block the PHP upload, but the event submission access-control bypass remains

Unpublishing the extension or hiding its event submission page does not reliably close the vulnerability. Attackers can send requests directly to the affected processing endpoint.

Researchers saw automated iCagenda attacks before a patch existed

The vulnerability came to light after researchers examined access logs from an actively attacked Joomla website.

The malicious requests used the user agent icagenda-batch/1.0. The sequence collected a session token, submitted a malicious attachment, and then requested the uploaded file from the directory where iCagenda stored frontend attachments.

The researchers reproduced the behavior on a clean Joomla 6 installation using iCagenda 4.0.7. They privately reported the flaw to the developer, which released version 4.0.8 on June 15, 2026. Version 3.9.15 followed on June 16.

Administrators should look for unfamiliar files in this directory:

images/icagenda/frontend/attachments/

That folder should not contain PHP files or other executable scripts. The presence of an unexpected executable file should trigger a full incident investigation.

CVE-2026-56291 affects Balbooa Forms

Balbooa Forms is a Joomla form builder used for contact forms, registration pages, surveys, and other public data collection features.

The CVE-2026-56291 security record describes an unauthenticated arbitrary file-upload vulnerability that can lead to full remote code execution.

The flaw affects Balbooa Forms versions from 1.0 through 2.4.0. Balbooa fixed the vulnerability in version 2.4.1, released on July 9, 2026.

The vulnerable upload handler failed to enforce several important security controls:

  • It did not require the visitor to sign in.
  • It did not require a valid cross-site request forgery token.
  • It did not restrict uploads to an approved list of file extensions.
  • It trusted the filename supplied by the visitor.
  • It stored uploaded files in a web-accessible directory.

This combination allowed an attacker to upload a file with a .php extension and then execute it through the affected website.

Balbooa fixed the vulnerability in version 2.4.1

The vulnerability was discovered after a hosting provider reported suspicious activity coming from a Joomla website. Researchers reviewed the server logs and traced the behavior to the Balbooa Forms upload handler.

The Balbooa Forms vulnerability investigation found that attackers were exploiting the flaw before a security update existed.

Balbooa responded to the private disclosure and released version 2.4.1 the following day. The update adds several layers of protection, including file-extension restrictions, server-generated filenames, MIME-type checks, and token validation.

Administrators should inspect the following default upload location for unexpected files:

images/baforms/uploads/

A legitimate form upload directory may contain images and documents. It should not contain PHP scripts, unfamiliar archives, or files with misleading double extensions.

What attackers can do after uploading a web shell

A web shell gives an attacker a remote interface for issuing commands on the compromised server. The available access depends on the server configuration and the privileges of the web application process.

Even limited web server access can expose Joomla configuration files, database credentials, user records, email addresses, and authentication secrets.

An attacker may use a web shell to:

  • Read or modify Joomla configuration files.
  • Steal database usernames and passwords.
  • Create hidden Joomla administrator accounts.
  • Change website content or redirect visitors.
  • Insert malicious JavaScript into pages.
  • Deploy phishing pages or malware downloads.
  • Access customer or form submission data.
  • Install additional backdoors and scheduled tasks.
  • Send spam from the compromised server.
  • Use the website to attack other systems.

Attackers may also delete the original uploaded file after installing a more discreet persistence mechanism. Finding no obvious web shell does not prove that a previously vulnerable site remains clean.

CISA set a short federal remediation deadline

CISA added both vulnerabilities to the KEV Catalog on July 10 and set July 13 as the required action date for affected Federal Civilian Executive Branch agencies.

The unusually short deadline reflects the flawsโ€™ internet exposure, active exploitation, automated attack potential, and ability to provide complete control of a vulnerable server.

Under CISAโ€™s Joomla extension alert, agencies must follow vendor instructions and comply with Binding Operational Directive 26-04. The directive uses internet exposure and exploitation risk to determine remediation priority.

The federal requirement does not directly apply to most private organizations. However, CISA recommends that all organizations use the KEV Catalog when prioritizing vulnerability remediation.

Updating the extensions may not remove an existing attacker

Installing the latest extension version prevents new attempts from exploiting the known upload flaw. It does not delete files, accounts, or backdoors that an attacker created before the update.

Administrators should therefore combine patching with forensic checks. A site that ran a vulnerable version while connected to the internet should be treated as potentially compromised.

Security teams should review:

  • Recently created or modified PHP files
  • Executable files inside image and upload directories
  • Unexpected Joomla Super User accounts
  • Changes to templates, plugins, and system files
  • New scheduled tasks or cron jobs
  • Modified .htaccess files
  • Unknown database users or altered account privileges
  • Outbound connections to unfamiliar servers
  • Large data transfers or unexpected archive files
  • Access log entries targeting extension upload handlers

How to protect an iCagenda installation

Administrators should identify every Joomla site running iCagenda, including development, staging, and inactive websites that remain publicly accessible.

The official iCagenda vulnerability details list releases through 3.9.14 and 4.0.7 as affected.

Site owners should take these steps:

  1. Update the current iCagenda branch to version 4.0.8 or later.
  2. Update the legacy branch to version 3.9.15 or later.
  3. Do not rely on hiding or unpublishing the event submission page.
  4. Inspect the frontend attachments directory for executable files.
  5. Review access logs for the icagenda-batch/1.0 user agent.
  6. Check for unauthorized events and administrator accounts.
  7. Rotate Joomla, database, hosting, and file-transfer credentials when compromise is suspected.

The iCagenda incident report recommends updating every affected installation, including sites running older Joomla releases where the complete PHP execution chain may not work.

How to protect a Balbooa Forms installation

Every site running Balbooa Forms 2.4.0 or earlier should receive an immediate update to version 2.4.1 or later.

The Balbooa Forms vulnerability description confirms that the flaw requires no authentication and can allow executable files to reach the server.

Administrators should complete the following actions:

  1. Install Balbooa Forms 2.4.1 or a newer release.
  2. Inspect images/baforms/uploads/ for PHP and other executable files.
  3. Search the Joomla installation for recently created scripts.
  4. Review administrator accounts and active sessions.
  5. Check logs for anonymous requests to the upload handler.
  6. Rotate credentials and Joomla secret values after a confirmed compromise.
  7. Restore the website from a verified clean backup when investigators cannot establish its integrity.

The Balbooa Forms technical report also recommends checking patched sites for tampering because attackers exploited the flaw before version 2.4.1 became available.

Organizations should inventory all Joomla extensions

The incidents show why checking only the Joomla core version does not provide a complete view of website risk. Third-party extensions introduce their own code, permissions, upload handlers, and update schedules.

Organizations should maintain an inventory containing each site, Joomla version, installed extension, extension version, owner, public exposure, and support status.

A practical Joomla security program should include:

  • Automatic notifications for extension updates
  • Removal of abandoned and unused extensions
  • Restricted access to administrator interfaces
  • Multifactor authentication for privileged users
  • File integrity monitoring
  • Centralized web server and application logs
  • Regular offline backups
  • External vulnerability scanning
  • Malware and web shell detection
  • A tested incident response process

File-upload features need strict security controls

Public upload forms remain a common attack target because they intentionally accept data from untrusted visitors.

Developers should permit only file types that the application genuinely needs. They should verify extensions, MIME types, and file signatures instead of trusting the browser-supplied filename or content type.

Applications should also generate new filenames, store uploads outside the public web root, disable script execution in upload directories, require authorization where appropriate, and enforce request tokens.

Upload security controlPurpose
Extension allow-listAccepts only explicitly approved file types
MIME and signature validationChecks whether the file content matches its claimed format
Server-generated filenamesPrevents attackers from controlling executable names and paths
Storage outside the web rootPrevents direct browser execution of uploaded content
Authentication and authorizationLimits who can use sensitive upload functions
CSRF protectionRejects requests that lack a valid session token

Joomla administrators should act immediately

Both vulnerabilities provide attackers with a direct path from an unauthenticated web request to code execution under affected conditions.

Automated scanning makes public Joomla sites especially vulnerable. Attackers can identify extension fingerprints, test upload endpoints, and deploy web shells across many websites without manually selecting each target.

Administrators should update iCagenda and Balbooa Forms immediately, then investigate whether attackers exploited the site before remediation. A clean update alone cannot establish that the server remains trustworthy.

FAQ

Which Joomla extensions is CISA warning about?

CISA is warning about actively exploited vulnerabilities in the iCagenda event management extension and the Balbooa Forms form builder. Both flaws can allow dangerous files to reach vulnerable Joomla servers.

Which iCagenda versions are vulnerable to CVE-2026-48939?

The affected versions include iCagenda 3.2.1 through 3.9.14 and 4.0.0 through 4.0.7. Administrators should update to version 3.9.15 or 4.0.8 and later.

Which Balbooa Forms version fixes CVE-2026-56291?

Balbooa fixed the vulnerability in Forms version 2.4.1. All releases through version 2.4.0 should be considered vulnerable and require immediate updating.

Does updating a Joomla extension remove a web shell?

No. An update closes the known vulnerability but does not remove files, accounts, or backdoors created during an earlier attack. Administrators must inspect previously exposed sites for compromise.

What are the signs of a compromised Joomla site?

Warning signs include unfamiliar PHP files in upload folders, unexpected administrator accounts, altered templates, modified system files, unusual outbound traffic, and suspicious requests in web server logs.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages