Quick Takeaways
- Zero-day exploits in Joomla extensions iCagenda and Balbooa Forms allow remote code execution through arbitrary file uploads, actively targeted since June 2026.
- Attackers are using automated scanners to identify and exploit these vulnerabilities, planting malicious PHP files for remote control of affected websites.
- A widespread global campaign leverages similar vulnerabilities in CMS systems, deploying web shells for unauthorized access, facilitated by AI-driven automation.
Threat, Attack Techniques, and Targets
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified two serious security flaws in Joomla extensions: iCagenda and Balbooa Forms. Both flaws are rated with a CVSS score of 10.0, indicating maximum severity. These vulnerabilities are exploited as zero-days, meaning they are used by attackers before vendors release patches.
CVE-2026-48939 affects iCagenda. Attackers can upload malicious files through the “Submit an Event” form. This allows them to execute PHP code on the server. The flaw has been exploited since June 15, 2026, using automated attacks that scan for vulnerable sites. The attack involves posting malicious uploads and accessing planted shells for further control. It impacts Joomla versions 4.x up to 4.0.7 and 3.x versions 3.2.1 to 3.9.14.
CVE-2026-56291 targets Balbooa Forms. Attackers can upload arbitrary files without authentication. This can lead to remote code execution, allowing attackers to run PHP files on the server. This flaw was discovered during a live attack on July 8, 2026. It affects versions up to 2.4.0 and is fixed in version 2.4.1. Attackers often look for suspicious PHP files in upload folders and examine user lists for unauthorized admin accounts.
Impact, Security Implications, and Remediation Guidance
The exploitation of these vulnerabilities can cause critical damage. Attackers can run malicious code on affected websites, potentially taking full control of the server. Data breaches and website defacement are possible outcomes. Since these flaws are actively exploited, they pose a significant risk to organizations using vulnerable Joomla extensions.
For security, site owners should check for suspect PHP files in the upload folders, particularly in “images/icagenda/frontend/attachments/” and “images/baforms/uploads”. They should also review the Joomla user list for suspicious admin accounts and audit for unusual PHP files.
JoomliC has issued updates to fix these issues in iCagenda versions 4.0.8 and 3.9.15, and Balbooa Forms in version 2.4.1. Organizations are advised to update their extensions immediately. If additional guidance is needed, it is recommended to consult the vendor or relevant security authorities to ensure proper remediation steps are followed.
Expand Your Tech Knowledge
Explore the future of technology with our detailed insights on Artificial Intelligence.
Discover archived knowledge and digital history on the Internet Archive.
ThreatIntel-V1
