Balbooa, iCagenda Join KEV: Four Joomla RCEs in Four Days
CISA added Balbooa Forms and iCagenda to KEV on July 10 — two unauthenticated file-upload RCEs in Joomla extensions. Federal due date is July 13.
CISA added two more Joomla extensions to the Known Exploited Vulnerabilities catalog on 2026-07-10 — Balbooa Forms and iCagenda, both unauthenticated file-upload RCEs, both CVSS 9.8, both CWE-434. Federal due date on both is 2026-07-13. That’s three days from KEV add to the deadline, which is the tightest window CISA generally cuts on this class of add.
This is the third and fourth Joomla-extension add to KEV in four days. Monday’s additions — Joomlack Page Builder and JoomShaper SP Page Builder — were the same shape: unauthenticated, arbitrary file upload, PHP execution, 9.8 across the board. Four adds, four days, one CWE.
The two
CVE-2026-56291 — Balbooa Forms (com_baforms), a form-builder extension. Unauthenticated file upload → PHP write → RCE. Affects versions up to 2.4.0. Fixed in 2.4.1. Discovery and coordinated disclosure by Phil E. Taylor at mySites.guru; NVD published the record on 2026-07-09, CISA added it one day later.
CVE-2026-48939 — iCagenda, a Joomla event-calendar extension. The event file-attachment feature accepts arbitrary uploads, so an unauthenticated attacker writes a PHP file and requests it. Fixed in 3.9.15 (3.x line) and 4.0.8 (4.x line). Discovery and PoC by Poloss, technical writeup at mySites.guru. NVD published on 2026-06-20 — the exploitation signal caught up to the disclosure roughly three weeks later.
Two vendors, two extensions, same week. That is not a coincidence — that is what happens when a class of bug lands on somebody’s crawler and it works its way through a market. Same note as Monday’s writeup: whichever of these two extensions you do not run today, look at your other Joomla extensions this week.
What to actually do
Patch first, then audit — do not skip the audit.
- Inventory Joomla extensions on every site you run. Check the admin’s Extensions Manager or query
SELECT extension_id, name, element, folder, enabled FROM #__extensions WHERE type='component'. You cannot patch what you do not know is installed, and shared-hosting Joomla installs frequently pick up extensions from previous administrators. - Upgrade Balbooa Forms to 2.4.1 if
com_baformsis present. - Upgrade iCagenda to 3.9.15 or 4.0.8 if
com_icagendais present. Match the line — don’t jump 3.x to 4.x under time pressure without checking the compatibility notes. - Audit for webshells before assuming clean. If either extension has been installed on an internet-reachable site during the disclosure window (Balbooa: since 2026-07-08; iCagenda: since 2026-06-20), pull a listing of
images/,media/, template upload directories, and any writable path, and flag every.php,.phtml,.php7, or.pharfile you did not put there. A single webshell is enough — do not require finding two before you treat it as an incident. - Widen the audit to your other Joomla extensions this week. The four KEV adds in four days share a class of bug and a class of extension. If you run any user-content or file-attachment extension on a public-facing Joomla site, the same audit against writable paths is cheap insurance.
Do not skip step 4 because “we patched already.” The patches close the door. They do not evict whoever came in before you closed it. A compromised Joomla install turns into a mail-spam relay by the following morning, and the reputational cost of the outbound spam is often larger than the cost of the intrusion itself.
Timeline
- 2026-06-20 — NVD publishes CVE-2026-48939 (iCagenda). Vendor ships fix in the same window per changelog.
- 2026-07-07 — CISA adds CVE-2026-56290 (Joomlack Page Builder), CVE-2026-48908 (JoomShaper SP Page Builder), and a Langflow IDOR to KEV.
- 2026-07-08 — Balbooa ships Forms 2.4.1; mySites.guru publishes writeup.
- 2026-07-09 — NVD publishes CVE-2026-56291 (Balbooa Forms).
- 2026-07-10 — CISA adds CVE-2026-56291 and CVE-2026-48939 to KEV, both with a 2026-07-13 due date.
The federal-deadline note, again
The 2026-07-13 date on both entries is CISA’s BOD 26-04 deadline for federal agencies. If you are not a federal agency, that date is not a calendar rule for you. It is, however, the signal CISA is sending about how urgently exploitation has been observed against these two products — the tighter the due date, the louder the signal. Three days is loud. Treat it that way.
Sources
- CISA. Known Exploited Vulnerabilities catalog, 2026-07-10 additions.
- NVD: CVE-2026-56291, CVE-2026-48939.
- Phil E. Taylor, mySites.guru: Balbooa Forms writeup, iCagenda writeup.
- iCagenda changelog: 3.9.15, 4.0.8.
Found this useful? Share it.


