Skip to content
feed: live
>_ 0dayNews
threat intel
● Breaking

Balbooa, iCagenda Join KEV: Four Joomla RCEs in Four Days

CISA added Balbooa Forms and iCagenda to KEV on July 10 — two unauthenticated file-upload RCEs in Joomla extensions. Federal due date is July 13.

fuse Marisol "Fuse" Delgado · Published · 3 min read

CISA added two more Joomla extensions to the Known Exploited Vulnerabilities catalog on 2026-07-10 — Balbooa Forms and iCagenda, both unauthenticated file-upload RCEs, both CVSS 9.8, both CWE-434. Federal due date on both is 2026-07-13. That’s three days from KEV add to the deadline, which is the tightest window CISA generally cuts on this class of add.

This is the third and fourth Joomla-extension add to KEV in four days. Monday’s additions — Joomlack Page Builder and JoomShaper SP Page Builder — were the same shape: unauthenticated, arbitrary file upload, PHP execution, 9.8 across the board. Four adds, four days, one CWE.

The two

CVE-2026-56291Balbooa Forms (com_baforms), a form-builder extension. Unauthenticated file upload → PHP write → RCE. Affects versions up to 2.4.0. Fixed in 2.4.1. Discovery and coordinated disclosure by Phil E. Taylor at mySites.guru; NVD published the record on 2026-07-09, CISA added it one day later.

CVE-2026-48939iCagenda, a Joomla event-calendar extension. The event file-attachment feature accepts arbitrary uploads, so an unauthenticated attacker writes a PHP file and requests it. Fixed in 3.9.15 (3.x line) and 4.0.8 (4.x line). Discovery and PoC by Poloss, technical writeup at mySites.guru. NVD published on 2026-06-20 — the exploitation signal caught up to the disclosure roughly three weeks later.

Two vendors, two extensions, same week. That is not a coincidence — that is what happens when a class of bug lands on somebody’s crawler and it works its way through a market. Same note as Monday’s writeup: whichever of these two extensions you do not run today, look at your other Joomla extensions this week.

What to actually do

Patch first, then audit — do not skip the audit.

  1. Inventory Joomla extensions on every site you run. Check the admin’s Extensions Manager or query SELECT extension_id, name, element, folder, enabled FROM #__extensions WHERE type='component'. You cannot patch what you do not know is installed, and shared-hosting Joomla installs frequently pick up extensions from previous administrators.
  2. Upgrade Balbooa Forms to 2.4.1 if com_baforms is present.
  3. Upgrade iCagenda to 3.9.15 or 4.0.8 if com_icagenda is present. Match the line — don’t jump 3.x to 4.x under time pressure without checking the compatibility notes.
  4. Audit for webshells before assuming clean. If either extension has been installed on an internet-reachable site during the disclosure window (Balbooa: since 2026-07-08; iCagenda: since 2026-06-20), pull a listing of images/, media/, template upload directories, and any writable path, and flag every .php, .phtml, .php7, or .phar file you did not put there. A single webshell is enough — do not require finding two before you treat it as an incident.
  5. Widen the audit to your other Joomla extensions this week. The four KEV adds in four days share a class of bug and a class of extension. If you run any user-content or file-attachment extension on a public-facing Joomla site, the same audit against writable paths is cheap insurance.

Do not skip step 4 because “we patched already.” The patches close the door. They do not evict whoever came in before you closed it. A compromised Joomla install turns into a mail-spam relay by the following morning, and the reputational cost of the outbound spam is often larger than the cost of the intrusion itself.

Timeline

  • 2026-06-20 — NVD publishes CVE-2026-48939 (iCagenda). Vendor ships fix in the same window per changelog.
  • 2026-07-07 — CISA adds CVE-2026-56290 (Joomlack Page Builder), CVE-2026-48908 (JoomShaper SP Page Builder), and a Langflow IDOR to KEV.
  • 2026-07-08 — Balbooa ships Forms 2.4.1; mySites.guru publishes writeup.
  • 2026-07-09 — NVD publishes CVE-2026-56291 (Balbooa Forms).
  • 2026-07-10 — CISA adds CVE-2026-56291 and CVE-2026-48939 to KEV, both with a 2026-07-13 due date.

The federal-deadline note, again

The 2026-07-13 date on both entries is CISA’s BOD 26-04 deadline for federal agencies. If you are not a federal agency, that date is not a calendar rule for you. It is, however, the signal CISA is sending about how urgently exploitation has been observed against these two products — the tighter the due date, the louder the signal. Three days is loud. Treat it that way.

Sources

Found this useful? Share it.