THREAT BRIEFING · 15.07.2026 DEENFRES

Practice & Implementation

Two Joomla Upload Vulnerabilities Added to CISA KEV

By Alec Chizhik · July 15, 2026 · 4 min read

CISA added on July 10, 2026 two unauthenticated file-upload vulnerabilities from Joomla extensions to the Known Exploited Vulnerabilities Catalog: CVE-2026-48939 (iCagenda) and CVE-2026-56291 (Balbooa Forms). Both lead to remote code execution. For operators, asset discovery comes before a pure patch ticket.

Key Takeaways

  • KEV since 10.07.2026. iCagenda and Balbooa Forms with confirmed active exploitation.
  • Patch level firm. iCagenda 4.0.8 / 3.9.15; Balbooa Forms 2.4.1 or newer.
  • IoCs in upload folders. PHP under images/icagenda and images/baforms is a red flag.
  • Inventory first. Which sites run which extension version? Without a list, the patch is random.

Related:Four Vulnerabilities in KEV  /  Squidex Upload Vulnerability

What CISA Added to KEV on July 10

What is the Joomla Known Exploited Vulnerabilities (KEV) Upload? A third‑party extension with unauthenticated upload of dangerous file types. CVE-2026-48939 affects iCagenda (com_icagenda) via public event submission. CVE-2026-56291 affects Balbooa Forms (com_baforms): frontend upload without login, without CSRF check, and without extension whitelist through version 2.4.0.

Definition · KEV Upload RCE

A publicly reachable upload interface accepts executable files without authentication. The attacker uploads PHP and gains remote code execution on the web server.

Both vulnerabilities are, according to disclosure sources, zero‑days actively exploited. CISA lists them as Unrestricted Upload of File with Dangerous Type. For U.S. federal agencies, BOD 26-04 applies with priority remediation. For DACH operators, KEV is not a legal requirement but a strong priority signal.

Patch Level and Affected Versions

iCagenda: according to mySites.guru affected versions 3.2.1 through 3.9.14 and 4.0.0 through 4.0.7. Fix in 4.0.8 (June 15, 2026) and Legacy 3.9.15 (June 16, 2026). The severity is in the critical range (Finder matrix often 9.8, in parts of the discussion up to 10.0).

Balbooa Forms: affected up to and including 2.4.0. Fix in 2.4.1 (July 9, 2026), Finder designation CVSS 4.0 score 10.0. The changelog initially listed the measures under “Fixed” without a clear security banner. Those who only filter by the word “security” will miss the fix.

Inventory, Indicators of Compromise (IoCs) and Checklist

CMS campaigns rarely hit the core first. They target the extension with a public upload. Agencies with many Joomla sites need an inventory list: site, extension, version, publicly reachable yes/no. Parallel to patching: check the upload folder. Balbooa Forms typically places attachments under images/baforms/uploads/. iCagenda uses paths under images/icagenda. Any unexpected .php file there is a compromise indicator.

Joomla Upload KEV now

  • Scan all sites on iCagenda and Balbooa Forms and export versions
  • Update to the minimum version immediately, not waiting for the maintenance window
  • Check the upload folder for PHP and unknown shells; sift through the super‑user list
  • Inspect logs for POSTs to baforms-/icagenda upload tasks before the patch deadline
  • WAF: block anonymous uploads with executable extensions until the inventory is green

Earlier this week, CISA also added related Joomla builder vulnerabilities to the KEV context (according to a Finder roundup on Page Builder CK and SP Page Builder). The pattern is stable: anonymous form and AJAX endpoints without a strict allowlist. Form builders and event plugins are the attack surface, not just content tools. Primary sources: CISA Alert 10.07.2026, vendor changelogs, technical analyses by mySites.guru.

Frequently Asked Questions

Every question is locked. A tap unlocks the answer.

Is a core update from Joomla sufficient?

No. The gaps are in third-party extensions. Core patches do not replace extension updates.

Are only US authorities affected?

Known Exploited Vulnerabilities (KEV) primarily target the US Federal Civilian Executive Branch (FCEB). Active exploitation applies globally. Every publicly accessible Joomla site with the extensions is in scope.

What to do if an immediate update isn’t possible?

Disable public forms with file upload or take the extension offline. Then conduct a forensic review, then apply patches.

Which IoCs are practical?

Unexpected PHP files were found in the images/baforms and images/icagenda directories, along with new super‑user accounts, an altered configuration.php, and unknown webshell paths.

Where is the primary source?

CISA Known Exploited Vulnerabilities Alert on 10.07.2026 for CVE-2026-48939 and CVE-2026-56291; Changelogs iCagenda 4.0.8/3.9.15 and Balbooa 2.4.1; Analysis, among others, mySites.guru.

Lesetipps der Redaktion

LesetippSharePoint-JWT-Bypass öffnet On-Prem-SitesLesetippBitLocker-Bypass bei physischem ZugriffLesetippVier Lücken im KEV – eine zieht Cloud-Schlüssel ab

Mehr aus dem MBF Media Netzwerk

cloudmagazinAWS Sovereign Cloud: was wirklich getrennt istMyBusinessFutureDigitaler Produktpass: Was Hersteller tun müssenDigital ChiefsToken-OPEX: Inference steuert, nicht das Seat-Budget

Bildquelle: KI-generiert (Juli 2026)

Further reading

Practice & Implementation · July 15, 2026

LegacyHive PoC Meets Latest Windows Patches

Public Windows EoP PoC for LegacyHive surfaces right after Patch Tuesday. Detection focuses on Hive Load and User Profile Service, hardening before exploit chains …

A magazine by Evernine Media GmbH