CRITICAL: iCagenda and Balbooa Forms Joomla Zero-Days Exploited for Unauthenticated RCE
Two Joomla extensions, iCagenda and Balbooa Forms, contain maximum severity CVSS 10.0 arbitrary file upload flaws (CVE-2026-48939 and CVE-2026-56291) that allow unauthenticated remote code execution. Both were exploited as zero-days before patches shipped and now sit in CISA's KEV catalog. Update iCagenda to 4.0.8 or 3.9.15 and Balbooa Forms to 2.4.1 immediately and hunt for planted web shells.