CRITICAL: iCagenda and Balbooa Forms Joomla Zero-Days Exploited for Unauthenticated RCE
Two Joomla extensions, iCagenda and Balbooa Forms, contain maximum severity CVSS 10.0 arbitrary file upload flaws (CVE-2026-48939 and CVE-2026-56291) that allow unauthenticated remote code execution. Both were exploited as zero-days before patches shipped and now sit in CISA's KEV catalog. Update iCagenda to 4.0.8 or 3.9.15 and Balbooa Forms to 2.4.1 immediately and hunt for planted web shells.
If you run a Joomla site with a public form on it, this is the part where you stop reading and go check your version numbers. Two extensions that thousands of small businesses, event organizers, and community sites lean on every day just turned into unauthenticated remote code execution, and attackers were already inside before anyone published a patch. Both flaws carry a CVSS score of 10.0, which is the maximum the scale allows, and both are now sitting in CISA's Known Exploited Vulnerabilities catalog. When two bugs hit a perfect ten in the same week and CISA gives federal agencies three days to fix them, that is not a coincidence. That is a coordinated campaign hunting for soft targets, and Joomla extensions were the soft target.
The first flaw, tracked as CVE-2026-48939, lives in iCagenda, a popular events calendar extension for Joomla. The problem sits in the "Submit an Event" form, the exact feature that makes iCagenda useful in the first place. iCagenda lets visitors attach a file when they submit an event, and somewhere along the way the validation that was supposed to stop them from attaching the wrong kind of file simply was not doing its job. An attacker could upload a PHP script disguised as an event attachment, and the server would happily accept it and then execute it. That is the whole game. No login, no stolen credentials, no clever chain of three smaller bugs strung together. Just a form that trusts whatever a stranger hands it, which is the oldest mistake in web security and somehow still the most common. Every version of iCagenda in the 4.x branch up to and including 4.0.7 is vulnerable, along with the 3.x branch from 3.2.1 all the way through 3.9.14.
The second flaw is almost the same story with a different logo. CVE-2026-56291 affects Balbooa Forms, a drag and drop form builder used to slap contact forms, registration forms, and surveys onto Joomla sites without touching any code. Its frontend attachment upload accepted a file from any anonymous visitor with no login required, no CSRF token to prove the request was legitimate, and no check whatsoever on the file type. If you were designing a deliberately insecure upload handler as a teaching example, you would struggle to make it worse than this. An attacker points a script at the public upload endpoint, drops a PHP web shell into a folder the web server can reach, and then browses to that file to run it. Everything up to and including Balbooa Forms 2.4.0 is affected.
The timeline is the part that should make you uncomfortable. iCagenda was not discovered and then quietly exploited months later. It was being hammered as a zero-day since June 15, 2026, with the exploitation showing up just hours before the vendor, JoomliC, managed to push a fix. Balbooa Forms followed the same grim pattern, with active zero-day exploitation beginning around July 8, a full day before the developers shipped their patch. In both cases the defenders were a step behind the attackers, which is exactly what zero-day means and exactly why these deserve the drop-everything treatment. The monitoring firm mySites.guru watched both flaws get exploited in live attacks against its own customers, which is about as close to ground truth as threat intelligence gets. This was not theoretical.
What makes this campaign feel industrial rather than opportunistic is the tooling. Researchers spotted an automated scanner identifying itself in server logs as "icagenda-batch/1.0," which tells you someone built a purpose-made crawler to find vulnerable iCagenda installations at scale and fire the exploit automatically. Batch is the operative word. These attackers were not hand-picking victims. They were spraying the entire internet, cataloging every Joomla site running the vulnerable extensions, and dropping web shells wherever the upload succeeded. The Australian Cyber Security Centre put out its own warning around the same time about a large-scale exploitation campaign chaining together multiple content management system vulnerabilities specifically to deploy web shells, and the shape of that campaign lines up neatly with what was happening to these two Joomla extensions.
The good news, and there is some, is that patches exist and they are trivial to apply. JoomliC fixed iCagenda in versions 4.0.8 and 3.9.15, released around June 15 and 16. Balbooa shipped the fix for Forms in version 2.4.1 on July 9. If you are on anything older than those numbers, you are vulnerable, and given that automated scanners have been sweeping for these installs for weeks now, you should assume you have been probed. Updating the extension is step one and it is not optional. Step two, which too many people skip, is actually looking to see whether you were already hit before the patch went on. A patched extension does not remove a web shell that an attacker planted last week. The fix closes the door, it does not evict the guest who already walked through it.
That means the real work here is incident response, not just patch management. Go through the upload directories that iCagenda and Balbooa Forms write to and look for anything with a PHP extension that has no business being there, especially recently created files with random or suspicious names. Grep your web server access logs for that "icagenda-batch/1.0" user agent and for POST requests to the form submission and attachment endpoints, particularly ones that returned a 200 followed shortly by a GET request to a strange file path. Any file upload that landed right before someone fetched that same file is the classic web shell signature and it should set off alarms. If you find a shell, the site is compromised, full stop, and you are now cleaning up a breach rather than closing a vulnerability. Rotate the Joomla admin credentials, review any database changes, and check for added admin accounts while you are in there, because an attacker with code execution rarely stops at a single web shell.
For anyone running Joomla at any real scale, this is also a reminder that the core platform is rarely the problem anymore. Joomla itself has gotten reasonably hardened over the years. The extensions bolted onto it are another matter entirely, written by all manner of third-party developers with wildly varying security maturity, and every one of them expands your attack surface. A calendar plugin and a form builder do not sound like crown-jewel infrastructure, right up until one of them hands an anonymous stranger a shell on your web server. The lesson that keeps repeating is that any feature accepting file uploads from the public is a loaded weapon, and it needs authentication, file type validation, and storage outside the web root, or it needs to not exist.
From an MSP standpoint, this is a clean conversation starter with any client running a Joomla, WordPress, or Drupal site, which is a huge slice of the small business web. Most of them have no idea what extensions are installed, let alone which versions, and that visibility gap is exactly what you sell. A recurring CMS patch management and web shell scanning service turns a scary headline like this one into a straightforward monthly retainer, and pairing it with dark web and external attack surface monitoring gives you a natural upsell that costs the client far less than the incident response engagement they will need if one of these shells goes unnoticed for a quarter.
References
- The Hacker News: iCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-Days
https://thehackernews.com/2026/07/icagenda-and-balbooa-forms-joomla-flaws.html
- BleepingComputer: CISA warns of actively exploited RCE flaws in Joomla extensions
https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-rce-flaws-in-joomla-extensions/
- SecurityWeek: Organizations Warned of Exploited Joomla Extension Vulnerabilities
https://www.securityweek.com/organizations-warned-of-exploited-joomla-extension-vulnerabilities/
- CISA Known Exploited Vulnerabilities Catalog
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Concerned about this threat?
Our security team can assess your exposure and recommend immediate actions.
Protect Your Organization
Find vulnerabilities like this in your systems before attackers do.
24/7 monitoring to detect and respond to threats like these in real time.
Block phishing and malware delivery targeting your organization.
Map security controls to 26 frameworks including NIST, SOC 2, and HIPAA.