iCagenda, Balbooa Forms exploited as Joomla zero-days
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two maximum-severity security flaws impacting iCagenda and Balbooa extensions for Joomla to its Known Exploited Vulnerabiliti
What Happened
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two maximum-severity vulnerabilities affecting Joomla extensions - iCagenda and Balbooa Forms - to its Known Exploited Vulnerabilities (KEV) catalog. The flaws are reportedly being exploited as zero-days in active attacks. CVE-2026-48939, an unauthenticated remote code execution (RCE) flaw in iCagenda, has been assigned and a proof-of-concept exploit is already available. A second, as-yet-unnumbered vulnerability in Balbooa Forms is also under active exploitation for unauthenticated RCE.
Why It Matters
Joomla powers over 2 million websites globally, and these two extensions are widely used for event management and contact forms. The exploitation of unpatched vulnerabilities in these extensions gives attackers a direct path to gain full server-level access without any authentication. CISA’s inclusion in the KEV catalog obligates Federal Civilian Executive Branch (FCEB) agencies to remediate by May 13, 2026. For all other organizations, the availability of a PoC for CVE-2026-48939 and confirmed in-the-wild exploitation means the window for proactive patching is effectively closed - defenders are now in a race to contain potential breaches.
Technical Details
CVE-2026-48939 affects iCagenda versions prior to 3.9.4. The vulnerability resides in the com_icagenda component’s file upload functionality, which fails to authenticate users before processing uploads. An unauthenticated attacker can send a crafted HTTP POST request to the vulnerable endpoint, upload a malicious PHP file (e.g., a web shell), and then execute it remotely. The CVSS v3.1 score is 9.8 (Critical). For Balbooa Forms (GA version 3.0.0 and earlier), the RCE vector appears to stem from insecure deserialization or insufficient input validation in form submission handling, allowing attackers to inject and execute arbitrary PHP code. No CVE has been formally assigned for the Balbooa flaw as of this writing.
Immediate Risk
The risk is critical and imminent. Any Joomla site running iCagenda before 3.9.4 or Balbooa Forms before version 3.0.1 should be considered compromised. Attackers are using both vulnerabilities to deploy webshells, exfiltrate databases, and establish persistence. Organizations should immediately check for unusual files in the images/ or media/ directories of the Joomla installation, as well as unknown administrators or user accounts. Shodan scans show over 120,000 publicly exposed Joomla instances with these extensions enabled, many of them unpatched.
Security Insight
The most striking element here is not the exploitation itself, but the signal it sends about the state of Joomla extension ecosystems. Unlike the core CMS, Joomla’s third-party extension market has no mandatory security review process. This mirrors the 2023 MOVEit Transfer zero-day exploitation pattern, where a single third-party component (the managed file transfer module) cascaded into a breach of hundreds of downstream organizations. The iCagenda and Balbooa incidents suggest that attackers are methodically mapping the Joomla extension attack surface, and we should expect more such discoveries in the coming months. Defenders should prioritize scrubbing their Joomla installations of any extension that has not received a security update in the past 12 months - not just patching known flaws.
Further Reading
Never miss a security update
Get real-time security alerts delivered to your preferred platform.
Related News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The
A suspected China-aligned threat activity cluster has been observed exploiting Roundcube webmail software belonging to physics and engineering departments of U.S. and Canadian universities as part of
Threat actors associated with the Anubis ransomware operation have been observed exploiting the Citrix Bleed 2 (CVE-2025-5777) vulnerability to obtain initial access. 'Although tactics differ between
CISA warned on Wednesday that attackers have begun exploiting a high-severity Microsoft SharePoint remote code execution vulnerability patched in May. [...]