Joomla extensions arbitrary file upload (multiple vulnerabilities, actively exploited)
Vulnerability
Summary
Hide ▲
Show ▼
CISA added CVE-2026-48939 and CVE-2026-56291 to the KEV catalog, confirming zero-day exploitation of two Joomla extension flaws that allow arbitrary file upload and code execution. The affected extensions are iCagenda and Balbooa Forms, both rated 10.0 CVSS. The exposed attack path can lead to PHP code execution or unauthenticated remote code execution on internet-facing sites.
Related Happenings
WP-SHELLSTORM webshell access brokerage campaign
Campaign
H score71
First: 10.07.2026 14:30
Last: 10.07.2026 14:30
Sources 1
About this happening:
The **WP-SHELLSTORM** campaign exposed its own infrastructure, revealing a **webshell access brokerage** that targeted **WordPress** and **Joomla** sites at scale and backdoored *...
WP-SHELLSTORM webshell access brokerage campaign
CampaignAbout this happening: The **WP-SHELLSTORM** campaign exposed its own infrastructure, revealing a **webshell access brokerage** that targeted **WordPress** and **Joomla** sites at scale and backdoored *...
CISA KEV remediation order for CVE-2026-48907
Public Sector Action
H score89
First: 17.06.2026 08:50
Last: 17.06.2026 08:50
Sources 1
About this happening:
CISA added **CVE-2026-48907** to the **KEV catalog** and ordered **FCEB agencies** to apply fixes by **June 19, 2026**, forcing federal remediation of an **actively exploited** Jo...
CISA KEV remediation order for CVE-2026-48907
Public Sector ActionAbout this happening: CISA added **CVE-2026-48907** to the **KEV catalog** and ordered **FCEB agencies** to apply fixes by **June 19, 2026**, forcing federal remediation of an **actively exploited** Jo...
Widget Factory Joomla Content Editor JCE actively exploited improper access control security flaw (CVE-2026-48907)
Vulnerability
H score89
First: 17.06.2026 08:50
Last: 17.06.2026 08:50
Sources 1
About this happening:
The **Widget Factory Joomla Content Editor (JCE)** flaw **CVE-2026-48907** has been added to **CISA's KEV catalog** after evidence of **active exploitation**, putting affected Joo...
Widget Factory Joomla Content Editor JCE actively exploited improper access control security flaw (CVE-2026-48907)
VulnerabilityAbout this happening: The **Widget Factory Joomla Content Editor (JCE)** flaw **CVE-2026-48907** has been added to **CISA's KEV catalog** after evidence of **active exploitation**, putting affected Joo...
CISA KEV multi-product active exploitation wave (CVE-2020-7796)
Exploitation Wave
H score53
First: 18.02.2026 08:52
Last: 18.02.2026 08:52
Sources 1
About this happening:
**CISA** expanded its **KEV catalog** with **four actively exploited flaws**, signaling a live exploitation wave across **Chrome, TeamT5 ThreatSonar, Zimbra, and Windows Video Act...
CISA KEV multi-product active exploitation wave (CVE-2020-7796)
Exploitation WaveAbout this happening: **CISA** expanded its **KEV catalog** with **four actively exploited flaws**, signaling a live exploitation wave across **Chrome, TeamT5 ThreatSonar, Zimbra, and Windows Video Act...
CISA adds four actively exploited flaws to KEV with FCEB deadlines
Public Sector Action
H score35
First: 13.02.2026 10:34
Last: 13.02.2026 10:34
Sources 1
About this happening:
CISA added **four vulnerabilities** to the **Known Exploited Vulnerabilities (KEV) catalog** after evidence of **active exploitation**, putting **FCEB agencies** on a forced remed...
CISA adds four actively exploited flaws to KEV with FCEB deadlines
Public Sector ActionAbout this happening: CISA added **four vulnerabilities** to the **Known Exploited Vulnerabilities (KEV) catalog** after evidence of **active exploitation**, putting **FCEB agencies** on a forced remed...
Timeline
-
13.07.2026 08:36 1 articles · 3h ago
Automated attacks exploit iCagenda file attachment flaw
Exploitation ObservedOn June 15, 2026, automated attacks against Joomla sites with iCagenda installed began exploiting CVE-2026-48939 as a zero-day, abusing the Submit an Event file attachment feature to upload malicious files that can lead to PHP code execution and planted shells under images/icagenda/frontend/attachments/.
Show sources
- iCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-Days — thehackernews.com — 13.07.2026 08:36
-
13.07.2026 08:36 1 articles · 3h ago
mySites.guru discovers Balbooa Forms zero-day after live attack
Technical Analysis UpdateOn July 8, 2026, mySites.guru discovered CVE-2026-56291 after a live attack on one of its customers, finding that Balbooa Forms versions up to and including 2.4.0 accepted anonymous frontend attachment uploads with no login, no CSRF token, and no file-type check, enabling arbitrary file upload and unauthenticated remote code execution; the patched version is 2.4.1.
Show sources
- iCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-Days — thehackernews.com — 13.07.2026 08:36
-
13.07.2026 08:36 2 articles · 3h ago
CISA adds Joomla extension flaws to KEV catalog
Legal Policy Action UpdateOn July 13, 2026, CISA added CVE-2026-48939 and CVE-2026-56291 to the Known Exploited Vulnerabilities (KEV) catalog after reports of zero-day exploitation in the wild, while Federal Civilian Executive Branch agencies were ordered to implement fixes by July 13, 2026; the Australian Cyber Security Centre also warned that a global campaign is scanning CMS software and plugins to deploy web shells.
Show sources
- iCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-Days — thehackernews.com — 13.07.2026 08:36
- iCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-Days — thehackernews.com — 13.07.2026 08:36