Find notable cyber news and cases, enriched with sources, timelines, and signals.

Joomla extensions arbitrary file upload (multiple vulnerabilities, actively exploited)

Vulnerability
First reported
Last updated
Happening score
H score 58
1 unique sources, 1 articles

Summary

Hide ▲

CISA added CVE-2026-48939 and CVE-2026-56291 to the KEV catalog, confirming zero-day exploitation of two Joomla extension flaws that allow arbitrary file upload and code execution. The affected extensions are iCagenda and Balbooa Forms, both rated 10.0 CVSS. The exposed attack path can lead to PHP code execution or unauthenticated remote code execution on internet-facing sites.

Related Happenings

WP-SHELLSTORM webshell access brokerage campaign

Campaign
H score71 First: 10.07.2026 14:30 Last: 10.07.2026 14:30 Sources 1

About this happening: The **WP-SHELLSTORM** campaign exposed its own infrastructure, revealing a **webshell access brokerage** that targeted **WordPress** and **Joomla** sites at scale and backdoored *...

CISA KEV remediation order for CVE-2026-48907

Public Sector Action
H score89 First: 17.06.2026 08:50 Last: 17.06.2026 08:50 Sources 1

About this happening: CISA added **CVE-2026-48907** to the **KEV catalog** and ordered **FCEB agencies** to apply fixes by **June 19, 2026**, forcing federal remediation of an **actively exploited** Jo...

Widget Factory Joomla Content Editor JCE actively exploited improper access control security flaw (CVE-2026-48907)

Vulnerability
H score89 First: 17.06.2026 08:50 Last: 17.06.2026 08:50 Sources 1

About this happening: The **Widget Factory Joomla Content Editor (JCE)** flaw **CVE-2026-48907** has been added to **CISA's KEV catalog** after evidence of **active exploitation**, putting affected Joo...

CISA KEV multi-product active exploitation wave (CVE-2020-7796)

Exploitation Wave
H score53 First: 18.02.2026 08:52 Last: 18.02.2026 08:52 Sources 1

About this happening: **CISA** expanded its **KEV catalog** with **four actively exploited flaws**, signaling a live exploitation wave across **Chrome, TeamT5 ThreatSonar, Zimbra, and Windows Video Act...

CISA adds four actively exploited flaws to KEV with FCEB deadlines

Public Sector Action
H score35 First: 13.02.2026 10:34 Last: 13.02.2026 10:34 Sources 1

About this happening: CISA added **four vulnerabilities** to the **Known Exploited Vulnerabilities (KEV) catalog** after evidence of **active exploitation**, putting **FCEB agencies** on a forced remed...

Timeline

  1. 13.07.2026 08:36 1 articles · 3h ago

    Automated attacks exploit iCagenda file attachment flaw

    Exploitation Observed

    On June 15, 2026, automated attacks against Joomla sites with iCagenda installed began exploiting CVE-2026-48939 as a zero-day, abusing the Submit an Event file attachment feature to upload malicious files that can lead to PHP code execution and planted shells under images/icagenda/frontend/attachments/.

    Show sources
  2. 13.07.2026 08:36 1 articles · 3h ago

    mySites.guru discovers Balbooa Forms zero-day after live attack

    Technical Analysis Update

    On July 8, 2026, mySites.guru discovered CVE-2026-56291 after a live attack on one of its customers, finding that Balbooa Forms versions up to and including 2.4.0 accepted anonymous frontend attachment uploads with no login, no CSRF token, and no file-type check, enabling arbitrary file upload and unauthenticated remote code execution; the patched version is 2.4.1.

    Show sources
  3. 13.07.2026 08:36 2 articles · 3h ago

    CISA adds Joomla extension flaws to KEV catalog

    Legal Policy Action Update

    On July 13, 2026, CISA added CVE-2026-48939 and CVE-2026-56291 to the Known Exploited Vulnerabilities (KEV) catalog after reports of zero-day exploitation in the wild, while Federal Civilian Executive Branch agencies were ordered to implement fixes by July 13, 2026; the Australian Cyber Security Centre also warned that a global campaign is scanning CMS software and plugins to deploy web shells.

    Show sources