Find notable cyber news and cases, enriched with sources, timelines, and signals.

Joomla iCagenda and Balbooa Forms active RCE exploitation wave

Exploitation Wave
First reported
Last updated
Happening score
H score 42
1 unique sources, 1 articles

Summary

Hide ▲

Joomla sites were hit by an active exploitation wave against iCagenda and Balbooa Forms upload flaws, enabling remote code execution and full website takeover. The activity used automated attacks before patches were available, raising the risk of web shell installation and data theft across exposed sites.

Related Happenings

CISA KEV directive for Joomla extension flaws

Public Sector Action
H score36 First: 13.07.2026 18:20 Last: 13.07.2026 18:20 Sources 1

How related: The agency has categorized the flaws as a maximum priority, ordering federal agencies to apply available security updates and/or mitigations within three days, with the deadline set for today.

About this happening: **CISA** added the Joomla extension flaws to the **KEV** catalog and ordered **federal agencies** to apply updates or mitigations within **three days**, tightening remediation tim...

Joomla extensions arbitrary file upload (multiple vulnerabilities, actively exploited)

Vulnerability
H score59 First: 13.07.2026 08:36 Last: 13.07.2026 08:36 Sources 1

How related: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that attackers are exploiting vulnerabilities in the iCagenda and Balbooa Forms extensions for Joomla to achieve remote code execution through arbitrary file uploads.

About this happening: **CISA** added **CVE-2026-48939** and **CVE-2026-56291** to the **KEV catalog**, confirming **zero-day exploitation** of two **Joomla** extension flaws that allow arbitrary file u...

WP-SHELLSTORM webshell access brokerage campaign

Campaign
H score71 First: 10.07.2026 14:30 Last: 10.07.2026 14:30 Sources 1

About this happening: The **WP-SHELLSTORM** campaign exposed its own infrastructure, revealing a **webshell access brokerage** that targeted **WordPress** and **Joomla** sites at scale and backdoored *...

JCE Pro 2.9.99.6 patch for CVE-2026-48907

Security Patch Release
H score46 First: 17.06.2026 13:09 Last: 17.06.2026 13:09 Sources 1

About this happening: **JCE security team** released **JCE Pro 2.9.99.6** in **early June 2026** to fix **CVE-2026-48907** in the **Widget Factory Joomla Content Editor (JCE) plugin**. The update addre...

CISA KEV remediation order for CVE-2026-48907

Public Sector Action
H score89 First: 17.06.2026 08:50 Last: 17.06.2026 08:50 Sources 1

About this happening: CISA added **CVE-2026-48907** to the **KEV catalog** and ordered **FCEB agencies** to apply fixes by **June 19, 2026**, forcing federal remediation of an **actively exploited** Jo...

Timeline

  1. 13.07.2026 18:20 2 articles · 8h ago

    Balbooa Forms zero-day exploitation begins

    Exploitation Observed

    Attackers leveraged CVE-2026-56291 in the Balbooa Forms extension for Joomla as a zero-day starting on July 8, using the form builder's file upload capability to deliver dangerous file types that could lead to remote code execution and full website takeover.

    Show sources
  2. 13.07.2026 18:20 1 articles · 8h ago

    CISA orders rapid remediation for exploited Joomla extension flaws

    Legal Policy Action Update

    CISA warns that attackers are exploiting CVE-2026-48939 in iCagenda and CVE-2026-56291 in Balbooa Forms for Joomla through arbitrary file uploads that can enable remote code execution and full website takeover, then marks both flaws as maximum priority in the Known Exploited Vulnerabilities catalog and orders U.S. federal agencies to apply available updates or mitigations within three days.

    Show sources