Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Cybersecurity’s Economics Are Broken. Automation Alone Won’t Fix It

July 17, 2026

The Gentlemen Overtakes Qilin as Most Prolific Ransomware Threat

July 17, 2026

iCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-Days

July 17, 2026
Facebook X (Twitter) Instagram
Friday, July 17
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»iCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-Days
News

iCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-Days

Team-CWDBy Team-CWDJuly 17, 2026No Comments3 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two maximum-severity security flaws impacting iCagenda and Balbooa extensions for Joomla to its Known Exploited Vulnerabilities (KEV) catalog, following reports of zero-day exploitation in the wild.

The vulnerabilities, both rated 10.0 on the CVSS scoring system, are below –

  • CVE-2026-48939 – A vulnerability in the iCagenda extension for Joomla that allows the upload of arbitrary files via the file attachment feature, leading to PHP code upload and execution.
  • CVE-2026-56291 – A vulnerability in the Balbooa Forms extension for Joomla that allows the upload of arbitrary files, leading to remote code execution.

According to mySites.guru, a cloud-based dashboard service for managing WordPress and Joomla websites, CVE-2026-48939 is said to have been exploited as a zero-day since June 15, 2026, in automated attacks aimed at Joomla sites on which iCagenda is installed. It resides in the “Submit an Event” form functionality, which lets users propose events for the calendar.

“We first saw it in a client’s access log: an automated scanner identifying itself as ‘icagenda-batch/1.0’ grabbed a token, posted a malicious upload to the submit endpoint, then fetched the planted shell at the exact path the component writes attachments to,” mySites.guru said.

The flaw impacts the following versions –

  • 4.x versions up to and including 4.0.7
  • Legacy 3.x versions from 3.2.1 up to and including 3.9.14

JoomliC has since released updates to address the issue in iCagenda versions 4.0.8 and 3.9.15. Site owners are advised to check for suspicious PHP files in the “images/icagenda/frontend/attachments/” folder and remove them.

MySites.guru said it also observed zero-day exploitation of CVE-2026-56291, which affects Balbooa Forms versions up to and including 2.4.0. It has been patched in version 2.4.1.

“Up to and including version 2.4.0, its frontend attachment upload had a serious flaw: it accepted a file from any anonymous visitor, with no login, no CSRF token, and no check on the file type,” it said. “An attacker could upload a PHP file into a public folder and then run it, which is unauthenticated remote code execution, the worst outcome a web flaw can have.”

The vulnerability was discovered by mySites.guru on July 8, 2026, following a live attack on one of its customers. It has shared the following indicators of compromise –

  • Look in the Balbooa Forms upload folder (by default “images/baforms/uploads”) for any file that is not an image or document, especially anything ending in PHP
  • Check the Joomla user list for suspicious administrator accounts
  • Audit the set for recently modified or unfamiliar PHP files across the site

In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies have until July 13, 2026, to implement the fixes in their networks.

Australia Warns of Global Campaign Targeting Vulnerable CMS Systems

The disclosure comes as the Australian Cyber Security Centre (ACSC) issued an alert warning of a global exploitation campaign targeting various vulnerabilities in content management systems (CMS) and plugins.

“As part of this campaign, malicious cyber actors are actively scanning websites for opportunities to deploy web shells, leveraging various vulnerabilities affecting CMS software and plugins,” the agency said. “These vulnerabilities primarily allow unauthenticated file upload, remote code execution, server side request forgery or deserialization.”

Once deployed, the web shells serve as conduits for remote access and control of the targeted web servers. Some of the identified security vulnerabilities are listed below –

“This highly scaled global exploitation campaign demonstrates the rapidly evolving cyber risk facing organisations,” ACSC said, adding “advances in AI are accelerating the speed and scale of cyber operations, reducing the time between vulnerability disclosure and exploitation.”



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleCISA Mandates Urgent Patch for Actively Exploited Fortinet Flaws
Next Article The Gentlemen Overtakes Qilin as Most Prolific Ransomware Threat
Team-CWD
  • Website

Related Posts

News

The Gentlemen Overtakes Qilin as Most Prolific Ransomware Threat

July 17, 2026
News

CISA Mandates Urgent Patch for Actively Exploited Fortinet Flaws

July 17, 2026
News

Progress Tells ShareFile Customers to Shut Down Storage Zone Controllers Over Security Threat

July 17, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

Is Poshmark safe? How to buy and sell without getting scammed

February 19, 2026

Why children’s data is a long-term identity risk

June 3, 2026

2025’s most common passwords were as predictable as ever

January 21, 2026

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.