Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Internet Scans Target Exposed AI Models, Claude Credentials, and MCP Servers
July 13, 2026
NSA Warns of Russian Hacking Exploiting Cisco Smart Install Vulnerability
July 13, 2026
Active Directory Accounts Enumerated via PowerShell Script
July 13, 2026
Home/CyberSecurity News/CISA warns of Joomla iCagenda, Balbooa flaws exploited in attacks
CyberSecurity News

CISA warns of Joomla iCagenda, Balbooa flaws exploited in attacks

Key Takeaways The Cybersecurity and Infrastructure Security Agency (CISA) has added two critical Joomla extension flaws to its Known Exploited Vulnerabilities (KEV) Catalog. The vulnerabilities,...

Jennifer sherman
Jennifer sherman
July 13, 2026 3 Min Read
3 0

Key Takeaways

  • The Cybersecurity and Infrastructure Security Agency (CISA) has added two critical Joomla extension flaws to its Known Exploited Vulnerabilities (KEV) Catalog.
  • The vulnerabilities, affecting iCagenda and Balbooa Forms, allow unrestricted file uploads, potentially leading to full website control.
  • Attackers are actively exploiting both CVE-2026-48939 (iCagenda) and CVE-2026-56291 (Balbooa Forms) in real-world attacks.
  • Federal agencies are mandated to patch these flaws, and all organizations using Joomla are urged to apply updates immediately and investigate for signs of compromise.

CISA Flags Actively Exploited Joomla Extension Flaws

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a significant warning, incorporating two high-severity vulnerabilities in popular Joomla extensions into its Known Exploited Vulnerabilities (KEV) Catalog. These flaws, which enable unrestricted file uploads, are currently being leveraged by threat actors to compromise websites.

Table Of Content

  • Key Takeaways
  • CISA Flags Actively Exploited Joomla Extension Flaws
  • Unrestricted File Uploads Pave Way for Site Takeovers
  • The Threat of Web Shells and Persistent Access
  • What You Should Do

The affected extensions, iCagenda and Balbooa Forms, are widely used by Joomla site administrators for event management and web form functionalities, respectively. CISA has confirmed active exploitation of both security issues, indicating an immediate threat to vulnerable installations.

Unrestricted File Uploads Pave Way for Site Takeovers

The core issue in both vulnerabilities lies in their allowance of unrestricted file uploads. This critical weakness permits attackers to upload malicious files, which can then be executed by the web server, potentially granting complete control over the compromised website.

The first identified flaw, designated as CVE-2026-48939, impacts the iCagenda extension. This vulnerability is categorized as an unrestricted file upload of a dangerous type. Depending on the specific configuration of the affected system, an attacker, even without authentication or with low privileges, could upload executable files to the server.

Similarly, the second vulnerability, CVE-2026-56291, targets the Balbooa Forms extension. Much like the iCagenda flaw, this issue stems from the unrestricted upload of potentially dangerous file types, posing an equivalent risk of system compromise.

The Threat of Web Shells and Persistent Access

Successful exploitation of these vulnerabilities can lead to the deployment of web shells or other malicious scripts on a Joomla server. A web shell acts as a backdoor, providing remote access and control over a compromised system.

Once a web shell is established, an attacker gains extensive capabilities. These include executing arbitrary commands, exfiltrating sensitive site data, creating new administrator accounts, altering website content, distributing malware, or using the compromised server as infrastructure for further attacks.

CISA emphasizes that file-upload vulnerabilities remain a frequent entry point for malicious cyber actors. Joomla sites exposed to the internet are particularly susceptible, as attackers can readily scan for vulnerable extensions and automate exploitation attempts at scale.

Under Binding Operational Directive 26-04, Federal Civilian Executive Branch agencies are mandated to address these vulnerabilities promptly. CISA prioritizes patching KEV-listed vulnerabilities, especially those affecting internet-facing systems that could lead to complete system compromise.

While the directive specifically targets federal agencies, CISA strongly advises private-sector organizations, educational institutions, and all Joomla site administrators to adopt the same risk-based approach and take immediate action.

What You Should Do

  • Identify Vulnerable Systems: Immediately ascertain whether your Joomla environments utilize either the iCagenda or Balbooa Forms extensions.
  • Apply Patches: Apply vendor-provided security updates and mitigation guidance without delay.
  • Implement Temporary Mitigations: If immediate patching is not feasible, disable the vulnerable components, restrict upload functionality, and limit public access to affected systems.
  • Investigate for Compromise: Given that exploitation is already occurring, thoroughly investigate for signs of compromise both before and after applying patches. Look for unfamiliar files in web-accessible directories, unexpected script files, suspicious administrator accounts, altered templates, unusual outbound network traffic, and anomalous web server logs.
  • Post-Compromise Actions: If compromise is confirmed, simply applying an update is insufficient. Review logs, scan for web shells, rotate all administrative credentials, and restore affected systems from known-clean backups.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVECybersecurityExploitMalwarePatchSecurityVulnerability

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

AI Worm Could Regenerate Exploits, Adapt to Defenses in Real Time

Next Post

iPhone, MacBook Forensics Expose £113,000 Property Fraud

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
CISA warns of Joomla iCagenda, Balbooa flaws exploited in attacks
July 13, 2026
AI Worm Could Regenerate Exploits, Adapt to Defenses in Real Time
July 13, 2026
Critical WordPress Plugin Bug Lets Attackers Control Websites
July 13, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us