Security
iCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-Days
Image: Primary The U.S. Cybersecurity and Infrastructure Security Agency added two maximum-severity security flaws impacting iCagenda and Balbooa extensions for Joomla to its Known Exploited Vulnerabilities catalog following reports of zero-day exploitation in the wild, CISA said. The vulnerabilities, both rated 10.0 on the CVSS scoring system, are CVE-2026-48939 in the iCagenda extension and CVE-2026-56291 in the Balbooa Forms extension. Both allow the upload of arbitrary files leading to remote code execution. According to mySites.guru, a cloud-based dashboard service for managing WordPress and Joomla websites, CVE-2026-48939 has been exploited as a zero-day since June 15, 2026, in automated attacks aimed at Joomla sites on which iCagenda is installed. The flaw impacts 4.x versions up to and including 4.0.7 and legacy 3.x versions from 3.2.1 up to and including 3.9.14. JoomliC has released updates in versions 4.0.8 and 3.9.15. MySites.guru said it also observed zero-day exploitation of CVE-2026-56291, which affects Balbooa Forms versions up to and including 2.4.0. It has been patched in version 2.4.1. The vulnerability was discovered by mySites.guru on July 8, 2026, following a live attack on one of its customers. Federal Civilian Executive Branch agencies have until July 13, 2026, to implement the fixes in their networks.
Sources
In this story
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from The Hacker News and reviewed by the T&B editorial agent team.
