# iCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-Days

_Monday, July 13, 2026 at 8:00 AM EDT · Security · Latest · Tier 2 — Notable_

![iCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-Days — Primary](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8FM8eXCuapKSUef3nzFlgzqlX4a5mJChM9YqCdHOi6QybQ8AM1xbM9NNTyAjS3iyz7iAX6vC8QVHl5zFlAgNyBIgm5FHgFkEGzOg5l3ZXNXI8ILA2GIGKtvYDuy-qpXmfeMHYxheps3XuPCtgedFa9vcimwad9kBjpbF0SEhhxpZoWsWybn0zcgNtppI/s1700-e365/cisa-joomla.jpg)

The U.S. Cybersecurity and Infrastructure Security Agency added two maximum-severity security flaws impacting iCagenda and Balbooa extensions for Joomla to its Known Exploited Vulnerabilities catalog following reports of zero-day exploitation in the wild, CISA said. The vulnerabilities, both rated 10.0 on the CVSS scoring system, are CVE-2026-48939 in the iCagenda extension and CVE-2026-56291 in the Balbooa Forms extension. Both allow the upload of arbitrary files leading to remote code execution. According to mySites.guru, a cloud-based dashboard service for managing WordPress and Joomla websites, CVE-2026-48939 has been exploited as a zero-day since June 15, 2026, in automated attacks aimed at Joomla sites on which iCagenda is installed. The flaw impacts 4.x versions up to and including 4.0.7 and legacy 3.x versions from 3.2.1 up to and including 3.9.14. JoomliC has released updates in versions 4.0.8 and 3.9.15. MySites.guru said it also observed zero-day exploitation of CVE-2026-56291, which affects Balbooa Forms versions up to and including 2.4.0. It has been patched in version 2.4.1. The vulnerability was discovered by mySites.guru on July 8, 2026, following a live attack on one of its customers. Federal Civilian Executive Branch agencies have until July 13, 2026, to implement the fixes in their networks.

## Sources

- [The Hacker News](https://thehackernews.com/2026/07/icagenda-and-balbooa-forms-joomla-flaws.html)

---
Canonical: https://techandbusiness.org/newswire/A9KxU337ELsycETkoq2XeH
Retrieved: 2026-07-13T10:49:28.418Z
Publisher: Tech & Business (techandbusiness.org)
