The Circuitry
THE CIRCUITRYYour one-stop source for all tech news
HOMETODAYNEWSFEEDEVENTS
BOOKMARKS
RSS
© 2026 The Circuitry
About UsSourcesContactCorrectionsPrivacy
  • Today
  • Feed
  • Events
  • Saved
Scroll for more
Verification
VERIFIEDConfidence: HIGH
Source identified
Claims cross-referenced
No discrepancies found
Fact-check summary

CISA's July 10 addition of CVE-2026-48939 (iCagenda) and CVE-2026-56291 (Balbooa Forms) to the KEV catalog is confirmed by the agency's alert plus Security Affairs, NVD, and mySites.guru reports.

Sourcing
4independent sources

via BleepingComputer

BleepingComputer · track record
65Stories
100%Verified
3230d
All sources →
Home/Tech/CISA warns of actively exploited RCE flaws in Joomla extensions
VERIFIEDBy Xavier Rivera· ·1.5 min read

CISA warns of actively exploited RCE flaws in Joomla extensions

CISA has added two CVSS 10.0 arbitrary file upload flaws in the iCagenda and Balbooa Forms Joomla extensions to its Known Exploited Vulnerabilities catalog after confirmed in-the-wild exploitation. Federal agencies must patch by July 13 while all Joomla administrators are advised to update to the fixed versions released in June and July.

Source:BleepingComputer
Post
CISA warns of actively exploited RCE flaws in Joomla extensions
TL;DRAI · 60 sec read

CISA adds two maximum-severity remote code execution vulnerabilities in Joomla extensions iCagenda and Balbooa Forms to its Known Exploited Vulnerabilities catalog following active exploitation. The flaws permit arbitrary file uploads leading to full site compromise. Federal agencies must patch by July 13. All Joomla operators should update their extensions without delay.

CISA has added two maximum-severity vulnerabilities in popular Joomla extensions to its Known Exploited Vulnerabilities catalog after attackers began exploiting them for remote code execution.

CISA orders federal agencies to patch by July 13. The agency categorized both flaws as maximum priority under Binding Operational Directive 26-04. Federal agencies must apply available security updates or mitigations within three days of the catalog addition on July 10.

The directive requires action by today.
Attackers can upload arbitrary files, including PHP scripts, through the file attachment feature, leading to data theft, web shell installation, and full website compromise.

Arbitrary file uploads enable PHP execution in iCagenda. CVE-2026-48939 affects the iCagenda extension, an open-source tool for event registration, scheduling, and calendar creation. Attackers can upload arbitrary files, including PHP scripts, through the file attachment feature, leading to data theft, web shell installation, and full website compromise.

CISA describes it as an unrestricted upload of file with dangerous type vulnerability. The flaw carries a CVSS score of 10.0.
From The CircuitryThe Feed — live briefs across tech, all day.See what’s happening →
Balbooa Forms flaw also allows unauthenticated RCE. CVE-2026-56291 impacts the Balbooa Forms extension, a drag-and-drop form builder that supports file uploads for contact forms. The vulnerability permits upload of dangerous file types such as executables, resulting in remote code execution and complete site takeover.

This flaw also holds a CVSS score of 10.0. Both vulnerabilities were added to the KEV catalog following confirmed zero-day exploitation.
The vulnerability permits upload of dangerous file types such as executables, resulting in remote code execution and complete site takeover.

Exploitation began before patches were available. According to mySites.guru, automated attacks against iCagenda were observed just hours before version 4.0.8 shipped. The Balbooa Forms vulnerability was exploited as a zero-day since July 8, one day before the vendor released its fix.

iCagenda 4.0.8 and 3.9.15, released June 15-16, address CVE-2026-48939. Balbooa Forms 2.4.1, released July 9, fixes CVE-2026-56291.
Joomla site operators urged to review and update immediately. Administrators should check for the presence of either extension and apply the available patches or implement mitigations. SecurityWeek reports that all organizations, not just federal agencies, should review the KEV catalog entry and act to protect their assets.

EXPERT TAKE

These maximum-severity RCEs via unauthenticated uploads highlight why extension inventories and rapid patching remain non-negotiable for any Joomla deployment.

Why this mattersAI · ~100 words

Tap a lens to see what this story means for you.

Reader-supported
DonateBuy me a coffee →Follow@thecircuitry_ →Follow@thecircuitry.to →

Reader-supported · Daily Brief

Daily brief at 7 AM ET. Top tech stories, every morning. Sourced and fact-checked.

HELP US IMPROVE
From The Circuitry

See what’s happening right now

The Feed runs all day — short, verified briefs the moment they break.

Open the Feed →
From The Circuitry

Follow @thecircuitry_

Every story we publish, as it happens. No noise between.

Follow on X ↗On Bluesky ↗

Reader-supported

The Circuitry is a passion project I've always wanted to build, and I love the work behind it.

Running it costs real money. APIs, hosting, time. To keep improving the site and growing this into something useful for everyone, those costs have to be covered.

Any contribution is appreciated. If not, no pressure. Thanks for reading.

Buy me a coffee
CISAJoomlaVulnerabilitiesRCEKEV
More fromBleepingComputer
  • OpenAI Temporarily Drops 5-Hour Cap on GPT-5.6 Sol

    Tech · 20h
  • Progress tells ShareFile on-premises users to power down servers over reported threat

    Tech · 3d
  • Hackers exploit critical auth bypass in Gitea Docker image

    Tech · 3d
More inTech
  • Philips to replace bricked Hue Bridge Pro devices

    Tech · 2h
  • Tesla Dismantles Model S/X Lines at Fremont for Optimus

    Tech · 3h
  • Apple accuses OpenAI of stealing secrets for AI hardware

    Tech · 3h
SupportThe Work

The Circuitry is reader-supported. If you find the daily brief useful, you can buy me a coffee to keep it going.

Buy a coffee →
SubscribeCircuitry Brief

Daily brief at 7 AM ET. Top tech stories, every morning.

MORE IN TECH

Philips to replace bricked Hue Bridge Pro devices

Philips is replacing fewer than 100 Hue Bridge Pro devices bricked by a specific firmware update scenario and has issued a new update on July 13 to prevent further cases. The replacements are free regardless of warranty but require users to rebuild their smart lighting setups from scratch since configuration backups are unavailable.

Tesla Dismantles Model S/X Lines at Fremont for Optimus

Tesla has torn down its original Model S and Model X assembly lines at the Fremont factory in 46 days to begin Optimus robot production. The move prepares the site for up to 1 million units per year while larger volumes are planned for Texas.

Apple accuses OpenAI of stealing secrets for AI hardware

Apple has filed a 41-page lawsuit accusing OpenAI and three former employees of stealing confidential documents and trade secrets to aid development of the startup's first AI hardware device. The claims include retaining company computers, exploiting network vulnerabilities, and coaching staff on evading security to obtain unreleased product details.