The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-48939 and CVE-2026-56291 to its Known Exploited Vulnerabilities (KEV) catalog after reports confirmed active zero-day attacks targeting the iCagenda and Balbooa extensions for Joomla. Both flaws carry the maximum CVSS severity score of 10.0 and can allow attackers to upload malicious files that ultimately lead to remote code execution.
CVE-2026-48939 in iCagenda and CVE-2026-56291 in Balbooa Actively Exploited
According to the cloud-based website management platform, mySites.guru, CVE-2026-48939 has been exploited in automated attacks since June 15, 2026. The vulnerability affects the iCagenda Joomla extension through its “Submit an Event” feature, enabling attackers to upload arbitrary PHP files and execute malicious code.
“We first saw it in a client’s access log: an automated scanner identifying itself as ‘icagenda-batch/1.0’ grabbed a token, posted a malicious upload to the submit endpoint, then fetched the planted shell at the exact path the component writes attachments to,” mySites.guru said.
The flaw impacts iCagenda versions 4.0.7 and earlier in the 4.x branch, along with legacy 3.x releases from 3.2.1 through 3.9.14. Developer JoomliC addressed CVE-2026-48939 in versions 4.0.8 and 3.9.15. Administrators are advised to inspect the “images/icagenda/frontend/attachments/” directory for suspicious PHP files and remove any unauthorized uploads.
mySites.guru also reported active exploitation of CVE-2026-56291, which affects Balbooa Forms versions up to and including 2.4.0. The issue was patched in version 2.4.1.
“Up to and including version 2.4.0, its frontend attachment upload had a serious flaw: it accepted a file from any anonymous visitor, with no login, no CSRF token, and no check on the file type,” the company said. “An attacker could upload a PHP file into a public folder and then run it, which is unauthenticated remote code execution, the worst outcome a web flaw can have.”
Discovered on July 8, 2026, during an attack against one of its customers, CVE-2026-56291 prompted mySites.guru to recommend checking the default “images/baforms/uploads” directory for non-image or non-document files, reviewing Joomla administrator accounts for suspicious additions, and auditing recently modified PHP files across affected websites.
Broader CMS Exploitation Campaign Raises Concerns
Following the addition of CVE-2026-48939 and CVE-2026-56291 to the KEV catalog, Federal Civilian Executive Branch agencies have until July 13, 2026, to apply available patches.
Separately, the Australian Cyber Security Centre (ACSC) warned of a global campaign targeting vulnerable CMS platforms and plugins, including iCagenda, Balbooa, Sneeit Framework (CVE-2025-6389), WPBookit (CVE-2025-7852), Gravity Forms (CVE-2025-12352), Craft CMS (CVE-2025-32432), Ninja Forms (CVE-2026-0740), MaxSite CMS (CVE-2026-3395), Breeze Cache (CVE-2026-3844), WavePlayer (CVE-2025-12057), MetInfo CMS (CVE-2026-29014), and Joomla JCE (CVE-2026-48907).
As part of this campaign, malicious cyber actors are actively scanning websites for opportunities to deploy web shells,” ACSC said, adding that attackers are exploiting vulnerabilities enabling unauthenticated file uploads, remote code execution, server-side request forgery, and deserialization. The agency further warned that “advances in AI are accelerating the speed and scale of cyber operations, reducing the time between vulnerability disclosure and exploitation.”
