Full Report
Flaws in iCagenda, Balbooa Forms extensions can impact open source CMS that powers a million sites worldwide
Analysis Summary
This summary is based on the security advisories and reported exploitation regarding critical vulnerabilities in the iCagenda and Balbooa Forms extensions for the Joomla CMS.
# Vulnerability: Arbitrary File Upload leading to RCE in Joomla Extensions
## CVE Details
- **CVE ID:** CVE-2026-48939 (iCagenda), CVE-2026-56291 (Balbooa Forms)
- **CVSS Score:** 10.0 (Critical)
- **CWE:** CWE-434 (Unrestricted Upload of File with Dangerous Type)
## Affected Systems
- **Products:**
1. iCagenda (Events calendar extension for Joomla)
2. Balbooa Forms (Form builder extension for Joomla)
- **Versions:**
- iCagenda: Versions prior to 3.9.15 and 4.0.8
- Balbooa Forms: Versions prior to 2.4.1
- **Configurations:** Systems where these extensions are installed and the "Submit an Event" or "Frontend Upload" features are enabled for public or anonymous access.
## Vulnerability Description
Both vulnerabilities are Unrestricted File Upload flaws. In both extensions, the upload endpoints failed to adequately validate file types or monitor the destination directory.
- **iCagenda:** The flaw exists in the attachment feature of the "Submit an Event" function. Attackers can upload PHP files instead of intended media or document files.
- **Balbooa Forms:** The frontend upload endpoint lacked authentication and CSRF protection, allowing anonymous visitors to upload PHP files into publicly accessible directories.
## Exploitation
- **Status:** Exploited in the wild (Confirmed by CISA KEV Catalog).
- **Complexity:** Low (Automated scanning and unauthenticated endpoints).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** Total (Full access to server files and database).
- **Integrity:** Total (Ability to modify site content or inject malicious code).
- **Availability:** Total (Potential for site takeover or deletion).
## Remediation
### Patches
It is recommended to update the extensions to the following versions immediately:
- **iCagenda:** Update to version **4.0.8** or **3.9.15** (depending on the major version branch in use).
- **Balbooa Forms:** Update to version **2.4.1** or higher.
### Workarounds
- Disable the "Submit an Event" feature in iCagenda if not strictly necessary.
- Disable file upload fields in Balbooa Forms or restrict them to authenticated users only until patches are applied.
## Detection
- **Indicators of Compromise:** Presence of unauthorized PHP shells (web shells) in the `/media/` or `/uploads/` directories of the Joomla installation.
- **Detection Methods:** Review web server access logs for unusual POST requests to the iCagenda event submission or Balbooa form submission endpoints, particularly from unknown IP addresses followed by access to newly created `.php` files.
## References
- **CISA KEV Catalog:** hxxps[://]www.cisa.gov/known-exploited-vulnerabilities-catalog
- **Vendor Advisory (iCagenda):** hxxps[://]mysites.guru/blog/icagenda-zero-day-file-upload-rce/
- **Vendor Advisory (Balbooa):** hxxps[://]www.balbooa.com/joomla-forms-documentation/release-notes-history