Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two maximum-severity security flaws impacting iCagenda and Balbooa extensions for Joomla to its Known Exploited Vulnerabilities (KEV) catalog, following reports of zero-day exploitation in the wild. The vulnerabilities, both rated 10.0 on the CVSS scoring system, are below - CVE-2026-48939 - A vulnerability in the
Analysis Summary
# Vulnerability: iCagenda and Balbooa Forms Arbitrary File Upload
## CVE Details
- **CVE ID:** CVE-2026-48939 (iCagenda), CVE-2026-56291 (Balbooa Forms)
- **CVSS Score:** 10.0 (Critical)
- **CWE:** CWE-434 (Unrestricted Upload of File with Dangerous Type)
## Affected Systems
- **Products:**
- JoomliC iCagenda (Joomla extension)
- Balbooa Forms (Joomla extension)
- **Versions:**
- **iCagenda:** 4.x up to 4.0.7; Legacy 3.x from 3.2.1 up to 3.9.14.
- **Balbooa Forms:** All versions up to and including 2.4.0.
- **Configurations:**
- iCagenda: Systems with the "Submit an Event" form enabled.
- Balbooa Forms: Systems with the frontend attachment upload feature enabled (accessible to anonymous visitors).
## Vulnerability Description
Both vulnerabilities are critical file upload flaws that allow unauthenticated attackers to bypass security checks and upload arbitrary files to the web server.
- **CVE-2026-48939 (iCagenda):** The "Submit an Event" functionality fails to properly validate file attachments. Attackers can upload PHP shells to the attachment directory and execute them to gain control of the site.
- **CVE-2026-56291 (Balbooa Forms):** The extension’s frontend attachment upload feature lacks login requirements, CSRF tokens, and file-type verification. This allows an anonymous visitor to upload a PHP file directly into a public folder for Remote Code Execution (RCE).
## Exploitation
- **Status:** **Exploited in the wild** as zero-days (confirmed since June 15, 2026). Added to CISA KEV catalog.
- **Complexity:** Low
- **Attack Vector:** Network (Unauthenticated)
## Impact
- **Confidentiality:** Total (Risk of full data exfiltration)
- **Integrity:** Total (Risk of website defacement or unauthorized modifications)
- **Availability:** Total (Risk of complete server takeover or service disruption)
## Remediation
### Patches
- **iCagenda:** Update to version **4.0.8** or **3.9.15** (Legacy).
- **Balbooa Forms:** Update to version **2.4.1**.
### Workarounds
- Disable the "Submit an Event" feature in iCagenda.
- Disable frontend file upload capabilities in Balbooa Forms if patches cannot be immediately applied.
- Implement a Web Application Firewall (WAF) to block requests to known upload paths containing PHP extensions.
## Detection
- **Indicators of Compromise (IoC):**
- User Agent: `icagenda-batch/1.0` (associated with automated scanning).
- Presence of PHP files in: `images/icagenda/frontend/attachments/`
- Presence of non-image/non-document files in: `images/baforms/uploads/`
- **Detection Methods:**
- Audit Joomla user lists for unauthorized administrator accounts.
- Review server access logs for POST requests to submit endpoints followed by GET requests to the attachment directories.
- Scan for recently modified PHP files across the entire site installation.
## References
- CISA KEV Catalog: hxxps://www.cisa[.]gov/known-exploited-vulnerabilities-catalog
- JoomliC Security Advisory: hxxps://www.joomlic[.]com/news/icagenda-security-update
- Balbooa Changelog: hxxps://www.balbooa[.]com/help/joomla-forms-documentation/basics/changelog
- mySites.guru Research: hxxps://mysites[.]guru/blog/icagenda-zero-day-file-upload-rce/