🚨 CRITICAL ALERT: Active Zero-Day Exploits
Operational security teams must immediately patch or disable two CISA KEV-mandated Joomla extensions as active, unauthenticated exploits are already compromising servers with full Remote Code Execution (RCE). These vulnerabilities carry a maximum CVSS score of 9.8/10, allowing attackers to upload and execute arbitrary PHP files without any login credentials, resulting in complete system takeover.
Critical Vulnerabilities (CVSS >= 8.0)
- CVE-2026-48939 (CVSS: 9.8): A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution. Automated scanners using the identifier
icagenda-batch/1.0have been actively exploiting this flaw since June 15, 2026, targeting Joomla 6 sites to deploy web shells and backdoors [1][2][3][4]. View NVD | CISA KEV - CVE-2026-56291 (CVSS: 9.8): The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE. This flaw permits attackers to bypass authentication entirely and execute malicious code on the server [2]. View NVD | CISA KEV
âš¡ Immediate Actions Required
Because these vulnerabilities are actively exploited in the wild and included in the CISA Known Exploited Vulnerabilities catalog, organizations must execute the following steps immediately:
- Patch iCagenda Immediately: Upgrade to version 4.0.8 (current) or 3.9.15 (legacy) to fix the unauthenticated file upload flaw affecting all versions up to 4.0.7 [4].
- Update or Disable Balbooa Forms: Apply the vendor patch for CVE-2026-56291 immediately; if no patch is available, disable the extension or restrict access to the file upload feature via a Web Application Firewall (WAF) [5].
- Audit Web Servers: Search for newly uploaded .php files in public directories (especially event submission forms) and check for web shells or backdoors, as attackers have already deployed executable code [4].
- Block Scanners: Monitor logs for requests containing
icagenda-batch/1.0and block traffic from associated IP addresses to halt automated exploitation attempts [4].

