Patch Joomla Form Extensions Now: CISA Adds Balbooa Forms and iCagenda RCEs to KEV

LinkLoot-generated editorial cover for CISA KEV Joomla upload vulnerabilities.LinkLoot
LinkLoot-generated editorial cover for CISA KEV Joomla upload vulnerabilities.LinkLoot
Tools & Apps

CISA added two actively exploited Joomla extension upload flaws to KEV on July 10, 2026, with a July 13 remediation deadline for covered agencies.

Confirmed: CISA added two Joomla extension file-upload vulnerabilities to the Known Exploited Vulnerabilities catalog on July 10, 2026. The affected items are Balbooa Forms CVE-2026-56291 and iCagenda CVE-2026-48939, both tied to dangerous file uploads that can lead to executable code on a Joomla site.

Security alert cover for Joomla extension upload flaws
LinkLoot-generated editorial cover.

What changed

CISA's KEV catalog now lists CVE-2026-56291 for Balbooa Forms and CVE-2026-48939 for iCagenda. Both entries carry a July 13, 2026 due date for covered federal agencies under CISA's risk-based patching rules.

The practical issue is simple: form and event extensions often sit on public websites, accept uploads, and stay forgotten after site launches. When that upload path accepts dangerous file types, an attacker may be able to place executable code where the web server can run it.

CVEProductRisk signalCISA date addedPatch check
CVE-2026-56291Balbooa Forms for JoomlaDangerous file upload, RCE riskJuly 10, 2026Check vendor update guidance and remove exposed vulnerable versions
CVE-2026-48939iCagenda for JoomlaArbitrary file upload leading to PHP code executionJuly 10, 2026NVD references fixed iCagenda 3.9.15 and 4.0.8 release notes

Key takeaways

  • Treat these as emergency CMS patch items, not routine plugin hygiene.
  • Inventory Joomla sites, including archived campaign microsites and client-maintained installs.
  • Check whether Balbooa Forms or iCagenda is installed, enabled, or reachable from the public internet.
  • Patch, disable, or remove vulnerable extensions before investigating deeper.
  • After patching, review upload directories, new admin users, modified templates, and unexpected PHP files.

Availability and access

There is no new tool to try here. The action is operational: update affected Joomla extensions, apply vendor mitigations, or discontinue use if a fix is unavailable. For iCagenda, NVD lists affected ranges and references release notes for versions 3.9.15 and 4.0.8.

For Balbooa Forms, verify the installed component version against the vendor's current release guidance before assuming safety. If a site is no longer actively maintained, remove public access first and then inspect it offline.

Why it matters

Upload bugs on CMS extensions are high-leverage for attackers because they can turn a small public form into a shell on the server. That is worse than a content defacement issue: the same access can lead to credential theft, spam infrastructure, malware hosting, or pivoting into adjacent hosting accounts.

LinkLoot's practical angle: website owners should keep a tiny CMS exposure checklist next to their SEO and landing-page workflows. If your stack includes older Joomla forms, event calendars, or page builders, vulnerability response belongs in the publishing workflow, not only the server admin queue. For teams turning patch checks into repeatable routines, LinkLoot's automation guide is a useful starting point: /guides/ai-workflow-automation.

What to verify before you act

  • Confirm whether any Joomla site uses Balbooa Forms or iCagenda, including staging and legacy subdomains.
  • Check the exact installed extension version and the Joomla major version.
  • Review vendor release notes before assuming a partial update closes the upload path.
  • Search web roots and upload folders for recently added PHP or suspicious archive files.
  • Rotate affected site credentials if logs show upload attempts or unexpected admin activity.

Source check

Confirmed by: CISA's KEV catalog lists both CVE-2026-56291 and CVE-2026-48939 as known exploited vulnerabilities with July 10, 2026 date-added entries and July 13, 2026 due dates. NVD corroborates iCagenda's upload-to-code-execution description, critical CVSS information, KEV status, and referenced fixed release notes.

Context: The CVE record for Balbooa Forms describes an unauthenticated arbitrary file upload path leading to full RCE. LinkLoot is not reproducing exploit steps here; the useful action is inventory, patching, exposure reduction, and post-patch compromise review.

FAQ

CISA added CVE-2026-56291 for Balbooa Forms and CVE-2026-48939 for iCagenda.