Japan’s largest taxi operator shuts systems after cyberattack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that attackers are exploiting vulnerabilities in the iCagenda and Balbooa Forms extensions for Joomla to achieve remote code execution through arbitrary file uploads.

The agency has categorized the flaws as a maximum priority, ordering federal agencies to apply available security updates and/or mitigations within three days, with the deadline set for today.

The first flaw, tracked as CVE-2026-48939, is an arbitrary file upload flaw impacting the iCagenda extension used for registering and scheduling events and creating calendars.

An attacker can exploit the vulnerability to upload arbitrary files to the web server, including PHP scripts, which can lead to data theft, web shell installation, and complete website compromise by achieving remote code execution (RCE).

“iCagenda contains an unrestricted upload of file with dangerous type vulnerability that allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution,” CISA warns in its entry in the Known Exploited Vulnerabilities (KEV) catalog.

The second flaw added to KEV is CVE-2026-56291, an arbitrary file upload issue in the Balbooa Forms extension for Joomla.

Balbooa Forms is a drag-and-drop form builder for creating contact forms on Joomla sites, with file upload support.

According to CISA, this functionality can be used to upload dangerous file types, such as executable files, leading to RCE and full website takeover.

According to website management and security platform mySites.guru, both flaws were exploited in automated attacks before vendors released a patch.

For iCagenda, attacks were observed just a few hours before the release of version 4.0.8, which addressed CVE-2026-48939.

The management service says that the CVE-2026-56291 vulnerability in Balbooa Forms was exploited as a zero-day, leveraged in attacks since July 8, a day before the vendor released a fix for the issue.

Website administrators managing Joomla sites should check for the presence of iCagenda and Balbooa Forms and take action where needed to protect their assets.

The flaws are fixed in iCagenda version 4.0.8 and 3.9.15, released on June 15-16, and Balbooa Forms version 2.4.1, released on July 9.

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

CISA orders feds to prioritize patching Langflow auth bypass flaw

Critical Langflow RCE flaw exploited to hack AI app servers

CISA warns of max severity Ubiquiti flaws exploited in attacks

CISA sets urgent deadline to fix Cisco flaw exploited in attacks

CISA orders feds to patch max severity Joomla plugin flaw by Friday

Claude Fable 5 stays free for paid users until July 19 as Anthropic buys more time

Australia warns of global campaign targeting vulnerable CMS platforms

‘Ghostcommit’ hides prompt injection in images to fool AI agents, steal secrets

AI is a data-breach time bomb: Read the new report?utm_source=bleepingcomputer&utm_medium=referral&utm_campaign=bleepingcomputer_referral&utm_content=article

How Mature Is Your AI Security Program? Take the Free AI Maturity Assessment.

Overdue a password health-check? Audit your Active Directory for free

#1 MSP Benchmark report 2026: Insights from 1,000+ MSPs on growth, security, artificial intelligence, and key 2026 trends.

Your Scanners Are Green. Your Pipeline Might Not Be. Here’s How to Close the Gap.

Terms of Use – Privacy Policy – Ethics Statement – Affiliate Disclosure

Read our posting guidelinese to learn what content is prohibited.