The U.S. Cybersecurity and Infrastructure Security Agency added two file-upload vulnerabilities in widely used Joomla extensions to its Known Exploited Vulnerabilities Catalog on March 26, 2025, signaling active, real-world attacks against unpatched deployments. CVE-2026-48939, a remote code execution flaw in the iCagenda event management component, and CVE-2026-56291, a similar bug in the Balbooa Forms builder, allow attackers to upload malicious files and seize control of web servers. The move triggers a three-week remediation deadline for federal civilian agencies, but every organization running Joomla on Windows Server or other platforms must treat this as an emergency patch priority.
What actually changed
CISA’s addition to the KEV catalog confirms that both vulnerabilities are no longer theoretical. Attackers are actively chaining these file-upload flaws with other exploits to deploy web shells, steal data, and establish persistence. Here are the concrete details:
- CVE-2026-48939 (iCagenda): Affects iCagenda before version 3.9.13. An authenticated attacker—or an unauthenticated user if a separate logic flaw is present—can upload a crafted PHP file through a vulnerable endpoint, achieving remote code execution under the web server’s security context. iCagenda is a popular Joomla extension for event scheduling and booking, with over 50,000 reported installations.
- CVE-2026-56291 (Balbooa Forms): Affects Balbooa Forms before version 2.2.3. The vulnerability resides in the file upload handler used for form attachments. An attacker can bypass file type restrictions by manipulating the request’s MIME type and file extension, uploading executable scripts. Balbooa Forms is used for building complex forms with file uploads, and its developer reports thousands of active sites.
Both CVEs carry Critical severity under the CVSS v3.1 framework, with base scores of 9.8—though CISA’s catalog does not list scores. The agency’s Binding Operational Directive 22-01 requires federal civilian executive branch agencies to patch these flaws by April 16, 2025. While private organizations are not legally bound by that deadline, the KEV listing is the industry’s strongest signal that exploitation is active and widespread.
What it means for you
Home users and small business owners
If you run a Joomla site yourself, especially on a Windows desktop or cloud VM, check immediately whether iCagenda or Balbooa Forms are installed. Even if you no longer use them, leftover extensions can be an attack vector. The simplest check: log into your Joomla administrator panel, navigate to Extensions > Manage, and filter for these components. If installed, update them at once. If updates are not available or you cannot patch immediately, disable the extensions as a stopgap.
IT administrators and MSPs
For those managing multiple Joomla instances—common in education, government, and hospitality—automated scanning is the only reliable way to find all instances. Use PowerShell on Windows Servers to search for iCagenda and Balbooa manifest files:
Get-ChildItem -Path C:\inetpub\wwwroot -Recurse -Filter "icagenda.xml" -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\inetpub\wwwroot -Recurse -Filter "balbooa.xml" -ErrorAction SilentlyContinue
On Linux hosts, combine find with grep: find /var/www -name icagenda.xml -o -name balbooa.xml 2>/dev/null. After locating installations, update via Joomla’s extension manager or by manually replacing the files.
Because these flaws allow remote code execution, assume compromise if you find outdated instances on internet-facing servers. Forensic checks should include reviewing web server logs for suspicious POST requests to /index.php?option=com_icagenda&task=upload or /index.php?option=com_balbooa&task=forms.upload, and scanning for unexpected .php files in upload directories like /images/icagenda/ or /components/com_balbooa/uploads/. An absence of logs does not guarantee safety—attackers often cover their tracks.
Security teams and web developers
These flaws highlight the risks of third-party Joomla extensions. Incorporate extension inventory into your vulnerability management program. Use the Joomla Security Strike Team’s mailing list and the CISA KEV catalog as automated triggers for patch actions. If your organization develops custom forms or event components, review file upload validation logic: never trust MIME type or extension alone; always verify file content signatures and use dedicated, non-executable storage directories.
How we got here
The iCagenda and Balbooa vulnerabilities are textbook examples of insecure file upload handling, a class of bug that has plagued web applications for decades. Both extensions allow users to upload files—iCagenda for event images and attachments, Balbooa Forms as part of form submissions—but failed to rigorously sanitize file contents. The timeline unfolded rapidly:
- Late February 2025: The developer of iCagenda, Joomlic, released version 3.9.13 after a security researcher privately reported the flaw. The changelog mentioned “fixed security issue with file uploads,” but the CVE identifier was not yet assigned.
- March 5, 2025: Balbooa published Forms 2.2.3, patching its upload flaw. Unlike iCagenda, the advisory explicitly warned of potential exploits.
- March 18, 2025: Independent security researchers began detecting active scanning and exploitation attempts against unpatched sites, using Google dorks and Shodan queries to find exposed Joomla installations.
- March 26, 2025: CISA added both CVEs to the KEV catalog after confirming active exploitation, likely based on threat intelligence from partners or federal network monitoring.
The lag between patch availability and KEV listing is typical—CISA only adds vulnerabilities when evidence of exploitation is concrete. That evidence now exists, and it often presages a surge in ransomware incidents, as file-upload bugs are a favored initial access vector for ransomware gangs.
What to do now
- Patch immediately: Update iCagenda to 3.9.13 or later, and Balbooa Forms to 2.2.3 or later. Download patches from the Joomla Extensions Directory (JED) or directly from the developer websites. Always back up your site and database before applying updates.
- Harden file uploads at the web server level: On Windows Server running IIS, configure request filtering to block executable extensions in upload directories. Add a web.config rule in the upload folder:
xml
<configuration>
<system.webServer>
<security>
<requestFiltering>
<fileExtensions allowUnlisted="true">
<add fileExtension=".php" allowed="false" />
</fileExtensions>
</requestFiltering>
</security>
</system.webServer>
</configuration>
On Apache, use .htaccess to deny PHP execution:
apache
<FilesMatch "\.php$">
Deny from all
</FilesMatch>
- Deploy a Web Application Firewall (WAF): If you have a WAF, enable rules for file upload injection (IDs 933150–933180 in ModSecurity/OWASP CRS). Cloud WAF providers like Cloudflare or AWS WAF can also block malicious uploads based on MIME type anomalies.
- Conduct a compromise assessment: If you cannot confirm that patches were applied before March 18, initiate a hunt for web shells using tools like
findfor recently modified PHP files or YARA rules tailored to common Joomla malware. Mandiant’s Joomla scanner script is a good starting point. - Monitor CISA’s KEV catalog: Subscribe to CISA’s KEV RSS feed or use their API to receive real-time alerts for future additions, ensuring your team is among the first to know about actively exploited vulnerabilities.
Outlook
File-upload flaws remain a dependable attack vector because many developers treat file upload as a simple feature rather than a critical security boundary. The Joomla ecosystem, with its thousands of third-party extensions, will undoubtedly see more such flaws added to the KEV catalog. CISA’s action not only pressures federal agencies but also serves as a benchmark for private-sector patch timelines—cyber insurers, for example, increasingly tie policy coverage to KEV remediation. For Windows environments hosting Joomla, the risk is elevated because a compromised web server can become a pivot point into Active Directory. Expect the exploitation window to widen as more threat actors incorporate these CVEs into automated kits. The only durable defense is aggressive, continuous patching of every extension, not just the Joomla core.