Top/Articles/Two Joomla extensions under active attack: Balbooa Forms & iCagenda RCE
joomla-extensions-cve-cover-en

Two Joomla extensions under active attack: Balbooa Forms & iCagenda RCE

Joomla extensions Balbooa Forms and iCagenda have critical unauthenticated RCE flaws (severity 9.8), already exploited and on CISA's KEV list. Update to the fixed versions now.

NewsPublished July 11, 2026 Updated today
Table of contents
Key takeaways

Joomla extensions Balbooa Forms and iCagenda have critical unauthenticated RCE flaws (severity 9.8), already exploited and on CISA's KEV list. Update to the fixed versions now.

Two popular extensions for the website-building system "Joomla" β€” the form builder "Balbooa Forms" and the event calendar "iCagenda" β€” have serious flaws that could let a third party who is not logged in send in a malicious file and take over the whole site along with its server. The identifiers are CVE-2026-56291 and CVE-2026-48939, and both carry a severity of 9.8 out of 10, in the top tier.

What matters most is that both are already being used in actual attacks. The U.S. government's cyber-defense agency CISA has added both to its "Known Exploited Vulnerabilities catalog (KEV)," a list of vulnerabilities confirmed to be exploited in the wild. Fixes have already been released. If you run a Joomla site and use either of these, update to the latest version right now. You also need to check whether you have already been taken over.

What are Balbooa Forms and iCagenda

Joomla is a website-building system (CMS) widely used around the world alongside WordPress. An extension (plugin) is a part that adds functionality to Joomla after the fact. The two at issue here are both popular Joomla extensions. Balbooa Forms is a form builder for creating inquiry and application forms by drag and drop. iCagenda is an event-calendar extension for posting and accepting events, including a feature that lets visitors submit their own events.

Both share a feature that lets users or visitors attach and submit files. A "window that receives files from outside," like a form attachment or an event submission, can become an entry point for taking over a server if the receiving side checks too loosely and a program file is sent in. RCE (remote code execution) in Joomla page-building tools was just reported in the vulnerability in two page builders such as SP Page Builder, and on the WordPress side the same pattern recurs, as with the takeover vulnerability in the form builder plugin Super Forms.

What is dangerous, and how far can the damage spread

Both are flaws specialists call "arbitrary file upload." These features should only accept certain kinds of files, such as images or PDFs, but they were receiving files without checking their type. As a result, an attacker can send in a program file (a PHP file) that can execute commands on the server, and have it run as-is. The U.S. National Institute of Standards and Technology (NIST) classifies this as unrestricted upload of dangerous file types (CWE-434).

Once the planted program runs on the server, the attacker seizes the site's admin rights and can do virtually anything β€” defacing pages, exfiltrating member information and inquiry data, even using the server as a springboard to attack other sites. Exploitation requires no login; the attacker just sends crafted requests to a public form or event-submission page. The severity of 9.8 reflects the fact that a server can be seized without any special privileges or user action.

The most serious point is that these are already being actively exploited. The iCagenda flaw was a "zero-day" (an attack before a fix existed), with an automated program identifying itself as "icagenda-batch/1.0" reported to be scanning for and attacking unprotected sites. Balbooa Forms likewise had confirmed exploitation before the fix was released. Vulnerabilities confirmed to be exploited become targets of urgent CISA warnings, as with the takeover vulnerability in Oracle EBS and the SharePoint Server vulnerability.

Who targets these holes, and what happens

Exploiting these are attackers who deface sites to use as springboards for fake pages and spam, and ransomware groups that take over servers to demand a ransom. Because it can be done without even logging in, they automatically scan for vulnerable Joomla sites and attack them en masse once found. In fact, for iCagenda, an automated scanner named "icagenda-batch/1.0" has been observed indiscriminately crawling sites and sending in PHP files, showing that this technique is active right now.

The flow of attack is startlingly simple. Attackers send a program file disguised as an image or the like to a public form or event-submission window, then run it on the server to seize control of the site. All it takes is a few requests, with no click or action required from the victim. Sites left un-updated after being outsourced make especially easy targets.

As a result, the individuals and businesses running the sites have their public pages defaced, or the personal data collected through forms and events stolen wholesale. A hijacked site is turned, without the owner's knowledge, into a base for phishing or malware distribution, and visitors can be harmed too. Once control is lost, recovery costs time and money, and the site's very credibility is damaged.

What is happening from a technical standpoint

Each of the two flaws, reported in quick succession, has an identifier assigned.

CVE-2026-56291: Balbooa Forms, site takeover via unauthenticated file upload (severity 9.8)

The form-submission processing in Balbooa Forms (internal name com_baforms) was missing the mechanism to validate the type of attached files. As a result, an attacker who is not logged in can send an executable PHP file into a public folder and call it directly from the web to run it. Once the planted file executes, the attacker's commands run on the server. Affected are versions 1.0 through 2.4.0, and the vendor fixed it in 2.4.1, released on July 9, 2026. This flaw is reported to have been exploited before the fix was released, and it is listed in CISA's Known Exploited Vulnerabilities catalog (KEV).

CVE-2026-48939: iCagenda, PHP execution from the event-submission form (severity 9.8, actively exploited)

In iCagenda, the file-attachment feature used when visitors submit an event had the same flaw of receiving files without checking their type. Without any login, an attacker can send a PHP program (a "web shell," a back door for remote control) through the event-submission form and take over the server. Affected are 3.2.1 through 3.9.14, and 4.0.0 through 4.0.7; the vendor released 4.0.8 on June 15, 2026, and 3.9.15 the next day for the legacy branch. Exploitation by an automated scanner identifying as "icagenda-batch/1.0" has been observed, and a proof-of-concept reproducing the attack has been published. Because it was targeted before the fix was released, this is a high-urgency case.

Affected versions and countermeasures

The affected and fixed versions for each are as follows. Because they are actively exploited, update with top priority if you are affected.

ExtensionIdentifierSeverityAffectedFixed in
Balbooa FormsCVE-2026-562919.81.0–2.4.02.4.1
iCagendaCVE-2026-489399.83.2.1–3.9.14
4.0.0–4.0.7
3.9.15
4.0.8

As a stopgap if you cannot update immediately, temporarily disabling the affected extension or temporarily taking the form or event-submission page offline can narrow the entry points. But since they are already being widely targeted, these are only time-buying measures. Fundamentally, you need to update to the latest version and check whether you have been breached.

What is confirmed, and what is still unknown

βœ“ Confirmed facts

  • βœ“Both allow file upload without login or user action, leading to RCE (server takeover). Severity 9.8 each (NVD: Balbooa / NVD: iCagenda)
  • βœ“They are already being exploited in actual attacks and are listed in the U.S. CISA Known Exploited Vulnerabilities catalog (KEV). For iCagenda, exploitation by an automated scanner identifying as "icagenda-batch/1.0" has been observed
  • βœ“Fixes are released (Balbooa Forms 2.4.1 / iCagenda 4.0.8 and 3.9.15). The cause in both is unvalidated file type (CWE-434)

? Not yet confirmed

  • ?Specific damage counts for domestic sites and details of exploitation in particular regions are not clear as of publication
  • ?When and how far an already-breached environment was abused must be checked on a site-by-site basis (check the latest KEV status here)
  • ?Because they are unauthenticated and under active exploitation, it is safest to inspect un-updated sites on the assumption they may already be breached

What you can do right now

The core countermeasure is clear. The top priority is to update Balbooa Forms to 2.4.1 and iCagenda to 4.0.8 (3.9.15 for the legacy branch). Because exploitation is already confirmed, every bit of delay raises the risk of takeover. Check for extension updates from the Joomla admin panel and apply the latest version.

Beyond updating, checking whether you have already been breached is important. See whether unfamiliar PHP files have been placed in the server's upload folder, whether unknown admin accounts have appeared, and whether any pages have been defaced. Suspicious access such as "icagenda-batch" in your access logs is also a clue. If you suspect a breach, consider restoring from a backup or consulting a security professional. Flaws in features that receive files recur regardless of product, as with the vulnerability in the booking plugin LatePoint, so deleting unused extensions and keeping only the active ones up to date is the basic principle.

Who you areWhat you can do nowPriority
Site operatorUpdate to the latest version
Check for signs of a breach
Top priority
If you build sites for othersCheck clients' extensions and versions
Inspect for suspicious files
High
Suspect a breachDelete suspicious PHP, investigate the entry path
Consider restoring from backup
High

Frequently asked questions

Q. How do I check whether my site uses Balbooa Forms or iCagenda?

A. Log in to the Joomla admin panel and check the list of installed extensions under "System" β†’ "Manage Extensions." If Balbooa Forms or iCagenda is present and its version is in the affected range, it needs updating. If a web agency manages your site, ask them to check the extensions and update.

Q. What does "already being attacked" mean?

A. It means the U.S. cyber-defense agency CISA added these two to its "Known Exploited Vulnerabilities catalog (KEV)," a list of vulnerabilities confirmed to be exploited. In other words, this is not a theoretical risk β€” attackers are actively using these holes to try to take over sites. Treat un-updated sites on the assumption they may already be targeted.

Q. Am I safe once I update?

A. Updating closes the hole itself, but if you were already breached before updating, a back door (web shell) may remain. Even after updating, check for unfamiliar PHP files or admin accounts and any defaced pages. If worried, restoring from a clean backup is the sure course.

Q. Am I safe if I don't use the form or event-submission feature?

A. If the extension is installed and enabled, the attack window may be exposed even if you do not actively use the feature. The sure thing is to update to the latest version. Deleting unused extensions rather than merely disabling them reduces this kind of risk.

Summary

This case is about how the popular Joomla extensions Balbooa Forms and iCagenda were receiving files without checking their type, so that a third party who is not logged in could send in a program file and take over the site and its server. Both are severity 9.8, and moreover they are already being used in actual attacks and are listed in CISA's Known Exploited Vulnerabilities catalog. This is not a theoretical risk but an ongoing threat.

The saving grace is that fixes have already been released for both. Updating Balbooa Forms to 2.4.1 and iCagenda to 4.0.8 (3.9.15 for the legacy branch) closes the hole. But because exploitation came first, it is important to update and, at the same time, check whether you have already been breached. Working on the assumption that features receiving files are prime targets, it is worth building the habit of keeping extensions promptly up to date. If there is any new sign of exploitation, we will report it again.

References

avatar-m-1

Makoto Horikawa

Backend Engineer / AWS / Django