Cookie Consent by Free Privacy Policy Generator

CISA Adds Exploited Joomla Extension Vulnerabilities to KEV Catalogue

On 10 July 2026, CISA added two maximum-severity vulnerabilities to its Known Exploited Vulnerabilities catalogue following reports of active exploitation. CVE-2026-48939 affects the iCagenda extension for Joomla, and CVE-2026-56291 affects the Balbooa Forms extension. Both vulnerabilities are rated 10.0 on the CVSS scale and involve unrestricted file upload, allowing attackers to upload and execute malicious code on vulnerable Joomla installations. The Hacker News reported that both flaws were exploited as zero-days before patches were available, indicating that attackers were actively scanning for and targeting vulnerable Joomla sites.

Why this matters for UK organisations

For UK organisations running Joomla-based websites, particularly in the public sector, education, charities and small businesses where Joomla remains a popular content management platform, this represents a direct and immediate risk. Unrestricted file upload vulnerabilities are among the most reliably exploited weaknesses because they provide attackers with a straightforward path to remote code execution, allowing them to take control of the web server, steal data or deploy ransomware. The fact that both vulnerabilities were exploited as zero-days suggests that attackers are actively targeting Joomla installations with these extensions. Many organisations may not have visibility into which third-party extensions are installed on their Joomla sites, particularly where websites are managed by external agencies or have been in place for several years without regular review. This lack of visibility creates significant patch management challenges.

What to review

Organisations should identify which Joomla extensions are installed across their web estate, ensure that patches for CVE-2026-48939 and CVE-2026-56291 are applied immediately, and review whether unused or unmaintained extensions should be removed to reduce the attack surface. Consider whether web application firewalls or other compensating controls are in place to detect and block file upload attacks, and whether there is a process for monitoring security advisories related to Joomla and its extensions. It is also worth reviewing whether responsibility for patching third-party extensions is clearly assigned, particularly where websites are managed by external agencies or contractors. Ensure that there is a clear process for responding quickly when vulnerabilities are disclosed, and that testing and deployment procedures do not create unnecessary delays in applying critical security patches.

Source: CISA

News and blog posts
Today's brief highlights four areas where security discipline matters most:...
On 11 July 2026, Socket reported that version 8.14.0 of the jscrambler npm...
The U.S. Cybersecurity and Infrastructure Security Agency published a forensic...
On 10 July 2026, CISA added two maximum-severity vulnerabilities to its Known...