← Back to blog

Joomla Extensions Exploited as Zero-Days Added to CISA KEV Catalog

Two critical Joomla extensions, iCagenda and Balbooa Forms, are under active exploitation as zero-days. CISA has added these vulnerabilities to its Known Exploited Vulnerabilities catalog.

TL;DR

  • CISA adds two critical Joomla extension flaws to its KEV list.
  • Both CVE-2026-48939 and another unnamed flaw are being exploited in the wild.
  • The vulnerabilities carry a maximum CVSS score of 10.0.
  • Organizations using these plugins should patch or disable them immediately.
  • Exploitation allows remote code execution and full site compromise.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog with two high-severity flaws affecting popular Joomla extensions. These vulnerabilities, found in iCagenda and Balbooa Forms, are reportedly being exploited as zero-days, posing a significant risk to websites running these plugins.

Both issues are rated with a maximum CVSS score of 10.0, indicating critical severity. Organizations leveraging these Joomla components are strongly advised to take immediate mitigation steps, including applying patches if available or disabling the affected extensions until remediation can be completed.

Vulnerability Details

  • CVE-2026-48939 affects the iCagenda extension for Joomla.
  • The second flaw impacts Balbooa Forms, another widely-used Joomla plugin.
  • Both vulnerabilities allow unauthenticated remote attackers to execute arbitrary code.
  • They have been observed actively exploited in real-world attacks.
  • CISA added these entries to the KEV catalog to highlight urgency for federal agencies and private sector organizations alike.

Impact and Recommendations

  • Successful exploitation grants attackers full control over affected Joomla websites.
  • Attackers can deface sites, steal sensitive data, or deploy backdoors.
  • Organizations should audit their Joomla installations for use of iCagenda or Balbooa Forms.
  • Immediate actions include disabling the plugins, applying vendor patches, or migrating to secure alternatives.
  • Monitoring server logs for suspicious activity related to these extensions is also recommended.

Sources

Sources

Security email updates

One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.

Joomla Extensions Exploited as Zero-Days Added to CISA KEV Catalog — Agent Breach Blog | Agent Breach