Two arbitrary file-upload flaws in third-party Joomla extensions have landed in CISA’s Known Exploited Vulnerabilities catalog, both carrying the maximum CVSS score of 10.0, and both exploited in the wild before a patch existed. Neither flaw is in Joomla core. Both sit in the extension layer that most asset inventories never reach — which is the real story for anyone still treating CMS patching as a core-version problem.
Two uploads, no authentication, no validation
The first, CVE-2026-48939, affects the iCagenda event-calendar extension across the 4.x branch through 4.0.7 and the 3.x branch from 3.2.1 to 3.9.15. Per The Hacker News, it has been exploited as a zero-day since June 15, 2026, in automated campaigns — defenders have observed a scanner identifying itself as icagenda-batch/1.0 sweeping for vulnerable installs. The vulnerable path is the extension’s attachment feature, which accepts uploaded files that ultimately land in a web-reachable directory.
The second, CVE-2026-56291, affects Balbooa Forms up to version 2.4.0. The reported mechanism is about as bad as web application bugs get: an unauthenticated file upload with neither a CSRF token nor file-type validation. It was discovered on July 8, 2026 only after a live customer attack — meaning the vendor learned about the bug from an incident, not from a researcher.
Patches exist for both. iCagenda is fixed in 4.0.8 and 3.9.15; Balbooa Forms is fixed in 2.4.1. Federal civilian agencies were given a remediation deadline of July 13, 2026, and both flaws arrived alongside a broader KEV batch that also swept in an Adobe ColdFusion path-traversal flaw, CVE-2026-48282, itself rated 10.0.
The extension layer is the attack surface
The pattern across both bugs matters more than either bug. Joomla core was not the entry point. The upload handlers of two independently maintained community extensions were, and neither was likely to be enumerated by a scanner keyed on the core CMS version string. An organization can be fully current on Joomla itself and still be running a 10.0 unauthenticated RCE because a marketing team installed a calendar plugin in 2021.
The Australian Cyber Security Centre has warned of a wider global campaign hitting more than ten CMS platforms, which suggests the operators here are not Joomla specialists — they are running commodity automation against whatever plugin ecosystem yields the cheapest webshell.
For detection, the indicators are refreshingly concrete. Both extensions write into predictable locations: check images/icagenda/frontend/attachments/ and images/baforms/uploads for unexpected executable content, then audit the Joomla user table for administrator accounts nobody remembers creating. Given the June 15 exploitation start date, a patch alone is insufficient — anything running a vulnerable iCagenda build for the past four weeks should be treated as potentially compromised until the upload directories and admin roster are cleared.
What this means
For practitioners, this is a reminder that CMS risk lives one layer below the version number you actually track. If your asset inventory records “Joomla 5.x, patched” and stops there, you have no coverage of the code that is actually being exploited. The remediation is unglamorous: enumerate installed extensions per site, map them to a maintainer and a version, subscribe to the ones that handle file uploads, and enforce a policy that any extension accepting uploads writes outside the webroot or is not installed at all. Zero-days in core get attention. Zero-days in the plugin nobody owns get four weeks of quiet exploitation.