What Happened
CISA added two maximum-severity vulnerabilities in widely-used Joomla content management system extensions to its Known Exploited Vulnerabilities (KEV) catalog on July 10, 2026, with a federal patching deadline of today, July 13, 2026.
CVE-2026-48939 affects iCagenda, a popular Joomla event calendar extension. The flaw resides in the file attachment feature and allows any unauthenticated visitor to upload arbitrary files — including PHP scripts — to the server, leading to remote code execution. CVSS score: 10.0. Active exploitation in automated attacks has been confirmed since June 15, 2026, discovered by web security firm mySites.guru following a live attack on a customer site on July 8, 2026.
CVE-2026-56291 affects Balbooa Forms, a Joomla form-builder extension. The flaw similarly allows unauthenticated arbitrary file upload leading to RCE. It affects all versions of Balbooa Forms up to and including 2.4.0 and is patched in version 2.4.1. CVSS score: 10.0.
The Federal Civilian Executive Branch (FCEB) deadline to patch both vulnerabilities was July 13, 2026. SecurityWeek and The Hacker News have both confirmed active exploitation across unpatched Joomla deployments globally.
Why This Matters for Canadian Organizations
Joomla is one of the three most-deployed open-source content management systems globally and remains common in Canadian municipal government websites, post-secondary institutions, non-profit organizations, and small-to-medium enterprises. iCagenda in particular is deployed on thousands of community, events, and government websites in Canada. A CVSS 10.0 unauthenticated RCE vulnerability on a public-facing web server carries the highest possible risk: an attacker exploiting this flaw gains full code execution on the underlying server without needing credentials of any kind.
Automated attack tools have been probing for this vulnerability since mid-June, meaning many sites were already compromised before the public disclosure on July 8. For operators of Canadian government and municipal websites, exploitation of a public-facing Joomla server triggers breach assessment obligations under PIPEDA if any personal information was accessible on or through the affected system. Post-secondary institutions subject to provincial privacy legislation face equivalent obligations.
Web hosting providers serving Canadian customers running Joomla on shared infrastructure should check for indicators of web shell deployment — the most common post-exploitation payload in file-upload vulnerability attacks of this type.
What to Do
Update iCagenda immediately to the latest patched version. Update Balbooa Forms to version 2.4.1 or later. If updates were not applied prior to today, treat the server as potentially compromised: scan for newly uploaded PHP files in web-accessible directories, review server access logs for POST requests to attachment-upload endpoints dating back to June 15, and consider engaging a forensic review before restoring clean service. Disable any Joomla file upload extensions if not actively needed. Implement a web application firewall rule to block PHP file uploads at the WAF level as a defence-in-depth measure.
Source: The Hacker News | SecurityWeek






