CybersecurityJuly 12, 2026· via Security Affairs

CISA flags critical Joomla flaws with 10.0 severity scores

CISA flags critical Joomla flaws with 10.0 severity scores

Image : Security Affairs

Two Joomla extensions with perfect severity scores are now on the U.S. government’s must-patch list. CISA has added iCagenda and Balbooa Forms to its Known Exploited Vulnerabilities catalog, citing flaws that let attackers upload and execute arbitrary PHP code without authentication. The agency warns federal agencies to fix the issues by July 13, 2026, and urges all organizations to review their exposure.

Critical paths to code execution

The iCagenda flaw (CVE-2026-48939, CVSS 10.0) sits in the extension’s file attachment feature. Because uploads are unrestricted, an attacker can drop a malicious PHP file and trigger remote execution. Balbooa Forms’ similar flaw (CVE-2026-56291, also CVSS 10.0) enables unauthenticated file uploads that lead to full remote code execution on Joomla sites running the extension.

Why defenders must act now

CISA’s Binding Operational Directive 22-01 requires federal civilian executive branch agencies to remediate cataloged flaws within set deadlines. Private organizations are encouraged to treat these vulnerabilities with the same urgency, since public proof-of-concept exploits often follow catalog additions. Hosting providers and site administrators running Joomla with either extension should patch immediately or consider disabling the components until updates are applied.

Why it matters

Joomla powers millions of websites, and extensions with remote-code-execution flaws are prime targets for ransomware gangs and cryptominers. A 10.0 severity score signals near-certain exploitation in the wild, so delaying patches risks compromise within hours of public disclosure. For MSPs and SMBs, these catalog additions serve as a reminder: check third-party components against CISA’s KEV list regularly, and prioritize vulnerabilities with the highest severity regardless of vendor size.


Source: Security Affairs. AI-assisted editorial synthesis — TechnoExpress.

Read the original source on Security Affairs →

← Back to home