U.S. CISA adds iCagenda and Balbooa Forms flaws to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini July 11, 2026

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds iCagenda and Balbooa Forms flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added iCagenda and Balbooa Forms flaws to its Known Exploited Vulnerabilities (KEV) catalog.

The flaws added to the catalog are:

  • CVE-2026-48939 (CVSS score of 10.0) iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability
  • CVE-2026-56291 Balbooa Forms Unrestricted Upload of File with Dangerous Type Vulnerability

iCagenda is an open-source event management extension for Joomla. It allows website administrators to create, organize, and display events on Joomla-powered websites without custom development.

The vulnerability CVE-2026-48939 allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.

The second flaw added to the catalog, tracked as CVE-2026-56291, is an unauthenticated arbitrary file upload in Balbooa Forms that allows uploading executable files and leads to full RCE.

Balbooa Forms is a commercial form builder extension for Joomla that lets administrators create advanced web forms without coding.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to urgently fix the vulnerabilities by July 13, 2026.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)



you might also like

leave a comment