Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1876+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. CISA Warns of Actively Exploited RCE Flaws in Joomla Extensions
CISA Warns of Actively Exploited RCE Flaws in Joomla Extensions
NEWS

CISA Warns of Actively Exploited RCE Flaws in Joomla Extensions

CISA has added two Joomla extension vulnerabilities to its KEV catalog after attackers began exploiting arbitrary file upload flaws in iCagenda and Balbooa Forms to achieve remote code execution on vulnerable websites.

Dylan H.

News Desk

July 13, 2026
4 min read

What Happened

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two critical vulnerabilities in popular Joomla CMS extensions to its Known Exploited Vulnerabilities (KEV) catalog, warning that attackers are actively exploiting both flaws to gain remote code execution on affected web servers.

The two affected extensions are:

  • iCagenda — A calendar and event management plugin used widely across Joomla installations
  • Balbooa Forms — A form builder extension for creating contact forms, surveys, and data capture pages

Both vulnerabilities stem from arbitrary file upload flaws that bypass extension validation, allowing attackers to upload malicious scripts (such as PHP webshells) and execute them on the underlying server.

How the Exploitation Works

Arbitrary file upload vulnerabilities in web application plugins follow a well-understood attack pattern:

  1. An attacker identifies a Joomla installation running a vulnerable version of iCagenda or Balbooa Forms
  2. They craft a malicious file (typically a PHP script disguised with a permitted extension or via bypassed validation)
  3. The extension processes the upload without properly verifying file type or content
  4. The attacker accesses the uploaded file via HTTP, triggering server-side code execution
  5. From there, they can deploy webshells, establish persistence, pivot to internal systems, or exfiltrate data

This class of vulnerability is particularly dangerous because it requires no authentication in many configurations and gives attackers direct command execution on the web server.

Why This Matters

Joomla is one of the most widely deployed content management systems in the world, powering government portals, non-profit websites, educational institutions, and commercial platforms. Extensions significantly expand Joomla's functionality but also dramatically increase the attack surface — extension code quality and security practices vary widely across the ecosystem.

The KEV listing means federal civilian executive branch (FCEB) agencies are required under BOD 22-01 to remediate these vulnerabilities within defined deadlines. The addition also signals to the broader security community that exploitation is confirmed and widespread, not merely theoretical.

Affected Systems

Any Joomla installation running vulnerable versions of either extension is at risk, particularly those that:

  • Allow unauthenticated users to submit content (public-facing forms, event registrations)
  • Have not been updated recently
  • Run on shared hosting environments with limited monitoring

Remediation Steps

Immediate Actions

  1. Identify affected installations — Audit all Joomla sites in your environment for the presence of iCagenda and Balbooa Forms extensions.

  2. Update immediately — Apply the latest patched versions of both extensions from the Joomla Extensions Directory or the respective developers' sites.

  3. Review uploaded content — If you cannot rule out prior exploitation, audit recently uploaded files in the Joomla media manager and extension upload directories for unexpected PHP files or webshells.

  4. Restrict upload functionality — Where possible, disable public-facing file upload capabilities until patches are applied and the environment is verified clean.

  5. Implement file type validation at the server level — Web Application Firewalls (WAF) and server-level rules can block uploads of executable file types regardless of application-level validation.

  6. Review web server logs — Look for unusual POST requests to extension upload endpoints, followed by GET requests to uploaded file paths — a common webshell deployment pattern.

Detection Indicators

  • Unexpected PHP or script files in the Joomla /uploads/, /media/, or extension-specific directories
  • Outbound network connections from the web server process to external IPs
  • Anomalous system calls from the web server user account

Context

This marks the latest in a series of CISA KEV additions targeting popular CMS plugins and extensions. Attackers increasingly target CMS extension ecosystems because they offer a high-volume, low-effort path to server compromise — a single vulnerable extension across thousands of installations provides a large pool of targets.

Website administrators and managed security providers should treat KEV-listed CMS extension flaws as urgent, not routine maintenance items.

References

  • BleepingComputer Coverage
  • CISA KEV Catalog
#Joomla#RCE#CISA KEV#Web Security#BleepingComputer#Vulnerability

Related Articles

CISA Adds Wing FTP Server Flaw to KEV as RCE Chain Exploits

CISA added CVE-2025-47813 to its Known Exploited Vulnerabilities catalog on March 16, warning that the medium-severity path disclosure flaw is being...

4 min read

SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation

CISA has added a high-severity Microsoft SharePoint Server remote code execution vulnerability to its Known Exploited Vulnerabilities catalog following...

5 min read

Critical Kirki Flaw Exploited to Hijack WordPress Admin Accounts

Hackers are actively exploiting a critical privilege escalation vulnerability (CVE-2026-8206) in the widely-used Kirki Customizer Framework plugin for…

4 min read
Back to all News