Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1868+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. iCagenda and Balbooa Forms Joomla Flaws Exploited as Zero-Days
iCagenda and Balbooa Forms Joomla Flaws Exploited as Zero-Days
NEWS

iCagenda and Balbooa Forms Joomla Flaws Exploited as Zero-Days

CISA has added two maximum-severity flaws in iCagenda and Balbooa Forms Joomla extensions to its KEV catalog following confirmed zero-day exploitation in the wild. Administrators should patch or mitigate immediately.

Dylan H.

News Desk

July 13, 2026
4 min read

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two maximum-severity security vulnerabilities affecting popular Joomla extensions to its Known Exploited Vulnerabilities (KEV) catalog, confirming active zero-day exploitation in the wild.

The affected extensions — iCagenda (an event management plugin) and Balbooa Forms (a form builder) — are used across thousands of Joomla-powered websites globally. Both vulnerabilities are rated at the highest possible severity, making immediate action critical for any Joomla site running these plugins.


What Was Disclosed

CISA's KEV addition confirms that threat actors have been actively exploiting these flaws before patches were widely available or known to defenders — the definition of a zero-day. While the agency has not attributed the attacks to a specific group, the KEV listing signals that exploitation is not theoretical: real attacks are underway.

Both vulnerabilities affect the extension components themselves rather than the Joomla core. Sites running the vulnerable versions of either plugin are at risk regardless of their Joomla core version.

iCagenda Vulnerability

iCagenda is a widely used event management and calendar extension for Joomla. The vulnerability allows unauthenticated attackers to perform actions that should be restricted to authenticated administrators. The exact technical details have been withheld in some advisories to limit further exploitation, but the severity rating (maximum) indicates the potential for remote code execution or full administrative compromise.

Balbooa Forms Vulnerability

Balbooa Forms is a drag-and-drop form builder for Joomla used by businesses to create contact, registration, and data-collection forms. The flaw in this extension similarly carries a maximum severity rating. Form-builder plugins are a historically attractive target because they typically process and store user-submitted data and often run with elevated CMS privileges.


Why KEV Listings Matter

CISA's KEV catalog is not a theoretical risk register — it documents vulnerabilities with confirmed, real-world exploitation. When a flaw appears on the KEV list:

  • Federal civilian agencies are mandated to patch within a set deadline
  • The listing signals that the broader threat landscape is actively targeting the flaw
  • Exploitation tooling or proof-of-concept code is likely in circulation

For private sector organizations, a KEV listing should be treated with the same urgency as a federal mandate.


Recommended Actions

1. Identify Exposed Sites

Audit all Joomla installations in your environment for the presence of iCagenda and Balbooa Forms:

# Check installed Joomla extensions (run from Joomla root)
find . -type d -name "com_icagenda" 2>/dev/null
find . -type d -name "mod_balbooa*" 2>/dev/null
 
# Or check via Joomla CLI (Joomla 4+)
php cli/joomla.php extension:list

2. Apply Available Patches

Check the official extension pages and developer advisories for both iCagenda and Balbooa Forms. If patches are available, apply them immediately through the Joomla Extension Manager or via package upload.

3. Disable if Not in Active Use

If either extension is installed but not actively required, disable and uninstall it until a patch is confirmed applied:

  1. Navigate to Extensions > Manage > Manage in the Joomla administrator panel
  2. Locate the affected extension
  3. Select and Disable, then Uninstall if not needed

4. Deploy a Web Application Firewall

A WAF can block known exploit patterns at the network edge while patches are being applied:

  • Cloudflare WAF — managed rulesets include CMS-specific protections
  • Wordfence (Joomla equivalent: RSFirewall, Akeeba Admin Tools) — application-level WAF
  • ModSecurity — open-source WAF with OWASP CRS

5. Monitor for Indicators of Compromise

# Check Joomla logs for unusual activity
tail -n 500 /var/log/apache2/access.log | grep -i "icagenda\|balbooa"
 
# Look for unauthorized admin accounts
# In Joomla DB:
# SELECT * FROM #__users WHERE usertype='Administrator' ORDER BY registerDate DESC LIMIT 10;
 
# Check for recently modified PHP files
find /path/to/joomla/ -name "*.php" -newer /path/to/joomla/index.php -type f

Broader Context: CMS Extension Risk

This incident follows a pattern of CMS extensions being exploited as easier entry points than hardened core software. Attackers specifically target:

  • Event and calendar plugins — often installed and forgotten, infrequently updated
  • Form builders — process untrusted user input and frequently have file upload functionality
  • E-commerce and payment extensions — high-value targets for card skimming

The Joomla ecosystem, like WordPress, has thousands of third-party extensions with varying maintenance quality. Any extension that hasn't received a security update in 12+ months should be considered a risk factor.


References

  • CISA KEV Catalog
  • The Hacker News — iCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-Days
#Zero-Day#Joomla#CISA#KEV#Web Security#CMS

Related Articles

CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution

CISA has added a maximum-severity vulnerability in the Joomla Content Editor (JCE) plugin to its Known Exploited Vulnerabilities catalog, warning that the...

5 min read

CISA Gives Feds 3 Days to Patch Check Point VPN Bug Exploited as Zero-Day

CISA ordered federal agencies to patch a critical Check Point Remote Access VPN flaw within 3 days after Qilin ransomware affiliates were confirmed...

6 min read

CISA Gives Federal Agencies Four Days to Patch Actively

CISA has added a high-severity Ivanti Endpoint Manager Mobile vulnerability to the Known Exploited Vulnerabilities catalog and issued an emergency...

4 min read
Back to all News