CISA added two CVSS 10.0 zero-day vulnerabilities affecting widely deployed Joomla extensions to its Known Exploited Vulnerabilities catalog, imposing a same-day federal remediation deadline that gives U.S. government agencies no grace period. Both CVE-2026-48939 in the iCagenda scheduling extension and CVE-2026-56291 in Balbooa Forms allow unauthenticated attackers to upload and execute malicious files — and both were being actively exploited in the wild before patches were publicly available.
CVE-2026-48939 and CVE-2026-56291: Two Unauthenticated File Upload Flaws at Maximum Severity
Both vulnerabilities carry a CVSS base score of 10.0, the highest possible rating, reflecting that neither requires authentication, user interaction, or any special privileges to exploit. The attack surface is any internet-accessible Joomla site running an unpatched version of either extension. Threat actors were already scanning for and exploiting vulnerable installations before the vulnerabilities received public disclosure, placing the affected extensions in zero-day territory at the time of the KEV addition.
CVE-2026-48939: How iCagenda’s Unauthenticated File Upload Enables Remote Code Execution
CVE-2026-48939 affects iCagenda, a Joomla extension used for event scheduling and calendar management. The vulnerability allows an unauthenticated attacker to upload arbitrary files to the server hosting the extension and then execute those files. A successful upload of a web shell or a malicious script gives the attacker persistent remote access to the underlying server, the ability to read or modify site content and databases, and a foothold for lateral movement into connected internal systems. Because the exploit requires no credentials, any internet-facing Joomla installation running iCagenda is reachable without prior reconnaissance.
CVE-2026-56291: Unrestricted File Upload in Balbooa Forms Enabling Unauthenticated RCE
CVE-2026-56291 affects Balbooa Forms, a Joomla form-builder extension. The flaw stems from unrestricted file upload handling that allows an unauthenticated attacker to upload and execute malicious files, achieving remote code execution on the host server. The attack mechanism is structurally similar to CVE-2026-48939 but applies to a different extension and a distinct user base. Organizations running both extensions face compounded exposure — two separate CVSS 10.0 attack surfaces on the same Joomla installation.
The BOD 26-04 Same-Day Deadline and Pre-Disclosure Exploitation Pattern
CISA added both vulnerabilities to the KEV catalog under Binding Operational Directive 26-04, which requires U.S. federal agencies to remediate KEV-listed vulnerabilities by the specified deadline. In this case, the deadline was set to the same day as the KEV additions. Federal agencies received no grace period, and the same-day deadline reflects the severity of active exploitation already underway. Private organizations are not legally bound by BOD 26-04, but CISA treats KEV listings as actionable guidance for the broader critical infrastructure community.
Pre-Patch Exploitation of CVE-2026-48939 and CVE-2026-56291 Makes Patching Alone Insufficient
Both vulnerabilities carried zero-day status at the time of KEV listing — meaning threat actors were exploiting them before defenders had patches available. The window between the start of exploitation and public disclosure is unknown, which means organizations running affected versions of iCagenda or Balbooa Forms may have been compromised before learning a vulnerability existed. Patching alone is therefore insufficient: organizations should also audit web server file systems for recently added PHP files or scripts in directories associated with Joomla extensions, review server logs for unusual file upload requests or outbound connections consistent with webshell activity, and examine for signs of credential harvesting or lateral movement from the affected host.
The Broader CMS Extension Risk Both Zero-Days Reflect
The simultaneous listing of two CVSS 10.0 zero-days in Joomla extensions on the same day is not a coincidence of timing — it reflects a structural challenge in the Joomla ecosystem, where third-party extensions are often developed by small teams with limited security review cycles and where organizations may run dozens of extensions across a single installation. Unlike the Joomla core, which receives coordinated security releases, individual extensions vary widely in patch cadence. An organization that keeps Joomla core current but does not monitor extension-specific security advisories remains exposed to the full attack surface that extensions present.
Threat actors are actively scanning for unpatched versions of both extensions. Any organization with public-facing Joomla installations should verify current versions of iCagenda and Balbooa Forms immediately and prioritize patching over any scheduled maintenance window.
