The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two critical security flaws in Joomla extensions to its Known Exploited Vulnerabilities catalog this month [1].
These vulnerabilities are significant because they allow attackers to execute remote code and upload arbitrary PHP files, potentially giving hackers full control over affected websites [2].
The flaws affect the iCagenda and Balbooa Forms extensions [1]. Both vulnerabilities received a maximum CVSS severity rating of 10.0 [1]. CISA moved to include these two [1] issues in its catalog after reports surfaced that they were being used as zero-day exploits [3].
One of the specific vulnerabilities, identified as CVE-2026-48939, affects the iCagenda extension [1]. The nature of these flaws enables remote code execution, which is one of the most dangerous types of security breaches for web applications [3].
CISA's catalog is designed to prioritize the remediation of vulnerabilities that have been actively exploited in the wild [2]. By adding these flaws to the list, the agency signals to organizations worldwide that these specific Joomla extensions are under active attack [3].
Security experts recommend that administrators using these extensions update their software immediately to prevent unauthorized access. The agency's warning emphasizes that the ability to upload PHP files allows an attacker to install backdoors, or steal sensitive data from the server [2].
“Both vulnerabilities received a maximum CVSS severity rating of 10.0”
The inclusion of these vulnerabilities in the KEV catalog underscores a shift toward targeting specific third-party plugins rather than the core Joomla framework. Because these flaws carry the highest possible severity score, they represent a critical risk to any organization using these specific forms or agenda tools, as the barrier for entry for attackers is low while the potential for total system compromise is high.



