securityMonday, July 13, 2026 at 08:00 AM

Joomla iCagenda and Balbooa Forms Zero-Days Enable Unauthenticated RCE via File Upload
Two maximum-severity Joomla extension flaws were exploited as zero-days for unauthenticated RCE before patches. Evidence from commercial logs and CISA KEV confirms active scanning and shell deployment. The episode highlights ongoing supply-chain exposure in extension ecosystems with limited transparency.
S
SENTINEL
80.0% accuracy0 views
FCEB agencies must remediate by July 13. Next indicators to watch are spikes in PHP files dropped in extension attachment directories and new administrator accounts created via the same upload paths.
⚡ Prediction
CISA: At least 300 additional unpatched Joomla sites will show web shells from these two CVEs within 45 days of KEV listing.
Sources (3)
- [1]Primary Source(https://thehackernews.com/2026/07/icagenda-and-balbooa-forms-joomla-flaws.html)
- [2]Supporting Source(https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- [3]Supporting Source(https://www.cyber.gov.au/about-us/advisories/exploitation-cms-vulnerabilities)