Two 10.0 CVSS Joomla Zero-Days Hit KEV, FCEB Deadline Is Today
Two CVSS 10.0 vulnerabilities, the maximum score the scoring system allows, landed in CISA's Known Exploited Vulnerabilities catalog this week, both in third-party Joomla extensions. One of them, CVE-2026-48939 in the iCagenda calendar plugin, has been under active zero-day exploitation since June 15, 2026, which means attackers had a roughly four-week head start on defenders before the KEV listing forced the issue into the open.
The Numbers
Start with the severity floor. A 10.0 CVSS score requires network-attack vector, no authentication, no user interaction, and full impact on confidentiality, integrity, and availability. Both CVE-2026-48939 (iCagenda) and CVE-2026-56291 (Balbooa Forms) clear that bar, as The Hacker News reported. Two 10.0s in the same KEV batch, in the same CMS ecosystem, in the same week, is unusual. For comparison, the vast majority of KEV additions in a typical week sit in the 7.x to 9.x range where at least one exploitation prerequisite constrains the blast radius.
The iCagenda flaw affects 4.x versions up to and including 4.0.7, plus legacy 3.x versions from 3.2.1 through 3.9.14. JoomliC has shipped fixes in 4.0.8 and 3.9.15. That is a version range spanning years of installs, and the "Submit an Event" endpoint is exactly the kind of feature site owners forget is even publicly reachable. The Balbooa Forms bug affects everything up to and including 2.4.0, patched in 2.4.1, and the mySites.guru writeup is blunt: the frontend upload accepted files "from any anonymous visitor, with no login, no CSRF token, and no check on the file type." Unauthenticated RCE via file upload is the worst-case web vulnerability class, and OWASP has flagged unrestricted upload as a top server-side risk for years (OWASP Top 10).
Timeline matters. CVE-2026-48939 exploitation began June 15. CVE-2026-56291 was discovered on July 8, following a live attack on a mySites.guru customer. The FCEB deadline in the KEV catalog is July 13, 2026, the same day the article was published. That is a zero-day-of-remediation window for federal civilian agencies, which in practice means most of them are not going to hit it. The source does not disclose how many Joomla installs run iCagenda or Balbooa Forms in FCEB environments, which matters because the actual compliance burden is a function of install count, not CVE count. Bounded guess: if even one percent of FCEB Joomla sites carry either extension, we should see follow-up CISA advisories referencing incident tickets within 30 days.
What's Actually New
The technical class of bug is not new. Arbitrary file upload leading to PHP shell execution has been the bread and butter of CMS compromise since the phpBB era. What's genuinely different here is the operational fingerprint mySites.guru observed: an automated scanner self-identifying as "icagenda-batch/1.0" that grabbed a token, posted a malicious upload to the submit endpoint, then fetched the planted shell at the exact path the component writes attachments to. That is not opportunistic scanning. That is a purpose-built exploit module with knowledge of iCagenda's internal file-write paths, deployed at scale before public disclosure.
The Australian Cyber Security Centre's parallel alert sharpens the picture. ACSC describes a "highly scaled global exploitation campaign" targeting a shopping list of CMS bugs: Sneeit Framework (CVE-2025-6389), WPBookit (CVE-2025-7852), Gravity Forms (CVE-2025-12352), Craft CMS (CVE-2025-32432), Ninja Forms (CVE-2026-0740), MaxSite CMS (CVE-2026-3395), Breeze Cache (CVE-2026-3844), WavePlayer (CVE-2025-12057), MetInfo CMS (CVE-2026-29014), and Joomla JCE (CVE-2026-48907). That is ten CVEs spanning at least four CMS ecosystems, all funneling into the same web-shell deployment TTP. Mapped to MITRE ATT&CK, this is T1190 (Exploit Public-Facing Application) into T1505.003 (Web Shell), which is well-trodden ground, but the aggregation is what's interesting.
ACSC's framing is the tell: "advances in AI are accelerating the speed and scale of cyber operations, reducing the time between vulnerability disclosure and exploitation." The agency does not quantify that acceleration, which is a gap worth flagging. We do not know whether AI-generated exploit tooling actually compressed the June-15-to-July-13 window here, or whether this is a case of a competent human researcher writing a fuzzer that happened to hit. The bound is this: if AI-assisted exploit development is the driver, we should see the mean time-to-exploit across new CMS CVEs drop below seven days within the next two quarters. That's a testable prediction.
What's Priced In for Security Teams
Security engineers running Joomla or WordPress fleets already assume plugins are the attack surface, not the core CMS. Both Joomla and WordPress cores have hardened considerably over the last decade; the extension marketplaces have not. That much is priced in.
What is probably not priced in: the speed at which niche extensions get weaponized. iCagenda is a calendar plugin. Balbooa Forms is a form builder. Neither has the install base of, say, Elementor or Gravity Forms. Attackers are not just chasing the top ten plugins by market share anymore. They are running broad reconnaissance across the long tail of CMS extensions, and the moment a vulnerable file-upload endpoint appears in an access log somewhere, it goes into the scanner rotation. The "icagenda-batch/1.0" user agent is a giveaway that someone is running per-plugin exploitation tooling as a portfolio.
Also underpriced: the IOC hygiene burden. Site owners are told to inspect images/icagenda/frontend/attachments/ and images/baforms/uploads for stray PHP files, plus audit Joomla admin accounts for unfamiliar entries. That's fine for a small agency. For a hosting provider running tens of thousands of Joomla instances, or a shared-services team at a large org, it's a scripting exercise nobody has budgeted for. The source does not disclose whether any hosting provider has published a fleet-wide scan result, which would be the fastest way to size the actual compromise count. Expected bound: if a major shared host reports data within two weeks, compromised-site counts land in the low thousands. If nobody reports, assume the number is uncomfortably higher.
Contrarian View
The obvious read is that CMS extensions are irredeemably dangerous and enterprises should migrate off Joomla and WordPress. I'd push back on that. The vulnerability class here, unauthenticated file upload with no MIME check and no CSRF token, is a first-year web-security mistake. It's not a Joomla problem, it's a specific-plugin problem, and JoomliC and Balbooa both shipped patches within the disclosure window. The core Joomla project is not implicated.
The contrarian question is whether pulling every CMS out of production actually reduces risk, or just relocates it into custom-built web apps that carry the same OWASP-category bugs without the benefit of a public CVE process that surfaces them. A patched, monitored Joomla install with a disciplined extension policy is likely safer than an unaudited bespoke CMS written by a three-person agency in 2019. The real fix is a plugin allowlist plus automated patch pipelines, not a rip-and-replace. What we do not know from the source is whether either mySites.guru customer had an automated update policy in place when they got hit; that data would settle the argument.
Key Takeaways
- Two CVSS 10.0 Joomla extension flaws are in active exploitation; patch iCagenda to 4.0.8 or 3.9.15, and Balbooa Forms to 2.4.1, immediately.
- CVE-2026-48939 has been exploited since June 15, 2026, roughly four weeks before the KEV listing. Assume any unpatched instance is already compromised and hunt for shells in the documented upload paths.
- The ACSC campaign spans ten CVEs across Joomla, WordPress, Craft, MaxSite, and MetInfo. Long-tail extensions are being weaponized at portfolio scale, not just top-market-share plugins.
- Unanswered question with a testable bound: if AI-assisted exploit tooling is genuinely driving faster weaponization, mean time-to-exploit for new CMS CVEs should fall below seven days within two quarters. Track it.
- Compliance signal: the FCEB deadline of July 13, 2026, is same-day-of-publication. Expect follow-up CISA guidance within 30 days if federal Joomla installs are non-trivial.
Frequently Asked Questions
Q: What are CVE-2026-48939 and CVE-2026-56291?
They are two maximum-severity (CVSS 10.0) vulnerabilities in Joomla extensions. CVE-2026-48939 is an arbitrary file upload flaw in the iCagenda calendar extension's "Submit an Event" form, and CVE-2026-56291 is an unauthenticated file upload flaw in Balbooa Forms, both leading to remote code execution.
Q: Which versions are affected and where are the fixes?
CVE-2026-48939 affects iCagenda 4.x up to 4.0.7 and legacy 3.x from 3.2.1 through 3.9.14, fixed in 4.0.8 and 3.9.15 by JoomliC. CVE-2026-56291 affects Balbooa Forms up to and including 2.4.0, patched in 2.4.1.
Q: How should site owners check for compromise?
Inspect the iCagenda attachments folder at images/icagenda/frontend/attachments/ and the Balbooa Forms upload folder at images/baforms/uploads for any suspicious PHP files. Also audit the Joomla user list for unfamiliar administrator accounts and review recently modified PHP files across the site.
DHS Database Breach and Adobe's New Patch Cadence Reshape Security Week
A $15 million Ryuk affiliate plea, 7 million records lifted from AssuranceAmerica, and Adobe doubling its patch cadence. The week AI shifted the defender's clock.
AI Gateways Become the New Cloud Attack Surface
A compromised LiteLLM proxy on AWS handed attackers cryptomining revenue and possibly Bedrock access. The unit economics of AI gateway security just changed.
Lone Attacker Breaches AWS in 72 Hours With Agentic AI
Sygnia says a single financially motivated attacker chained AWS weaknesses with agentic AI workflows to extort a global enterprise in 72 hours. Here's what changes for defenders.




