Two Joomla Extensions Hit by Maximum-Severity Zero-Day Exploits
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two maximum-severity vulnerabilities in popular Joomla extensions to its Known Exploited Vulnerabilities (KEV) catalog, following confirmed reports of zero-day exploitation in the wild. Both flaws carry a CVSS score of 10.0, the highest possible rating. The additions were published on July 13, 2026.
What Happened
CISA confirmed that two Joomla third-party extensions, iCagenda (an event management component) and Balbooa Forms (a form builder component), contain critical security vulnerabilities that attackers have already exploited before patches were widely applied. One of the confirmed CVEs is CVE-2026-48939, affecting iCagenda. The details for the Balbooa Forms CVE were not fully disclosed in the source at time of publication.
A CVSS score of 10.0 means the vulnerability is remotely exploitable, requires no authentication, and leads to full compromise of the affected system. CISA's KEV catalog lists flaws with confirmed real-world exploitation, which means these are not theoretical risks. Attackers are actively targeting Joomla sites running these extensions right now.
Why This Matters to Small Teams
Joomla powers a significant portion of the web, and its extension ecosystem is a common way small teams and solo developers add functionality quickly. Event calendars and contact forms, exactly what iCagenda and Balbooa Forms provide, are among the most commonly installed components on small business and startup sites. If you or a client uses either of these extensions, your site may already be compromised.
Run the exact check on your domain
See your security score, grade, and a breakdown of what's exposed. Free. Takes under 2 minutes.
Scan my site free →Small teams are disproportionately exposed to this kind of vulnerability. Unlike enterprise organizations with dedicated security staff, a solo developer or a two-person startup is unlikely to have automated update monitoring in place for every installed plugin or extension. Zero-day exploits are particularly dangerous because they are actively used before a fix is even available, meaning being one update cycle behind can be enough to get hit.
A CVSS 10.0 vulnerability with active exploitation typically means attackers can take full control of the web server, inject malicious code into your site, steal form submissions and user data, or pivot to attack your hosting infrastructure. The consequences range from SEO spam injection to full data breaches, all of which carry real business and legal costs for small operators.
How to Stay Protected
-
Check your Joomla installations immediately. Log into every Joomla admin panel you manage and verify whether iCagenda or Balbooa Forms is installed. Do not wait for your next scheduled maintenance window.
-
Apply patches as soon as they are available. Monitor the official extension pages for iCagenda and Balbooa Forms, as well as the Joomla Vulnerable Extensions List, for patched releases. Install updates the same day they drop for any extension flagged in the CISA KEV catalog.
-
Disable the extension if a patch is not yet available. If no fix exists yet, deactivate and uninstall the affected extension until a patched version is released. A broken feature is always preferable to a compromised server.
-
Audit your extension inventory. List every third-party Joomla extension across all sites you manage. Remove anything that is unused, unmaintained, or not sourced from a reputable developer.
-
Review server and application logs for signs of compromise. Look for unusual POST requests to form endpoints, new admin accounts you did not create, unexpected file changes, or outbound connections to unfamiliar IP addresses.
-
Subscribe to CISA KEV alerts. CISA offers RSS feeds and email updates for new KEV additions. Set up monitoring so you are notified the same day a vulnerability in software you use is confirmed as actively exploited.
How UNPWNED Helps
UNPWNED scans your site for outdated software signals, missing security headers, and exposed configuration indicators that raise overall risk. While our scanner does not perform authenticated Joomla extension version checks, it can surface publicly visible risk indicators, such as missing content security policies, exposed admin paths, and other hygiene gaps that make exploitation easier and recovery harder. Running a scan gives you a baseline security score and a prioritized list of issues to address before attackers find them first.
This post was drafted with AI assistance based on authoritative security sources, then published under editorial review.
Source
The Hacker NewsDiscussion (0)
Is your site exposed to issues like these?
SCAN YOUR SITE FREE