The U.S. Cybersecurity and Infrastructure Security Agency added two vulnerabilities affecting popular Joomla extensions to its Known Exploited Vulnerabilities catalog on July 12, 2026. The flaws impact iCagenda, an event management component, and Balbooa Forms, a form builder plugin widely used on Joomla-powered websites.
The iCagenda vulnerability allows unauthenticated attackers to execute arbitrary PHP code through improper input sanitization in event registration handlers. Balbooa Forms similarly enables remote code execution by bypassing file upload restrictions. Both extensions are maintained by third-party developers outside core Joomla.
CISA’s KEV catalog inclusion means federal civilian executive branch agencies must remediate these flaws by the binding operational directive deadline. Exploitation in the wild has been confirmed. Joomla site operators should update iCagenda and Balbooa Forms to patched versions immediately and review server logs for signs of compromise.

