{"id":240761,"date":"2026-07-14T00:36:55","date_gmt":"2026-07-14T05:36:55","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2026\/07\/cisa-warns-of-actively-exploited-rce-flaws-in-joomla-extensions"},"modified":"2026-07-14T00:36:55","modified_gmt":"2026-07-14T05:36:55","slug":"cisa-warns-of-actively-exploited-rce-flaws-in-joomla-extensions","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2026\/07\/cisa-warns-of-actively-exploited-rce-flaws-in-joomla-extensions","title":{"rendered":"CISA warns of actively exploited RCE flaws in Joomla extensions"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/cisa-warns-of-actively-exploited-rce-flaws-in-joomla-extensions.jpg\"><\/a><\/p>\n<p>The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that attackers are exploiting vulnerabilities in the iCagenda and Balbooa Forms extensions for Joomla to achieve remote code execution through arbitrary file uploads.<\/p>\n<p>The agency has categorized the flaws as a <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2026\/07\/10\/cisa-adds-two-known-exploited-vulnerabilities-catalog\" rel=\"nofollow noopener\">maximum priority<\/a>, ordering federal agencies to apply available security updates and\/or mitigations within three days, with the deadline set for today.<\/p>\n<p>The first flaw, tracked as CVE-2026\u201348939, is an arbitrary file upload flaw impacting the <a href=\"https:\/\/extensions.joomla.org\/extension\/icagenda\/\" rel=\"nofollow noopener\">iCagenda<\/a> extension used for registering and scheduling events and creating calendars.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that attackers are exploiting vulnerabilities in the iCagenda and Balbooa Forms extensions for Joomla to achieve remote code execution through arbitrary file uploads. The agency has categorized the flaws as a maximum priority, ordering federal agencies to apply available security updates and\/or mitigations within three [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34],"tags":[],"class_list":["post-240761","post","type-post","status-publish","format-standard","hentry","category-cybercrime-malcode"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/240761","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=240761"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/240761\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=240761"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=240761"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=240761"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}