US Cyber Agency Flags Two Joomla Add-On Flaws Already Being Exploited

CISA says attackers are actively abusing critical bugs in the iCagenda and Balbooa extensions, both scored a perfect 10 on the severity scale.

ThreatVectr Newsdesk· 4 min read
A dimly lit server room with rows of dark racks, one panel glowing red with warning indicator lights, thin blue fibre-optic cables running along the ceiling, sh
Share

Key points

  • The U.S. Cybersecurity and Infrastructure Security Agency added two Joomla extension flaws to its Known Exploited Vulnerabilities catalog after reports of live attacks.
  • Both vulnerabilities, CVE-2026-48939 in iCagenda and a matching flaw in Balbooa, carry the maximum CVSS score of 10.0.
  • Federal civilian agencies must patch or stop using the affected extensions under Binding Operational Directive 22-01.
  • The bugs were exploited as zero-days, meaning attackers found and used them before fixes were widely available.
  • Website owners running either extension should assume compromise is possible and check server logs now.

Two add-ons for the popular Joomla website builder are under active attack, and the U.S. government wants them fixed fast.

On Monday, the Cybersecurity and Infrastructure Security Agency (CISA) added flaws in the iCagenda calendar plugin and the Balbooa forms plugin to its Known Exploited Vulnerabilities catalog. That catalog is Washington's running list of security holes that criminals are already using in real attacks, not just ones that might be dangerous in theory.

Both bugs scored a 10.0 on the CVSS scale, which runs from 0 to 10. A 10 means the flaw is trivial to abuse, needs no login, and hands the attacker deep access. There is no worse rating.

What is Joomla and why does this matter?

Joomla is a content management system, which is software that lets people build and run websites without writing code from scratch. Think of it as a rival to WordPress, used by tens of thousands of small businesses, universities, and community groups.

Extensions are the add-on tools that give a Joomla site extra features. iCagenda handles event calendars. Balbooa builds contact forms and page layouts. When an extension has a critical flaw, every site running it becomes a target, even if the core Joomla software is fully patched.

How did attackers exploit these bugs?

One of the tracked flaws, CVE-2026-48939, sits inside iCagenda. According to the initial write-up by The Hacker News, both flaws were exploited as zero-days. A zero-day is a bug the software's maker had not yet fixed when criminals started using it, so defenders had zero days to prepare.

CISA has not published the technical details of how the attacks work. That is normal while patching is still under way, because full details make it easier for copycats to pile in.

What we do know: a 10.0 score on a web plugin almost always means remote code execution, which is jargon for an attacker running their own commands on your server from anywhere in the world. From there, they can steal customer data, plant backdoors, or hijack the site to serve malware to visitors.

Who has to act, and by when?

Under a rule called Binding Operational Directive 22-01, every U.S. federal civilian agency must fix any vulnerability on the KEV list within a set deadline. If a patch is not available, the agency has to stop using the affected product.

CISA also "strongly urges" private companies to follow the same process. That is not a legal order for a coffee shop in Ohio or a charity in Leeds, but it is the closest thing to an official siren the U.S. government issues about a specific bug.

Regulatory exposure does not stop at the U.S. border. A breached site holding personal data on European visitors could trigger notification duties under the UK Information Commissioner's Office or an EU data protection authority under GDPR.

What should site owners do now?

If you run a Joomla site, log in to your admin panel and check whether iCagenda or Balbooa extensions are installed. Update them to the latest available versions immediately. If no fixed version exists yet, disable the extension until one ships.

Then check your server logs for unusual POST requests to the extension's URLs, unexpected new admin users, or files you did not upload. If you find anything odd, treat the site as breached and rotate all passwords and API keys tied to it.

For ordinary visitors, there is nothing to install or change. But if you gave your name, email, or phone number to a small site running Joomla in recent months, watch for a rise in targeted phishing emails, which are fake messages designed to trick you into clicking or paying.

© 2026 Threat Vectr