CISA added CVE-2026-56291 to its Known Exploited Vulnerabilities catalog after the flaw was disclosed as an unauthenticated arbitrary file upload bug in the Balbooa Forms extension for Joomla. The vulnerability affects versions 1.0 through 2.4.0 and allows attackers to upload executable files, leading to full remote code execution. The issue is tracked as CWE-434 and was assigned a high-severity CVSS v4 vector reflecting network-based exploitation, low attack complexity, and high impact across confidentiality, integrity, and availability.
The same KEV update also added CVE-2026-48939 in iCagenda, another unrestricted file upload flaw that can enable arbitrary file upload and PHP code execution. CISA's catalog update raised the total KEV count from 1,635 to 1,637 entries and set a 2026-07-13 remediation deadline for both vulnerabilities, while noting that known ransomware use is currently unknown.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
On 2026-07-10, CISA updated its Known Exploited Vulnerabilities catalog and added CVE-2026-56291 in Balbooa Forms as a newly cataloged exploited vulnerability. CISA assigned a remediation due date of 2026-07-13 for the entry.
A new CVE entry, CVE-2026-56291, was received by security@joomla.org on 2026-07-09 for an unauthenticated arbitrary file upload vulnerability in Balbooa Forms versions 1.0 through 2.4.0. The flaw can allow upload of executable files and lead to full remote code execution.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
github.com
Open sourcecvefeed.io
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.