The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two file-upload vulnerabilities, affecting iCagenda and Balbooa Forms, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation in the wild.
The alert was issued on July 10, 2026, identifying these flaws as vulnerabilities that allow unrestricted file uploads of dangerous types.
Such vulnerabilities can enable threat actors to upload malicious scripts or executable files to exposed web servers, potentially leading to remote code execution, persistence, website defacement, data theft, or lateral movement within networks.
The newly listed vulnerabilities are:
- CVE-2026-48939: Unrestricted file upload vulnerability in iCagenda
- CVE-2026-56291: Unrestricted file upload vulnerability in Balbooa Forms
CISA did not disclose specific details regarding the technical exploitation, affected version ranges, or attribution information in its advisory. However, the inclusion of these vulnerabilities in the KEV Catalog confirms that CISA has received credible evidence indicating malicious actors are exploiting them.
CISA Warns of Exploited iCagenda and Balbooa
Unrestricted file upload vulnerabilities occur when an application fails to properly validate uploaded content, filenames, extensions, MIME types, or upload destinations.
According to CISA, attackers may exploit these lax validation processes by submitting web shells disguised as image files, documents, or other seemingly harmless content.
If a malicious file is uploaded to a web-accessible directory and executed by the server, the attacker can gain control of the affected application environment.
Common follow-on activities include deploying persistent backdoors, harvesting credentials, modifying website content, and using the compromised server as an initial point of entry into a broader network.
Public-facing content management system extensions and form-building components are particularly appealing targets since they often accept files from unauthenticated or low-privileged users.
CISA’s Binding Operational Directive (BOD) 2626-0404, Prioritizing Security Updates Based on Risk, mandates that Federal Civilian Executive Branch agencies prioritize remediation of KEV-listed vulnerabilities based on their risk levels.
The directive stresses the need for rapid action for vulnerabilities affecting publicly accessible assets, as successful exploitation could grant attackers total control of a system. It also requires agencies to assess whether systems may have been compromised before applying security updates.
While the directive specifically applies to federal civilian agencies, CISA has urged all organizations that use iCagenda or Balbooa Forms to adopt a risk-based vulnerability management process and to treat these newly identified issues as urgent.
Recommended Actions
Organizations should promptly identify any internet-facing systems running iCagenda or Balbooa Forms and review vendor advisories for available security updates or mitigations. Security teams should also take the following actions:
- Apply vendor-provided patches or remove vulnerable components if patches are unavailable.
- Restrict file uploads to authenticated and authorized users only.
- Implement allowlists for file extensions and validate file contents on the server-side.
- Store uploaded files outside of web-accessible directories wherever possible.
- Conduct searches for suspicious files, web shells, unexpected administrator accounts, and unusual outbound connections.
- Examine web server and application logs for any unusual upload activities before and after remediation.
CISA encourages all organizations to prioritize remediating KEV-listed vulnerabilities, as their status indicates a credible and immediate threat.
Interact with Cyber Threats in Windows, Linux, macOS VMs to Trigger Full Attack Chain - Analyse Malware & Phishing with ANY RUN

