A researcher-driven Joomla extension file-upload wave produced four unauthenticated RCE disclosures this week — several exploited as zero-days before a patch existed
If you did nothing this week: any internet-facing Joomla site your constituency runs with SP Page Builder, Balbooa Forms, iCagenda, RSFiles! or Phoca Download installed should now be treated as potentially compromised — several of these flaws were exploited in the wild before a patch shipped, and the observed payload gives the attacker a hidden Joomla super-admin.
Across 2026-W28 the specialist Joomla-security researcher mySites.guru disclosed the same bug class — CWE-434 arbitrary file upload leading to remote code execution — in four separate third-party extensions in quick succession, and CISA moved several onto the Known Exploited Vulnerabilities catalog within days. The mechanism is consistent: an upload handler that fails to enforce a server-side extension allow-list, does not block .php, and does not verify the declared content type, letting an attacker write an executable script into a web-reachable directory. In SP Page Builder the exploited path was index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon, driven by an HTTP POST (The Hacker News, 2026-07-08); the researcher observed that "the payload plants a hidden Super Administrator account, usually with an @secure.local email" (mySites.guru, 2026-07-08). Balbooa Forms (CVE-2026-56291) was likewise found under live exploitation before any fix existed — "it was already being exploited in the wild when we found it, before any patch existed" (mySites.guru, 2026-07-09) — and iCagenda (CVE-2026-48939) reached KEV as an unauthenticated file-upload-to-RCE (mySites.guru, 2026-07-10). The week closed with two more from the same wave: RSFiles! (CVE-2026-57827, unauthenticated, CVSS 4.0 10.0, fixed 1.17.12) and Phoca Download (CVE-2026-57828, member-authenticated allow-list bypass, fixed 6.1.3), with no confirmed exploitation of that pair yet (mySites.guru, 2026-07-11).
Why this is the week's operational reality for the constituency: Joomla is disproportionately common on cantonal, communal and small-agency public-sector sites across Switzerland and the EU, and the ecosystem's risk lives in its third-party extensions, not the core. A wave of unauthenticated, pre-auth-exploited RCEs against exactly that surface, several with a public exploitation record and a self-installing super-admin payload, is a patch-and-hunt priority the normal monthly cadence does not cover.
CVE-2026-48908, on the other hand, is said to have been exploited as a zero-day to upload a PHP file by means of an HTTP POST request to the 'index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon' endpoint.
Already exploited in the wild. The payload plants a hidden Super Administrator account, usually with an @secure.local email.
This was a zero-day: it was already being exploited in the wild when we found it, before any patch existed, and those attacks are still going on now against sites that have not updated.
Defender actions
- Inventory every internet-facing Joomla site for the affected extensions (SP Page Builder, Balbooa Forms, iCagenda, RSFiles!/com_rsfiles ≤ 1.17.11, Phoca Download/com_phocadownload ≤ 6.1.2) and update to the fixed builds; where no fix is available, take the component offline.
- Hunt every Joomla estate for the wave's post-exploitation artifacts: newly created Super Administrator accounts (notably @secure.local addresses) and .php files written into extension upload/download web-root folders.
Sources
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.