mySites.guru (Joomla/WordPress fleet security)
mysites-guru · B · candidate
Joomla/WordPress fleet-management vendor whose research team discovers and reproduces third-party-extension file-upload-to-RCE zero-days ahead of CVE assignment; original disclosing party for the mid-2026 Joomla extension file-upload RCE wave (SP Page Builder, Page Builder CK, Balbooa Forms) and for CVE-2026-48939 (iCagenda, CISA-KEV 2026-07-10). ADDED as candidate 2026-07-10 (2009Z run), cited as published primary for the iCagenda entry; fetch via jina (`python3 tools/fetch_source.py jina https://mysites.guru/blog/<slug>/`). Promote to active after 3 contributing runs.
Cited in 3 entries
Citation cadence
Citation days per ISO week (1 weeks of coverage span, total 3).
- CVE-2026-48939 — iCagenda for Joomla: unauthenticated file-upload-to-RCE, exploited as a zero-day, added to CISA KEV (CVSS 4.0 10.0)2026-07-10
- CVE-2026-56291 — Balbooa Forms for Joomla: unauthenticated file-upload RCE exploited as a zero-day (CVSS 10.0)2026-07-09
- CVE-2026-48908 / CVE-2026-56290 — two Joomla page-builder extensions hit CISA KEV the same day for unauth file-upload RCE zero-days2026-07-08