Back to Blog
high severity July 10, 2026 · scope unconfirmed

CISA Adds Two Vulnerabilities to KEV Catalog

⚠ Were you caught in this breach?
Check your email against 15.4B+ leaked records in 15 seconds — free, no signup.
Scan my email — free → Instant · no account

CISA published an alert adding CVE-2026-48939 (iCagenda unrestricted file upload) and CVE-2026-56291 (Balbooa Forms unrestricted file upload) to the Known Exploited Vulnerabilities catalog based on evidence of active exploitation. These additions represent the first public authoritative disclosure of confirmed in-the-wild exploitation.

CISA Adds Two Vulnerabilities to KEV Catalog

On July 10, 2026, the Cybersecurity and Infrastructure Security Agency added two vulnerabilities to its Known Exploited Vulnerabilities catalog after confirming both are being used by attackers in the wild. The flaws, CVE-2026-48939 in the iCagenda Joomla extension and CVE-2026-56291 in Balbooa Forms, allow unrestricted file uploads that can lead to full server compromise. Any organization or individual whose website runs either component may have already been breached, exposing databases, configuration files, and user information that attackers can use for identity theft or further intrusions.

Confirmed Details from CISA

Confirmed Details from CISA

The official CISA alert states that evidence of active exploitation exists for both vulnerabilities, marking the first public authoritative disclosure of their real-world use. The agency added CVE-2026-48939 (iCagenda unrestricted file upload) and CVE-2026-56291 (Balbooa Forms unrestricted file upload) to the KEV catalog on July 10, 2026. The listing does not disclose the number of victims, specific threat actors involved, or the volume of data stolen. It simply establishes that these flaws are now part of the catalog organizations must address under federal binding operational directives.

Why This Matters for You and Your Family

Why This Matters for You and Your Family

These vulnerabilities target widely used content-management extensions. If your doctor’s office, school, local sports club, or any site you register accounts on uses Joomla with iCagenda or Balbooa Forms, your personal details may already sit on an attacker’s server. High-severity file-upload flaws typically let intruders upload web shells, exfiltrate entire databases, and move laterally into connected systems. Even if the site owner has not notified you, the data may already be circulating in criminal channels. For ordinary families this means names, addresses, email addresses, phone numbers, and sometimes dates of birth or account credentials could be exposed without any warning.

Doxxing and Identity-Chain Risks

Once attackers gain server access through these vulnerabilities they rarely stop at one dataset. They harvest every stored credential, session token, and user profile, then cross-reference the information across other breaches. A single leaked email and password from an event-registration site can unlock your work account, online banking recovery portal, or your child’s gaming profile. These identity chains grow quickly: one exposed handle leads to linked social-media accounts, home addresses, and family relationships. The result is doxxing that can escalate to harassment, targeted phishing, or SIM-swapping attacks against you or your children.

What to Do

  • Run a DoxxScan to map every link between your handles, emails, phone numbers, and real identity, then use the no-subscription cleanup of Warden to remove what you can.
  • Enable continuous DoxxScan monitoring across 15.4B+ breach records and 100+ platforms so the next exposure that touches your family is caught in hours rather than months.
  • Rotate every password you have ever used on a Joomla site or any service that shares those credentials, and switch to 2FA through an authenticator app instead of SMS.
  • Cover the household with DoxxScan family protection that extends to dependents and children’s gaming accounts, which frequently become entry points when credential leaks cascade into account takeovers.
  • Let remediation specialists handle ongoing takedown requests across data brokers and leak sites so you do not have to chase every new appearance of your information.

The addition of these two vulnerabilities to the KEV catalog is a clear signal that exploitation is already occurring and that website operators are often slow to patch. Ordinary people cannot control every site they interact with, which is why continuous visibility and expert remediation have become essential. DoxxScan by GalaxyWarden delivers that visibility through continuous monitoring across 15.4 billion breach records and more than 100 platforms, AI-powered identity-chain mapping, hands-on remediation by specialists, and full household coverage that includes children’s gaming accounts. Start your DoxxScan trial today and treat every new breach as an event you detect and neutralize instead of one you discover after the damage is done.

Sources: CISA
Share this Post on X Reddit Email
Why this isn’t just another breach checker

A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.

Free checker Tells you the breach happened. End of story. You’re still on 800+ broker sites.
$129+/yr Broker-removal services scrub the address but don’t see the breach — next leak re-exposes you.
GalaxyWarden Maps the chain. Cleans both halves. $19 one-shot. Closed loop.

⚠ Were you in this breach?

Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.

Check my email — free →
Close the chain attack

Both halves of the chain, cleaned once.

A breach put your credentials in 15.4B+ leaked records. Hackers chain that data to your address on 800+ broker sites. GalaxyWarden closes both halves for $19 once — no subscription required.

Clean both halves — $19 →
Free breach scan + 800+ broker letters + 30-day proof · one payment, no subscription
W Warden Plus — ongoing monitoring $9.99/mo
Warden Plus ($9.99/mo or $99/yr): weekly re-scans, breach alerts, AI Concierge, auto re-files on relisted brokers.