CISA Adds Two Vulnerabilities to KEV Catalog
CISA published an alert adding CVE-2026-48939 (iCagenda unrestricted file upload) and CVE-2026-56291 (Balbooa Forms unrestricted file upload) to the Known Exploited Vulnerabilities catalog based on evidence of active exploitation. These additions represent the first public authoritative disclosure of confirmed in-the-wild exploitation.
On July 10, 2026, the Cybersecurity and Infrastructure Security Agency added two vulnerabilities to its Known Exploited Vulnerabilities catalog after confirming both are being used by attackers in the wild. The flaws, CVE-2026-48939 in the iCagenda Joomla extension and CVE-2026-56291 in Balbooa Forms, allow unrestricted file uploads that can lead to full server compromise. Any organization or individual whose website runs either component may have already been breached, exposing databases, configuration files, and user information that attackers can use for identity theft or further intrusions.
Confirmed Details from CISA
The official CISA alert states that evidence of active exploitation exists for both vulnerabilities, marking the first public authoritative disclosure of their real-world use. The agency added CVE-2026-48939 (iCagenda unrestricted file upload) and CVE-2026-56291 (Balbooa Forms unrestricted file upload) to the KEV catalog on July 10, 2026. The listing does not disclose the number of victims, specific threat actors involved, or the volume of data stolen. It simply establishes that these flaws are now part of the catalog organizations must address under federal binding operational directives.
Why This Matters for You and Your Family
These vulnerabilities target widely used content-management extensions. If your doctor’s office, school, local sports club, or any site you register accounts on uses Joomla with iCagenda or Balbooa Forms, your personal details may already sit on an attacker’s server. High-severity file-upload flaws typically let intruders upload web shells, exfiltrate entire databases, and move laterally into connected systems. Even if the site owner has not notified you, the data may already be circulating in criminal channels. For ordinary families this means names, addresses, email addresses, phone numbers, and sometimes dates of birth or account credentials could be exposed without any warning.
Doxxing and Identity-Chain Risks
Once attackers gain server access through these vulnerabilities they rarely stop at one dataset. They harvest every stored credential, session token, and user profile, then cross-reference the information across other breaches. A single leaked email and password from an event-registration site can unlock your work account, online banking recovery portal, or your child’s gaming profile. These identity chains grow quickly: one exposed handle leads to linked social-media accounts, home addresses, and family relationships. The result is doxxing that can escalate to harassment, targeted phishing, or SIM-swapping attacks against you or your children.
What to Do
- Run a DoxxScan to map every link between your handles, emails, phone numbers, and real identity, then use the no-subscription cleanup of Warden to remove what you can.
- Enable continuous DoxxScan monitoring across 15.4B+ breach records and 100+ platforms so the next exposure that touches your family is caught in hours rather than months.
- Rotate every password you have ever used on a Joomla site or any service that shares those credentials, and switch to 2FA through an authenticator app instead of SMS.
- Cover the household with DoxxScan family protection that extends to dependents and children’s gaming accounts, which frequently become entry points when credential leaks cascade into account takeovers.
- Let remediation specialists handle ongoing takedown requests across data brokers and leak sites so you do not have to chase every new appearance of your information.
The addition of these two vulnerabilities to the KEV catalog is a clear signal that exploitation is already occurring and that website operators are often slow to patch. Ordinary people cannot control every site they interact with, which is why continuous visibility and expert remediation have become essential. DoxxScan by GalaxyWarden delivers that visibility through continuous monitoring across 15.4 billion breach records and more than 100 platforms, AI-powered identity-chain mapping, hands-on remediation by specialists, and full household coverage that includes children’s gaming accounts. Start your DoxxScan trial today and treat every new breach as an event you detect and neutralize instead of one you discover after the damage is done.
Related breaches
Crunchbase Massive Personal Records Leak — January 2026
ShinyHunters exfiltrated approximately 2 million records from the business-intelligence platform Cru…
149 Million Credential Mega-Exposure — January 2026
Security researchers discovered a publicly exposed 96 GB database with 149 million unique logins cov…
Brightspeed Fiber Broadband Incident — January 2026
Crimson Collective ransomware group allegedly stole personal data of over 1 million Brightspeed cust…
A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.
⚠ Were you in this breach?
Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.
Check my email — free →