Eleven confirmed Joomla extension vulnerabilities disclosed around July 2026 affect popular page builders, forms, download managers, calendar tools and email extensions. Four are listed by CISA as known exploited vulnerabilities, making a complete extension inventory, prompt updates and post-update checks an immediate priority for site owners and agencies.
Joomla administrators should treat this group of extension disclosures as an operational patching task, not a reason for alarm. The first priority is to establish which extensions and versions are installed across every site, then update the four vulnerabilities confirmed as exploited before working through the remaining high-severity issues.
Joomla extension vulnerabilities: the immediate priority
Eleven CVEs in this roundup affect Joomla extensions. The most urgent four are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog: CVE-2026-48908 in SP Page Builder, CVE-2026-48939 in iCagenda, CVE-2026-56290 in Page Builder CK, and CVE-2026-56291 in Balbooa Forms. Inclusion in KEV means CISA has confirmed observed exploitation of those specific vulnerabilities.
That distinction matters. A CVSS score estimates technical severity under a defined scoring model; it does not, by itself, establish that a vulnerability has been exploited. Conversely, KEV status is evidence of observed exploitation, not a replacement for severity scoring. The seven other CVEs below remain serious patching priorities, but exploitation of them is not confirmed in the authoritative sources reviewed.
The CISA due dates associated with the four KEV records were three days after their additions to the catalog. Those deadlines apply to relevant U.S. federal civilian executive branch agencies; they are not legal deadlines for every Joomla site owner. They are nevertheless a useful indication of the urgency appropriate for any exposed site.
Confirmed affected extensions and fixed versions
The table uses the documented affected-version boundaries. “Before” a version means that version itself is outside the affected range. CVSS 4.0 is shown where available; Helix3 has only a CVSS 3.1 score in the reviewed material. A KEV entry is explicitly marked “Yes” only for the four CVEs confirmed exploited in the wild.
| Extension | CVE | Authentication | Affected versions | Recommended version or action | CVSS | KEV |
|---|---|---|---|---|---|---|
| SP Page Builder | CVE-2026-48908 | None | Before 6.6.2 | 6.6.2 or later | 10.0 Critical (v4.0); 9.8 Critical (v3.1) | Yes |
| iCagenda | CVE-2026-48939 | None | 3.2.1 and later, before 3.9.15; 4.0.0 and later, before 4.0.8 | 3.9.15 or 4.0.8, by branch | 10.0 Critical (v4.0); 9.8 Critical (v3.1) | Yes |
| Helix3 | CVE-2026-49049 | None | 1.0 through 3.1.1 | Consult current vendor guidance; no fixed release is specified in the reviewed records | 7.5 High (v3.1) | No |
| Page Builder CK | CVE-2026-56290 | None | Before 3.6.0 | 3.6.0 or later | 10.0 Critical (v4.0); 9.8 Critical (v3.1) | Yes |
| Balbooa Forms | CVE-2026-56291 | None | Before 2.4.1 | 2.4.1 or later | 10.0 Critical (v4.0); 9.8 Critical (v3.1) | Yes |
| AcyMailing | CVE-2026-56292 | None | 6.0.0 and later, before 10.11.1 | 10.11.1 or later | 9.2 Critical (v4.0); 7.5 High (v3.1) | No |
| RSFiles | CVE-2026-57827 | None | Before 1.17.12 | 1.17.12 or later | 10.0 Critical (v4.0); 9.8 Critical (v3.1) | No |
| Phoca Download | CVE-2026-57828 | Required | Before 6.1.3 | 6.1.3 or later | 9.0 Critical (v4.0); 8.8 High (v3.1) | No |
| DP Calendar | CVE-2026-57831 | None | 8.18.0 through 10.11.1 | 10.11.2 or 8.19.4 or later, by branch | 8.7 High (v4.0) | No |
| EDocman | CVE-2026-57832 | None | Up to 3.8 | 3.9.0 or later | 8.7 High (v4.0) | No |
| Quix Page Builder Pro | CVE-2026-58078 | None | Up to 6.2.0 | 6.2.1 or later | 8.7 High (v4.0) | No |
For the entries with a documented fixed version, update to that release or a later supported release after taking a verified backup or snapshot. The CVE record for SP Page Builder and its NVD entry illustrate why version boundaries should be read carefully rather than replaced with vague statements such as “update when convenient.”
What the vulnerabilities allow
Five of the listed issues involve unauthenticated file upload leading to remote code execution: SP Page Builder, iCagenda, Page Builder CK, Balbooa Forms and RSFiles. In affected versions, an unauthenticated visitor can upload files in a way that may lead to code execution on the server. Page Builder CK, SP Page Builder, iCagenda and Balbooa Forms are also the four KEV-listed issues and therefore deserve immediate attention.
Phoca Download, CVE-2026-57828, is different in one crucial respect: an attacker requires authentication and upload permissions. That reduces exposure compared with the unauthenticated upload issues, but it does not remove the need to patch. Review which Joomla groups and accounts can upload files, especially accounts used by partners, contributors or integrations.
The SQL injection disclosures affect AcyMailing, DP Calendar, EDocman and Quix Page Builder Pro. Their documented impact includes unauthenticated database access or data exposure. AcyMailing is scored 9.2 Critical in CVSS 4.0 and 7.5 High in CVSS 3.1; these are different scoring systems, so the numerical difference is not a conflict. DP Calendar, EDocman and Quix Page Builder Pro have CVSS 4.0 scores of 8.7 High in the reviewed CVE information.
Helix3 is an access-control issue affecting versions 1.0 through 3.1.1. The reviewed records describe unauthenticated file write or deletion and template-parameter changes. They do not provide a verified fixed version. Administrators should consult the Helix3 vendor site for current guidance, move away from affected versions where a supported remediation is available, restrict public exposure where appropriate, and monitor file integrity. Do not rely on an unsourced release number.
How to prioritize remediation
Agencies should run this process across their entire managed portfolio, including inactive extensions that remain installed. A disabled extension can still create unnecessary risk if its code remains reachable or if it is re-enabled without being updated.
- Inventory first. Record the installed version and enabled status of every listed extension on every Joomla site.
- Patch the KEV entries first. Update Page Builder CK to 3.6.0 or later, SP Page Builder to 6.6.2 or later, iCagenda to 3.9.15 or 4.0.8 as appropriate, and Balbooa Forms to 2.4.1 or later.
- Back up before each change. Retain a restorable database and file backup or infrastructure snapshot, then verify the site after updating.
- Patch the remaining disclosed issues. Apply the documented versions for AcyMailing, RSFiles, Phoca Download, DP Calendar, EDocman and Quix Page Builder Pro. Resolve Helix3 through current vendor guidance rather than guessing at a patch version.
- Reduce exposure while coordinating maintenance. If an urgent update cannot happen immediately, temporarily disable affected public functionality when that is operationally feasible. This is a short-term control, not a substitute for patching.
For iCagenda, use the vendor's relevant branch information: the 3.9.15 changelog applies to the older branch, while the 4.0.8 changelog applies to the newer branch.
Post-update checks and Joomla hardening
Patching removes the known vulnerable condition, but it cannot by itself establish that a site was not compromised before the update. The four KEV-listed file-upload vulnerabilities warrant a focused review of the period before remediation.
For file-upload issues
- Review web-server and application logs for unusual uploads, unexpected requests, errors, or account changes.
- Inspect upload and download directories for unexpected executable or script files. Quarantine suspicious material according to your incident-response process rather than casually deleting potential evidence.
- Configure the web server so upload directories cannot execute PHP or other server-side scripts. This containment control limits the impact of upload validation failures.
- Review Joomla users, administrator accounts and extension configuration for unapproved changes.
- For Phoca Download, reassess upload permissions and remove access that is not necessary for a business function.
For SQL injection issues
- Review database and application logs for anomalous query activity or errors associated with public requests.
- Confirm that the Joomla database account has only the privileges required by the site. Avoid using broad administrative database credentials for a web application.
- If there is evidence or a reasonable concern that database data was exposed, rotate database credentials and other potentially exposed secrets, then assess affected user accounts under the site's incident-response process.
These controls are useful defenses, but they do not make unsupported or end-of-life extension versions safe. Keep Joomla core, templates and extensions on supported releases, remove unused extensions, and make extension inventory part of routine maintenance rather than an emergency exercise.
Deferred NVD analysis and the limits of current records
NVD analysis for CVE-2026-57831 (DP Calendar), CVE-2026-57832 (EDocman) and CVE-2026-58078 (Quix Page Builder Pro) is marked Deferred. That means NVD's analysis is still pending; it should not be described as a completed NVD assessment. The affected ranges, fixed-version guidance and CVSS 4.0 values cited here for those three entries come from the CVE records and the supplied vendor or publisher information.
The deferred status is not a reason to postpone patching. It is a reminder to track the records for later analysis updates and to preserve the distinction between a CVE record, vendor release guidance and NVD's completed enrichment. For example, administrators can consult the DP Calendar CVE record, the DP Calendar product information, and the equivalent records for EDocman and Quix Page Builder Pro.
Add comment