[Verse 1] Three CVEs dropped on July the eleventh Joomla ecosystem taking the hit this session Balbooa Forms, number CVE-2026-56291 No login needed, slip a dangerous file through the door Upload an executable, plant it like a seed Server doesn't check the type, gives the attacker everything they need [Chorus] Unrestricted upload, dangerous type Arbitrary files cutting like a knife PHP drops in where it shouldn't land Unauthenticated hand grabs the whole command Three plugins cracking open, July eleven's the date Patch your Joomla stack before it's too late [Verse 2] iCagenda's next, CVE-2026-48939 The file attachment feature left the window open wide You think you're sending a calendar invite with a note Instead a PHP script slides through and takes remote control No credentials required, just point and click and send The server executes whatever crawls in through that end [Chorus] Unrestricted upload, dangerous type Arbitrary files cutting like a knife PHP drops in where it shouldn't land Unauthenticated hand grabs the whole command Three plugins cracking open, July eleven's the date Patch your Joomla stack before it's too late [Verse 3] SP Page Builder from JoomShaper, 2026-48908 Unauthenticated upload turns your webpage to a crime A page builder swinging hammers in anonymous hands Arbitrary file plants itself and executes commands Three different plugins, three different entry gates All sharing the same skeleton key to infiltrate [Verse 4] The severity scores are sitting critical and high CVSS numbers climbing like a warning in the sky Attackers don't need accounts, they don't need to know your name Just find the exposed endpoint and run the exploit game Webshells nestled inside folders, hidden plain in sight Persistent access granted deep into your site [Bridge] The pattern is identical across all three offenders No authentication wall, no file type filter Server trusts the payload like a letter from a friend But the envelope contains a blade that executes at the end Unrestricted upload is the class name for this flaw Check your plugin versions, that's the sharpest security law [Chorus] Unrestricted upload, dangerous type Arbitrary files cutting like a knife PHP drops in where it shouldn't land Unauthenticated hand grabs the whole command Three plugins cracking open, July eleven's the date Patch your Joomla stack before it's too late [Outro] 56291, 48939, 48908 Three CVE digits you should memorize and post Balbooa, iCagenda, SP Page Builder in the scope Joomla administrators, update or lose control [Chorus] Unrestricted upload, dangerous type Arbitrary files cutting like a knife PHP drops in where it shouldn't land Unauthenticated hand grabs the whole command Three plugins cracking open, July eleven's the date Patch your Joomla stack before it's too late
← Canada Gazette — July 11, 2026 | Critical CVEs (2 of 3) — July 11, 2026 →