Skip to content
You can now search across every topic, entity and event.What's new
Joomla
Product

Joomla

Open-source PHP content-management system; four of its extensions carried KEV-listed flaws in one fortnight.

Last refreshed: 14 July 2026 · Appears in 1 active topic

Key Question

Why did four separate Joomla extensions land on CISA's exploited-vulnerability list in the same fortnight?

Timeline for Joomla

#1014 Jul

Mentioned in: A quiet KEV fortnight, then a 2008 bug

Cybersecurity: Threats and Defences
#94 Jul

Mentioned in: BOD 26-04, a fortnight of triage

Cybersecurity: Threats and Defences
#929 Jun

Carried the Widget Factory access-control flaw

Cybersecurity: Threats and Defences: Mentioned in: Cisco tops a five-vendor KEV batch
View full timeline →
Common Questions
Why were so many Joomla extensions added to CISA's KEV list in July 2026?
CISA added KEV entries for four Joomla-ecosystem extensions, SP Page Builder, iCagenda, Balbooa Forms and a Widget Factory package, in the fortnight to 14 July 2026, reflecting how often vulnerable plugins rather than Joomla's core code create the attack surface.Source: event
Is Joomla itself vulnerable or just its extensions?
The July 2026 KEV additions targeted third-party extensions, not a flaw in Joomla's core codebase, though a vulnerable extension can still compromise a site running the core system.Source: event
How old is the Joomla content management system?
Joomla launched in 2005 as a fork of the earlier Mambo CMS and remains one of the most widely deployed open-source content-management platforms.

Background

Joomla is a free, open-source content-management system built in PHP, used to build and run websites without writing code from scratch. First released in 2005 as a fork of Mambo, it remains one of the most widely deployed CMS platforms after WordPress, powering everything from small business sites to government portals.

Much of Joomla's flexibility comes from third-party extensions: page builders, calendars, forms and other ADD-ons that plug into the core system. That same extensibility is a persistent attack surface, since a single vulnerable extension can expose every site that installed it.

In the fortnight to 14 July 2026, CISA's Known Exploited Vulnerabilities catalogue absorbed KEV-listed CVEs affecting four Joomla-ecosystem extensions: JoomShaper SP Page Builder, iCagenda, Balbooa Forms and a Widget Factory package. Rather than a single headline enterprise vendor, this beat's additions were dominated by the long tail of Joomla plugin code, the kind of software many site operators install and then forget.

The pattern reflects a broader defenders' problem: core CMS platforms get patched promptly, but third-party extensions often lag, giving attackers a durable route into otherwise well-maintained sites.