
Joomla
Open-source PHP content-management system; four of its extensions carried KEV-listed flaws in one fortnight.
Last refreshed: 14 July 2026 · Appears in 1 active topic
Why did four separate Joomla extensions land on CISA's exploited-vulnerability list in the same fortnight?
Timeline for Joomla
Mentioned in: A quiet KEV fortnight, then a 2008 bug
Cybersecurity: Threats and DefencesMentioned in: BOD 26-04, a fortnight of triage
Cybersecurity: Threats and DefencesCarried the Widget Factory access-control flaw
Cybersecurity: Threats and Defences: Mentioned in: Cisco tops a five-vendor KEV batchWhy were so many Joomla extensions added to CISA's KEV list in July 2026?
Is Joomla itself vulnerable or just its extensions?
How old is the Joomla content management system?
Background
Joomla is a free, open-source content-management system built in PHP, used to build and run websites without writing code from scratch. First released in 2005 as a fork of Mambo, it remains one of the most widely deployed CMS platforms after WordPress, powering everything from small business sites to government portals.
Much of Joomla's flexibility comes from third-party extensions: page builders, calendars, forms and other ADD-ons that plug into the core system. That same extensibility is a persistent attack surface, since a single vulnerable extension can expose every site that installed it.
In the fortnight to 14 July 2026, CISA's Known Exploited Vulnerabilities catalogue absorbed KEV-listed CVEs affecting four Joomla-ecosystem extensions: JoomShaper SP Page Builder, iCagenda, Balbooa Forms and a Widget Factory package. Rather than a single headline enterprise vendor, this beat's additions were dominated by the long tail of Joomla plugin code, the kind of software many site operators install and then forget.
The pattern reflects a broader defenders' problem: core CMS platforms get patched promptly, but third-party extensions often lag, giving attackers a durable route into otherwise well-maintained sites.