ELEVATED 2 min read 11 Jul 2026

iCagenda and Balbooa Forms KEV Additions Lead Today's Incident Response Queue

Today's Intel consolidates 31 new and 3 updated promoted findings into 13 owner-action groups. The lead is the CISA KEV addition of actively exploited Joomla ecosystem upload flaws in iCagenda and Balbooa Forms.

Key findings
01
iCagenda CVE-2026-48939 and Balbooa Forms CVE-2026-56291 enter CISA KEV
MEDIUM
02
Azure Linux, NetApp ONTAP, Suricata, and Samsung Android enter EU advisory routing
LOW
03
RabbitMQ and CoreDNS advisory batches require platform-owner triage
LOW
04
CPython CVE-2026-15308 denial-of-service advisory lands in CERT-Bund
LOW
05
File Browser hook-auth and proxy-auth flaws create pre-auth exposure checks
LOW
06
Microsoft Defender RoguePlanet CVE-2026-50656 patch validation remains a priority update
MEDIUM
07
Zimbra 10.1.19 fixes Classic Web Client crafted-email XSS
MEDIUM
08
GitLab, BeyondTrust, and MOVEit advisories return to admin-surface patch queues
LOW
09
Injective npm wallet-stealer reach expands across dependent packages
HIGH
10
MCP Atlassian SSRF bypass and sigstore-go threshold bypass need dependency review
LOW
11
SiYuan publish-mode and API flaws require owner validation
MEDIUM
12
PrestaShop ps_facetedsearch cache handling can allow unauthenticated RCE
CRITICAL
13
melange/apko and BabelDOC advisories add supply-chain and document-processing checks
LOW
[Low] 1. Validate Joomla exposure first: internet-facing estates, iCagenda CVE-2026-48939, and Balbooa Forms CVE-2026-56291. 2. Assign application owners for File Browser, SiYuan, PrestaShop, and Zimbra version checks. 3.

### What changed today

Finding 01 is the lead because CISA added iCagenda CVE-2026-48939 and Balbooa Forms CVE-2026-56291 to KEV on 2026-07-10. That makes Joomla component exposure the first check before broader patch queues. Source: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?vulnId=CVE-2026-48939

Today's Intel deliberately consolidates 34 promoted source-corpus items into 13 owner-action groups. Similar low-confidence platform advisories are grouped by owner workflow; closely related CVEs in the same product are grouped together; lower-signal items are held out of the client-facing finding list when they lack the urgency, exposure pattern, or corroboration needed for a lead. Held or rolled-up items include IBM Langflow, MISP, Kyocera, U-Boot, GigaWiper, GNU patch, Kimai, libp2p, API Platform Core, and individual component entries that are already represented inside broader owner-action groups.

Finding 02 covers Azure Linux, NetApp ONTAP, Suricata, and Samsung Android advisory routing. Finding 03 covers RabbitMQ and CoreDNS owner triage. Finding 04 covers CPython CVE-2026-15308 denial-of-service routing. Finding 05 covers File Browser CVE-2026-54088 and CVE-2026-54089. Finding 06 covers Microsoft Defender CVE-2026-50656. Finding 07 covers Zimbra 10.1.19 Classic Web Client XSS. Finding 08 covers GitLab, BeyondTrust, and MOVEit. Finding 09 covers Injective SDK package exposure. Finding 10 covers MCP Atlassian CVE-2026-27826 and sigstore-go CVE-2026-49834. Finding 11 covers SiYuan CVE-2026-54066, CVE-2026-54068, and CVE-2026-54069. Finding 12 covers PrestaShop CVE-2026-54159. Finding 13 covers melange/apko CVE-2026-54174 and BabelDOC CVE-2026-54071. Source: https://github.com/advisories/GHSA-m93h-4hw7-5qcm

The Defender update remains a validation item: Microsoft Defender CVE-2026-50656 should be checked against Malware Protection Engine 1.1.26060.3008 or later. Injective SDK package exposure stays high in the queue because the poisoned @injectivelabs/sdk-ts 1.20.21 item can persist in lockfiles, CI caches, package proxies, and developer machines. Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50656

GitLab, BeyondTrust, and MOVEit are deliberately mid-tier admin-surface patch queues. RabbitMQ, CoreDNS, CPython, Azure Linux, NetApp ONTAP, Suricata, Samsung Android, MCP Atlassian, sigstore-go, melange/apko, and BabelDOC stay in owner-action workflows until stronger exploitation, victim, or exposure evidence appears. Source: https://advisories.ncsc.nl/advisory?id=NCSC-2026-0222

### Recommended actions

  • Check Joomla estates for iCagenda CVE-2026-48939 and Balbooa Forms CVE-2026-56291.
  • Validate File Browser, SiYuan, PrestaShop, Zimbra, and Defender versions where those products are present.
  • Search for @injectivelabs/sdk-ts 1.20.21 across lockfiles, CI caches, npm proxies, and developer machines.
  • Keep GitLab, BeyondTrust, MOVEit, RabbitMQ, CoreDNS, CPython, and EU advisory batches in owner action workflows.
  • Keep dependency items in Findings 12-13 tied to package inventory and fixed-version evidence.
beyondtrustcisakevcve-2026-15308cve-2026-27826cve-2026-48939cve-2026-50656cve-2026-54066cve-2026-54088cve-2026-54159cve-2026-54174

Act on this brief

Map detection coverage gaps for the techniques above, or generate Sigma rules from the named CVEs.