CISA Adds Two Actively Exploited Unrestricted File‑Upload Vulnerabilities (CVE‑2026‑48939, CVE‑2026‑56291) to KEV Catalog
What It Is – The Cybersecurity & Infrastructure Security Agency (CISA) announced that two vulnerabilities have been added to its Known Exploited Vulnerabilities (KEV) catalog. Both are “unrestricted file‑upload with dangerous type” flaws:
- CVE‑2026‑48939 – iCagenda (a WordPress event‑calendar plugin).
- CVE‑2026‑56291 – Balbooa Forms (a WordPress form‑builder plugin).
Exploitability – CISA’s inclusion is based on evidence of active exploitation in the wild. Public exploit code and attacker‑use reports have been observed, indicating a high likelihood of successful compromise when the vulnerable component is exposed.
Affected Products – iCagenda and Balbooa Forms WordPress plugins (any site that runs these plugins on a publicly reachable web server).
Why It Matters for Compliance & Audit Readiness
- Control‑mapping visibility – Unrestricted upload flaws map to SOC 2 CC6.1 (Change Management) and CC7.1 (System Operations). Demonstrating that you have identified, mapped, and continuously monitored these controls is essential evidence for auditors.
- Continuous remediation evidence – Rapid patching and proof‑of‑remediation (e.g., signed patch‑install logs) satisfy BOD 26‑04’s requirement to prioritize KEV items and retain a defensible audit trail.
- Risk‑based vulnerability management – Treating KEV entries as high‑risk controls aligns with a risk‑based compliance program and shows due diligence to enterprise customers who demand SOC 2‑ready security postures.
Recommended Actions
- Inventory all WordPress sites and confirm whether iCagenda or Balbooa Forms are installed.
- Map the identified vulnerabilities to the relevant SOC 2 controls (CC6.1, CC7.1) in your compliance framework.
- Patch immediately using the vendor‑provided updates; if patches are unavailable, apply temporary mitigations (e.g., block file‑type uploads, enforce strict MIME checks).
- Capture remediation evidence (patch version, deployment timestamps, verification scans) in a continuous‑compliance repository for audit readiness.
- Monitor for any post‑patch exploitation attempts via web‑application firewalls and SIEM alerts.
Source: CISA Advisory – Two Known Exploited Vulnerabilities Added to KEV Catalog (July 10 2026)