HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Advisory

CISA Adds Two Actively Exploited Unrestricted File‑Upload Vulnerabilities (CVE‑2026‑48939, CVE‑2026‑56291) to KEV Catalog

CISA placed two unrestricted file‑upload vulnerabilities affecting iCagenda and Balbooa Forms plugins into its KEV catalog, citing active exploitation. Organizations must treat these as high‑risk controls, map them to SOC 2 requirements, and retain remediation evidence for audit readiness.

LiveThreat™ Intelligence · 📅 July 10, 2026· 📰 cisa.gov
🟠
Severity
High
AD
Type
Advisory
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
cisa.gov

CISA Adds Two Actively Exploited Unrestricted File‑Upload Vulnerabilities (CVE‑2026‑48939, CVE‑2026‑56291) to KEV Catalog

What It Is – The Cybersecurity & Infrastructure Security Agency (CISA) announced that two vulnerabilities have been added to its Known Exploited Vulnerabilities (KEV) catalog. Both are “unrestricted file‑upload with dangerous type” flaws:

  • CVE‑2026‑48939 – iCagenda (a WordPress event‑calendar plugin).
  • CVE‑2026‑56291 – Balbooa Forms (a WordPress form‑builder plugin).

Exploitability – CISA’s inclusion is based on evidence of active exploitation in the wild. Public exploit code and attacker‑use reports have been observed, indicating a high likelihood of successful compromise when the vulnerable component is exposed.

Affected Products – iCagenda and Balbooa Forms WordPress plugins (any site that runs these plugins on a publicly reachable web server).

Why It Matters for Compliance & Audit Readiness

  • Control‑mapping visibility – Unrestricted upload flaws map to SOC 2 CC6.1 (Change Management) and CC7.1 (System Operations). Demonstrating that you have identified, mapped, and continuously monitored these controls is essential evidence for auditors.
  • Continuous remediation evidence – Rapid patching and proof‑of‑remediation (e.g., signed patch‑install logs) satisfy BOD 26‑04’s requirement to prioritize KEV items and retain a defensible audit trail.
  • Risk‑based vulnerability management – Treating KEV entries as high‑risk controls aligns with a risk‑based compliance program and shows due diligence to enterprise customers who demand SOC 2‑ready security postures.

Recommended Actions

  • Inventory all WordPress sites and confirm whether iCagenda or Balbooa Forms are installed.
  • Map the identified vulnerabilities to the relevant SOC 2 controls (CC6.1, CC7.1) in your compliance framework.
  • Patch immediately using the vendor‑provided updates; if patches are unavailable, apply temporary mitigations (e.g., block file‑type uploads, enforce strict MIME checks).
  • Capture remediation evidence (patch version, deployment timestamps, verification scans) in a continuous‑compliance repository for audit readiness.
  • Monitor for any post‑patch exploitation attempts via web‑application firewalls and SIEM alerts.

Source: CISA Advisory – Two Known Exploited Vulnerabilities Added to KEV Catalog (July 10 2026)

📰 Original Source
https://www.cisa.gov/news-events/alerts/2026/07/10/cisa-adds-two-known-exploited-vulnerabilities-catalog

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →