Cyber Threat Brief — July 11 2026

⚠️ This report is AI-generated. Always validate findings.

1. Joomla Extensions File Upload RCE — CVE-2026-48939 / CVE-2026-56291

TL;DR: CISA added two more Joomla extension file-upload-to-RCE flaws to KEV on July 10, making four total Joomla extension KEVs this week. Both are unauthenticated, CVSS 10.0, with public PoCs and active exploitation.

What’s New:

  • CVE-2026-48939 (iCagenda ≤4.0.7): event registration form enforces access control at view layer only — controller accepts unauthenticated uploads with no extension validation; PHP files land at /images/icagenda/frontend/attachments/ and execute immediately
  • CVE-2026-56291 (Balbooa Forms ≤2.4.0): frontend upload handler accepts files with no auth, no CSRF token, no file-type check; .php uploads land in public directory; fixed July 9 in 2.4.1
  • Public PoC for iCagenda on GitHub (shinthink/CVE-2026-48939); exploitation endpoint: index.php?option=com_icagenda&task=registration.submit
  • Both chained with post-exploitation webshells for persistence and lateral movement
  • Joins CVE-2026-48908 (SP Page Builder) and CVE-2026-56290 (Page Builder CK) from July 7 KEV batch — four Joomla extensions in one week indicates systematic scanning

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
POST to index.php?option=com_icagenda&task=registration.submit from unauthenticated sessionURI patternT1190WAF / web access logsBlock unauthenticated POST; hunt in access logs
.php files in /images/icagenda/frontend/attachments/Webshell pathT1505.003File integrity / web server logsAlert on PHP file creation in this path
POST to Balbooa Forms upload handler (com_baforms) with .php extensionURI patternT1190WAF / web access logsBlock PHP uploads; hunt for historical uploads
GET requests to uploaded PHP files in Balbooa public upload dirWebshell executionT1505.003Web access logsHunt for 200 responses to recently created PHP in upload dirs
CVE-2026-48908 / CVE-2026-56290 (companion Joomla KEVs from July 7)Related vulnsT1190Same as abovePatch all four; scan for webshells across all Joomla upload paths

Detection

SourceRuleGap
Splunk ESCUWeb Shell Indicator (generic)No Joomla-specific iCagenda/Balbooa upload path detection
ElasticWebshell Detection via File Creation (generic)No iCagenda/Balbooa endpoint-specific rule
Sigmawebshell_detection_file_creation.yml (generic)Needs tuning for /images/icagenda/ and Balbooa upload paths

Sources: CISA KEV July 10 · iCagenda PoC · mySites.guru iCagenda · mySites.guru Balbooa


2. Ubiquiti Patches 25 UniFi Flaws Including CVSS-10 Command Injection — CVE-2026-50746

TL;DR: Ubiquiti’s SAB-066 advisory patches 25 vulnerabilities across the UniFi ecosystem, including 7 critical flaws. CVE-2026-50746 (CVSS 10.0) enables unauthenticated command injection on UniFi Connect with 100K+ internet-exposed UniFi OS instances globally.

What’s New:

  • CVE-2026-50746 (CVSS 10.0): improper access control in UniFi Connect Application ≤3.4.16 allows network-adjacent attacker to execute OS commands without authentication — no user interaction, low complexity
  • Six additional critical CVEs: CVE-2026-50747, CVE-2026-50748 (UniFi Talk), CVE-2026-54400, CVE-2026-54402 (UniFi Access/Protect), CVE-2026-55115, CVE-2026-55116 (UniFi OS Server, routers, gateways, NAS, surveillance)
  • Attack vector is network-based with no privileges required — exploitable from LAN, VPN, or any routed management network
  • Censys tracks 100K+ exposed UniFi OS instances, ~50K in the US alone
  • No confirmed ITW exploitation yet but prior UniFi OS chain (CVE-2026-34908/34909/34910, KEV June 23) was weaponized within days

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
UniFi Connect Application ≤3.4.16Vulnerable versionT1190Asset inventoryPatch to 3.4.20+ immediately
Network access to UniFi management interfacesAttack vectorT1190Firewall / network logsRestrict management-plane access to trusted VLANs only
Rogue admin account creation (ref: ‘John Sim’ pattern from prior UniFi campaign)Post-exploitationT1136.001UniFi OS audit logsHunt for unexpected admin accounts
UniFi OS < 5.0.8, UDM/Cloud Gateway < 5.1.12Prior vuln (CVE-2026-34908)T1190Asset inventoryConfirm June patches applied; these are actively exploited

Detection

SourceRuleGap
Splunk ESCUNoneNo UniFi-specific detections
ElasticNoneNo UniFi-specific detections
SigmaNoneNo UniFi-specific detections; need management-interface anomaly rules

Sources: Ubiquiti SAB-066 · BleepingComputer · THN · CyberSecurityNews


TL;DR: Wiz disclosed a live mass-exploitation campaign against Gogs self-hosted Git servers. Over 700 of 1,400 exposed instances compromised (>50% breach rate) via CVE-2025-8110 symlink path traversal to RCE, deploying Supershell C2 framework.

What’s New:

  • CVE-2025-8110 (CVSS 8.7): symlink bypass of previously patched CVE-2024-55947 — attacker creates repo with symlink pointing to sensitive target, uses PutContents API to overwrite files outside repo boundary
  • Exploitation pattern: 8-character random-name repositories created in short time windows on July 10, indicating single actor or shared tooling across all infections
  • Post-exploitation deploys Supershell (open-source C2 framework associated with China-linked actors) — Go-based, UPX-packed, Garble-obfuscated reverse SSH shell
  • Affects Gogs ≤0.13.3 with open-registration enabled (default); fixed in 0.13.4 (January 2026) but many instances remain unpatched
  • Requires only authenticated access — default open-registration means any attacker can self-register

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
New repos with random 8-char names (owner + repo)Exploitation indicatorT1190Gogs audit logs / DBHunt for repos created in burst windows
Supershell reverse SSH shell (Go binary, UPX-packed, Garble-obfuscated)MalwareT1219EDR / process monitoringAlert on UPX-packed Go binaries spawned by Gogs process
Symlink creation in repo followed by PutContents API writeExploitation techniqueT1083 / T1190Gogs server logsMonitor for symlink + API write sequences
Gogs ≤0.13.3 with open registrationVulnerable configT1190Asset inventoryUpgrade to 0.13.4+; disable open registration immediately
Outbound SSH connections from Gogs server to unexpected hostsC2 callbackT1071.004Network / firewall logsAlert on Gogs server initiating outbound SSH

Detection

SourceRuleGap
Splunk ESCUNoneNo Gogs-specific detections
ElasticNoneNo Gogs-specific detections
SigmaNoneNeed Gogs process spawning shell/outbound SSH rules

Sources: Wiz Blog · Dark Reading · BankInfoSecurity


Status Updates

  • CVE-2026-50656 (RoguePlanet/Defender): PATCHED July 9 in Malware Protection Engine 1.1.26060.3008. Auto-updates; no customer action. Splunk ESCU Analytics Story available. Original brief.
  • CVE-2026-48282 (Adobe ColdFusion): Federal deadline passed July 10. ITW exploitation ongoing since July 2. Original brief.
  • CVE-2026-46242 (Bad Epoll Linux LPE): 99% reliable PoC widely circulating. Chrome renderer sandbox escape path noted. No ITW exploitation yet but high weaponization risk. Patch your kernels. Original brief.