CVE-2026-56291 — Balbooa Forms Unrestricted Upload of File with Dangerous Type Vulnerability

CVE-2026-56291

Balbooa Forms — Attachment Upload Extension Re-Attached Verbatim, Exploited as Zero-Day Before a Patch Existed

What is Balbooa Forms?

Balbooa Forms is a commercial drag-and-drop form-building extension for the Joomla content management system, letting site owners build contact forms, surveys, and other data-collection forms — including file-attachment fields — without writing custom code. Form-builder extensions like this are common targets for file-upload vulnerabilities because their core purpose is accepting files from site visitors, often without requiring visitors to log in first.

Overview

Balbooa Forms contains an unrestricted file upload vulnerability in its FormModel::uploadAttachmentFile() method, reachable via index.php?option=com_baforms&task=form.uploadAttachmentFile. The code sanitized only the filename portion of an uploaded file using Joomla's File::makeSafe() helper, but then re-attached the attacker-supplied file extension verbatim before writing the file to images/baforms/uploads/form-<id>/ — a publicly accessible, PHP-executable directory. The endpoint enforced no authentication, no CSRF token, and no file-extension allowlist whatsoever, allowing any anonymous visitor to upload and execute arbitrary PHP code.

Affected Versions

Product Vulnerable Fixed
Balbooa Forms Up to and including 2.4.0 2.4.1

Version 2.4.1 was released July 9, 2026.

Technical Details

  • Root cause: Filename sanitization was applied, but the attacker-controlled file extension was preserved and re-attached without validation against an allowlist, and no authentication or CSRF protection gated the upload endpoint at all (CWE-434: Unrestricted Upload of File with Dangerous Type).
  • Attack vector: Network, no privileges or user interaction required (AV:N/AC:L/PR:N/UI:N). CVSS score: 9.8 (Critical).
  • Attack characteristics: A single unauthenticated POST request to task=form.uploadAttachmentFile with a PHP payload is sufficient; the file is written to a predictable, publicly reachable path and can be executed via a direct follow-up request.
  • Impact: Full remote code execution in the context of the web server process.

Discovery

Credited to Phil Taylor of mySites.guru, whose team was alerted via a client-forwarded Hetzner abuse report containing a raw access log showing live exploitation; the team traced the request through the extension's code and reproduced the attack locally within an hour.

Exploitation Context

This was a genuine zero-day: exploitation in the wild began on July 8, 2026, before any patch existed, and attacks reportedly continued against unpatched sites even after the July 9 fix shipped. The Hacker News grouped this CVE together with CVE-2026-48939 (iCagenda) as Joomla extension flaws "reportedly exploited as zero-days." This is the fourth of four related Joomla extension file-upload CVEs in this KEV batch attributed to mySites.guru's client-telemetry-driven discovery process (alongside CVE-2026-48908, CVE-2026-48939, and CVE-2026-56290), all sharing the same underlying pattern of missing auth or incomplete file-type validation on upload handlers. mySites.guru noted in their writeup that a significant number of Balbooa Forms installs observed in their monitoring were running older, vulnerable versions. No specific threat-actor name or precise exposure/Shodan count has been published.

Remediation

  1. Update Balbooa Forms to 2.4.1 or later immediately.
  2. Audit the images/baforms/uploads/ directory tree for unexpected PHP files that may have been planted during the zero-day exploitation window (July 8–9, 2026, and after).
  3. Review web server access logs for POST requests to task=form.uploadAttachmentFile, especially from unauthenticated or unexpected source IPs during that window.
  4. Restrict direct PHP execution in upload directories at the web server level as defense-in-depth against this class of vulnerability.
  5. Follow CISA BOD 26-04 guidance given the July 13, 2026 remediation deadline and confirmed pre-patch zero-day exploitation.

Key Details

PropertyValue
CVE ID CVE-2026-56291
Vendor / Product Balbooa — Forms
NVD Published2026-07-09
NVD Last Modified2026-07-11
CVSS 3.1 Score9.8
CVSS 3.1 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SeverityCRITICAL
CWE CWE-434 find similar ↗
CISA KEV Added2026-07-10
CISA KEV Deadline2026-07-13
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Required Action

CISA BOD 22-01 Deadline: 2026-07-13. Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Timeline

DateEvent
2026-07-08Zero-day exploitation begins in the wild, before a patch was available
2026-07-09Balbooa releases Forms 2.4.1 fixing the flaw; attacks continue against unpatched sites
2026-07-10Added to CISA Known Exploited Vulnerabilities catalog
2026-07-13CISA BOD 22-01 remediation deadline