What is Balbooa Forms?
Balbooa Forms is a commercial drag-and-drop form-building extension for the Joomla content management system, letting site owners build contact forms, surveys, and other data-collection forms — including file-attachment fields — without writing custom code. Form-builder extensions like this are common targets for file-upload vulnerabilities because their core purpose is accepting files from site visitors, often without requiring visitors to log in first.
Overview
Balbooa Forms contains an unrestricted file upload vulnerability in its FormModel::uploadAttachmentFile() method, reachable via index.php?option=com_baforms&task=form.uploadAttachmentFile. The code sanitized only the filename portion of an uploaded file using Joomla's File::makeSafe() helper, but then re-attached the attacker-supplied file extension verbatim before writing the file to images/baforms/uploads/form-<id>/ — a publicly accessible, PHP-executable directory. The endpoint enforced no authentication, no CSRF token, and no file-extension allowlist whatsoever, allowing any anonymous visitor to upload and execute arbitrary PHP code.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Balbooa Forms | Up to and including 2.4.0 | 2.4.1 |
Version 2.4.1 was released July 9, 2026.
Technical Details
- Root cause: Filename sanitization was applied, but the attacker-controlled file extension was preserved and re-attached without validation against an allowlist, and no authentication or CSRF protection gated the upload endpoint at all (CWE-434: Unrestricted Upload of File with Dangerous Type).
- Attack vector: Network, no privileges or user interaction required (
AV:N/AC:L/PR:N/UI:N). CVSS score: 9.8 (Critical). - Attack characteristics: A single unauthenticated POST request to
task=form.uploadAttachmentFilewith a PHP payload is sufficient; the file is written to a predictable, publicly reachable path and can be executed via a direct follow-up request. - Impact: Full remote code execution in the context of the web server process.
Discovery
Credited to Phil Taylor of mySites.guru, whose team was alerted via a client-forwarded Hetzner abuse report containing a raw access log showing live exploitation; the team traced the request through the extension's code and reproduced the attack locally within an hour.
Exploitation Context
This was a genuine zero-day: exploitation in the wild began on July 8, 2026, before any patch existed, and attacks reportedly continued against unpatched sites even after the July 9 fix shipped. The Hacker News grouped this CVE together with CVE-2026-48939 (iCagenda) as Joomla extension flaws "reportedly exploited as zero-days." This is the fourth of four related Joomla extension file-upload CVEs in this KEV batch attributed to mySites.guru's client-telemetry-driven discovery process (alongside CVE-2026-48908, CVE-2026-48939, and CVE-2026-56290), all sharing the same underlying pattern of missing auth or incomplete file-type validation on upload handlers. mySites.guru noted in their writeup that a significant number of Balbooa Forms installs observed in their monitoring were running older, vulnerable versions. No specific threat-actor name or precise exposure/Shodan count has been published.
Remediation
- Update Balbooa Forms to 2.4.1 or later immediately.
- Audit the
images/baforms/uploads/directory tree for unexpected PHP files that may have been planted during the zero-day exploitation window (July 8–9, 2026, and after). - Review web server access logs for POST requests to
task=form.uploadAttachmentFile, especially from unauthenticated or unexpected source IPs during that window. - Restrict direct PHP execution in upload directories at the web server level as defense-in-depth against this class of vulnerability.
- Follow CISA BOD 26-04 guidance given the July 13, 2026 remediation deadline and confirmed pre-patch zero-day exploitation.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-56291 |
| Vendor / Product | Balbooa — Forms |
| NVD Published | 2026-07-09 |
| NVD Last Modified | 2026-07-11 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-434 find similar ↗ |
| CISA KEV Added | 2026-07-10 |
| CISA KEV Deadline | 2026-07-13 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2026-07-08 | Zero-day exploitation begins in the wild, before a patch was available |
| 2026-07-09 | Balbooa releases Forms 2.4.1 fixing the flaw; attacks continue against unpatched sites |
| 2026-07-10 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-07-13 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2026-56291 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Balbooa Forms — Joomla Extension Product Page | Vendor |
| mySites.guru — Balbooa Forms unauthenticated file upload flaw | Security Research |
| The Hacker News — iCagenda and Balbooa Forms Joomla flaws exploited as zero-days | News |
| CyCognito — Emerging threat: CVE-2026-56291 Balbooa Forms RCE | Security Research |