Balbooa Forms unauthenticated RCE exploited (CVE-2026-56291)
CVE-2026-56291
CVE-2026-56291: Balbooa Forms component for Joomla! allows unauthenticated arbitrary file upload leading to full RCE (CVSS 10.0). Actively exploited.
Actively exploited in the wild - CVE-2026-56291 is a critical unauthenticated arbitrary file upload in the Balbooa Forms extension for Joomla that gives attackers full remote code execution on the server. No vendor patch is available yet; apply the mitigations below immediately.
Overview
CVE-2026-56291 is a CRITICAL (CVSS 10.0) vulnerability in the Balbooa Forms extension, a popular form-building component for Joomla!. The flaw allows any unauthenticated attacker to upload arbitrary files, including executable web shells, to the server. Once uploaded, the attacker can execute commands, access the database, steal credentials, and pivot to other systems on the network. No authentication, user interaction, or special privileges are required for exploitation.
Impact
The vulnerability carries the maximum possible CVSS severity score of 10.0. An attacker with network access to a vulnerable Joomla! site can gain full remote administrative control of the web server without any prior access. This includes the ability to read, modify, or delete all files and data, install malware, and use the compromised server as a launch point for further attacks. Given the active exploitation status, any publicly-facing Joomla! site running the Balbooa Forms extension is at immediate risk of compromise.
Remediation and Mitigation
As of the publication of this advisory, no patched version of the Balbooa Forms extension has been released by the vendor. The following mitigation steps are recommended:
- Immediately disable the Balbooa Forms extension in the Joomla! Extension Manager until a security update is available and applied.
- If the extension cannot be disabled, restrict network access to the Joomla! administrative interface using a firewall or web application firewall (WAF).
- Inspect the web root directory for any unrecognized
.phpor executable files uploaded after the KEV publication date (obtain the exact date from your CISA KEV feed). Remove any suspicious files and rotate all administrative and database passwords. - Monitor server logs for POST requests to the component’s file-upload endpoint and block the source IPs.
Security Insight
CVE-2026-56291 is a textbook example of a file-upload vulnerability that should have been prevented by basic validation-checking file extensions and MIME types on the server side. The assignment of a CVSS 10.0 score indicates there are no mitigating controls (like authentication requirements or network segmentation) built into the software. This vulnerability underscores a broader trend in which third-party extensions for major CMS platforms represent a critical, and often overlooked, supply-chain risk. For the latest data breach reports, see our breach reports. For ongoing cybersecurity news, see security news.
Further Reading
Never miss a critical vulnerability
Get real-time security alerts delivered to your preferred platform.
Related Advisories
The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE....
Weaver (Fanwei) E-office versions prior to 10.0_20221201 contain an unauthenticated arbitrary file upload vulnerability in the OfficeServer.php endpoint that allows remote attackers to upload maliciou...
Vvveb CMS v1.0.8 contains a remote code execution vulnerability in its media management functionality where a missing return statement in the file rename handler allows authenticated attackers to rena...
Snews CMS 1.7 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files including PHP executables to the snews_files directory. Attackers can u...