CVE-2026-56291: Joomla Extension - balbooa.com - Unauthenticated file upload in Balbooa Forms extension < 2.4.1
The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE.
Security readout for executives and security teams
Plain-English summary
CVE-2026-56291 is a critical flaw in the Joomla Balbooa Forms extension. Unauthenticated attackers can upload executable files, which can lead to full remote code execution on the website. CISA KEV listing indicates known exploitation. Joomla sites using Balbooa Forms 1.0 through 2.4.0 should be treated as urgent exposure.
Executive priority
Immediate action is recommended. This is a critical, remotely exploitable website takeover risk with known exploitation. Patch or disable affected Balbooa Forms deployments as a priority, especially on public Joomla sites that support customer, payment, or brand-facing workflows.
Technical view
The issue is CWE-434 unrestricted upload of dangerous files in Balbooa Forms for Joomla versions 1.0-2.4.0. The CVE describes unauthenticated arbitrary executable file upload leading to full RCE. CVSS 4.0 score is 10.0 with network attack vector, low complexity, no privileges, and no user interaction.
Likely exposure
Internet-facing Joomla sites with Balbooa Forms versions 1.0 through 2.4.0 are likely exposed. Sites not using the extension, or using versions outside the affected range, are not indicated as affected by the provided sources.
Exploitation context
CISA KEV status supports that this CVE is known to be exploited. The provided sources do not describe attacker volume, targeting, indicators of compromise, or specific exploit chains. Because exploitation is unauthenticated and remote, exposed public sites carry high business risk.
Researcher notes
Evidence is strong for affected product, version range, vulnerability class, and KEV status. Public source bundle does not provide exploit artifacts, IOCs, or detailed vulnerable endpoint information. Avoid relying on generic Joomla hardening as a substitute for updating or disabling the affected extension.
Mitigation direction
Identify all Joomla sites using Balbooa Forms.
Upgrade Balbooa Forms to version 2.4.1 or later.
If upgrade is not immediately possible, disable the extension pending vendor guidance.
Review vendor and third-party advisory guidance for current remediation details.
Prioritize internet-facing production sites and high-value domains first.
Validation and detection
Inventory Joomla extensions and confirm Balbooa Forms version.
Verify affected versions 1.0 through 2.4.0 are no longer deployed.
Check CISA KEV entry for required remediation timelines.
Review web server and Joomla logs for suspicious uploads.
Confirm file upload directories contain no unexpected executable files.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-434: File access and web shell behavior lookup
File traversal and upload weaknesses can lead teams to review file, web shell, execution, and collection telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The CVE wording references file access or upload behavior, so file telemetry and web shell review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
Exploitation: activeAutomatable: yesTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.