
What is CVE-2026-56291?
CVE-2026-56291 is an unauthenticated arbitrary file upload vulnerability in Balbooa Forms, a commercial drag-and-drop form builder for Joomla installed as the com_baforms component. The flaw is classified as CWE-434, unrestricted upload of a file with a dangerous type.
The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical). It has also been assigned a CVSS v4.0 base score of 10.0 (Critical), with an exploitation maturity of “attacked.”
Exploitation requires no authentication. The vulnerable frontend attachment upload accepts a file from any anonymous visitor, with no login, no CSRF token, and no allow-list on the file extension. Because the upload handler trusts the filename supplied by the caller, and Joomla’s built-in filename cleaner does not strip a .php extension, an attacker can upload a .php file into a web-served directory and then request it in a browser.
The practical impact is full remote code execution on the underlying server. Once an attacker can execute code, they can steal data, deface the site, plant backdoors, or pivot to attack other systems. The vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog and is being actively exploited in the wild.
What assets are affected by CVE-2026-56291?
The vulnerability affects Balbooa Forms up to and including version 2.4.0. The component is used for contact, registration, and survey forms across a large number of Joomla sites, and the vulnerable path is the frontend form attachment upload.
In practice, an affected asset is a public-facing Joomla website with a form that accepts file attachments. These are ordinary web properties: marketing sites, event registration pages, support and contact portals, and campaign microsites. The upload endpoint runs for any visitor, so no published form or guest setting needs to be toggled for the endpoint to be reachable. By default, uploaded files land under images/baforms/uploads/ inside the web root, where they can be served and executed directly.
Externally, the detectable surface is the Joomla CMS itself. Extensions such as Balbooa Forms are not always fingerprintable from the outside, so the population of potentially exposed assets is best understood as internet-facing Joomla sites that may run the vulnerable component. Form-heavy sites tend to be internet-facing by design and are often maintained by marketing or agency teams rather than central security, which is part of why they drift out of patch cycles.
What does our data show about exposure patterns?

Exposure in this set is led by Consumer Discretionary at 23.3% of observed assets, with Industrials contributing 21.6% and Communication Services close behind at 20.8%.
Consumer Discretionary and Communication Services organizations run large public web estates built to attract and convert visitors, which means many campaign sites, registration pages, and localized microsites, often spun up by marketing teams or outside agencies. Joomla is a common choice for these properties, and form builders like Balbooa Forms are exactly the kind of extension added to capture leads and event signups. That distributed ownership is what tends to leave individual sites outside the central patch cycle. Industrials show a related pattern, with sprawling brand, product, and regional sites accumulated over years and long decommission cycles that keep old properties online.
The wide spread across the “Others” bucket points to the underlying risk driver. This is not a vulnerability concentrated in one type of business. It reaches any organization that stood up a Joomla site with a form on it and then stopped tracking it. Forgotten and loosely governed web properties, not core applications, are where this exposure concentrates.
Are fixes available?
Yes. Balbooa fixed the vulnerability in Balbooa Forms 2.4.1, released on 9 July 2026. Any installation on 2.4.0 or earlier should be treated as vulnerable until updated.
Because this flaw was a zero-day that was already being exploited before the patch shipped, updating alone is not sufficient. Any site that ran an affected version while exposed should be checked for signs of compromise, including unexpected files in the Balbooa Forms upload directory and unfamiliar administrator accounts.
Defenders should verify the installed Balbooa Forms version directly rather than assuming a managed or agency-run site is current, since these properties are frequently updated on a different schedule than the core CMS.
Are there any other recommended actions to take?
Until every install is confirmed on 2.4.1, defenders should:
- Inventory all internet-facing Joomla sites and identify which run Balbooa Forms
- Restrict access to form upload endpoints at the WAF layer where feasible
- Block execution of scripts in upload directories such as
images/baforms/uploads/ - Monitor web server logs for POST requests to Balbooa Forms upload paths from anonymous sources
- Audit the Super User list for accounts that no one created
- Scan upload directories for unexpected
.phpfiles
How can CyCognito help your organization?
CyCognito published an Emerging Threat Advisory for CVE-2026-56291 in the CyCognito platform and is actively researching enhanced detection capabilities for this vulnerability.
To learn how CyCognito can help your organization reduce external exposure and manage emerging threats more effectively, contact us to request a demo.