An unauthenticated file upload flaw in Balbooa Forms for Joomla lets any anonymous visitor drop a PHP file into a public folder, resulting in full remote code execution.
Read more about Emerging Threat: (CVE-2026-56291) Balbooa Forms Remote Code Execution via Unauthenticated File Upload