ctipilot.ch

Balbooa Forms for Joomla (com_baforms) unauthenticated file-upload RCE (CWE-434, CVSS 4.0 10.0) — zero-day exploited pre-patch; 3rd Joomla-extension file-upload RCE in the 2026-06/07 wave

cve · CVE-2026-56291

Coverage timeline
1
first 2026-07-09 → last 2026-07-09
Entries
1
1 distinct days
Sources cited
2
2 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
1
see Related entities below

Story timeline

  1. 2026-07-09CVE-2026-56291 — Balbooa Forms for Joomla: unauthenticated file-upload RCE exploited as a zero-day (CVSS 10.0)
    trending-vulnerabilitiesBalbooa patches an actively-exploited unauthenticated file-upload RCE in its Joomla Forms extension — the third such flaw in the ecosystem in two weeks

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • balbooa.com1 (50%)
  • mysites.guru1 (50%)

Related entities

Entries about Balbooa Forms for Joomla (com_baforms) unauthenticated file-upload RCE (CWE-434, CVSS 4.0 10.0) — zero-day exploited pre-patch; 3rd Joomla-extension file-upload RCE in the 2026-06/07 wave (1)

2026-07-09 · view entry permalink →

HIGHCVE-2026-56291exploited

CVE-2026-56291 — Balbooa Forms for Joomla: unauthenticated file-upload RCE exploited as a zero-day (CVSS 10.0)

Balbooa Forms is a widely deployed drag-and-drop form builder for Joomla, installed as the com_baforms component for contact, registration and survey forms on thousands of sites, including the SME and municipal/public-sector Joomla estates common across Switzerland and Europe. Up to and including version 2.4.0, its frontend attachment-upload task — reached at index.php?option=com_baforms&task=form.uploadAttachmentFile — ran for any anonymous visitor with no authentication check, no Session::checkToken() CSRF validation, and no allow-list on the uploaded file's extension (mySites.guru, 2026-07-08). The write routine (FormModel::uploadAttachmentFile, around line 122 of the frontend FormModel.php) took the extension from the attacker-supplied filename and sanitised only the name portion with Joomla's File::makeSafe() — which strips dangerous characters but does not reject a .php extension — then rejoined the cleaned name with the untouched extension and wrote the file under images/baforms/uploads/form-<id>/, a directory that is served directly and executes PHP. The result is unauthenticated arbitrary-file-upload-to-RCE (CWE-434), the highest-severity web outcome, requiring no account of any kind; Joomla's CNA scored it CVSS 4.0 base 10.0 (AV:N/AC:L/AT:N/PR:N/UI:N).

This was a genuine zero-day: it surfaced when a mySites.guru customer brought in a raw web-server access log after a Hetzner hosting-abuse report, showing a successful exploit attempt before any patch existed, and the researchers state the same attacks continue against unpatched sites, with no public proof-of-concept released (mySites.guru, 2026-07-08). Balbooa fixed it the same day it was disclosed, shipping 2.4.1 on 9 July 2026 with four layered changes — a server-side extension allow-list per upload field, an optional MIME-type check, a server-generated stored filename (defeating double-extension tricks), and a CSRF token check (Balbooa changelog, 2026-07-09); the flaw is tracked as CVE-2026-56291 (CWE-434, CVSS 4.0 base 10.0). Notably, the changelog lists these as ordinary "Fixed" items — one bullet mentions improving upload security — but nowhere flags that they close an actively-exploited remote code execution flaw or references the CVE, so update-triage that waits for an explicit severity or exploitation signal would leave the door open.

This is the third unrelated Joomla third-party extension disclosed with the identical unauthenticated file-upload-to-RCE class in roughly two weeks — following JoomShaper SP Page Builder (CVE-2026-48908) and Joomlack Page Builder CK (CVE-2026-56290), both added to CISA KEV on 7 July and both covered by this pipeline on 2026-07-08 — and all three were surfaced by the same research outfit. The pattern is now a defender action in its own right: the exposure is not one named component but the class of anonymous-facing upload endpoints across a Joomla estate's third-party extensions. Mapped to T1190 Exploit Public-Facing Application for the upload/execution and T1505.003 Web Shell once the uploaded file is used for persistence.

This was a zero-day: it was already being exploited in the wild when we found it, before any patch existed, and those attacks are still going on now against sites that have not updated.

The flaw was an unauthenticated file upload with no file-type allow-list.

mySites.guru 2026-07-08
vulnerability09 Jul 12:20Zmulti-sourceOpen finding ↗