Balbooa Forms (com_baforms) versions before 2.4.1 are affected by CVE-2026-56291, an actively exploited unauthenticated file-upload vulnerability that can lead to remote code execution. Joomla administrators should identify exposed installations, update to 2.4.1 or later without delay, and review affected sites for signs of unauthorised uploads or code execution.
Joomla sites using Balbooa Forms should be assessed immediately for CVE-2026-56291. The vulnerability affects versions 1.0 through 2.4.0, requires no authentication, and has been added to CISA’s Known Exploited Vulnerabilities catalog. Updating the extension is the priority, but patching alone is not enough for an internet-exposed site that ran a vulnerable release: administrators should also preserve and review relevant logs and file-system evidence.
Balbooa Forms CVE-2026-56291: what is confirmed
CVE-2026-56291 is an unauthenticated arbitrary file-upload vulnerability, classified as CWE-434, in the Balbooa Forms Joomla extension, commonly identified by the component name com_baforms. A remote attacker does not need a Joomla account to exploit the affected functionality. The vulnerability can allow the upload of executable files and lead to full remote code execution on a vulnerable server.
The documented affected range is Balbooa Forms 1.0 through 2.4.0. NVD’s version information identifies releases before 2.4.1 as vulnerable, so 2.4.1 is the first fixed version. Version 2.4.1 and later are not listed as affected in the CVE and NVD records. Do not turn this bounded range into a claim that every Balbooa Forms release is vulnerable.
The issue is critical both because it is unauthenticated and because exploitation can result in code running under the site’s server context. The relevant NVD record reports a CVSS 4.0 score of 10.0 (Critical) and a CVSS 3.1 score of 9.8 (Critical). These are scores from different CVSS versions; they should be labelled separately and must not be treated as interchangeable values.
Why active exploitation changes the Joomla response
CVE-2026-56291 is listed in CISA’s Known Exploited Vulnerabilities catalog. That listing confirms observed exploitation and is a practical prioritisation signal for site owners, agencies and hosting teams. CVSS, by contrast, measures the technical severity characteristics of a vulnerability; it does not by itself establish that attackers are using it.
CISA added CVE-2026-56291 on 10 July 2026 and set a due date of 13 July 2026. That date is relevant to U.S. federal civilian executive-branch agencies subject to CISA’s binding operational directive process. It is not a legal deadline for every Joomla site owner. For all organisations, however, an internet-facing, unauthenticated flaw with confirmed exploitation warrants emergency-change treatment rather than a routine maintenance window.
The supplied evidence does not confirm use of this issue in named ransomware campaigns. CISA’s ransomware-use field is recorded as unknown, so administrators should not infer campaign attribution from the KEV listing. The confirmed facts are sufficient: vulnerable Balbooa Forms installations can be reached without authentication, the impact can be remote code execution, and exploitation has been observed.
Immediate remediation checklist for Balbooa Forms
Work from an inventory rather than assumptions. Agencies should check every managed Joomla site, including low-traffic sites, staging environments that remain publicly reachable, and older client installations that may not appear in normal update reporting.
- Identify the component and version. Check whether Balbooa Forms or com_baforms is installed and record its installed version, site owner, host, and public exposure.
- Prioritise versions 1.0 through 2.4.0. Treat every installation in that documented range as exposed until it is remediated.
- Update to Balbooa Forms 2.4.1 or later. Obtain the current package through the normal, trusted vendor and site-maintenance process. Confirm the installed version after the update and test the forms that matter to the business.
- Disable or remove when prompt patching is not possible. If compatibility testing or access constraints prevent an immediate update, disable or remove the extension and restrict public access where possible. A temporary workaround is not equivalent to a corrective update.
- Preserve evidence before broad cleanup. Retain relevant web-server, Joomla and hosting logs according to the organisation’s incident process. Record the remediation time, previous version and people involved.
- Review for compromise. Examine the period during which the vulnerable version was internet-facing for unexpected upload activity, unusual executable files, altered site files, unfamiliar administrator activity, and suspicious server behaviour. Focus particularly on upload locations and temporary directories, while following the site’s established incident-response procedures.
- Reset trust where indicators warrant it. If the review suggests unauthorised code execution or file modification, treat the site as a potential compromise: contain it, involve the hosting provider or incident-response team, rotate appropriate credentials, restore from a verified clean source where needed, and investigate the scope before returning to normal operation.
A web application firewall, restrictive file permissions, segmented hosting accounts and tested backups are valuable defence-in-depth controls. They can reduce impact or improve recovery, but they do not replace removing the vulnerable version.
Related Joomla extension vulnerabilities to check
The Balbooa Forms issue should prompt an extension inventory review, not an unsupported conclusion that all Joomla form builders share the same risk. The verified issues below differ in product, affected range, authentication requirement and exploitation status.
| Extension or component | CVE | Authentication | Affected versions | Recommended version or action | CVSS | KEV status |
|---|---|---|---|---|---|---|
| Balbooa Forms | CVE-2026-56291 | None | Before 2.4.1 (1.0–2.4.0) | Update to 2.4.1 or later | 4.0: 10.0 Critical; 3.1: 9.8 Critical | Yes; actively exploited |
| Page Builder CK | CVE-2026-56290 | None | Before 3.6.0 | Update to 3.6.0 or later | 4.0: 10.0 Critical; 3.1: 9.8 Critical | Yes; actively exploited |
| Convert Forms | CVE-2024-40744 | None | 1.0.0 and later, before 4.4.8 | Update to 4.4.8 or later | 3.1: 9.8 Critical | No evidence of KEV listing |
| Balbooa Joomla Forms Builder | CVE-2021-47930 | None | 2.0.6 | No fixed version documented in supplied records | 4.0: 8.8 High; 3.1: 8.2 High | Not listed in this evidence set |
| Balbooa Forms | CVE-2025-49485 | Privileged user | 1.0.0–2.3.1.1 | No first fixed version documented in supplied records | 4.0: 8.6 High | Not listed in this evidence set |
CVE-2026-56290 in Page Builder CK is the closest operational comparison: it is an unauthenticated arbitrary file-upload flaw that can lead to remote code execution, affects releases before 3.6.0, and is also listed in CISA KEV. CISA added it on 7 July 2026 with a federal-agency due date of 10 July 2026. Review Page Builder CK deployments and update to 3.6.0 or later.
CVE-2024-40744 affects Convert Forms versions 1.0.0 and later before 4.4.8. It is an unauthenticated unrestricted-file-upload issue via a security bypass and has a CVSS 3.1 score of 9.8 (Critical). Update Convert Forms to 4.4.8 or later. The records supplied for this article do not provide authoritative evidence that CVE-2024-40744 is actively exploited or included in CISA KEV.
From this evidence set, CISA KEV includes only CVE-2026-56290 and CVE-2026-56291. KEV status must not be extended to the Convert Forms issue or the earlier Balbooa SQL injection vulnerabilities.
Earlier Balbooa SQL injection issues are distinct
Balbooa Forms has also had earlier SQL injection CVEs, but they are not interchangeable with CVE-2026-56291. CVE-2021-47930 concerns Balbooa Joomla Forms Builder version 2.0.6 and is an unauthenticated SQL injection issue in the form-submission handler. The supplied CVE and NVD material identifies the affected version but does not document a fixed release. Sites that must retain that version should restrict exposure, harden and monitor it while seeking current vendor update information.
CVE-2025-49485 affects Balbooa Forms versions 1.0.0 through 2.3.1.1, but its authentication condition is materially different: exploitation requires a privileged user. The records do not specify the first fixed version, so administrators should not invent one. Restrict and monitor privileged access, and follow confirmed vendor guidance when available.
NVD marks both CVE-2021-47930 and CVE-2025-49485 as Deferred, meaning its analysis is incomplete and details can change. Neither is listed in CISA KEV in the evidence reviewed here, and there is no authoritative confirmation of real-world exploitation for either issue. Their presence provides useful maintenance context, not evidence that they share the current Balbooa Forms RCE’s exploitation status.
Turn urgent patching into an agency process
For a single site, the required work is straightforward: verify the installed extension version, update, test, and review for compromise. For agencies and multi-site organisations, the failure point is usually incomplete inventory. Maintain a current list of installed Joomla extensions, versions, client ownership, hosting location, maintenance status and public exposure. This allows teams to search centrally for an affected component and assign remediation without relying on memory or individual client records.
Use exploitation status and exposure together when triaging. An unauthenticated component on a public site normally deserves faster handling than a comparable issue available only to authenticated privileged users. Keep a documented exception process for updates that cannot be applied promptly, including the temporary containment measure, risk owner, review date and path to permanent remediation.
Finally, monitor authoritative sources: CVE and NVD records for technical scope, vendor release information for update packages, and CISA KEV for confirmed exploitation prioritisation. The Balbooa Forms case is a reminder that Joomla extension security depends on knowing what is installed, applying targeted updates quickly, and verifying whether an exposed site may already need incident-response work.
Add comment