CVE-2026-56291
Received
Received - Intake
Unauthenticated Arbitrary File Upload in Balbooa Forms Leads to RCE
Vulnerability report for CVE-2026-56291, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-09
Last updated on: 2026-07-09
Assigner: Joomla! Project
Description
Description
The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| balbooa | forms | to 2.4.0 (inc) |
| balbooa | forms | 2.4.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |