Press TechRound interviews Secure.com CEO on the future of AI security
Read

Balbooa Forms Joomla Flaw Lets Hackers Hijack Sites With a Single Upload

critical Balbooa Forms bug lets anyone upload a file and take over a Joomla site with no login. CISA confirms active attacks and wants a fix.

Dateline: July 13, 2026

One Upload, Full Server: Inside the Balbooa Forms Joomla Flaw

Anonymous visitors could upload files to a live Balbooa Forms install and run whatever code they wanted.

  • No login
  • No CSRF token
  • No check on the file type

That gap sat inside one of Joomla’s most used form building extensions, and someone found it while it was already being used against a real customer.

What Happened

The bug is now tracked as CVE-2026-56291. It lives in the com_baforms component, the code behind Balbooa Forms attachment uploads. Any site running version 2.4.0 or older is exposed.

Security firm mySites.guru spotted it on July 8, 2026, after a customer flagged strange activity in an access log. A request had hit the form upload handler and succeeded in a way it should not have. The team traced the request through the extension’s code, rebuilt the attack on a test Joomla site, and confirmed the worst case.

A visitor with no account and no permissions could drop a PHP file into a public folder and then call that file in a browser to run it. That is remote code execution, full control of the server, handed to anyone who knows where to send a request.

Balbooa moved fast. Told privately about the flaw, the vendor shipped version 2.4.1 the next day, July 9, crediting researcher Phil Taylor for the find. The Cybersecurity and Infrastructure Security Agency added the bug to its Known Exploited Vulnerabilities catalog on July 10 and gave federal agencies until July 13 to apply the fix. CVSS scored it a perfect 10.

This was not a flaw someone dug up in a lab. It was already live. Attackers had a working exploit before Balbooa had a patch, which puts it in the small and dangerous category of true zero days.

The Impact

Sites that stayed on 2.4.0 or earlier are still open right now. A successful hit hands an attacker a foothold on the server itself, not just the Joomla install. From there they can plant a persistent shell, add a hidden admin account, pivot to other sites on the same host, or use the server to launch further attacks. Because the flaw needs no login and no user interaction, it is easy to automate, and automated scanners are exactly what tend to find bugs like this first.

Indicators of Compromise

  • Any file in the default upload folder, images/baforms/uploads, that is not an image or document, especially one ending in .php
  • Joomla administrator accounts nobody on the team remembers creating
  • PHP files anywhere on the site that were modified recently or that nobody recognizes

How to Avoid This

Move every Balbooa Forms install to version 2.4.1 or later today, not during the next scheduled maintenance window. Then check for signs of a prior visit using the indicators above. If any of them turn up, treat the site as compromised and start incident response rather than just deleting the file and moving on.

The Australian Cyber Security Centre flagged this as part of a wider pattern this week, warning that a global campaign is scanning for weaknesses across CMS platforms and plugins, with automated tooling closing the gap between disclosure and exploitation faster than ever.

Why This Keeps Happening

Vulnerability response usually depends on someone noticing a KEV listing, checking whether it applies, and chasing down every affected asset by hand. That is slow, and slow is what turns a one day patch window into a month long breach.

  • Pulls new KEV entries daily and flags any exploited CVE the moment it lands, no manual watching required
  • Matches vulnerabilities like this one against your actual asset inventory instead of a generic CVE feed
  • Starts a remediation clock automatically for anything actively exploited, with owners notified the same day
  • Documents the fix and the check for prior compromise, so the audit trail already exists when someone asks for it
  • Keeps a human in the loop for anything touching a critical system, so nothing critical gets patched blind