HTProtect.org
Independent information site on Joomla security vulnerabilities
HTProtect HTProtect JOOMLA SECURITY
htprotect.org Vulnerabilities & update guides
Security vulnerability

Balbooa Forms – critical upload flaw with code execution

Critical Actively exploitedCVE-2026-56291
Act now
Update Balbooa Forms to 2.4.1 or newer immediately – and clean up as well if you suspect a compromise.

Secure version: Balbooa Forms 2.4.1 or newer · via Balbooa

At a glance

Affected extension
Balbooa Forms – form extension (com_baforms)
Vendor
Type of flaw
Unauthenticated file upload via the form front end → remote code execution (RCE); no login and no token or file-type check
Affected versions
All versions up to and including 2.4.0
Secure version
Balbooa Forms 2.4.1 or newer   Download
Severity
Critical · actively exploited
Joomla compatibility
Joomla 4 / 5 / 6
Status / published
Published/patched: 9 July 2026

What is this about?

Balbooa Forms (com_baforms) builds contact and sign-up forms for Joomla. Forms can accept file attachments – and exactly that upload path was left open: the front-end call that stores an attachment could be triggered without logging in and checked neither a security token (CSRF) nor the file type.

As a result, an attacker can upload an executable PHP file. It is placed in a publicly reachable sub-folder of the upload directory and can then be opened straight from the browser – the injected code runs on the server (remote code execution). At that point the whole site can be taken over.

Affected are all versions up to and including 2.4.0. The fix has been available since 9 July 2026 as 2.4.1 and adds the missing checks. The flaw is tracked as CVE-2026-56291 and, according to the report, is already being exploited in the wild; no public exploit code was released.

Am I affected? – How to check

  1. Open the back end

    Log in to the Joomla administrator.

  2. Check the version

    Under ExtensionsManageManage, filter for Balbooa Forms and read off the version.

  3. Assess the version

    If the version is 2.4.0 or older, action is urgently needed.

  4. Watch for traces

    Check the folder images/baforms/uploads/ for foreign .php files and your Users list for unknown administrator accounts.

How to fix it

Before any update: back up
Back up your files and database before updating – so you can roll back if anything goes wrong (e.g. via Akeeba Backup or your host).
  1. Open the Update center

    Go to SystemUpdateExtensions and click Check for updates.

  2. Update Balbooa Forms

    Select the entry and update to 2.4.1 or newer.

  3. Verify the version

    Then confirm that the new version has been applied.

Manual installation (alternative)
If no update appears, download the package from your Balbooa account and install it via ExtensionsManageInstall.

Official source: via Balbooa. Make sure you have at least Balbooa Forms 2.4.1 or newer.

Has the site already been attacked?

If compromised, an update is not enough
The update closes the hole but does not remove any malware already uploaded. Check images/baforms/uploads/ and the surrounding folders for foreign .php files, review your Users list for new Super Users, and if you find anything change all passwords (Joomla admin, FTP/SSH, database). When in doubt, have the site professionally cleaned.

Need help with the clean-up? Find qualified specialists in the Joomla Service Providers Directory.

Sources & further reading

The official information from the respective vendor always takes precedence. This page neutrally summarises publicly available information.

Supporters

Supporters of this site

htprotect.org is a free, vendor-independent information service. It is supported by:

Host & community
FC-Hosting

Joomla host from Germany with active community support – discovered the first attack on the JCE vulnerability.

fc-hosting.de
Initiator & operator
Website-Bereinigung.de

Specialised in cleaning, maintaining and securing Joomla and WordPress websites.

website-bereinigung.de

Support this project

You run a hosting or Joomla service and would like to support htprotect.org – and be listed here as a supporter? Every contribution helps to warn and protect those affected faster.

Prefer to give privately, without a listing? A little something for the tip jar is just as welcome.

Support HTProtect now
Bauschild & Service

Manufactures and installs construction-site signs, hoardings and façade solutions – including design and 3D visualisation.

bauschildundservice.de
IT Specialista

Professional IT support from Czechia – Windows management, domain administration and web hosting.

defendersoft.cz
onlineweg.de

Travel portal from Germany – package holidays, hotels and flights online, with personal travel-agency advice.

onlineweg.de
Criadero

Creative agency from Brandenburg – web design, print media, photography and 360° panoramas from a single source.

criadero.de
Jahn EDV-Dienst GmbH

IT service provider from Wächtersbach – Joomla websites, PC service, hardware and software.

jahnedv.de