Balbooa Forms – critical upload flaw with code execution
Secure version: Balbooa Forms 2.4.1 or newer · via Balbooa
At a glance
com_baforms)What is this about?
Balbooa Forms (com_baforms) builds contact and sign-up forms for Joomla. Forms can accept file attachments – and exactly that upload path was left open: the front-end call that stores an attachment could be triggered without logging in and checked neither a security token (CSRF) nor the file type.
As a result, an attacker can upload an executable PHP file. It is placed in a publicly reachable sub-folder of the upload directory and can then be opened straight from the browser – the injected code runs on the server (remote code execution). At that point the whole site can be taken over.
Affected are all versions up to and including 2.4.0. The fix has been available since 9 July 2026 as 2.4.1 and adds the missing checks. The flaw is tracked as CVE-2026-56291 and, according to the report, is already being exploited in the wild; no public exploit code was released.
Am I affected? – How to check
- Open the back end
Log in to the Joomla administrator.
- Check the version
Under Extensions›Manage›Manage, filter for
Balbooa Formsand read off the version. - Assess the version
If the version is 2.4.0 or older, action is urgently needed.
- Watch for traces
Check the folder images/baforms/uploads/ for foreign
.phpfiles and your Users list for unknown administrator accounts.
How to fix it
- Open the Update center
Go to System›Update›Extensions and click Check for updates.
- Update Balbooa Forms
Select the entry and update to 2.4.1 or newer.
- Verify the version
Then confirm that the new version has been applied.
Official source: via Balbooa. Make sure you have at least Balbooa Forms 2.4.1 or newer.
Has the site already been attacked?
.php files, review your Users list for new Super Users, and if you find anything change all passwords (Joomla admin, FTP/SSH, database). When in doubt, have the site professionally cleaned.Need help with the clean-up? Find qualified specialists in the Joomla Service Providers Directory.
Sources & further reading
- Original advisory – mySites.guruAdvisory with technical details
- Balbooa (vendor)Get the update via the Joomla updater or your Balbooa account
- CVE-2026-56291 (CVE.org)Official CVE record
- Joomla Vulnerable Extensions List (VEL)Community-run list of vulnerable extensions
The official information from the respective vendor always takes precedence. This page neutrally summarises publicly available information.
Supporters of this site
htprotect.org is a free, vendor-independent information service. It is supported by:

Joomla host from Germany with active community support – discovered the first attack on the JCE vulnerability.
fc-hosting.deSpecialised in cleaning, maintaining and securing Joomla and WordPress websites.
website-bereinigung.deSupport this project
You run a hosting or Joomla service and would like to support htprotect.org – and be listed here as a supporter? Every contribution helps to warn and protect those affected faster.
Prefer to give privately, without a listing? A little something for the tip jar is just as welcome.
Manufactures and installs construction-site signs, hoardings and façade solutions – including design and 3D visualisation.
bauschildundservice.deProfessional IT support from Czechia – Windows management, domain administration and web hosting.
defendersoft.czTravel portal from Germany – package holidays, hotels and flights online, with personal travel-agency advice.
onlineweg.deCreative agency from Brandenburg – web design, print media, photography and 360° panoramas from a single source.
criadero.deIT service provider from Wächtersbach – Joomla websites, PC service, hardware and software.
jahnedv.de