Back to overview

CVE-2026-56291

CRITICAL
10.0
CVSS 4.0
Description
The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE.

Metadata

CVE ID
CVE-2026-56291
State
PUBLISHED
Assigner
Joomla
Reserved
2026-06-20 11:57 UTC
Published
2026-07-09 09:53 UTC
Last updated
2026-07-09 14:03 UTC
Primary CWE
CWE-434
CWE-434: Unrestricted Upload of File with Dangerous Type
Vendor / Product
balbooa.com / balbooa.com Balbooa Forms extension for Joomla
Sources
cve.org  ·  NVD

Severity & Metrics

10.0 CRITICAL CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red
SSVC — CISA Coordinator
Exploitation
none
Automatable
yes
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
balbooa.com balbooa.com Balbooa Forms extension for Joomla 1.0-2.4.0
Weakness (CWE)
CWESourceDescription
CWE-434 cna CWE-434: Unrestricted Upload of File with Dangerous Type
CVSS scores (1)
ScoreSeverityVersionSourceVector
10.0 CRITICAL 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/AU:Y/U:Red
Back to overview