Important information for all Joomla website owners! On July 8, 2026, a critical vulnerability was discovered in the popular Balbooa Forms (com_baforms) form builder component. The vulnerability allows an unauthenticated attacker to upload and execute PHP files on the server, leading to full site compromise.

The vulnerability has been assigned CVE-2026-56291 with a CVSS v4.0 score of 10.0, which corresponds to a maximum threat level. Attackers are already actively scanning the internet for vulnerable sites.

Balbooa developers released a fix in version 2.4.1 on July 9, 2026. This update is critically urgent — delaying the patch will lead to full compromise of your site.

Understanding the threat: what was fixed?

The vulnerability is an unrestricted upload of a dangerous file type (CWE-434) in the Balbooa Forms component. Unlike many other security flaws, this attack does not require authentication. This means the attacker doesn't need to know your administrator password.

How the hack works:

  1. Lack of checks: In versions up to 2.4.0, the file upload handler (form.uploadAttachmentFile) did not check user authentication, did not require a CSRF token, and did not restrict the type of uploaded files.

  2. Shell upload: The attacker sends an HTTP request to the vulnerable handler, uploading a file with a .php extension. The system takes the extension from the filename provided by the attacker and saves the file as-is.

  3. Code execution: The file is saved to the /images/baforms/uploads/form-<id>/ folder, which is publicly accessible. By requesting this file in a browser, the attacker executes their PHP code on your server.

  4. Outcome: The hacker gains full access to the file system, can read configuration.php with database credentials, create a hidden super administrator account, plant a backdoor, or use the server for malicious purposes.

Who is at risk?

All sites running the Balbooa Forms component versions below 2.4.1 are at risk, including all versions from 1.0 through 2.4.0.

Please note
The vulnerability specifically affects the Balbooa Forms component. If you are using other products from this developer, you need to check them separately.

How to fix It: step-by-step instructions

To address this vulnerability, follow the steps below.

Step 1: update Balbooa forms immediately

  1. Go to your Joomla administrator panel and navigate to Extensions → Manage → Update.

  2. Click "Purge Cache" and then "Find Updates".

  3. Locate the update for Balbooa Forms (com_baforms) in the list.

  4. Update to version 2.4.1 or higher.

If the update does not appear:
Download the latest version manually from the official Balbooa developer website and install it via Extensions → Manage → Install.

Step 2: check for signs of compromise

Since the vulnerability was already being actively exploited before the patch was released, updating does not guarantee that your site was not previously compromised. A thorough inspection is necessary.

  1. Check the upload folder: Using FTP or your hosting File Manager, review the /images/baforms/uploads/ folder. Delete any suspicious files, especially with extensions like .php, .phtml.

  2. Check user accounts: In the Users → Manage section, sort the list by registration date. Find and delete any suspicious administrator accounts that you did not create.

  3. Check recently modified files: Pay attention to files modified in the last few days, especially in the site root folder and the /administrator folder.

Step 3: additional security measures

In addition to updating the component, we strongly recommend:

  • Update the Joomla core to the latest version.

  • Install and configure Admin Tools Pro: Generate a strict .htaccess file, enable PHP script execution blocking in the /images and /media folders, and activate CSRF protection.

  • Enable two-factor authentication for all accounts with administrator and editor privileges.

  • Change all passwords: database password, FTP/SSH, and hosting control panel.

Important!
If your site has been hacked and you are unsure what to do, or have any doubts, contact us immediately for assistance!