Balbooa Forms CVE-2026-56291 actively exploited vulnerability

Confirmed
Discovered Jul 10, 2026

CISA KEV active-exploitation listing plus NVD/vendor/reference enrichment.

1
Affected Packages
3
Observables
3
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Current dossier state
needs review
Last verified
Not yet independently verified
Am I affected?
balbooa-forms
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script
Observed fact
Direct-source and cited evidence only.
Informed inference
Analysis is labelled where evidence is indirect.
Unknown
Unverified scope remains explicitly open.
Forms
Balbooa
CVE-2026-56291

Analysis

Summary

CISA added CVE-2026-56291 to the Known Exploited Vulnerabilities catalog on 2026-07-10, marking credible active exploitation of Balbooa Forms [1]. NVD records the issue as an unrestricted upload of dangerous file types in the Joomla extension and marks the CVSS 4.0 exploit maturity as attacked [2]. This post treats the item as an exploited-vulnerability response workflow, not as proof that a software supply-chain channel or vendor infrastructure was compromised.

Affected and fixed versions

NVD's Joomla CNA record lists affected versions as balbooa-forms 1.0-2.4.0 [2]. CISA requires vendor-directed mitigation by 2026-07-13 [1]. Public sources reviewed during this cron did not provide a more precise fixed version string; operators should verify installed extension metadata against vendor release/download guidance before closure [3].

Detection and hunting

Use scripts/scope_balbooa-forms-cve-2026-56291-kev.py against exported CMDB, vulnerability scanner, web-server, EDR, ticket, and configuration inventories. A positive hit means the environment references CVE-2026-56291, Balbooa, Forms, or the affected-version selector and needs product-specific triage. The script is offline-only and does not contact vendor, CISA, or NVD systems.

Incident response guidance

Containment starts by locating internet-facing Joomla sites that run Forms and preserving evidence before cleanup. Capture web roots, extension upload directories, access logs, application logs, file modification timelines, process listings, and a UTC chain-of-custody record with evidence hashes and storage owner. Because the vulnerability class allows arbitrary executable upload, responders should look for new PHP/webshell-like files, unexpected extension changes, abnormal child processes from the web server account, persistence in scheduled tasks or Joomla extension/plugin configuration, and outbound connections from the affected host.

Eradication requires applying vendor mitigations or moving outside the affected version range, removing unauthorized uploaded executable files only after preservation, and reviewing administrator sessions and application secrets if exploitation succeeded. Recovery should include a post-fix scan, validation that the upload path no longer permits executable upload, review of backup integrity, and post-recovery monitoring for repeated upload attempts.

IOC handling

No attacker-controlled domains, IPs, URLs, hashes, or filenames were provided by CISA, NVD, or vendor sources reviewed here. The IOC arrays therefore intentionally remain empty except for product and version selectors. Source and advisory URLs are kept in detection selectors rather than being emitted as incident IOCs.

Open questions

  • Public sources did not name attacker infrastructure, uploaded filenames, file hashes, victim counts, or exploit chains.
  • Vendor fixed-version naming should be rechecked against installed extension release metadata during asset validation.

Timeline

6 of 6 rows

Timeline
DateEventDescriptionSource
Jul 10, 2026First seenFirst seen recorded for Balbooa Forms CVE-2026-56291 actively exploited vulnerability.cisa.gov
Jul 10, 2026DiscoveryDiscovery recorded for Balbooa Forms CVE-2026-56291 actively exploited vulnerability.cisa.gov
Jul 9, 2026DisclosureDisclosure recorded for Balbooa Forms CVE-2026-56291 actively exploited vulnerability.cisa.gov
Invalid DatePatch or fixPatch or fix recorded for Balbooa Forms CVE-2026-56291 actively exploited vulnerability.cisa.gov
Jul 13, 2026kev due datekev due date recorded for Balbooa Forms CVE-2026-56291 actively exploited vulnerability.cisa.gov
Jul 10, 2026Balbooa Forms CVE-2026-56291 actively exploited vulnerabilityUnknowncisa.gov

Affected Software

1 of 1 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
balbooa-formsenterprise-software1.0-2.4.0Malicious90%cisa.gov; balbooa.com; nvd.nist.gov

IOC Clipboard

3 IOCs
commandForms
commandBalbooa
commandCVE-2026-56291

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
CVE-2026-56291 asset and telemetry scopePythonDo asset inventories or exported telemetry contain CVE-2026-56291, Balbooa, Forms, or affected-version selectors?scripts/scope_balbooa-forms-cve-2026-56291-kev.py opens in a new tabcisa.gov

Hunt Manifest: CVE-2026-56291 asset and telemetry scope

Title
CVE-2026-56291 asset and telemetry scope
Question
Do asset inventories or exported telemetry contain CVE-2026-56291, Balbooa, Forms, or affected-version selectors?
Telemetry Family
Python
Repository
scripts/scope_balbooa-forms-cve-2026-56291-kev.py
Show tested hunting scriptscripts/scope_balbooa-forms-cve-2026-56291-kev.py
scripts/scope_balbooa-forms-cve-2026-56291-kev.py opens in a new tabPython
#!/usr/bin/env python3
"""Scope CVE-2026-56291 exposure from asset inventories and exported Joomla/web telemetry.

Input: a directory containing CSV, JSON, JSONL, TXT, LOG, YAML, or XML exports.
The script does not contact the network. It looks for the CVE, vendor/product
selectors, and affected-version selectors recorded in the Halting Problems profile.
"""
from __future__ import annotations
import json, os, sys
from pathlib import Path

CVE_ID = "CVE-2026-56291"
VENDOR = "Balbooa"
PRODUCT = "Forms"
AFFECTED_VERSION_SELECTORS = [
  "balbooa-forms 1.0-2.4.0"
]
SOURCE_SELECTORS = [
  "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json",
  "https://nvd.nist.gov/vuln/detail/CVE-2026-56291",
  "https://www.balbooa.com/joomla-forms",
  "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-56291"
]
DOMAINS = []
HASHES = []
URLS = []
FILES = []
PROCESS_PATTERNS = [PRODUCT, VENDOR, CVE_ID]
NETWORK_PATTERNS = []
INDICATORS = [CVE_ID, VENDOR, PRODUCT, *AFFECTED_VERSION_SELECTORS, *SOURCE_SELECTORS]
OUT = os.environ.get("OUT", "hp-balbooa-forms-cve-2026-56291-kev-scope")
TEXT_SUFFIXES = {'.csv','.json','.jsonl','.txt','.log','.yaml','.yml','.xml','.conf','.ini','.md'}
EXCLUDED_DIR_NAMES = {'.git','node_modules','vendor','dist','__pycache__','.venv'}

def read_text(path: Path) -> str:
    try:
        return path.read_text(encoding='utf-8', errors='ignore')
    except Exception:
        return ''

def iter_files(root: Path):
    if root.is_file():
        yield root; return
    for p in root.rglob('*'):
        if p.is_file() and not any(part in EXCLUDED_DIR_NAMES for part in p.parts):
            if not p.suffix or p.suffix.lower() in TEXT_SUFFIXES:
                yield p

def scan(root: Path):
    matches=[]
    lowered=[s.lower() for s in INDICATORS if s]
    for path in iter_files(root):
        text=read_text(path)
        low=text.lower()
        hits=sorted({INDICATORS[i] for i,s in enumerate(lowered) if s in low})
        if hits:
            matches.append({'path': str(path), 'hits': hits})
    return matches

def main(argv=None):
    argv=argv or sys.argv[1:]
    root=Path(argv[0]) if argv else Path('.')
    matches=scan(root)
    out_dir=Path(OUT); out_dir.mkdir(parents=True, exist_ok=True)
    report={'cve': CVE_ID, 'vendor': VENDOR, 'product': PRODUCT, 'affected_version_selectors': AFFECTED_VERSION_SELECTORS, 'match_count': len(matches), 'matches': matches}
    (out_dir/'scope_report.json').write_text(json.dumps(report, indent=2), encoding='utf-8')
    print(json.dumps({'cve': CVE_ID, 'match_count': len(matches), 'report': str(out_dir/'scope_report.json')}, indent=2))
    return 2 if matches else 0
if __name__ == '__main__':
    raise SystemExit(main())

Provenance & Sources

3 of 3 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
cisa.govSecurity Researcher95%2CISA KEV active-exploitation listing plus NVD/vendor/reference enrichment.
balbooa.comSecurity Researcher95%1CISA KEV active-exploitation listing plus NVD/vendor/reference enrichment.
nvd.nist.govSecurity Researcher95%1CISA KEV active-exploitation listing plus NVD/vendor/reference enrichment.