Balbooa Forms Unrestricted File Upload Exploitation (CVE-2026-56291)
Detects exploitation attempts against CVE-2026-56291, an unrestricted upload of file with dangerous type vulnerability (CWE-434) in Balbooa Forms for Joomla. This vulnerability is listed in CISA KEV, indicating confirmed active exploitation. Attackers abuse the forms file upload functionality to upload web shells or other malicious executable content (PHP, PHTML, PHAR, etc.) bypassing extension/type restrictions, leading to remote code execution on the underlying web server.
Vulnerability Intelligence
KEV — Known ExploitedAffected Software
- Vendor
- Balbooa
- Product
- Forms
Weakness (CWE)
Timeline
- Disclosed
- July 10, 2026
References & Proof of Concept
What is CVE-2026-56291 Balbooa Forms Unrestricted File Upload Exploitation (CVE-2026-56291)?
Balbooa Forms Unrestricted File Upload Exploitation (CVE-2026-56291) (CVE-2026-56291) maps to the Initial Access and Execution tactics — the adversary is trying to get into your network in MITRE ATT&CK.
This page provides production-ready detection logic for Balbooa Forms Unrestricted File Upload Exploitation (CVE-2026-56291), covering the data sources and telemetry it touches: IIS Logs, Web Application Firewall Logs, Azure WAF. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Tactic
- Initial Access Execution
// Microsoft Sentinel - Detect Balbooa Forms webshell upload / RCE attempt (CVE-2026-56291)
let suspiciousExt = dynamic([".php",".phtml",".phar",".php5",".php7",".pht",".jsp",".asp",".aspx"]);
W3CIISLog
| where csUriStem has_any ("/components/com_balbooaforms", "/media/com_balbooaforms", "joomla") and cUriQuery has_any ("upload", "file")
| where csMethod == "POST"
| where cUriStem has_any (suspiciousExt)
| extend UploadedFile = extract(@"([^/\\]+\.(php\d?|phtml|phar|pht|jsp|asp|aspx))", 1, csUriStem)
| project TimeGenerated, cIP, csUriStem, csUserAgent, scStatus, UploadedFile
| union (
W3CIISLog
| where cUriStem has "com_balbooaforms" and csMethod == "POST" and scStatus in (200,201,302)
| project TimeGenerated, cIP, csUriStem, csUserAgent, scStatus, UploadedFile="unknown"
)
| sort by TimeGenerated desc Detects HTTP POST requests to Balbooa Forms Joomla component upload endpoints containing dangerous file extensions consistent with webshell upload exploitation of CVE-2026-56291.
Data Sources
Required Tables
False Positives
- Legitimate file uploads with similarly named but benign attachments (e.g. .php in a filename used decoratively)
- Internal QA/testing of the forms component uploading test files
- Misconfigured logging causing false extension matches from query strings
Sigma rule & cross-platform mapping
The detection logic for Balbooa Forms Unrestricted File Upload Exploitation (CVE-2026-56291) (CVE-2026-56291) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: network_connection
product: windows Browse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2026-56291
References (4)
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate dangerous file extension upload POST request
Expected signal: Web server access log entry showing POST request to com_balbooaforms upload endpoint with filename test_shell.php and 200/201 status code.
- Test 2Upload double-extension bypass file (.phtml)
Expected signal: Web access log entry for POST request with mismatched Content-Type (image/jpeg) and .phtml extension in filename.
- Test 3Windows IIS-hosted Joomla upload simulation
Expected signal: W3CIISLog entry recording POST to com_balbooaforms endpoint with cs-uri-stem containing test_shell.aspx.
Unlock Pro Content
Get the full detection package for CVE-2026-56291 including response playbook, investigation guide, and atomic red team tests.