CVE-2026-56291 Google Chronicle · YARA-L

Detect Balbooa Forms Unrestricted File Upload Exploitation (CVE-2026-56291) in Google Chronicle

Detects exploitation attempts against CVE-2026-56291, an unrestricted upload of file with dangerous type vulnerability (CWE-434) in Balbooa Forms for Joomla. This vulnerability is listed in CISA KEV, indicating confirmed active exploitation. Attackers abuse the forms file upload functionality to upload web shells or other malicious executable content (PHP, PHTML, PHAR, etc.) bypassing extension/type restrictions, leading to remote code execution on the underlying web server.

MITRE ATT&CK

Tactic
Initial Access Execution

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral
rule balbooa_forms_cve_2026_56291_upload {
  meta:
    author = "df00tech detection engineering"
    description = "Detects exploitation of CVE-2026-56291 - Balbooa Forms unrestricted file upload"
    severity = "HIGH"
    cve = "CVE-2026-56291"
  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    $e.network.http.method = "POST"
    (re.regex($e.target.url, `(?i)(com_balbooaforms|balbooaforms)`))
    (re.regex($e.target.url, `(?i)\.(php\d?|phtml|phar|pht|jsp|asp|aspx)`))
  outcome:
    $risk_score = 75
  condition:
    $e
}
high severity medium confidence

Chronicle YARA-L rule detecting POST requests to Balbooa Forms upload endpoints containing dangerous executable file extensions, indicating CVE-2026-56291 exploitation.

Data Sources

Chronicle Web Proxy LogsChronicle HTTP Network Logs

Required Tables

NETWORK_HTTP

False Positives & Tuning

  • Legitimate uploads with benign filenames containing extension-like substrings
  • Vulnerability scanner traffic during authorized assessments
  • URL rewriting/proxy artifacts producing coincidental matches

Other platforms for CVE-2026-56291


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate dangerous file extension upload POST request

    Expected signal: Web server access log entry showing POST request to com_balbooaforms upload endpoint with filename test_shell.php and 200/201 status code.

  2. Test 2Upload double-extension bypass file (.phtml)

    Expected signal: Web access log entry for POST request with mismatched Content-Type (image/jpeg) and .phtml extension in filename.

  3. Test 3Windows IIS-hosted Joomla upload simulation

    Expected signal: W3CIISLog entry recording POST to com_balbooaforms endpoint with cs-uri-stem containing test_shell.aspx.

Unlock Pro Content

Get the full detection package for CVE-2026-56291 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections