All incidents

CISA adds Balbooa Forms file‑upload flaw (CVE-2026-56291) to KEV catalogue

vulnerabilityopenJul 10, 2026 — Jul 10, 2026

CISA has placed CVE‑2026‑56291 on its Known Exploited Vulnerabilities catalogue after confirming that the flaw in Balbooa Forms is being used in the wild. The addition means that federal civilian agencies are required to remediate the issue within the timeframe set by the agency’s binding operational directive. Security practitioners should treat the vulnerability as a priority given its critical score and the absence of a vendor patch. Federal agencies must apply the mitigations outlined in CISA’s binding operational directive within the stipulated window to avoid potential penalties.

The vulnerability carries a CVSS v3.1 score of 10.0, rating it as critical, and is catalogued as an unrestricted file upload flaw that accepts files of dangerous types without proper validation. According to the NVD entry, the affected component is the file upload handler within Balbooa Forms, which fails to verify the MIME type or extension of uploaded files before storing them on the server. This oversight allows an attacker to place executable code in a location that can be triggered by the web application. Successful exploitation can lead to complete compromise of the host, allowing adversaries to pivot laterally within the network and exfiltrate sensitive data.

An unauthenticated attacker can send a crafted HTTP POST request to the Forms endpoint, uploading a file with a extension such as .php, .jsp or .exe that contains a web shell or malicious binary. Once the file is written to the server’s upload directory, the attacker can trigger execution by navigating to the file’s URL or by exploiting a secondary inclusion mechanism, thereby achieving remote code execution with the privileges of the web server process. Security logs may show abnormal file creation events in the upload directory, often with timestamps that do not correspond to legitimate user activity.

Although CISA has not disclosed specific threat actor names associated with the activity, the vulnerability’s presence in the KEV catalogue indicates that it is already being exploited in the wild. The catalogue is updated only when there is reliable evidence of active use, which means defenders should assume that compromise attempts are ongoing. The KEV entry includes a brief description of the observed exploitation attempts, though specific indicators of compromise have not been released publicly.

The incident highlights the risks posed by third‑party form plugins that mishandle file uploads, a recurring theme in recent web‑application attacks. Many organisations install such extensions to improve functionality, yet they often overlook the need for strict input validation and file type restrictions. This oversight can turn a benign feature into a foothold for full system compromise. Developers are advised to implement server‑side validation that checks both file extension and content type, and to store uploaded files outside of the web root whenever possible.

Organisations should immediately review any deployment of Balbooa Forms, disable the component if it is not essential and enforce a strict allow‑list of file extensions at the web server or application firewall level. Deploying a web application firewall rule that rejects requests containing suspicious file types or unusual payloads can provide immediate protection while a vendor patch is developed. Additionally, organisations should ensure that error messages returned to users do not reveal internal file paths, such as information can assist attackers in crafting further exploits.

Security teams ought to monitor upload directories for newly created files, investigate any unexpected binaries and review web server logs for repeated POST requests to the Forms endpoint. Following CISA’s guidance on vulnerability management and adding the KEV entry to internal tracking will help ensure the flaw is prioritised for remediation once a patch becomes available. Sharing any detected indicators with information sharing and analysis centres can help the broader community defend against similar attacks.

Intelligence briefing updated Jul 10, 2026

CVE-2026-56291 10.0 KEV
Root sourcenvd.nist.gov
Timeline Coverage

Swipe to explore timeline