CVE-2026-56291
Unrestricted Upload of Dangerous File Type: Is CVE-2026-56291 real, exploitable, or a false positive? Here's the community verdict.
signals
public sources
Confirmed exploited in the wild. Patch this first, regardless of the base score.
baseline read
auto · not a community verdict
Real — exploited in the wild
CISA confirms active exploitation. Treat scanner hits as true positives unless your specific version or config is unaffected.
Based on CISA KEV
Confirm or dispute →CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE.
References
Published
Embed this verdict
[](https://www.truepositive.app/cve/CVE-2026-56291)<a href="https://www.truepositive.app/cve/CVE-2026-56291"><img src="https://www.truepositive.app/cve/CVE-2026-56291/badge.svg" alt="TruePositive verdict for CVE-2026-56291"></a>Live badge that updates automatically as the community verdict changes.
Community ground truth
Be the first practitioner to weigh in
So far this is only TruePositive's editorial baseline from public sources. Add your real-world verdict below — it becomes the signal the next person triaging this relies on.
🥇 The first 50 practitioners to contribute earn a Founding Contributor badge.
In your experience, is this finding real and exploitable?
awaiting field verdictsCurated baseline: TruePositive's read from public sources is Real & exploitable — a starting point, not a community verdict.
No account needed. Anonymous verdicts post as an unverified signal. Log in to make yours verified and earn reputation.
Field notes & remediation
Verdicts are the quick signal. Notes are the evidence and fixes behind them.
- 0
Balbooa Forms Unrestricted Upload of File with Dangerous Type Vulnerability — Balbooa Forms contains an unrestricted upload of file with dangerous type vulnerability that allows an unauthenticated arbitrary file upload which could allow uploading of executable files leading to full RCE. Listed in the CISA KEV catalog (added 2026-07-10) — confirmed exploited in the wild, not theoretical. FIRST EPSS puts the chance of exploitation in the next 30 days at ~0%. Treat it as real and prioritize remediation over triage.
- 0
Required action for Balbooa Forms: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines. CISA set a federal remediation due date of 2026-07-13. After patching, verify the vulnerable path is no longer reachable before closing the finding.
Add a field note or remediationoptional
Related CVEs
Same weakness: CWE-434 · Unrestricted Upload of Dangerous File Type.
- CVE-2017-12617HIGH 8.1KEVEPSS 100%
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
- CVE-2018-15961CRIT 9.8KEVEPSS 100%
Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution.
- CVE-2021-31207MED 6.6KEVEPSS 100%
Microsoft Exchange Server Security Feature Bypass Vulnerability
- CVE-2017-12615HIGH 8.1KEVEPSS 100%
When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
- CVE-2025-31324CRIT 10KEVEPSS 99%
SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.
- CVE-2024-50623CRIT 9.8KEVEPSS 99%
In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution.