Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

[KEV] CVE-2026-56291 -- CVSS 0.0 Vulnerability Briefing

[KEV] CVE-2026-56291 | CVSS 0.0 (Low) | Exploit: Operational

What Is It

CVE-2026-56291 is an unrestricted file upload vulnerability in Balbooa Forms, a form-building component, that allows unauthenticated attackers to upload and execute arbitrary files on the host system.

Technical Detail

The flaw exists because Balbooa Forms fails to properly validate or restrict the file types accepted through its upload functionality, allowing an unauthenticated remote attacker to submit executable files such as web shells or server-side scripts. Once uploaded, an attacker can request the file directly to trigger execution in the context of the web server process. Successful exploitation results in full remote code execution (RCE), granting the attacker arbitrary command execution on the underlying host.

Exploitation Status

CISA has confirmed active exploitation in the wild, having added this vulnerability to the Known Exploited Vulnerabilities (KEV) catalog on July 10, 2026. The exploit is rated as Operational, meaning functional exploit code exists and is being actively used in real-world attacks, not merely demonstrated in controlled research environments. Organizations running Balbooa Forms should treat this as an immediate priority.

Who Is Targeting This

No specific threat actor attribution at this time. Neither confirmed nor reported threat actor associations have been established for this vulnerability as of the date of this briefing.

What To Do

Per CISA's Known Exploited Vulnerabilities catalog, federal agencies operating under BOD 22-01 are required to apply patches or mitigations by the deadline specified in the KEV entry (added July 10, 2026). All organizations running Balbooa Forms should apply the vendor-supplied patch immediately. If a patch is not yet available or cannot be applied immediately, disable the file upload functionality within Balbooa Forms or take the affected component offline until remediation is complete. Defenders should audit web-accessible upload directories for recently placed executable files, review web server logs for unexpected POST requests to form endpoints, and monitor for outbound connections or command execution originating from the web server process. Implementing a web application firewall rule to block uploads of executable file extensions is a viable short-term control while patching is underway.

All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →