Exposures › CVE-2026-56291
Balbooa Forms allows unauthenticated arbitrary file upload leading to full RCE.
This vulnerability enables unauthenticated attackers to upload executable files to Balbooa Forms, resulting in full remote code execution. DIB organizations must ensure no unauthenticated upload endpoints exist in their supply chain to prevent ransomware or data exfiltration via compromised vendor services.
Shame score — Unauthenticated RCE via file upload is a critical, avoidable supply-chain failure that directly violates FedRAMP and CMMC requirements for secure upload mechanisms.
Balbooa Forms contains an unrestricted upload of file with dangerous type vulnerability that allows an unauthenticated arbitrary file upload which could allow uploading of executable files leading to full RCE.
No correlated FedRAMP products.