Description
Balbooa Joomla Forms Builder 2.0.6 contains an unauthenticated SQL injection vulnerability in the form submission handler that allows remote attackers to execute arbitrary SQL queries. Attackers can send POST requests to the com_baforms component with malicious JSON payloads in the 'id' field parameter to extract sensitive database information.
Published: 2026-05-10
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Balbooa Joomla Forms Builder 2.0.6 has an unauthenticated SQL injection flaw in the form submission handler that lets attackers send crafted POST requests with malicious JSON in the 'id' field. This flaw allows execution of arbitrary SQL queries, enabling extraction or modification of sensitive database contents. The vulnerability is classified as CWE‑89, a classic SQL injection weakness.

Affected Systems

Balbooa Joomla Forms Builder version 2.0.6.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the lack of an EPSS score and the absence from CISA KEV suggest the exploit is not well documented yet but remains possible. Because authentication is not required to reach the vulnerable endpoint, an attacker can readily abuse the flaw once the component is exposed on a web server, leading to potential data theft or database tampering.

Generated by OpenCVE AI on May 10, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Balbooa Joomla Forms Builder to the latest patched version.
  • If a patch is unavailable, disable the com_baforms component or block its POST endpoint to prevent unauthenticated access.
  • Implement input validation or parameterized queries for the 'id' field to mitigate injection attempts.
  • Deploy a web application firewall to detect and block suspicious SQL injection payloads.

Generated by OpenCVE AI on May 10, 2026 at 14:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 10 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Balbooa
Balbooa balbooa Joomla Forms Builder
Vendors & Products Balbooa
Balbooa balbooa Joomla Forms Builder

Sun, 10 May 2026 13:00:00 +0000

Type Values Removed Values Added
Description Balbooa Joomla Forms Builder 2.0.6 contains an unauthenticated SQL injection vulnerability in the form submission handler that allows remote attackers to execute arbitrary SQL queries. Attackers can send POST requests to the com_baforms component with malicious JSON payloads in the 'id' field parameter to extract sensitive database information.
Title Balbooa Joomla Forms Builder 2.0.6 SQL Injection Unauthenticated
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Balbooa Balbooa Joomla Forms Builder
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-10T12:43:51.180Z

Reserved: 2026-02-01T11:24:18.716Z

Link: CVE-2021-47930

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-10T13:16:29.163

Modified: 2026-05-10T13:16:29.163

Link: CVE-2021-47930

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-10T21:23:32Z

Weaknesses