[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$flELHBJ_73jYDf2JjufcHwi-N1IJN2zm5Bl8s-SF-cwQ":3},{"article":4,"iocs":53},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":32,"category":33,"article_tags":37},"b30522ab-c6fa-409e-865d-47f2b6a3d69f","CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEV","cisa-adds-4-actively-exploited-adobe-joomla-and-langflow-flaws-to-kev-963a87","The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerabilities are listed below - CVE-2026-48282 (CVSS score: 10.0) - A path traversal vulnerability in Adobe ColdFusion that could lead to arbitrary code execution in the context of the","CISA added four critical vulnerabilities to its Known Exploited Vulnerabilities catalog, all showing evidence of active exploitation. These include a path traversal flaw in Adobe ColdFusion (CVE-2026-48282), improper access control in Joomla Page Builder (CVE-2026-56290), an authorization bypass in Langflow (CVE-2026-55255), and an unrestricted file upload in JoomShaper SP Page Builder (CVE-2026-48908). Exploitation includes web shell deployment, credential theft targeting LLM provider and AWS keys, and suspected botnet\u002Fcryptojacking activity.","CISA adds 4 actively exploited Adobe, Joomla, and Langflow CVEs to KEV catalog.","CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEV Ravie LakshmananJul 08, 2026AI Security \u002F Vulnerability The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerabilities are listed below - CVE-2026-48282 (CVSS score: 10.0) - A path traversal vulnerability in Adobe ColdFusion that could lead to arbitrary code execution in the context of the current user. CVE-2026-56290 (CVSS score: 10.0) - An improper access control vulnerability in Joomlack Page Builder that could allow for remote code execution via unauthenticated arbitrary file upload. CVE-2026-55255 (CVSS score: 6.1) - An authorization bypass through a user-controlled key vulnerability in Langflow that could allow an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request. CVE-2026-48908 (CVSS score: 10.0) - An unrestricted upload of a file with a dangerous type vulnerability in JoomShaper SP Page Builder that allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code. It's worth noting that exploitation of CVE-2026-48282 was observed within hours of public disclosure, with Ryan Dewhurst, security researcher and founder of KEVIntel, telling The Hacker News that an attempt was recorded from an IP address geolocated to India (\"103.207.14[.]220\"). CVE-2026-48908, on the other hand, is said to have been exploited as a zero-day to upload a PHP file by means of an HTTP POST request to the \"index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon\" endpoint, followed by the appearance of a new Super User account, per mySites.guru. Users of SP Page Builder are advised to update to version 6.6.2 or later. The Joomla and WordPress site manager service has also recorded exploitation efforts aimed at CVE-2026-56290 as of June 27, 2026, to deliver a web shell on susceptible sites. The issue has been addressed in Page Builder CK version 3.6.0. \"The first confirmed web shell we caught sat at \u002Fmedia\u002Fcom_pagebuilderck\u002Fgfonts\u002Fbhup.php, an uploader shell keyed on a $_POST['_upl'] field,\" mySites.guru explained. \"Because the flaw lets the attacker pick the destination folder, a planted file could be anywhere, not just the obvious upload directories, so look for stray PHP files under \u002Fmedia\u002Fcom_pagebuilderck\u002F first and then more widely under \u002Fimages, \u002Fmedia, \u002Ftemplates, and \u002Fadministrator.\" As for CVE-2026-55255, Sysdig revealed late last month that it observed a lone operator (\"45.207.216[.]55\") weaponizing the vulnerability along with CVE-2026-33017, an unauthenticated remote code execution flaw in Langflow, as part of a sustained campaign that lasted between June 22 and June 25, 2026. \"On June 25, 2026, the operator (45.207.216[.]55) returned to an internet-exposed Langflow instance they had first probed three days before and ran a tight, methodical session: application\u002Fauth reconnaissance → flow enumeration → the CVE-2026-55255 IDOR → a sustained loop of the CVE-2026-33017 RCE with outbound connection attempts,\" Sysdig's Michael Clark said. The activity is assessed to be opportunistic and financially motivated. The exploitation of CVE-2026-33017 is followed by the deployment of payloads designed to fetch a second-stage downloader responsible for delivering additional malware. This attack chain is consistent with botnet and cryptojacking attacks. That said, the exact nature of the final payload is unknown. The cloud security company has described CVE-2026-55255 as a case of cross-tenant insecure direct object reference (IDOR), which the threat actor exploited to steal large language model (LLM) provider keys and AWS keys. \"AI orchestration platforms are a trove of credentials in their own right, and this operator clearly knew it,\" Sysdig said. \"The RCE went after the host, while the IDOR went after other tenants' flows and their keys.\" The development makes it the latest Langflow flaw to be exploited by bad actors over the past year after CVE-2025-3248, CVE-2026-0770, CVE-2026-33017, CVE-2026-21445, CVE-2025-34291, and CVE-2026-5027. Last week, Sysdig also documented the first known case of agentic ransomware in which a human operator deployed an artificial agent and provisioned the necessary infrastructure to let the agent handle the entire extortion operation from start to finish by exploiting the CVE-2025-3248 Langflow flaw. It has been codenamed JADEPUFFER. In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are advised to apply the fixes by July 10, 2026, to safeguard their networks. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  AI Security, Cloud security, CMS Security, Path Traversal, remote code execution, Vulnerability, Web Shell ⚡ Top Stories This Week ThreatsDay: AI Compute Hijacking, Apple Email Flaw, BlueHammer Ransomware + 14 Stories Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned Packets Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs New Linux pedit COW Exploit Enables Root Access by Poisoning Cached Binaries OpenAI Previews GPT-5.6 Sol With Restricted Access and Stronger Cyber Safeguards FBI Warns Russian Intelligence Hackers Target Signal Backup Recovery Keys Public PoC Released for Critical libssh2 CVE-2026-55200 Client-Side SSH Flaw Microsoft Removes 119 Edge Extensions That Hid Malware in Images and Fonts ⚡ Weekly Recap: Linux Kernel Flaws, AI Malware Tricks, Turla Backdoor, Infostealers and More Mustang Panda Uses Zoho WorkDrive as Command Channel in Indian Government Attacks WhatsApp is Finally Getting Usernames to Help Keep Phone Numbers Private Oracle E-Business Suite Flaw CVE-2026-46817 Actively Exploited in the Wild New BioShocking Attack Tricks AI Browsers Into Leaking User Credentials AirDrop and Quick Share Flaws Let Nearby Attackers Trigger Crashes and Bypass Checks 282 iOS AI Apps Leak API Keys and Open AI Proxy Access in Network Traffic Study GuardFall Exposes Open-Source AI Coding Agents to Decades-Old Shell Injection Risks Microsoft Warns Poisoned MCP Tool Descriptions Can Make AI Agents Leak Data RustDuck Botnet Rebuilds in Rust to Hijack Routers and Servers for DDoS ⭐ Featured Resources What 200+ Security Teams Reveal About Using IP Intelligence in 2026 Get Hands-On SANS Training for Today’s Cyber Defense and Offensive Security Challenges See What’s Really Exposed Across Your IT, OT, IoT, Cloud, and Mobile Assets Get Gartner’s Guide to AI Agent Supervision and Runtime Controls","https:\u002F\u002Fthehackernews.com\u002F2026\u002F07\u002Fcisa-adds-4-actively-exploited-adobe.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEgZn36WwWfaOwK7XCU9aKjVPS7QAyrnBKsKMXtVRyYbD2X30HI-ojl5F8ttD9VcbXB36anuKWq-JGEhzPq1fjwnEhKPKMjkPDMPAFe8OqR85N1dc0QZoZ7JCN9ziqGuQ8M4irelfxa_zca62EV-s9qBO9WI47ECtzM8Zi2X8T-MFfuRRbJQ8u48Y2RRt3UT\u002Fs1600\u002Fcisa-main.jpg","2026-07-08T05:33:12+00:00","2026-07-08T08:00:22.371378+00:00",9,[18,21,23,25,27,30],{"name":19,"type":20},"Adobe","vendor",{"name":22,"type":20},"Joomla",{"name":24,"type":20},"JoomShaper",{"name":26,"type":20},"Langflow",{"name":28,"type":29},"Adobe ColdFusion","product",{"name":31,"type":29},"Joomla Page Builder","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":32,"icon":34,"name":35,"slug":36},null,"Vulnerabilities","vulnerabilities",[38,43,48],{"category":39},{"id":40,"icon":34,"name":41,"slug":42},"574f766a-fb3f-487c-8d2c-0720ae75471b","Zero-day","zero-day",{"category":44},{"id":45,"icon":34,"name":46,"slug":47},"839da5c1-3c34-47e2-9499-f7201640e3ac","AI Security","ai-security",{"category":49},{"id":50,"icon":34,"name":51,"slug":52},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[54,58,61,64,67,70,74],{"type":55,"value":56,"context":57},"cve","CVE-2026-48282","Adobe ColdFusion path traversal, CVSS 10.0, exploited within hours of disclosure",{"type":55,"value":59,"context":60},"CVE-2026-56290","Joomla Page Builder improper access control, CVSS 10.0, exploited June 27 2026",{"type":55,"value":62,"context":63},"CVE-2026-55255","Langflow authorization bypass\u002FIDOR, CVSS 6.1, exploited June 22-25 2026",{"type":55,"value":65,"context":66},"CVE-2026-48908","JoomShaper SP Page Builder unrestricted file upload, CVSS 10.0, exploited as zero-day",{"type":55,"value":68,"context":69},"CVE-2026-33017","Langflow unauthenticated RCE, used in sustained attack campaign",{"type":71,"value":72,"context":73},"ip","103.207.14.220","Exploitation source for CVE-2026-48282, geolocated to India",{"type":71,"value":75,"context":76},"45.207.216.55","Threat actor IP weaponizing CVE-2026-55255 and CVE-2026-33017 in sustained campaign"]