Back to Feed
VulnerabilitiesJul 8, 2026

CISA Urges Immediate Patching of Exploited ColdFusion, Langflow, Joomla Flaws

CISA adds exploited vulnerabilities in ColdFusion, Langflow, and Joomla extensions to KEV catalog.

Summary

CISA has added four critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch them by July 10. The flaws affect Adobe ColdFusion (CVE-2026-48282), Langflow (CVE-2026-55255), SP Page Builder by JoomShaper (CVE-2026-48908), and Page Builder CK by Joomlack (CVE-2026-56290). These vulnerabilities have been actively exploited in the wild, with attackers using them for code execution, planting backdoors, and creating hidden administrator accounts.

Full text

The US cybersecurity agency CISA on Tuesday warned that vulnerabilities in Adobe ColdFusion, Langflow, and two Joomla extensions have been exploited in the wild. Tracked as CVE-2026-48282 (CVSS score of 10/10), the ColdFusion bug was flagged as exploited only days after Adobe rolled out patches for it on June 30. It is a path traversal issue that allows attackers to execute arbitrary code. The Langflow security defect, tracked as CVE-2026-55255 (CVSS score of 9.9), is described as a cross-tenant insecure direct object reference (IDOR) weakness that allows attackers to execute flows belonging to other users by supplying a flow UUID. It was patched in Langflow version 1.9.1. On June 26, cybersecurity firm Sysdig warned that hackers had started exploiting the critical-severity vulnerability in the wild, despite there being no public proof-of-concept (PoC) exploit at the time. As part of the observed attacks, a threat actor performed host reconnaissance, harvested flow IDs, replayed the IDs to trigger the IDOR, and chained in CVE-2026-33017, a remote code execution (RCE) bug in Langflow that was patched in March. On Tuesday, CISA added the ColdFusion and the Langflow security defects to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch them within three days.Advertisement. Scroll to continue reading. Additionally, it warned that hackers have been exploiting two Joomla extension vulnerabilities, impacting SP Page Builder by JoomShaper and Page Builder CK by Joomlack. The SP Page Builder bug, tracked as CVE-2026-48908 (CVSS score of 10/10), is described as an improper access control issue that allows unauthenticated attackers to achieve RCE. Fixed in SP Page Builder version 6.6.2, it impacts the custom icon upload feature of the plugin, which can be reached without authentication. Because the vulnerable function writes files to the web root folder, the weakness can lead to PHP code execution on servers that execute code from the web root. Recent reports have shown that threat actors have been exploiting the vulnerability to plant hidden administrator accounts on Joomla websites and deploy a PHP file manager backdoor. Tracked as CVE-2026-56290 (CVSS score of 10/10), the Page Builder CK bug is described as an unauthenticated arbitrary file upload issue leading to RCE on the underlying web server. The security defect was resolved in Page Builder CK version 3.6.0, released on June 27. Within hours, threat actors started targeting the bug to plant web shells. Per BOD 26-04, federal agencies are required to patch all four security weaknesses by July 10. All organizations are advised to review CISA’s KEV list and address the vulnerabilities in it as soon as possible. Related: Critical Gitea Flaw Under Active Exploitation, Researchers Warn Related: New CitrixBleed Vulnerability Exploited Immediately After Public Disclosure Related: CISA Warns of Actively Exploited Microsoft SharePoint Vulnerability Related: Critical SimpleHelp Vulnerability Exploited for Malware Delivery Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire Blogspot-Hosted Payloads Delivered in ‘Veil#Drop’ AttacksArmored Likho APT Targeting Government, Electric Power EntitiesNorth Korean Hackers Target Open Source Developers in Supply Chain Attacks Proof-of-Concept Exploit Released for Linux ‘Bad Epoll’ Root Access VulnerabilityPrompt Injection Attacks Trick AI Agents Into Making Crypto PaymentsAgentic AI Used to Conduct Ransomware Attack via LangflowMedtronic Data Breach Impacts 3.8 Million PeopleAlleged Scattered Spider Hacker Extradited to US Latest News Critical Vulnerability Exposes GitHub Agentic Workflows to Prompt InjectionCounty Government Reportedly Paid $1 Million to Cyber Extortion GroupCritical Gitea Flaw Under Active Exploitation, Researchers WarnCISA Reportedly Using Anthropic’s Mythos to Scan Government Software for FlawsCritical Adobe ColdFusion Vulnerability Exploited in AttacksIran-Linked Hackers Using Modular C&C Framework in CyberattacksCISO Conversations: Tarah Wheeler, Cybersecurity Leader, Thought Leader and Original ThinkerLinux Kernel Vulnerability Allows VM Escape on Intel and AMD Systems Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveSherrod DeGrippo has been appointed Head of Threat Intelligence for Palo Alto Networks Unit 42.Christopher Porter has joined Booz Allen Hamilton as Global Chief Information Security Officer.Yael Ben Arie has joined exposure validation company Pentera as Chief Product Officer.More People On The MoveExpert Insights The Shift Toward Business-Aligned Risk Management Moving from isolated, technical data to a continuous risk lifecycle can help organizations align security controls with actual business consequences. (Steve Durbin) How to Conduct a Successful Audit of AI-Driven Software Development As AI-generated code becomes commonplace, CISOs need new audit strategies to measure developer practices, govern AI tool usage, and identify software risks before they reach production. (Matias Madou) Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors From model selection and automation to validation and measurable results, the right questions can help enterprises separate genuine AI capabilities from marketing hype. (Joshua Goldfarb) The AI Token Costs That Can Break Cybersecurity As cybersecurity platforms embrace agentic AI, organizations must balance detection performance against the escalating costs of token consumption, deployment architecture, and AI credits. (Danelle Au) When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

  • cve — CVE-2026-48282
  • cve — CVE-2026-55255
  • cve — CVE-2026-33017
  • cve — CVE-2026-48908
  • cve — CVE-2026-56290

Entities

Adobe (vendor)ColdFusion (product)Langflow (product)SP Page Builder (product)JoomShaper (vendor)Page Builder CK (product)