---Advertisement---

CISA KEV Adds Four Flaws Adobe ColdFusion Joomla Langflow Actively Exploited

By xploitzone
July 8, 2026 9:20 PM
---Advertisement---

CISA added four actively exploited vulnerabilities to its KEV catalog covering Adobe ColdFusion CVE 2026 48282 two Joomla page builder flaws and a Langflow cross tenant IDOR tracked as CVE 2026 55255 with a July 10 2026 remediation deadline for federal agencies.

Imagine a web server sitting quietly behind a company firewall while attackers in another country probe it through a path that looks like a completely normal file request. No login attempt. No brute force. Just one carefully crafted URL that Adobe ColdFusion processes without question and suddenly the attacker runs whatever code they want on that machine.

That exact scenario played out within hours of the vulnerability going public and CISA responded by adding four freshly exploited flaws to its Known Exploited Vulnerabilities catalog on July 7 and July 8 2026 demanding federal agencies patch everything by July 10.

Adobe, Joomla & Langflow Exploits

The four vulnerabilities landing on the KEV catalog this week cover three different software ecosystems and each carries a distinct exploitation method worth understanding separately before treating them as a single patch batch.

Adobe ColdFusion carries CVE 2026 48282 scoring a perfect 10.0 on the CVSS scale. The flaw sits in path traversal territory allowing an unauthenticated attacker to navigate outside intended directory boundaries and execute arbitrary code in the context of whatever user the ColdFusion process runs under.

Security researcher Ryan Dewhurst of KEVIntel confirmed to The Hacker News that exploitation attempts began within hours of public disclosure tracing back to an IP address geolocated to India at 103.207.14.220.

The speed between publication and active exploitation represents one of the clearest signals that attackers maintain automated scanning infrastructure ready to test newly disclosed flaws almost immediately after details become available.

Two separate Joomla page builder products appear on this KEV update covering CVE 2026 56290 in Joomlack Page Builder and CVE 2026 48908 in JoomShaper SP Page Builder. Both vulnerabilities enable unauthenticated arbitrary file upload leading to remote code execution and both carry perfect 10.0 CVSS scores.

The JoomShaper flaw saw zero day exploitation before any patch existed with attackers uploading PHP web shells through a specific endpoint and immediately creating unauthorized Super User accounts inside affected Joomla installations.

Security monitoring service mySites.guru published technical details revealing that the first confirmed web shell appeared at a path under the com sppagebuilder media directory and that the flaw lets attackers choose their own destination folder meaning stale PHP files could sit almost anywhere on the server rather than only in obvious upload directories.

The Joomlack flaw similarly permitted web shell delivery starting at least as far back as June 27 2026 with the fixed version arriving in PageBuilder CK 3.6.0. SP Page Builder users need version 6.6.2 or later to close the file upload vector entirely.

Langflow contributes the fourth entry through CVE 2026 55255 which Sysdig classified as a cross tenant insecure direct object reference flaw. An authenticated attacker can execute any flow belonging to another tenant simply by substituting the victim tenant flow identifier inside a standard API request.

The CVSS score sits at 6.1 which looks far less alarming than the 10.0 scores surrounding it but Sysdig documented a threat actor at IP address 45.207.216.55 combining this flaw with the separately tracked CVE 2026 33017 unauthenticated remote code execution flaw in a sustained campaign running between June 22 and June 25 2026.

That the operator returned three days after initial reconnaissance to run a tight methodical session covering authentication enumeration then flow enumeration then the IDOR exploit followed by sustained RCE with outbound connection attempts.

Langflow LLM Key Theft And Emergency Patch Mitigation Guide

The Langflow exploitation chain deserves particular attention beyond the technical CVSS score because of what attackers actually extracted. Sysdig documented that the same operator used the IDOR flaw to steal LLM provider API keys and AWS credentials belonging to other tenants on the same Langflow instance while using the RCE flaw simultaneously to compromise the underlying host infrastructure.

AI orchestration platforms like Langflow concentrate enormous credential value in a single place since every configured AI workflow stores the authentication secrets needed to call external AI and cloud services making a single compromise against one of these platforms potentially more valuable than breaching an equivalent traditional application.

This exploitation pattern connects directly to a broader documented trend around Langflow. CVE 2026 55255 represents at least the sixth Langflow flaw to see active exploitation since 2025 following CVE 2025 3248 and CVE 2026 0770 and CVE 2026 33017 and CVE 2026 21445 and CVE 2025 34291 and CVE 2026 5027.

Last week Sysdig also published documentation of the first known fully agentic ransomware operation named JADEPUFFER where a human operator deployed an AI agent and provisioned supporting infrastructure then allowed the agent to handle the complete extortion workflow autonomously by exploiting the earlier CVE 2025 3248 Langflow flaw. That development moves AI exploitation from theoretical concern into confirmed criminal methodology.

Federal Civilian Executive Branch agencies face a mandatory July 10 2026 deadline to remediate all four vulnerabilities under Binding Operational Directive 22 01. That three day window from the July 7 and 8 catalog additions represents one of the tightest KEV remediation timelines seen this year and reflects CISA judgment that confirmed active exploitation against these specific flaws warrants emergency treatment rather than standard patch scheduling.

Organizations running Adobe ColdFusion should prioritize the update to the patched build immediately given that exploitation began within hours of disclosure and the flaw requires no authentication whatsoever.

Joomla administrators running either affected page builder plugin need to verify they run SP Page Builder 6.6.2 or later and PageBuilder CK 3.6.0 or later and should actively search for unexpected PHP files throughout the media templates images and administrator directory trees rather than only checking obvious upload locations. Any new Super User account created without administrator knowledge should get treated as a confirmed compromise indicator requiring full incident response rather than simple account deletion.

Langflow deployments need both CVE 2026 33017 and CVE 2026 55255 patches applied together since attackers demonstrated using both flaws simultaneously in the same session. Organizations running Langflow in multi tenant configurations face the additional obligation of auditing all stored API keys and cloud credentials configured across tenant workflows since the IDOR flaw let attackers read other tenants flow configurations including embedded secrets without ever touching the host filesystem through traditional means.

xploitzone

Exploring the world of cybersecurity through in depth analysis of vulnerabilities,data breaches and emerging threats. Delivering real insights technical breakdowns and bug bounty discoveries for security enthusiasts and researchers.

Join Twitter

Join Now

Join Telegram

Join Now

Leave a Comment