U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added [1, 2] Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities (KEV) catalog.
The flaws added to the catalog are:
- CVE-2026-48282 Adobe ColdFusion Path Traversal Vulnerability
- CVE-2026-48908 JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability
- CVE-2026-55255 Langflow Authorization Bypass Through User-Controlled Key Vulnerability
- CVE-2026-56290 Joomlack Page Builder Improper Access Control Vulnerability
In early July, attackers started exploiting CVE-2026-48282, a maximum-severity vulnerability in Adobe ColdFusion. The flaw is a path traversal issue that could result in arbitrary code execution without authentication. It affects ColdFusion 2025.9, 2023.20, and earlier versions, allowing remote attackers to execute code on vulnerable servers.
Adobe warned that the vulnerability is easy to exploit and is likely to be exploited in attacks in the wild.
KEVIntel researchers reported that less than two hours after details of CVE-2026-48282 became public, attackers started exploiting it in attacks in the wild. KEVIntel founder Ryan Dewhurst reported that the attacks originated from the IP address 103.207.14[.]220 by an attacker located in India.
The second flaw added to the catalog, tracked as CVE-2026-48908, lets attackers upload a malicious PHP file and create a new administrator account on vulnerable sites running SP Page Builder. A second flaw, CVE-2026-56290, is being used to install web shells on sites using Page Builder CK. Website owners should update to SP Page Builder 6.6.2+ and Page Builder CK 3.6.0+, and check for suspicious PHP files in upload and media folders.
“Update, 27 June 2026: this is now being exploited in the wild. Within hours of the fix landing, our suspect content tool flagged a live web shell on a connected Joomla site, planted through this exact flaw.” the website mySites.guru reported. “The file sat at /media/com_pagebuilderck/gfonts/bhup.php, an upload handler that runs whatever an attacker POSTs to it. The fix shipped on 27 June 2026 and the attackers were not far behind, so if you run PageBuilder CK below 3.6.0, treat this as urgent: update now, then check for compromise. Every affected site is already flagged on the new Important tab, and the suspect content tool is actively catching shells like this one (see below).”
The third issue added to the KeV catalog, tracked as CVE-2026-55255, is an authorization bypass through a user-controlled key vulnerability in Langflow that could allow an authenticated attacker to execute any flow belonging to another user by specifying the victim’s flow ID in the request.
Sysdig researchers observed attackers exploiting CVE-2026-55255 and CVE-2026-33017 in Langflow between June 22 and 25. The attacker combined an authentication bypass with a remote code execution flaw to access exposed servers, steal LLM provider and AWS keys, and attempt to deploy additional malware.
“On June 25, 2026, the Sysdig Threat Research Team (TRT) observed the first known active exploitation of a CVSS 9.9 “critical” Langflow vulnerability, tracked as CVE-2026-55255. What we saw explains why this vulnerability likely took longer to exploit than its lower-scored sibling vulnerability, tracked as CVE-2026-33017 with a CVSS score of 9.3, which has already been exploited thousands of times.” reported Sysdig.
Researchers believe the campaign was financially motivated, likely aimed at botnet or cryptojacking activity. The incident highlights how AI orchestration platforms have become valuable targets because they often store sensitive credentials.
The last issue added to the catalog, CVE-2026-56290, is a critical vulnerability in Joomlack Page Builder that allows unauthenticated attackers to upload malicious files and execute code remotely on vulnerable servers.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to urgently fix the vulnerabilities by July 10, 2026.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CISA)
