CISA Adds Exploited ColdFusion, Langflow, and Joomla Bugs to KEV List

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned organizations about active exploitation of critical flaws in Adobe ColdFusion, Langflow, and two Joomla extensions, urging r...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned organizations about active exploitation of critical flaws in Adobe ColdFusion, Langflow, and two Joomla extensions, urging rapid patching and remediation.

ColdFusion and Langflow flaws under attack

Among the newly highlighted issues is CVE-2026-48282, a maximum-severity Adobe ColdFusion vulnerability involving path traversal that can let attackers run arbitrary code. Adobe released fixes on June 30, and CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog shortly afterward after evidence emerged that attackers were already using it in real-world intrusions.

CISA also flagged CVE-2026-55255 in Langflow, a low-code application platform. The flaw is a cross-tenant insecure direct object reference weakness that can allow one user to access or trigger another user’s flows by supplying a flow UUID. Langflow addressed the issue in version 1.9.1. Security researchers previously reported that attackers were already abusing the bug, and in some cases chaining it with an older remote code execution issue to gain deeper access.

Joomla extension weaknesses also exploited

The agency additionally warned about two Joomla-related vulnerabilities affecting popular extensions. One is CVE-2026-48908 in SP Page Builder by JoomShaper, an access control problem that can allow unauthenticated remote code execution through the custom icon upload feature. The issue was fixed in SP Page Builder 6.6.2.

The second is CVE-2026-56290 in Page Builder CK by Joomlack, an unauthenticated arbitrary file upload flaw that can also lead to remote code execution on the server. That issue was resolved in Page Builder CK 3.6.0, released on June 27. Reports indicate attackers moved quickly to abuse the weakness for web shell deployment.

Patch deadlines for federal agencies

Under CISA guidance and Binding Operational Directive 26-04, U.S. federal civilian agencies must address all four vulnerabilities by July 10. CISA said other organizations should review the KEV catalog regularly and prioritize any listed flaws that affect their systems, especially when exploitation is already underway.

The warning comes amid a series of recent advisories on actively exploited software bugs, reinforcing the need for organizations to apply updates quickly and verify that exposed web applications are protected.