CISA Flags Four Actively Exploited Flaws in Adobe, Joomla and Langflow
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog after determining that they are being used in activ...
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog after determining that they are being used in active attacks. The affected products include Adobe ColdFusion, two Joomla-related page builder extensions, and the AI workflow platform Langflow.
Vulnerabilities added to the KEV list
- CVE-2026-48282 — a critical path traversal issue in Adobe ColdFusion that can lead to code execution as the current user.
- CVE-2026-56290 — an improper access control flaw in Joomlack Page Builder that may enable remote code execution through unauthenticated file uploads.
- CVE-2026-55255 — an authorization-bypass problem in Langflow that could let an authenticated user access another user’s flow by supplying the victim’s flow ID.
- CVE-2026-48908 — an unrestricted file upload issue in JoomShaper SP Page Builder that can allow attackers to upload dangerous files, including PHP code.
Researchers reported that exploitation of the ColdFusion flaw began quickly after public disclosure, with activity observed within hours. In the Joomla ecosystem, security teams have linked the SP Page Builder issue to zero-day abuse that involved uploading a PHP file and, in some cases, the creation of a new super admin account. Users of SP Page Builder are being advised to update to version 6.6.2 or later.
Page Builder CK has also seen malicious attempts, with defenders noting that attackers may place web shells outside the most obvious upload directories. The issue has been fixed in Page Builder CK version 3.6.0. Meanwhile, Langflow has been targeted in campaigns that combine the IDOR flaw with a separate remote code execution bug to probe exposed systems, enumerate flows, and steal credentials such as LLM provider keys and AWS keys.
CISA’s KEV inclusion means federal civilian agencies must apply the relevant fixes by July 10, 2026. Organizations running the affected software should prioritize patching, review exposed web directories for suspicious files, and check for unauthorized accounts or outbound connections that may indicate compromise.
