EXPLOITED VULNERABILITIES

CISA Flags Four Actively Exploited Flaws

ColdFusion, Joomla Page Builders, and Langflow Under Attack

Matt Lucas  |  July 8, 2026  |  6 min
CISA Flags Four Actively Exploited Flaws — editorial hero illustration
4
CVEs added to KEV
3x 10.0
CVSS critical scores
Hours
Disclosure to exploit (ColdFusion)
Jul 10
FCEB patch deadline
TL;DR
  • What: CISA added four actively exploited flaws to KEV: CVE-2026-48282 (Adobe ColdFusion), CVE-2026-56290 (Page Builder CK), CVE-2026-48908 (SP Page Builder), and CVE-2026-55255 (Langflow).
  • Impact: Attackers achieved unauthenticated RCE, dropped web shells, created rogue Super User accounts, and stole cross-tenant LLM and AWS credentials from AI orchestration hosts.
  • Fix / mitigation: Patch now: SP Page Builder 6.6.2+, Page Builder CK 3.6.0+, and apply Adobe ColdFusion and Langflow vendor updates before the July 10, 2026 FCEB deadline.
  • Who's at risk: Organizations running Adobe ColdFusion, Joomla sites with SP Page Builder or Page Builder CK, and internet-exposed Langflow instances.

CISA added four vulnerabilities to its Known Exploited Vulnerabilities catalog on July 8, 2026, all with confirmed active exploitation. Three carry the maximum CVSS score of 10.0. The affected products are Adobe ColdFusion, two competing Joomla page builders, and Langflow, an open-source AI orchestration platform. Federal Civilian Executive Branch agencies have until July 10, 2026 to remediate.

The common thread is speed and low barrier to entry. Two of these flaws allow unauthenticated remote code execution via file upload. One ColdFusion flaw was exploited within hours of public disclosure. If you run any of these products, treat this as an emergency patch cycle, not a scheduled one.

The four flaws

ColdFusion: exploited within hours

CVE-2026-48282 went from disclosure to exploitation attempt in a matter of hours. Ryan Dewhurst, founder of KEVIntel, told The Hacker News an attempt was logged from an IP geolocated to India (103.207.14.220). Path traversal to code execution in an enterprise app server is a well-worn attacker playbook, and ColdFusion has been a repeat KEV entry. Apply Adobe's update and audit for any traversal patterns hitting file endpoints since the disclosure date.

Two Joomla page builders, two web shells

CVE-2026-48908 in SP Page Builder was exploited as a zero-day. Attackers sent an HTTP POST to index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon to drop a PHP file, then a new Super User account appeared, per mySites.guru. That account creation is the tell: full administrative persistence beyond the initial shell. Update to SP Page Builder 6.6.2 or later and audit your Super User list immediately.

CVE-2026-56290 in Page Builder CK saw exploitation from June 27, 2026 to deliver web shells. Because the flaw lets the attacker choose the destination folder, planted files can land anywhere. mySites.guru caught the first confirmed shell at /media/com_pagebuilderck/gfonts/bhup.php, an uploader keyed on a $_POST['_upl'] field. Fixed in Page Builder CK 3.6.0.

Hunt for stray PHP files now

For Page Builder CK, check /media/com_pagebuilderck/ first, then widen to /images, /media, /templates, and /administrator. For SP Page Builder, review Super User accounts for unauthorized additions. Patching alone does not evict an attacker who already has a web shell and an admin account.

Langflow: the AI platform as a credential vault

CVE-2026-55255 is the lower-scored flaw at 6.1, but the campaign around it is the most instructive. Sysdig observed a lone operator (45.207.216.55) chaining it with CVE-2026-33017, an unauthenticated RCE, against an exposed Langflow instance between June 22 and June 25, 2026. The session was methodical: auth reconnaissance, flow enumeration, the CVE-2026-55255 IDOR, then a sustained loop of the RCE with outbound connection attempts.

The IDOR is a cross-tenant insecure direct object reference. The operator used it to steal LLM provider keys and AWS keys from other tenants' flows. As Sysdig put it, the RCE went after the host while the IDOR went after other tenants' credentials. AI orchestration platforms concentrate exactly the secrets attackers want, and this operator knew it. The activity is assessed as opportunistic and financially motivated, consistent with botnet and cryptojacking staging, though the final payload is unconfirmed.

Langflow is a recurring target

CVE-2026-55255 is the latest in a long line: CVE-2025-3248, CVE-2026-0770, CVE-2026-33017, CVE-2026-21445, CVE-2025-34291, and CVE-2026-5027. Sysdig also documented JADEPUFFER, the first known agentic ransomware, where an operator let an AI agent run an entire extortion operation off the CVE-2025-3248 Langflow flaw. If you run Langflow, get it off the public internet.

What to do before July 10

The pattern here is consistent: critical file-upload and traversal flaws in widely deployed web software, weaponized fast by opportunistic operators. The Langflow case is the forward-looking warning. As AI orchestration platforms accumulate credentials and automation capability, they become high-value targets for both credential theft and fully automated extortion.

Questions about your exposure?

RedEye Security provides assessments for organizations that need to understand their real risk.

Talk to us