Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

CISA Urges Immediate Patching of Exploited ColdFusion, Langflow, Joomla Flaws

0
Critical
Exploit
Published: 07/08/2026 (07/08/2026, 10:45:25 UTC)
Source: SecurityWeek

Description

Two newly disclosed critical vulnerabilities in Adobe ColdFusion and Langflow join two Joomla extension flaws in CISA's Known Exploited Vulnerabilities catalog, with federal agencies given until July 10 to patch. The post CISA Urges Immediate Patching of Exploited ColdFusion, Langflow, Joomla Flaws appeared first on SecurityWeek .

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/08/2026, 10:58:29 UTC

Technical Analysis

CISA has added four critical vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2026-48282 in Adobe ColdFusion (path traversal allowing arbitrary code execution, CVSS 10.0), CVE-2026-55255 in Langflow (cross-tenant insecure direct object reference allowing execution of other users' flows, CVSS 9.9), CVE-2026-48908 in Joomla SP Page Builder (unauthenticated improper access control leading to remote code execution, CVSS 10.0), and CVE-2026-56290 in Joomla Page Builder CK (unauthenticated arbitrary file upload leading to remote code execution, CVSS 10.0). Adobe patched ColdFusion on June 30, Langflow patched the IDOR in version 1.9.1, and Joomla extensions were patched in SP Page Builder 6.6.2 and Page Builder CK 3.6.0. Exploitation has been observed in the wild, including planting web shells and hidden admin accounts. Federal agencies must patch these by July 10, 2026, per CISA directive BOD 26-04.

Potential Impact

Successful exploitation of these vulnerabilities allows remote attackers to execute arbitrary code on affected servers without authentication, leading to full compromise. In Joomla extensions, attackers have deployed PHP backdoors and created hidden administrator accounts, facilitating persistent unauthorized access. The Langflow IDOR combined with a remote code execution bug enables attackers to execute flows of other users and gain control over the system. The ColdFusion path traversal vulnerability enables arbitrary code execution, posing a critical risk to affected environments. These vulnerabilities have been actively exploited shortly after disclosure, increasing the urgency of remediation.

Mitigation Recommendations

Patches are available and must be applied immediately. Adobe released a fix for ColdFusion on June 30, 2026. Langflow patched the IDOR vulnerability in version 1.9.1. Joomla SP Page Builder fixed the issue in version 6.6.2, and Page Builder CK patched their vulnerability in version 3.6.0. Federal agencies are required to patch these vulnerabilities by July 10, 2026, as per CISA's directive BOD 26-04. Organizations should prioritize updating to these fixed versions to mitigate active exploitation risks. No vendor advisory states 'no action required' or 'already mitigated'; therefore, patching is the primary recommended action.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Article Source
{"url":"https://www.securityweek.com/cisa-urges-immediate-patching-of-exploited-coldfusion-langflow-joomla-flaws/","fetched":true,"fetchedAt":"2026-07-08T10:58:20.861Z","wordCount":1158}

Threat ID: 6a4e2d4cc9d9e3dbe3f4a196

Added to database: 07/08/2026, 10:58:20 UTC

Last enriched: 07/08/2026, 10:58:29 UTC

Last updated: 07/09/2026, 03:09:31 UTC

Views: 53

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses