CISA Urges Immediate Patching of Exploited ColdFusion, Langflow, Joomla Flaws
Two newly disclosed critical vulnerabilities in Adobe ColdFusion and Langflow join two Joomla extension flaws in CISA's Known Exploited Vulnerabilities catalog, with federal agencies given until July 10 to patch. The post CISA Urges Immediate Patching of Exploited ColdFusion, Langflow, Joomla Flaws appeared first on SecurityWeek .
AI Analysis
Technical Summary
CISA has added four critical vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2026-48282 in Adobe ColdFusion (path traversal allowing arbitrary code execution, CVSS 10.0), CVE-2026-55255 in Langflow (cross-tenant insecure direct object reference allowing execution of other users' flows, CVSS 9.9), CVE-2026-48908 in Joomla SP Page Builder (unauthenticated improper access control leading to remote code execution, CVSS 10.0), and CVE-2026-56290 in Joomla Page Builder CK (unauthenticated arbitrary file upload leading to remote code execution, CVSS 10.0). Adobe patched ColdFusion on June 30, Langflow patched the IDOR in version 1.9.1, and Joomla extensions were patched in SP Page Builder 6.6.2 and Page Builder CK 3.6.0. Exploitation has been observed in the wild, including planting web shells and hidden admin accounts. Federal agencies must patch these by July 10, 2026, per CISA directive BOD 26-04.
Potential Impact
Successful exploitation of these vulnerabilities allows remote attackers to execute arbitrary code on affected servers without authentication, leading to full compromise. In Joomla extensions, attackers have deployed PHP backdoors and created hidden administrator accounts, facilitating persistent unauthorized access. The Langflow IDOR combined with a remote code execution bug enables attackers to execute flows of other users and gain control over the system. The ColdFusion path traversal vulnerability enables arbitrary code execution, posing a critical risk to affected environments. These vulnerabilities have been actively exploited shortly after disclosure, increasing the urgency of remediation.
Mitigation Recommendations
Patches are available and must be applied immediately. Adobe released a fix for ColdFusion on June 30, 2026. Langflow patched the IDOR vulnerability in version 1.9.1. Joomla SP Page Builder fixed the issue in version 6.6.2, and Page Builder CK patched their vulnerability in version 3.6.0. Federal agencies are required to patch these vulnerabilities by July 10, 2026, as per CISA's directive BOD 26-04. Organizations should prioritize updating to these fixed versions to mitigate active exploitation risks. No vendor advisory states 'no action required' or 'already mitigated'; therefore, patching is the primary recommended action.
CISA Urges Immediate Patching of Exploited ColdFusion, Langflow, Joomla Flaws
Description
Two newly disclosed critical vulnerabilities in Adobe ColdFusion and Langflow join two Joomla extension flaws in CISA's Known Exploited Vulnerabilities catalog, with federal agencies given until July 10 to patch. The post CISA Urges Immediate Patching of Exploited ColdFusion, Langflow, Joomla Flaws appeared first on SecurityWeek .
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CISA has added four critical vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2026-48282 in Adobe ColdFusion (path traversal allowing arbitrary code execution, CVSS 10.0), CVE-2026-55255 in Langflow (cross-tenant insecure direct object reference allowing execution of other users' flows, CVSS 9.9), CVE-2026-48908 in Joomla SP Page Builder (unauthenticated improper access control leading to remote code execution, CVSS 10.0), and CVE-2026-56290 in Joomla Page Builder CK (unauthenticated arbitrary file upload leading to remote code execution, CVSS 10.0). Adobe patched ColdFusion on June 30, Langflow patched the IDOR in version 1.9.1, and Joomla extensions were patched in SP Page Builder 6.6.2 and Page Builder CK 3.6.0. Exploitation has been observed in the wild, including planting web shells and hidden admin accounts. Federal agencies must patch these by July 10, 2026, per CISA directive BOD 26-04.
Potential Impact
Successful exploitation of these vulnerabilities allows remote attackers to execute arbitrary code on affected servers without authentication, leading to full compromise. In Joomla extensions, attackers have deployed PHP backdoors and created hidden administrator accounts, facilitating persistent unauthorized access. The Langflow IDOR combined with a remote code execution bug enables attackers to execute flows of other users and gain control over the system. The ColdFusion path traversal vulnerability enables arbitrary code execution, posing a critical risk to affected environments. These vulnerabilities have been actively exploited shortly after disclosure, increasing the urgency of remediation.
Mitigation Recommendations
Patches are available and must be applied immediately. Adobe released a fix for ColdFusion on June 30, 2026. Langflow patched the IDOR vulnerability in version 1.9.1. Joomla SP Page Builder fixed the issue in version 6.6.2, and Page Builder CK patched their vulnerability in version 3.6.0. Federal agencies are required to patch these vulnerabilities by July 10, 2026, as per CISA's directive BOD 26-04. Organizations should prioritize updating to these fixed versions to mitigate active exploitation risks. No vendor advisory states 'no action required' or 'already mitigated'; therefore, patching is the primary recommended action.
Technical Details
- Article Source
- {"url":"https://www.securityweek.com/cisa-urges-immediate-patching-of-exploited-coldfusion-langflow-joomla-flaws/","fetched":true,"fetchedAt":"2026-07-08T10:58:20.861Z","wordCount":1158}
Threat ID: 6a4e2d4cc9d9e3dbe3f4a196
Added to database: 07/08/2026, 10:58:20 UTC
Last enriched: 07/08/2026, 10:58:29 UTC
Last updated: 07/09/2026, 03:09:31 UTC
Views: 53
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.