CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four critical security flaws to its Known Exploited Vulnerabilities (KEV) catalog, warning of active exploitation in the wild. The vulnerabilities affect widely used software, including Adobe ColdFusion, Joomla, and Langflow, and have been assigned high CVSS scores, indicating severe risk.
Vulnerabilities Overview
-
CVE-2026-48282 (CVSS score: 10.0)
- Affected Software: Adobe ColdFusion
- Description: A path traversal vulnerability that could lead to arbitrary code execution in the context of the current user.
- Exploitation Details: This flaw was exploited within hours of public disclosure, with an attack attempt recorded from an IP address geolocated to India.
-
CVE-2026-56290 (CVSS score: 10.0)
- Affected Software: Joomlack Page Builder
- Description: An improper access control vulnerability allowing remote code execution via unauthenticated arbitrary file upload.
- Exploitation Details: Exploitation efforts were recorded as early as June 27, 2026, with attackers delivering a web shell to susceptible sites. The issue has been patched in Page Builder CK version 3.6.0.
-
CVE-2026-55255 (CVSS score: 6.1)
- Affected Software: Langflow
- Description: An authorization bypass vulnerability allowing authenticated attackers to execute flows belonging to other users by specifying the victim's flow ID.
- Exploitation Details: Sysdig observed a lone operator exploiting this vulnerability in combination with CVE-2026-33017 (an unauthenticated remote code execution flaw) in a financially motivated campaign.
-
CVE-2026-48908 (CVSS score: 10.0)
- Affected Software: JoomShaper SP Page Builder
- Description: An unrestricted file upload vulnerability allowing unauthenticated users to upload and execute arbitrary PHP code.
- Exploitation Details: This zero-day vulnerability was exploited to upload a PHP file via an HTTP POST request, resulting in the creation of a new Super User account. Users are advised to update to SP Page Builder version 6.6.2 or later.
Key Exploitation Insights
-
CVE-2026-48282: The rapid exploitation of this vulnerability highlights the urgency of patching critical flaws as soon as they are disclosed. Attackers are increasingly monitoring public disclosures to launch immediate attacks.
-
CVE-2026-56290: The delivery of a web shell via this vulnerability demonstrates the potential for attackers to gain persistent access to compromised systems. Affected users are urged to scan for malicious files in non-obvious directories, such as
/media/com_pagebuilderck,/images,/templates, and/administrator. -
CVE-2026-55255 and CVE-2026-33017: Sysdig's analysis reveals a sophisticated attack chain involving cross-tenant insecure direct object reference (IDOR) and remote code execution (RCE). The attacker targeted AI orchestration platforms, stealing large language model (LLM) provider keys and AWS keys. This underscores the growing threat to cloud-based AI systems.
-
CVE-2026-48908: The creation of a Super User account through this zero-day exploit highlights the severity of unauthenticated vulnerabilities. Immediate patching is essential to prevent unauthorized access and privilege escalation.
Recommendations for Mitigation
CISA has mandated Federal Civilian Executive Branch (FCEB) agencies to apply the necessary patches by July 10, 2026, to mitigate the risk posed by these vulnerabilities. Organizations are advised to:
- Patch Immediately: Apply the latest updates for Adobe ColdFusion, Joomlack Page Builder, JoomShaper SP Page Builder, and Langflow.
- Monitor for Exploitation: Use security tools to detect suspicious activity, such as unauthorized file uploads or unusual network traffic.
- Conduct Thorough Audits: Scan for and remove any malicious files or accounts created by attackers.
- Implement Strong Access Controls: Limit access to critical systems and enforce least-privilege principles to minimize the impact of future vulnerabilities.
Conclusion
The addition of these four vulnerabilities to CISA's KEV catalog underscores the ongoing challenge of securing modern software ecosystems. As attackers become more agile in exploiting newly disclosed flaws, organizations must prioritize proactive patching and robust security monitoring to protect their systems and data.
For organizations relying on Adobe, Joomla, or Langflow, these vulnerabilities serve as a stark reminder of the importance of timely updates and continuous vigilance in the face of evolving cyber threats.