CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEV
CISA added four actively exploited vulnerabilities to its KEV catalog: two critical Adobe ColdFusion and JoomShaper flaws, one Joomlack Page Builder RCE, and one Langflow authorization bypass. Langflow is under active attack via CVE-2026-55255 (IDOR) combined with CVE-2026-33017 (RCE) to steal LLM and AWS credentials for financial gain. Attackers are leveraging these CMS and framework flaws to deploy web shells, create superuser accounts, and execute arbitrary code with minimal delay after discl
Analysis
TL;DR
- CISA added four actively exploited vulnerabilities to its KEV catalog: two critical Adobe ColdFusion and JoomShaper flaws, one Joomlack Page Builder RCE, and one Langflow authorization bypass.
- Langflow is under active attack via CVE-2026-55255 (IDOR) combined with CVE-2026-33017 (RCE) to steal LLM and AWS credentials for financial gain.
- Attackers are leveraging these CMS and framework flaws to deploy web shells, create superuser accounts, and execute arbitrary code with minimal delay after disclosure.
- Federal agencies must patch affected systems by July 10, 2026, highlighting the urgent need for rapid remediation in exposed enterprise environments.
Why It Matters
This update underscores the critical risk facing organizations using popular CMS platforms and AI orchestration tools like Langflow, which are increasingly targeted for credential theft and remote code execution. For AI practitioners and security teams, it highlights that AI infrastructure is no longer just a target for data exfiltration but a vector for broader system compromise and financial crime. Immediate patching and monitoring for unauthorized file uploads or suspicious API calls are essential to prevent exploitation.
Technical Details
- Adobe ColdFusion (CVE-2026-48282): A path traversal vulnerability with a CVSS score of 10.0 allowing arbitrary code execution in the context of the current user. Exploitation was observed within hours of disclosure.
- Joomlack Page Builder (CVE-2026-56290): An improper access control flaw (CVSS 10.0) enabling unauthenticated remote code execution via arbitrary file upload. Attackers used this to deploy web shells, such as
bhup.php, in various directories. - Langflow Authorization Bypass (CVE-2026-55255): An IDOR vulnerability (CVSS 6.1) allowing authenticated attackers to execute flows belonging to other users by manipulating user-controlled keys. This was used to steal LLM provider keys and AWS credentials.
- JoomShaper SP Page Builder (CVE-2026-48908): An unrestricted file upload vulnerability (CVSS 10.0) allowing unauthenticated PHP code execution. Attackers uploaded malicious files via specific endpoints to gain superuser access.
- Attack Chain: Threat actors combined Langflow’s IDOR and RCE flaws to perform reconnaissance, enumerate flows, steal credentials, and deploy second-stage downloaders for botnet or cryptojacking purposes.
Industry Insight
- Prioritize AI Infrastructure Security: AI orchestration platforms like Langflow contain high-value credentials (API keys, cloud tokens). Treat them with the same security rigor as traditional databases or identity providers.
- Rapid Patching is Non-Negotiable: The observation of exploitation within hours of disclosure for Adobe and Joomla flaws indicates that automated scanning tools are aggressively targeting known CVEs. Organizations must implement automated vulnerability management and patching pipelines.
- Monitor for Credential Theft: Given the focus on stealing LLM and cloud keys, implement strict access controls, rotate credentials regularly, and monitor for unusual API usage patterns or unauthorized flow executions in AI platforms.
Disclaimer: The above content is generated by AI and is for reference only.