CISA Urges Immediate Patching of Exploited ColdFusion, Langflow, Joomla Flaws
CISA has added four critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation in the wild. Adobe ColdFusion CVE-2026-48282 (CVSS 10.0) involves a path traversal flaw allowing arbitrary code execution, patched shortly before exploitation began. Langflow CVE-2026-55255 (CVSS 9.9) is a cross-tenant IDOR vulnerability enabling unauthorized flow execution, chained with a previously patched RCE bug. Two Joomla extensions, SP Page Builder and Page Builder
Analysis
TL;DR
- CISA has added four critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation in the wild.
- Adobe ColdFusion CVE-2026-48282 (CVSS 10.0) involves a path traversal flaw allowing arbitrary code execution, patched shortly before exploitation began.
- Langflow CVE-2026-55255 (CVSS 9.9) is a cross-tenant IDOR vulnerability enabling unauthorized flow execution, chained with a previously patched RCE bug.
- Two Joomla extensions, SP Page Builder and Page Builder CK, contain critical unauthenticated file upload flaws leading to Remote Code Execution (RCE).
Why It Matters
This update highlights the accelerating timeline between patch release and active exploitation, particularly for widely used frameworks like Adobe ColdFusion and Langflow. For AI practitioners using Langflow, the specific chaining of IDOR with RCE underscores the necessity of strict input validation and access controls in LLM orchestration tools. Federal agencies face immediate compliance deadlines under BOD 26-04, emphasizing the critical need for rapid vulnerability management in enterprise environments.
Technical Details
- Adobe ColdFusion (CVE-2026-48282): A path traversal vulnerability with a CVSS score of 10.0 that allows attackers to execute arbitrary code. It was flagged as exploited in the wild just days after Adobe issued patches on June 30.
- Langflow (CVE-2026-55255): A cross-tenant Insecure Direct Object Reference (IDOR) with a CVSS score of 9.9. Attackers exploited this by harvesting flow UUIDs to execute flows belonging to other users. This was chained with CVE-2026-33017, a remote code execution bug patched in March, to facilitate deeper compromise. Patched in version 1.9.1.
- SP Page Builder (CVE-2026-48908): An improper access control issue (CVSS 10.0) in the custom icon upload feature. Unauthenticated attackers can write files to the web root, leading to PHP code execution. Threat actors used this to plant hidden administrator accounts and PHP file manager backdoors. Patched in version 6.6.2.
- Page Builder CK (CVE-2026-56290): An unauthenticated arbitrary file upload vulnerability (CVSS 10.0) resulting in RCE. Exploitation led to the deployment of web shells within hours of the fix release in version 3.6.0.
Industry Insight
- Zero-Day Response Velocity: The rapid exploitation of ColdFusion and Joomla vulnerabilities demonstrates that threat actors are actively monitoring vendor patch notes. Organizations must prioritize patching critical infrastructure components immediately upon release, rather than waiting for proof-of-concept exploits to appear.
- Supply Chain Security in AI Tools: The Langflow incident reveals that even specialized AI development platforms are susceptible to traditional web application vulnerabilities (IDOR, RCE). Developers using such tools must ensure they are running the latest versions and segment their environments to limit lateral movement.
- Compliance Urgency: With CISA enforcing a July 10 deadline for federal agencies via BOD 26-04, non-federal organizations should treat these vulnerabilities as high-priority risks. Proactive remediation is essential to avoid becoming targets for the same attack chains observed in the wild.
Disclaimer: The above content is generated by AI and is for reference only.