CISA Adds 4 CVEs to KEV: Joomla, ColdFusion Under Active Attack
CISA adds four actively exploited vulnerabilities to KEV catalog including two max-severity Joomla plugin flaws and Adobe ColdFusion CVE-2026-48282. Federal deadline is July 10.
The U.S. Cybersecurity and Infrastructure Security Agency added four security vulnerabilities to its Known Exploited Vulnerabilities catalog on July 9, with two Joomla plugin flaws and an Adobe ColdFusion bug all carrying maximum CVSS 10.0 severity ratings. Federal agencies must patch by July 10, giving them roughly 24 hours to remediate.
The compressed timeline reflects just how aggressively attackers are weaponizing these flaws. Adobe ColdFusion exploitation, for instance, began within two hours of public disclosure.
The Four Vulnerabilities
CVE-2026-48282 affects Adobe ColdFusion versions 2025.9, 2023.20, and earlier. A path traversal vulnerability in the Remote Development Services (RDS) FILEIO handler enables unauthenticated attackers to achieve arbitrary code execution. Honeypot sensors detected exploitation attempts from IP 103.207.14[.]220 within minutes of the watchTowr technical analysis going public on July 2. We covered the initial Adobe ColdFusion disclosure last week, but the speed of weaponization caught many organizations off guard.
CVE-2026-56290 targets Joomlack Page Builder with an improper access control vulnerability allowing remote code execution through unauthenticated file uploads. Attackers have been exploiting this since June 27 to deploy web shells, with researchers identifying malicious payloads at paths like /media/com_pagebuilderck/gfonts/bhup.php. Organizations running this plugin should update to version 3.6.0 immediately.
CVE-2026-48908 hits JoomShaper SP Page Builder with a dangerous file upload vulnerability enabling unauthenticated PHP code execution. Attackers are targeting the index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon endpoint, and successful exploitation has resulted in unauthorized Super User account creation. Version 6.6.2 addresses the flaw.
CVE-2026-55255 rounds out the list with a Langflow authorization bypass. Unlike the critical Langflow RCE we covered on July 7, this CVSS 6.1 vulnerability enables authenticated attackers to execute flows belonging to other users through a cross-tenant IDOR bug. Between June 22-25, an operator at 45.207.216[.]55 chained this flaw with CVE-2026-33017 to steal LLM and AWS credentials from affected instances.
Why This Matters
Joomla powers millions of websites, and plugin vulnerabilities have historically been a reliable entry point for attackers. The two Page Builder flaws both enable unauthenticated RCE through file upload—the kind of trivially exploitable bug that gets picked up by automated scanning tools within days.
The ColdFusion situation is particularly concerning. Adobe patched CVE-2026-48282 on July 1, but exploitation began July 2. That leaves a window measured in hours, not days. Organizations still running manual patching processes simply cannot keep pace.
For teams managing AI infrastructure, the Langflow cross-tenant vulnerability represents a growing attack surface. As more organizations deploy LLM orchestration tools like Langflow, flaws that expose API keys and credentials become high-value targets. If you're running Langflow in a multi-tenant environment, audit your flow permissions immediately.
Recommended Mitigations
- Apply vendor patches immediately for all four CVEs—the July 10 federal deadline applies to FCEB agencies, but private organizations should treat this with equal urgency
- Audit Joomla installations for unrecognized administrator accounts or web shells in media directories
- Block known malicious IPs including 103.207.14[.]220 (ColdFusion exploitation) and 45.207.216[.]55 (Langflow exploitation)
- Review ColdFusion RDS configurations and disable if not actively required
- Check Langflow tenant isolation if running multi-user deployments
CISA's KEV catalog now contains over 1,200 entries. For organizations tracking vulnerability prioritization, KEV additions should trigger immediate remediation workflows—these are not theoretical risks but confirmed active exploitation.
Related Articles
CISA Orders Patch for CVSS 10 Joomla JCE Flaw by June 19
CVE-2026-48907 in Joomla Content Editor allows unauthenticated attackers to upload and execute PHP code. CISA added it to the KEV catalog after active exploitation deploying web shells.
Jun 18, 2026BlueHammer: Defender Flaw Now Weaponized by Ransomware Gangs
CISA confirms ransomware groups are exploiting CVE-2026-33825, a Microsoft Defender privilege escalation flaw leaked in April. Patch urgently if you haven't already.
Jul 4, 2026SharePoint RCE Under Active Exploitation, CISA Deadline July 4
CVE-2026-45659 lets authenticated attackers with basic Site Member permissions execute arbitrary code on SharePoint servers. CISA added it to KEV after confirming active exploitation.
Jul 3, 2026SimpleHelp CVSS 10 Auth Bypass Hits CISA KEV After Malware Surge
CVE-2026-48558 lets attackers bypass OIDC auth and register as technicians. CISA added it to KEV June 29 after TaskWeaver and Djinn Stealer deployments.
Jun 30, 2026