Skip to content
Chimera readability score 67 out of 100, Academic reading level.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added [1, 2] Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities (KEV) catalog.
The flaws added to the catalog are:
In early July, attackers started exploiting CVE-2026-48282, a maximum-severity vulnerability in Adobe ColdFusion. The flaw is a path traversal issue that could result in arbitrary code execution without authentication. It affects ColdFusion 2025.9, 2023.20, and earlier versions, allowing remote attackers to execute code on vulnerable servers.
Adobe warned that the vulnerability is easy to exploit and is likely to be exploited in attacks in the wild.
KEVIntel researchers reported that less than two hours after details of CVE-2026-48282 became public, attackers started exploiting it in attacks in the wild. KEVIntel founder Ryan Dewhurst reported that the attacks originated from the IP address 103.207.14[.]220 by an attacker located in India.
The second flaw added to the catalog, tracked as CVE-2026-48908, lets attackers upload a malicious PHP file and create a new administrator account on vulnerable sites running SP Page Builder. A second flaw, CVE-2026-56290, is being used to install web shells on sites using Page Builder CK. Website owners should update to SP Page Builder 6.6.2+ and Page Builder CK 3.6.0+, and check for suspicious PHP files in upload and media folders.
“Update, 27 June 2026: this is now being exploited in the wild. Within hours of the fix landing, our suspect content tool flagged a live web shell on a connected Joomla site, planted through this exact flaw.” the website mySites.guru reported. “The file sat at /media/com_pagebuilderck/gfonts/bhup.php
, an upload handler that runs whatever an attacker POSTs to it. The fix shipped on 27 June 2026 and the attackers were not far behind, so if you run PageBuilder CK below 3.6.0, treat this as urgent: update now, then check for compromise. Every affected site is already flagged on the new Important tab, and the suspect content tool is actively catching shells like this one (see below).”
The third issue added to the KeV catalog, tracked as CVE-2026-55255, is an authorization bypass through a user-controlled key vulnerability in Langflow that could allow an authenticated attacker to execute any flow belonging to another user by specifying the victim’s flow ID in the request.
Sysdig researchers observed attackers exploiting CVE-2026-55255 and CVE-2026-33017 in Langflow between June 22 and 25. The attacker combined an authentication bypass with a remote code execution flaw to access exposed servers, steal LLM provider and AWS keys, and attempt to deploy additional malware.
“On June 25, 2026, the Sysdig Threat Research Team (TRT) observed the first known active exploitation of a CVSS 9.9 “critical” Langflow vulnerability, tracked as CVE-2026-55255. What we saw explains why this vulnerability likely took longer to exploit than its lower-scored sibling vulnerability, tracked as CVE-2026-33017 with a CVSS score of 9.3, which has already been exploited thousands of times.” reported Sysdig.
Researchers believe the campaign was financially motivated, likely aimed at botnet or cryptojacking activity. The incident highlights how AI orchestration platforms have become valuable targets because they often store sensitive credentials.
The last issue added to the catalog, CVE-2026-56290, is a critical vulnerability in Joomlack Page Builder that allows unauthenticated attackers to upload malicious files and execute code remotely on vulnerable servers.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to urgently fix the vulnerabilities by July 10, 2026.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CISA)

Sentinel — Human

Confidence

This text reads like a factual summary derived from real-time vulnerability tracking, blending official advisories with specific research findings, suggesting human compilation rather than pure synthetic generation.

Signals Detected
low severity: Sentence length variance shows natural variation; the tone is direct and fact-driven rather than uniformly balanced.
low severity: The text flows logically from introducing a list of vulnerabilities to detailing specific exploitation chains, reflecting investigative reporting structure.
low severity: Specific attribution (KEVIntel researchers, Sysdig researchers) and references to specific dates/IPs suggest grounding in real investigative findings rather than pure generation.
low severity: The detailed quoting of a specific file path and version numbers suggests sourcing from internal or direct incident reports, increasing perceived human validation.
Human Indicators
Use of highly specific, nested technical details (CVE numbers, file paths, dates) that require deep context beyond general LLM knowledge to assemble smoothly.
The structure mimics a security bulletin or investigative report, relying on verified sources implied by the CISA/KEVIntel references.