Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerabilities are listed below - CVE-2026-48282 (CVSS score: 10.0) - A path traversal vulnerability in Adobe ColdFusion that could lead to arbitrary code execution in the context of the
Analysis Summary
Detailed below is a summary of the four vulnerabilities recently added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
---
# Vulnerabilities: CISA KEV Update (July 2026)
## CVE Details
- **CVE IDs:** CVE-2026-48282, CVE-2026-56290, CVE-2026-55255, CVE-2026-48908
- **CVSS Scores:**
- CVE-2026-48282: **10.0 (Critical)**
- CVE-2026-56290: **10.0 (Critical)**
- CVE-2026-48908: **10.0 (Critical)**
- CVE-2026-55255: **6.1 (Medium)**
- **CWE:** Path Traversal, Improper Access Control, Unrestricted Upload, Insecure Direct Object Reference (IDOR)
## Affected Systems
- **Products:**
- Adobe ColdFusion
- Joomlack Page Builder (Joomla extension)
- JoomShaper SP Page Builder (Joomla extension)
- Langflow (AI Orchestration Platform)
- **Versions:**
- **SP Page Builder:** Versions prior to 6.6.2
- **PageBuilder CK (Joomlack):** Versions prior to 3.6.0
- **Configurations:** Systems with these management/builder platforms exposed to the internet.
## Vulnerability Description
- **CVE-2026-48282 (Adobe):** A path traversal flaw in ColdFusion. Attackers can navigate outside intended directories to execute arbitrary code within the user's security context.
- **CVE-2026-56290 (Joomlack):** Unauthenticated arbitrary file upload. Lack of access control allows attackers to upload scripts directly to the server.
- **CVE-2026-48908 (JoomShaper):** Unauthenticated upload of "dangerous" file types via a specific endpoint, allowing for PHP code execution.
- **CVE-2026-55255 (Langflow):** An IDOR / Authorization bypass. Authenticated users can modify or execute AI flows belonging to other users by manipulating the flow ID in requests.
## Exploitation
- **Status:** **Exploited in the Wild** (All four CVEs). PoCs are actively weaponized.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Theft of credentials, LLM keys, and AWS keys)
- **Integrity:** High (Web shell deployment, unauthorized file modification, creation of Super User accounts)
- **Availability:** High (Potential for cryptojacking or botnet recruitment)
## Remediation
### Patches
- **JoomShaper SP Page Builder:** Update to version **6.6.2** or later.
- **Joomlack PageBuilder CK:** Update to version **3.6.0** or later.
- **Adobe ColdFusion:** Apply the latest security updates released in July 2026.
- **Langflow:** Upgrade to the latest version to address IDOR and related RCE flaws (CVE-2026-33017).
### Workarounds
- Implement strict IP whitelisting for management panels.
- Disable file upload functionality in CMS builders if not strictly required.
- Isolate AI orchestration platforms (Langflow) behind a VPN or robust Authentication Middleware.
## Detection
- **Indicators of Compromise (IoCs):**
- IP Address: `103.207.14[.]220` (Adobe ColdFusion scanning)
- IP Address: `45.207.216[.]55` (Langflow exploitation)
- Files: `bhup.php` (Web shell located in `/media/com_pagebuilderck/gfonts/`)
- Requests: POST requests to `index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon`
- **Detection Methods:**
- Monitor for the creation of unauthorized "Super User" accounts in Joomla.
- Search for unexpected PHP files in `/media`, `/images`, `/templates`, and `/administrator` directories.
- Check Langflow logs for flow enumeration and IDOR patterns.
## References
- CISA KEV Catalog: hxxps://www.cisa[.]gov/known-exploited-vulnerabilities-catalog
- Vendor Advisory (JoomShaper): hxxps://mysites[.]guru/blog/sp-page-builder-zero-day-uploadcustomicon-rce/
- Vendor Advisory (Joomlack): hxxps://mysites[.]guru/blog/pagebuilderck-unauthenticated-file-upload-rce/
- Security Research: hxxps://www.sysdig[.]com/blog/understanding-langflow-cve-2026-55255/