CISA Urges Immediate Patching of Exploited ColdFusion, Langflow, Joomla Flaws

  Rassegna Stampa, Security
image_pdfimage_print

The US cybersecurity agency CISA on Tuesday warned that vulnerabilities in Adobe ColdFusion, Langflow, and two Joomla extensions have been exploited in the wild.

Tracked as CVE-2026-48282 (CVSS score of 10/10), the ColdFusion bug was flagged as exploited only days after Adobe rolled out patches for it on June 30. It is a path traversal issue that allows attackers to execute arbitrary code.

The Langflow security defect, tracked as CVE-2026-55255 (CVSS score of 9.9), is described as a cross-tenant insecure direct object reference (IDOR) weakness that allows attackers to execute flows belonging to other users by supplying a flow UUID. It was patched in Langflow version 1.9.1.

On June 26, cybersecurity firm Sysdig warned that hackers had started exploiting the critical-severity vulnerability in the wild, despite there being no public proof-of-concept (PoC) exploit at the time.

As part of the observed attacks, a threat actor performed host reconnaissance, harvested flow IDs, replayed the IDs to trigger the IDOR, and chained in CVE-2026-33017, a remote code execution (RCE) bug in Langflow that was patched in March.

On Tuesday, CISA added the ColdFusion and the Langflow security defects to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch them within three days.

Advertisement. Scroll to continue reading.

Additionally, it warned that hackers have been exploiting two Joomla extension vulnerabilities, impacting SP Page Builder by JoomShaper and Page Builder CK by Joomlack.

The SP Page Builder bug, tracked as CVE-2026-48908 (CVSS score of 10/10), is described as an improper access control issue that allows unauthenticated attackers to achieve RCE.

Fixed in SP Page Builder version 6.6.2, it impacts the custom icon upload feature of the plugin, which can be reached without authentication. Because the vulnerable function writes files to the web root folder, the weakness can lead to PHP code execution on servers that execute code from the web root.

Recent reports have shown that threat actors have been exploiting the vulnerability to plant hidden administrator accounts on Joomla websites and deploy a PHP file manager backdoor.

Tracked as CVE-2026-56290 (CVSS score of 10/10), the Page Builder CK bug is described as an unauthenticated arbitrary file upload issue leading to RCE on the underlying web server.

The security defect was resolved in Page Builder CK version 3.6.0, released on June 27. Within hours, threat actors started targeting the bug to plant web shells.

Per BOD 26-04, federal agencies are required to patch all four security weaknesses by July 10. All organizations are advised to review CISA’s KEV list and address the vulnerabilities in it as soon as possible.

Related: Critical Gitea Flaw Under Active Exploitation, Researchers Warn

Related: New CitrixBleed Vulnerability Exploited Immediately After Public Disclosure

Related: CISA Warns of Actively Exploited Microsoft SharePoint Vulnerability

Related: Critical SimpleHelp Vulnerability Exploited for Malware Delivery

https://www.securityweek.com/cisa-urges-immediate-patching-of-exploited-coldfusion-langflow-joomla-flaws/