The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding security vulnerabilities in Adobe ColdFusion, Langflow, and two Joomla extensions. These flaws have been actively exploited, prompting CISA to urge immediate patching.
Critical ColdFusion Vulnerability
One of the most severe vulnerabilities is found in Adobe ColdFusion, identified as CVE-2026-48282 with a critical CVSS score of 10/10. This path traversal flaw permits attackers to execute arbitrary code. Despite Adobe releasing patches on June 30, threats exploiting this vulnerability were quickly observed.
Langflow Security Concerns
Langflow is also under scrutiny for CVE-2026-55255, a cross-tenant insecure direct object reference (IDOR) issue with a CVSS score of 9.9. This flaw allows attackers to execute unauthorized flows by manipulating flow UUIDs. Despite a patch in Langflow version 1.9.1, hackers have exploited this vulnerability without public proof-of-concept exploitation.
In attacks witnessed by cybersecurity firm Sysdig, threat actors executed host reconnaissance, harvested flow IDs, and leveraged the vulnerability to initiate remote code execution (RCE), further linking with another Langflow flaw, CVE-2026-33017, which was addressed in March.
Joomla Extensions Under Attack
Joomla extensions are not immune to exploitation as attackers have targeted SP Page Builder and Page Builder CK. The SP Page Builder vulnerability, CVE-2026-48908, carries a CVSS score of 10/10 due to improper access controls, allowing RCE through unauthenticated access to the custom icon upload feature. This flaw was addressed in version 6.6.2.
Meanwhile, Page Builder CK’s CVE-2026-56290, also with a CVSS score of 10/10, poses a risk of unauthenticated arbitrary file upload, leading to RCE. This vulnerability was resolved in version 3.6.0, released on June 27, yet malicious actors have since leveraged it to install web shells.
Urgency in Patching and Future Measures
CISA’s Known Exploited Vulnerabilities (KEV) catalog now includes these critical issues, mandating federal agencies to apply patches within a three-day window. Organizations are strongly advised to consult CISA’s KEV list and address these vulnerabilities promptly to mitigate potential risks.
Ensuring cybersecurity resilience demands vigilant monitoring and timely application of security patches, as highlighted by the recent exploitation of these vulnerabilities. Stakeholders must prioritize addressing these flaws to safeguard their systems against evolving threats.
