CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEV Catalog
- CISA action: CISA added four actively exploited vulnerabilities to its KEV catalog – CVE-2026-48282, CVE-2026-55255, CVE-2026-48908, and CVE-2026-56290.
- Products affected: The flaws impact Adobe ColdFusion, Joomla page builder extensions (Joomlack and JoomShaper SP Page Builder), and Langflow.
- Patch deadline: Federal agencies must remediate the vulnerabilities by July 10 under Binding Operational Directive 26-04.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The additions span flaws in Adobe ColdFusion, Joomla page builders, and Langflow, with CVE-2026-48282, CVE-2026-55255, and CVE-2026-56290
Adobe ColdFusion, Joomla, and Langflow Under Attack
CISA confirmed these flaws are under active exploitation. The move places the affected products under immediate scrutiny for organizations tasked with maintaining a hardened security posture. The newly listed vulnerabilities cover three distinct technologies.
- CVE-2026-48282 – an Adobe ColdFusion path traversal vulnerability, could lead to arbitrary code execution in the context of the current user.
- Two flaws affect Joomla page builder extensions:
- CVE-2026-56290 – an improper access control vulnerability in Joomlack Page Builder that could allow remote code execution (RCE),
- CVE-2026-48908 – a separate unrestricted file upload flaw in JoomShaper SP Page Builder that allows unauthenticated users to ultimately execute PHP code.
- CVE-2026-55255 – an authorization bypass in Langflow, allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID.
ColdFusion remains a recurring target for attackers seeking server-side access, with 16 prior ColdFusion CVEs already sitting in the KEV catalog. Langflow vulnerability is reflecting the growing interest of threat actors in AI tooling, following separate Langflow flaws already exploited last month.
July 10 Remediation Deadline
Federal Civilian Executive Branch agencies must remediate the identified vulnerabilities by the July 10 deadline under Binding Operational Directive 26-04, Prioritizing Security Updates Based on Risk, which updated and replaced the earlier BOD 22-01,
CISA also strongly recommends that private-sector organizations prioritize timely patching of KEV-listed flaws to reduce exposure.
Applying vendor fixes ahead of the cutoff remains the most direct path to mitigating active exploitation across Adobe ColdFusion, Joomla, and Langflow deployments.
Hackers a PoC to exploit a critical ColdFusion vulnerability that permits reading arbitrary files on compromised servers in 2024.





