CISA Adds ColdFusion, Langflow, Two Joomla CVEs to KEV

CISA added four actively exploited flaws to KEV on July 7, requiring federal agencies to patch ColdFusion, Langflow, and two Joomla extensions by July 10.
Table of Contents
    Add a header to begin generating the table of contents

    The Cybersecurity and Infrastructure Security Agency added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog on July 7, triggering a mandatory patch deadline of July 10 for all US Federal Civilian Executive Branch agencies. The batch covers Adobe ColdFusion, Langflow’s AI workflow platform, and two Joomla page-builder extensions — a three-day remediation window CISA imposed under Binding Operational Directive 26-04.

    The July 10 Federal Mandate and What Activates Under BOD 26-04

    When CISA formally adds a vulnerability to the KEV catalog, Binding Operational Directive 26-04 activates automatically for all FCEB agencies. The directive requires federal civilian agencies to remediate the listed vulnerabilities by the specified deadline or report non-compliance to CISA. The July 10 deadline — three days from the July 7 KEV additions — represents one of the tighter turnaround windows issued under the directive, reflecting CISA’s assessment that all four vulnerabilities are already under active exploitation.

    CVE-2026-48282 in Adobe ColdFusion: Maximum CVSS Score and Unauthenticated Code Execution

    CVE-2026-48282 affects Adobe ColdFusion 2025 (versions 2025.9 and earlier) and ColdFusion 2023 (versions 2023.20 and earlier). The vulnerability is a path traversal flaw rated CVSS 10.0 — maximum severity — that allows unauthenticated attackers to execute arbitrary code on affected servers. Adobe released patches in ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21. Confirmed in-the-wild exploitation was documented within two hours of proof-of-concept details becoming public, prior to the July 7 KEV addition. Federal agencies running unpatched ColdFusion instances must apply the update by Friday.

    CVE-2026-55255 in Langflow: CVSS 9.9 Authorization Bypass on AI Workflow Platform

    CVE-2026-55255 affects Langflow, the open-source AI workflow orchestration platform. The vulnerability is an authorization bypass rated CVSS 9.9. Authenticated users can exploit the flaw to execute flows belonging to other users, violating tenant isolation and enabling unauthorized access to AI workflows and any data those workflows process or store. Active exploitation was observed between June 22 and June 25. The July 7 KEV addition represents the US government’s formal confirmation that threat actors are actively weaponizing this flaw.

    CVE-2026-55255 is distinct from two previously disclosed Langflow vulnerabilities — CVE-2026-5027 and CVE-2026-33017 — which received prior coverage. Federal agencies running Langflow deployments must patch by July 10 per the same BOD 26-04 directive.

    Two Joomla Extension CVEs Round Out the July 7 KEV Batch

    The remaining two additions target Joomla page-builder extensions deployed across a wide range of CMS-based websites, including those operated by government entities.

    CVE-2026-48908 affects the JoomShaper SP Page Builder extension for Joomla. The flaw permits malicious PHP file uploads and unauthorized administrator account creation, giving unauthenticated attackers who successfully upload a web shell the ability to execute arbitrary code on the underlying web server and create persistent administrative backdoor accounts. The fix is SP Page Builder version 6.6.2 or later.

    CVE-2026-56290 affects Joomlack’s Page Builder CK extension. The vulnerability allows unauthenticated attackers to upload malicious files and execute arbitrary code — no credentials required. The fix is Page Builder CK version 3.6.0 or later.

    Four Actively Exploited CVEs, One Friday Deadline for Federal IT Teams

    The convergence of four actively exploited vulnerabilities under a single three-day remediation window reflects CISA’s posture that the threat to federal systems is immediate and current rather than theoretical. All four CVEs affect software commonly found in federal agency environments: ColdFusion is a long-established enterprise web platform; Langflow adoption has grown as agencies explore AI workflow automation; and Joomla-based web properties are present across dozens of federal and state government sites.

    For federal IT teams, the July 10 deadline applies regardless of whether internal vulnerability management processes have reached these CVEs through their normal prioritization pipeline. BOD 26-04 overrides internal patch scheduling for KEV-listed items. Agencies that cannot remediate by the deadline are required to report the exception to CISA with a documented remediation plan.

    Non-federal organizations running the same software — ColdFusion, Langflow, SP Page Builder, or Page Builder CK — face the same underlying exploitation risk without the mandatory deadline structure. CISA’s KEV additions serve as the most reliable public signal that threat actors are actively using these vulnerabilities in real attacks, making this batch a high-priority patch target across sectors beyond the federal government.

    Related Posts