Skip to main content
Emerging ThreatsMalware & Ransomware

CISA Warns of Active Exploitation of Adobe, Joomla, and Langflow Flaws

Brightly-lit industrial control system in a neutral server room setting.

"On June 25, 2026, the operator (45.207.216.55) returned to an internet-exposed Langflow instance they had first probed three days before and ran a tight, methodical session," Sysdig's Michael Clark said.

CISA adds four actively exploited flaws to the KEV catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog after citing evidence of active exploitation. The entries carry high severity ratings and concrete exploitation activity: three of the four have a CVSS score of 10.0 and one scores 6.1. CISA's action places a federal compliance deadline on remediation for Federal Civilian Executive Branch (FCEB) agencies—apply fixes by July 10, 2026.

Adobe ColdFusion: CVE-2026-48282 — path traversal to code execution

CVE-2026-48282 is described as a path traversal vulnerability in Adobe ColdFusion that could lead to arbitrary code execution in the context of the current user. Its CVSS score is 10.0. Exploitation was observed within hours of public disclosure, with Ryan Dewhurst, security researcher and founder of KEVIntel, telling The Hacker News that an attempt was recorded from an IP address geolocated to India (103.207.14[.]220).

Joomlack and JoomShaper page builders: file upload and PHP execution (CVE-2026-56290, CVE-2026-48908)

Two high-severity vulnerabilities affecting popular page builder components for Joomla were added to KEV. CVE-2026-56290 (CVSS 10.0) is an improper access control issue in Joomlack Page Builder that allows unauthenticated arbitrary file upload and can result in remote code execution. Exploitation attempts were recorded on June 27, 2026, aimed at delivering a web shell to susceptible Joomla and WordPress sites. PageBuilder CK addressed the issue in version 3.6.0.

CVE-2026-48908 (CVSS 10.0) affects JoomShaper SP Page Builder and is an unrestricted upload of a file with a dangerous type vulnerability that permits unauthenticated users to upload arbitrary files and ultimately upload and execute PHP code. mySites.guru reported exploitation as a zero-day via an HTTP POST to the index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon endpoint, followed by the appearance of a new Super User account. Users are advised to update SP Page Builder to version 6.6.2 or later.

Langflow: IDOR and chained RCEs in an opportunistic campaign (CVE-2026-55255 and CVE-2026-33017)

CVE-2026-55255 (CVSS 6.1) is an authorization bypass through a user-controlled key in Langflow that allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID. Sysdig reported that a single operator (45.207.216[.]55) weaponized CVE-2026-55255 alongside CVE-2026-33017, an unauthenticated remote code execution flaw in Langflow, in a sustained campaign between June 22 and June 25, 2026.

Sysdig detailed the chain observed on June 25: initial application/auth reconnaissance, flow enumeration, exploitation of the CVE-2026-55255 IDOR to harvest credentials and LLM provider keys, then repeated exploitation of CVE-2026-33017 RCE with outbound connection attempts. The cloud security company assessed the activity as opportunistic and financially motivated; the RCE was followed by payloads designed to fetch a second-stage downloader that delivers additional malware. The resulting attack chain is consistent with botnet and cryptojacking activity, although the exact final payloads remain unknown.

Sysdig also framed CVE-2026-55255 as a cross-tenant insecure direct object reference (IDOR): "AI orchestration platforms are a trove of credentials in their own right, and this operator clearly knew it," the company said. The operator allegedly used the RCE against hosts and the IDOR to extract other tenants' flows and keys. The advisory notes this is the latest Langflow flaw to be exploited following a series of prior CVEs cited by the cloud security firm.

Observed web shells and indicators — the Joomlack web shell case

mySites.guru documented an initial confirmed web shell from the PageBuilder CK exploit: a file at /media/com_pagebuilderck/gfonts/bhup.php that behaved as an uploader shell keyed on a $_POST['_upl'] field. Because the flaw permits an attacker to choose the destination folder, mySites.guru warned defenders to search beyond obvious upload directories: start at /media/com_pagebuilderck/ and then scan /images, /media, /templates, and /administrator for stray PHP files.

What this means for FCEB agencies, site managers, and cloud operators

  • FCEB agencies: CISA's KEV additions carry a remediation deadline—apply fixes by July 10, 2026—to reduce exposure to the documented, active exploitation.
  • Website administrators and CMS managers (Joomla / WordPress): Verify PageBuilder CK is at least version 3.6.0 and SP Page Builder is 6.6.2 or later; scan for unexpected PHP files in the paths mySites.guru listed and watch for newly created privileged accounts.
  • Cloud operators and Langflow deployers: Investigate for indicators tied to 45.207.216[.]55 and 45.207.216.55 activity, review flows and credential storage for cross-tenant exposure, and prioritize patches for CVE-2026-55255 and CVE-2026-33017 to disrupt attack chains that aim to harvest keys and deploy downloaders.

The quartet of KEV entries underscores two parallel realities: rapid weaponization within hours of disclosure for some flaws, and methodical, credential-focused campaigns that combine IDORs with RCEs for others. With agency remediation deadlines now set and concrete exploit artifacts—IP addresses, web shell paths, vulnerable endpoints, and fixed software versions—available, the immediate task for defenders is clear: apply the updates and hunt for the indicators published by researchers.

Original story