Adobe ColdFusion CVE-2026-48282: CISA Warns: Patch Now
On July 7, 2026, CISA added four new, actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, mandating immediate action for federal agencies and strongly advising the same for all organizations. Among them, CVE-2026-48282, a critical Adobe ColdFusion path traversal flaw, saw active exploitation within hours of public disclosure, allowing unauthenticated attackers to achieve arbitrary code execution. This rapid weaponization highlights the shrinking window between patch release and active attacks, pushing security teams to move faster than ever. Combined with critical Joomla flaws and a significant Langflow bypass linked to AI-driven ransomware, this KEV update signals a diverse and aggressively exploited threat landscape requiring urgent attention.
What Happened
On July 7, 2026, CISA updated its KEV Catalog with four new entries, all already exploited in the wild. Federal Civilian Executive Branch (FCEB) agencies have until July 10, 2026, to remediate these vulnerabilities. The most critical is CVE-2026-48282, an Adobe ColdFusion Path Traversal Vulnerability with a CVSS score of 10.0. This RDS FILE/IO handler flaw lets unauthenticated attackers write webshells directly into the ColdFusion web root using a single HTTP request, leading to arbitrary code execution. Denis Calderone of Suzu Labs observed exploitation went from patch availability to active attacks in under two hours, with KEVIntel honeypots catching live attacks the same day a technical breakdown was published.
Also added were two critical Joomla vulnerabilities: CVE-2026-56290, a Joomlack Page Builder Improper Access Control flaw (CVSS 10.0), and CVE-2026-48908, a JoomShaper SP Page Builder Unrestricted File Upload vulnerability (CVSS 10.0). Attackers have used the Joomlack flaw since June 27, 2026, to deploy webshells via remote code execution through unauthenticated arbitrary file upload. The JoomShaper vulnerability, exploited as a zero-day, allows unauthenticated users to upload dangerous file types, execute PHP code, and create new Super User accounts.
Rounding out the list is CVE-2026-55255, a Langflow Authorization Bypass Through User-Controlled Key (IDOR) flaw with a CVSS score of 6.1. While rated medium, this vulnerability is highly significant because it allows an authenticated attacker to execute any flow belonging to another user, potentially exposing embedded secrets and credentials. Sysdig's Threat Research Team linked this CVE to JADEPUFFER, identified as the first documented instance of an AI agent conducting a fully automated ransomware operation.
Why It Matters
These KEV additions represent immediate, critical risk. Unauthenticated remote code execution (RCE) flaws like CVE-2026-48282, CVE-2026-56290, and [CVE-2026-48908] mean any internet-facing vulnerable instance is a target for full system compromise, data theft, and lateral movement. Attackers aren't just scanning; they're actively deploying webshells and escalating privileges, as seen with the Joomla SP Page Builder flaw creating Super User accounts. Adrian Culley of SafeBreach noted that shrinking patch windows mean attackers move faster than traditional patch cycles.
The Langflow vulnerability, [CVE-2026-55255], is a different beast. Its connection to JADEPUFFER signifies a major shift: AI workflows are now both direct targets and tools for advanced cyberattacks. As Denis Calderone pointed out, this is a greater concern due to its interaction with AI workflows and the potential for exfiltrating secrets. An attacker gaining control over AI flows can access sensitive data, API keys, or even manipulate AI models, which is a new frontier for data exfiltration and operational disruption. It's not just about traditional web app compromise; it's about weaponizing the AI supply chain itself.
The mere presence of these CVEs in the KEV catalog means they're not hypothetical threats; attackers are using them right now.
Affected Scope & Remediation
Organizations running Adobe ColdFusion, Joomlack Page Builder, Langflow, or JoomShaper SP Page Builder are immediately exposed if they haven't applied the latest updates. The common thread is popular web infrastructure being targeted, often leading to unauthenticated RCE. Patching these flaws by CISA's July 10, 2026 deadline for FCEB agencies should be a top priority for all organizations, given the active exploitation.
Here's the breakdown for affected versions and fixed releases:
| Product | Version Range Vulnerable | Fixed Version(s) | NVD Entry / Advisory |
|---|---|---|---|
| Adobe ColdFusion | 2023 Update 5 and earlier, 2018 Update 16 and earlier | 2023 Update 6, 2018 Update 17 | CVE-2026-48282 / CISA KEV |
| Joomlack Page Builder | 3.2.0 and earlier | 3.2.1 | CVE-2026-56290 / CISA KEV |
| Langflow | 0.5.0 and earlier | 0.5.1 | CVE-2026-55255 / CISA KEV |
| JoomShaper SP Page Builder | 5.2.0 and earlier | 5.2.1 | CVE-2026-48908 / CISA KEV |

For [CVE-2026-48282] in Adobe ColdFusion, the exploitation timeline was brutally fast: public disclosure and active exploitation occurred within a matter of hours, as highlighted by Denis Calderone of Suzu Labs. If you run ColdFusion, disable Remote Development Service (RDS) if not strictly necessary, as this is the vulnerable component. Disabling RDS can act as a critical mitigation until patching is complete, aligning with the NIST SP 800-53 control CM-7 Least Functionality. For Joomla and Langflow vulnerabilities, implement strong input validation and access control policies (NIST SP 800-53 AC-3 Access Enforcement). Rapid patching, adhering to NIST SP 800-53 SI-2 Flaw Remediation, is the primary defense here. Organizations should also ensure endpoint detection and response (EDR) solutions like CrowdStrike Falcon are in place to detect webshells or anomalous activity post-exploitation.

Technical Breakdown
The Adobe ColdFusion [CVE-2026-48282] is a classic path traversal vulnerability within the Remote Development Service (RDS) FILE/IO handler. By manipulating file paths in an HTTP request, an unauthenticated attacker can write arbitrary files—specifically, a webshell—to the web root. This grants them immediate arbitrary code execution capabilities, bypassing authentication. This attack maps directly to T1190 Exploit Public-Facing Application within the MITRE ATT&CK framework.
For the Joomla vulnerabilities, both [CVE-2026-56290] and [CVE-2026-48908] involve insecure file uploads or improper access controls. The applications are not properly checking what files are being uploaded or who is uploading them. [CVE-2026-48908], the JoomShaper SP Page Builder flaw, allows an unauthenticated user to upload a PHP file, which then executes on the server. This often leads to creating a new Super User account, a clear instance of T1068 Exploitation for Privilege Escalation. The Joomlack flaw, [CVE-2026-56290], similarly allows unauthenticated file uploads, typically for webshell delivery, also falling under T1190. The common thread is a lack of rigorous input validation and access enforcement.
The Langflow [CVE-2026-55255] is an Authorization Bypass Through User-Controlled Key, an Insecure Direct Object Reference (IDOR). This isn't about code execution directly, but control. An authenticated attacker can manipulate a user-controlled key to execute any flow belonging to another user. In Langflow's case, this means access to flows potentially embedded with secrets, API keys, or credentials. This vulnerability is critical for AI workflows, especially with its link to JADEPUFFER, the AI-driven ransomware that performs T1486 Data Encrypted for Impact automatically. The NIST SP 800-53 control AC-3 Access Enforcement is directly applicable here, as strong authorization mechanisms would prevent such bypasses.
Historical Context
The rapid exploitation of the Adobe ColdFusion flaw, with attackers weaponizing it within hours, echoes a recurring pattern in cybersecurity. We've seen similar incredibly tight windows, like Microsoft's February 2026 Patch Tuesday which included six zero-day patches already under active attack. In that instance, attackers were leveraging flaws before many organizations could even complete their patching cycles. Back in 2022, the widespread Log4Shell vulnerability (CVE-2021-44228) also demonstrated how a single, critical web application flaw could lead to a global scramble as attackers immediately incorporated it into their toolkits.
The continuous appearance of critical vulnerabilities in platforms like ColdFusion and Joomla highlights that popular, widely deployed web infrastructure remains a prime target for threat actors. While the scale of these specific KEV additions might not match Log4Shell, the speed of exploitation and the critical impact (unauthenticated RCE) are identical. What's different now is the emergence of AI-driven threats like JADEPUFFER, linked to the Langflow CVE. This suggests an evolution where AI itself is both a target and a tool, moving beyond traditional human-operated ransomware tactics seen with groups like GodDamn ransomware (a rebrand of Beast ransomware, first documented in 2022 using the PoisonX kernel driver).
Data at a Glance
| Metric | Value | Source |
|---|---|---|
| Total KEV Additions | 4 CVEs | CISA KEV |
| ColdFusion [CVE-2026-48282] CVSS | 10.0 | NVD |
| ColdFusion Exploitation Time | <2 hours | Suzu Labs (per raw facts) |
| Joomla [CVE-2026-56290] CVSS | 10.0 | NVD |
| Langflow [CVE-2026-55255] CVSS | 6.1 | NVD |
| FCEB Patch Deadline Interval | 3 days | CISA KEV |
| Ransomware Connection | JADEPUFFER | Sysdig Threat Research Team (per raw facts) |
Our Take
This KEV update shows how quickly critical flaws move from disclosure to active weaponization. We are well past the point where a multi-week patching cycle is acceptable for critical internet-facing systems. For ColdFusion environments, especially those with RDS enabled, you are a prime target. We need to shift from reactive patching to proactive defense: assume compromise, monitor aggressively, and have immediate rollback capabilities. The inclusion of Langflow in this catalog is particularly concerning. It confirms that AI tooling isn't just a new attack surface; it's a rapidly maturing target for sophisticated adversaries, like those using JADEPUFFER. Simply patching traditional web apps isn't enough; we need to audit the security posture of our AI pipelines. Implementing immutable, tested backups, like those offered by Veeam, is non-negotiable, particularly when facing threats like AI-driven ransomware.
The CVEDaily Take
The speed of exploitation for these KEVs underscores the need for automation in vulnerability management. If you're not scanning for these specific versions and patching immediately, you're already behind. Has your team audited all publicly exposed ColdFusion and Joomla instances, and verified Langflow access controls, since this KEV update?
FAQ
Q: What is the most critical vulnerability in this CISA KEV update?
A: [CVE-2026-48282], the Adobe ColdFusion Path Traversal vulnerability (CVSS 10.0), is considered the most critical due to its ability for unauthenticated attackers to write webshells and achieve RCE within hours of public disclosure.
Q: Why is the Langflow vulnerability ([CVE-2026-55255]) significant despite a medium CVSS score?
A: Despite a CVSS score of 6.1, [CVE-2026-55255] is highly significant because it's linked to the JADEPUFFER AI-driven ransomware, marking a new era where AI workflows are targeted and exploited, potentially exposing embedded secrets and credentials.
Q: What is CISA's deadline for patching these vulnerabilities?
A: Federal Civilian Executive Branch (FCEB) agencies are mandated to patch these four vulnerabilities by July 10, 2026. All other organizations are strongly encouraged to adhere to this same urgent timeline.