
CISA KEV Adds Four Actively Exploited Zero-Days in Adobe ColdFusion, Joomla Builders, Langflow
CISA catalogued four actively exploited vulnerabilities affecting widely deployed Adobe, Joomla, and Langflow products. Technical telemetry confirms rapid weaponization and credential harvesting. Unpatched instances face immediate risk of web-shell deployment and key theft.
The catalog entry covers path traversal in ColdFusion (CVSS 10.0) exploited within hours of disclosure from IP 103.207.14.220, plus unauthenticated file-upload RCE in two Joomla page builders and an IDOR in Langflow. Exploitation logs from mySites.guru and Sysdig show web shells planted in non-standard directories and credential theft from LLM orchestration flows. ColdFusion and SP Page Builder both reached critical exploitation speed that matches prior Adobe zero-day campaigns documented in 2023-2025 CISA alerts.
Evidence trails reveal consistent targeting of exposed administrative interfaces and AI tooling that stores third-party keys. Sysdig telemetry tied the Langflow operator (45.207.216.55) to a four-day campaign that chained CVE-2026-55255 with unauthenticated RCE to exfiltrate AWS and provider credentials before deploying second-stage downloaders. Joomla incidents similarly produced super-user accounts via POST requests to asset.uploadCustomIcon endpoints.
These additions continue the documented pattern of Adobe and open-source CMS flaws moving from disclosure to KEV listing inside 48 hours when mass-scanning infrastructure is already in place. Procurement records and contractor job postings show federal agencies still run unpatched ColdFusion instances on internal networks, creating immediate lateral-movement paths once initial web shells appear.
Administrators must prioritize patching ColdFusion, Page Builder CK 3.6.0+, SP Page Builder 6.6.2+, and Langflow instances; failure to do so within seven days will likely produce additional confirmed compromises tracked in future KEV updates.
CISA: At least one additional Adobe ColdFusion CVE added to KEV within 14 days of 7 July 2026
Sources (3)
- [1]Primary Source(https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- [2]Supporting Source(https://sysdig.com/blog/langflow-idorr-campaign/)
- [3]Supporting Source(https://mysites.guru/sp-page-builder-exploitation/)