CISA adds four actively exploited flaws, including Adobe ColdFusion bug

by

CISA on Tuesday added four security flaws to its Known Exploited Vulnerabilities catalog after finding signs of active exploitation, including a critical Adobe ColdFusion path traversal bug and issues in Joomlack Page Builder, Langflow and JoomShaper SP Page Builder.

KEY FACTS

  • Catalog update CISA added four vulnerabilities to its KEV list.
  • Adobe flaw CVE-2026-48282 is a path traversal bug in ColdFusion with a CVSS score of 10.0.
  • Other issues The list also includes CVE-2026-56290, CVE-2026-55255 and CVE-2026-48908.
  • Deadlines Federal civilian agencies were told to apply fixes by July 10, 2026.

The advisory said CVE-2026-48282 could lead to arbitrary code execution in the context of the current user. The issue was observed being exploited within hours of public disclosure, and one attempt was traced to an IP address geolocated to India.

CVE-2026-48908 was described as a zero-day used to upload a PHP file through an HTTP POST request, followed by the appearance of a new Super User account. Users of SP Page Builder were advised to move to version 6.6.2 or later.

In another case, exploitation of CVE-2026-56290 was tied to web shell delivery on vulnerable sites. The fix for that issue was released in Page Builder CK version 3.6.0.

For Langflow, the report said an attacker used CVE-2026-55255 to access another user’s flow by supplying a victim flow ID in the request. Sysdig said the activity appeared aimed at stealing LLM provider keys and AWS keys.

WHY IT MATTERS

The additions show that public vulnerability lists continue to be shaped by real-world attacks, not just severity scores. Organizations using the affected products may need to patch quickly to reduce the risk of code execution, web shells or credential theft.