
CISA added four actively exploited flaws to its Known Exploited Vulnerabilities catalog according to a recent advisory, affecting Adobe ColdFusion, Joomla page builders and Langflow. The move signals an urgent need for defenders to review exposure and apply patches.
CVE-2026-48282, scored CVSS 10, is a path traversal vulnerability in Adobe ColdFusion that permits unauthenticated arbitrary code execution. CVE-2026-48908, also CVSS 10, lets attackers upload malicious files through the JoomShaper SP Page Builder component. CVE-2026-55255, scored CVSS 8.4, describes an authorization bypass in Langflow where user‑controlled keys can be manipulated to gain elevated privileges as detailed in the vendor advisory. CVE-2026-56290, rated CVSS 10, is an improper access control flaw in the Joomlack Page Builder that enables remote code execution.
CISA noted that all four flaws are being exploited in the wild, although no specific threat actors have been publicly identified according to recent reporting. Patches are available from the respective vendors and have been marked as required in the KEV catalogue.
The addition brings the total of KEV entries to a new high and highlights the growing danger facing web‑application ecosystems as noted in industry coverage. Organisations that rely on ColdFusion servers or Joomla extensions should treat these issues as priority risks.
Defenders should start by confirming which versions of ColdFusion, Joomla and Langflow are in use and then apply the latest security updates supplied by Adobe, the Joomla extension developers and the Langflow project. Where immediate patching is not possible, administrators can restrict network access to the affected interfaces, disable unused features and enable detailed logging to spot abnormal file uploads or authentication attempts.
Maintaining an accurate inventory of internet‑facing assets and subscribing to CISA alerts helps ensure that future KEV additions are acted upon quickly through the official catalogue. Testing patches in a controlled environment before rollout reduces the chance of disruption, and deploying a web application firewall can provide temporary protection while fixes are rolled out.