Critical KEV Updates for ColdFusion, Joomla and Gitea
Adobe urged customers to apply emergency patches for CVE‑2026‑48282 after CISA added the path‑traversal flaw to its KEV catalogue, noting active exploitation in the wild [C1] CISA also listed the Joomlack Page Builder improper access control issue (CVE‑2026‑56290) and the JoomShaper SP Page Builder unrestricted upload flaw (CVE‑2026‑48908) in the KEV catalogue [C2][C5] Additionally, the Langflow authorization bypass (CVE‑2026‑55255) and a critical Gitea reverse‑proxy authentication bug (CVE‑2026‑20896) were flagged as actively exploited [C4][C8]
Supply‑Chain Threats
KVM Escape, Tenda Backdoor and BMC Flaw
Researchers disclosed a sixteen‑year‑old KVM use‑after‑free vulnerability (CVE‑2026‑53359) that lets a compromised guest VM corrupt host memory and execute code on the hypervisor [C32] A hidden backdoor in multiple Tenda router models (CVE‑2026‑11405) grants unauthenticated administrative access, with no patch currently available [C33] An unauthenticated remote command injection in BMC Control‑M/Server (CVE‑2026‑10539) allows attackers to hijack servers and exfiltrate sensitive data [C13] The ‘GitLost’ bug in GitHub Agentic Workflows enables unauthenticated attackers to pull private repository data via crafted public issues [C12]
Ransomware Payments, Banking Malware and AI‑Driven Supply‑Chain Risks
A U.S. government entity reportedly paid $1 million in ransom to the Kairos extortion group after a 2 TB breach in May 2025 [C7] Android banking malware‑as‑a‑service advertised on Telegram is fuelling fraud by lowering the technical barrier for cybercriminals [C9] Analysts warn that while AI accelerates development, it also introduces new supply‑chain attack surfaces that require heightened vigilance [C28].