Back to Blog
CVE-2026-48282, CVE-2026-55255, CVE-2026-33017, CVE-2026-48908, CVE-2026-56290: Adobe ColdFusion, Langflow, Joomla — Critical RCE, Active Exploitation (June 2026)
vulnerabilities

CVE-2026-48282, CVE-2026-55255, CVE-2026-33017, CVE-2026-48908, CVE-2026-56290: Adobe ColdFusion, Langflow, Joomla — Critical RCE, Active Exploitation (June 2026)

breachwire TeamJul 9, 20262 min read

CVE-2026-48282, CVE-2026-55255, CVE-2026-33017, CVE-2026-48908, CVE-2026-56290 — Adobe ColdFusion, Langflow, Joomla

Multiple critical vulnerabilities (CVE-2026-48282, CVE-2026-55255, CVE-2026-33017, CVE-2026-48908, CVE-2026-56290) affecting Adobe ColdFusion, Langflow, and Joomla extensions are being actively exploited in the wild. These flaws allow remote code execution (RCE), arbitrary file uploads, and privilege escalation, with confirmed incidents of attackers planting backdoors, creating hidden administrator accounts, and deploying web shells. Severity is critical; exploitation is ongoing.

Attack Vector

Attackers exploit a path traversal RCE in ColdFusion (CVE-2026-48282), chained IDOR and RCE in Langflow (CVE-2026-55255, CVE-2026-33017), and RCE vulnerabilities in Joomla SP Page Builder (CVE-2026-48908) and Page Builder CK (CVE-2026-56290). Exploitation typically involves sending crafted HTTP requests to vulnerable endpoints, enabling arbitrary code execution and system takeover. Observed indicators include unauthorized admin account creation and web shell deployment. No user interaction is required.

Who Is at Risk

Federal agencies and any organization running Adobe ColdFusion, Langflow, Joomla SP Page Builder, or Joomla Page Builder CK are at immediate risk. All supported versions of these products are affected unless patched. Public-facing deployments are especially vulnerable. CISA has specifically mandated federal agencies to patch by July 10, 2026.

Patch & Mitigate

  • Patch: Apply vendor patches for Adobe ColdFusion, Langflow, Joomla SP Page Builder, and Page Builder CK immediately. Federal agencies must patch by July 10, 2026.
  • Workaround: No reliable workarounds reported. Restrict public access to admin interfaces as a temporary measure.
  • Detect: Review logs for unusual admin account creation, unexpected file uploads, and web shell artifacts. Monitor for outbound connections from web servers and unauthorized changes to application files.

MITRE ATT&CK

  • TA0001 — Initial Access: Attackers exploit public-facing applications to gain entry.
  • TA0005 — Defense Evasion: Web shells and hidden accounts are used to maintain persistence and evade detection.
  • TA0008 — Lateral Movement: Compromised systems may be used to pivot deeper into networks.

Source: https://www.securityweek.com/cisa-urges-immediate-patching-of-exploited-coldfusion-langflow-joomla-flaws/

Start Your 14-Day Free Trial

Get curated cyber intelligence delivered to your inbox every morning at 6 AM. No credit card required.

Get Started Free
Share this article: