vulnerability

CISA's July KEV batch puts Joomla page builders and Langflow on emergency patch lists

Lucas OliveiraLucas OliveiraResearch
July 8, 2026·7 min read
CISA's July KEV batch puts Joomla page builders and Langflow on emergency patch lists

CISA added three vulnerabilities to its Known Exploited Vulnerabilities catalog on July 7, 2026, and the mix is a useful snapshot of current exposure: two exploited Joomla page-builder flaws that can lead to remote code execution, and one Langflow authorization flaw affecting AI workflow environments.

The new KEV entries are:

  • CVE-2026-48908: JoomShaper SP Page Builder unrestricted upload of files with dangerous type
  • CVE-2026-55255: Langflow authorization bypass through a user-controlled key
  • CVE-2026-56290: Joomlack Page Builder improper access control

CISA's alert does not publish exploit chains or indicators of compromise, but the KEV listing is the key operational signal. These are not theoretical findings waiting for attacker interest. They have evidence of active exploitation.

For defenders, the lesson is blunt: exposed content-management extensions and low-friction AI workflow platforms now belong in the same emergency response queue as VPNs, remote-management systems, and application servers.

What changed

The July 7 KEV update groups two different risk surfaces.

The Joomla issues are classic high-impact web exposure. Both affect page-builder extensions that can sit on public websites, often maintained outside central infrastructure teams. If an attacker can upload and execute server-side code without authentication, a marketing site or partner portal can quickly become a beachhead for persistence, credential theft, redirect campaigns, or broader incident response.

The Langflow issue is different but equally strategic. Langflow is used to build and deploy AI-powered agents and workflows. The GitHub advisory describes CVE-2026-55255 as an insecure direct object reference in /api/v1/responses, where an authenticated attacker can execute another user's flow by supplying the victim's flow ID. That makes it an authorization failure inside a platform that may handle prompts, connectors, credentials, generated outputs, and automation logic.

This combination matters because attackers are no longer choosing between "old CMS" and "new AI stack." Both are useful if they are exposed, underpatched, and loosely monitored.

CVE-2026-48908: SP Page Builder for Joomla

CVE-2026-48908 affects SP Page Builder for Joomla versions up to and including 6.6.1. NVD describes the issue as unauthenticated arbitrary file upload that ultimately allows PHP code upload and execution.

Research from mySites.guru says the vulnerable route involves the asset.uploadCustomIcon task and that exploitation has been observed in the wild. Their reporting says attackers used the flaw to plant hidden Super Administrator accounts and PHP file-manager backdoors for persistence.

That is the important defender takeaway: patching the extension is necessary, but it is not enough if attackers already landed. Any site that ran a vulnerable version while exposed should be checked for unauthorized administrator accounts, unexpected PHP files, modified templates, suspicious extensions, and new scheduled tasks or cron entries.

Recommended response:

  1. Upgrade SP Page Builder to 6.6.2 or later.
  2. Confirm the patched version is present on every Joomla site, including staging and forgotten microsites.
  3. Review Joomla administrator accounts for unknown users, especially recently created privileged accounts.
  4. Search web roots and upload directories for recently added PHP files.
  5. Review access logs for unauthenticated upload attempts and requests to newly created files.

CVE-2026-56290: Page Builder CK for Joomla

CVE-2026-56290 affects Page Builder CK, another Joomla extension. NVD describes it as an unauthenticated arbitrary file upload vulnerability that allows executable files to be uploaded and leads to full RCE.

mySites.guru reported that exploitation began within hours of the fix landing and observed a web shell at /media/com_pagebuilderck/gfonts/bhup.php. The affected line is Page Builder CK below 3.6.0 for current Joomla sites, with separate backported fixes for older Joomla branches.

This is the kind of vulnerability where asset inventory often fails. Security teams may know they run Joomla, but not which page-builder extension version is installed across every business-owned site. Attackers do not need that organizational chart. They only need the vulnerable endpoint.

Recommended response:

  1. Upgrade Page Builder CK to 3.6.0 or later on current Joomla branches.
  2. For older Joomla versions, verify the vendor's backported fixed releases are installed.
  3. Hunt for bhup.php and any other unexpected PHP under /media/com_pagebuilderck/.
  4. Compare file modification times against the June 27, 2026 patch and exploitation window.
  5. Rebuild from known-good source if web shells or unauthorized changes are found.

CVE-2026-55255: Langflow IDOR in AI workflows

CVE-2026-55255 affects Langflow before 1.9.1. The GitHub advisory says the bug is an insecure direct object reference in /api/v1/responses that allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID.

NVD and OpenCVE list the weakness as CWE-639, authorization bypass through user-controlled key. Sysdig reported active exploitation on June 25, 2026 and argued that the case shows why vulnerability priority should not be driven only by headline CVSS values. A flaw that requires authentication can still be dangerous if the platform is internet-facing, has weak tenant separation, or stores high-value automation flows.

The impact depends on what the flows do. In a lightly used lab, the exposure may be limited. In a production AI workflow environment, another user's flow may contain business logic, prompt chains, tool calls, sensitive outputs, credentials in nodes, or automation that can touch downstream systems.

Recommended response:

  1. Upgrade Langflow to 1.9.1 or later.
  2. Identify internet-facing Langflow instances and restrict access behind VPN, SSO, or private network controls.
  3. Review logs for unusual calls to /api/v1/responses where one user executes flows owned by another user.
  4. Audit flows for embedded secrets, connector tokens, or prompts containing sensitive operational data.
  5. Rotate credentials exposed through flows if cross-user access is suspected.

Why this KEV batch matters

This set is small, but it points to a bigger defensive problem.

First, CMS extensions are still a reliable attack path. Joomla, WordPress, Drupal, and similar platforms often have many plugins installed over many years. The core platform may be maintained, while extensions drift. Attackers know that gap well.

Second, AI workflow platforms are becoming operational infrastructure before many organizations have mature controls around them. Tools like Langflow are attractive because they connect models, data, APIs, and user workflows quickly. That same connectivity raises the stakes when an access-control bug appears.

Third, active exploitation compresses the response timeline. Once a vulnerability lands in KEV, teams should move from normal patch management into exposure triage, compromise assessment, and rapid remediation.

Practical detection ideas

For Joomla environments:

  • inventory SP Page Builder and Page Builder CK installations across production, staging, and legacy sites
  • alert on new PHP files under upload, media, cache, image, or extension-controlled directories
  • search for unexpected Super Administrator accounts and recent privilege changes
  • review requests to extension upload handlers, especially from unknown IP addresses
  • compare current web roots against known-good backups or deployment artifacts

For Langflow environments:

  • identify all Langflow instances and versions
  • review authentication logs for suspicious low-privilege accounts
  • inspect /api/v1/responses activity for mismatched user and flow ownership
  • look for sudden execution of sensitive flows by unusual users
  • review connector and environment secrets used by flows

For both:

  • treat public exposure as a risk multiplier
  • preserve logs before rebuilding or cleaning compromised systems
  • rotate credentials if exploitation is plausible
  • document affected assets so future KEV entries can be matched faster

The broader lesson

The July 7 KEV update is not just a Joomla story or a Langflow story. It is a reminder that attackers look for useful control points, not fashionable categories.

A page-builder extension can provide a web shell. An AI workflow platform can expose another user's automation. Both can become stepping stones into data, credentials, and trusted systems.

The best response is not panic; it is disciplined urgency: patch the known vulnerable versions, verify public exposure, hunt for signs of compromise, and reduce the number of internet-facing tools that can turn a single weak endpoint into full operational access.

References

  1. CISA Adds Three Known Exploited Vulnerabilities to Catalog
  2. CVE-2026-48908 Detail
  3. SP Page Builder Zero Day RCE Fixed in 6.6.2
  4. CVE-2026-56290 Detail
  5. PageBuilder CK RCE - CVE-2026-56290
  6. Langflow: IDOR Vulnerability in /api/v1/responses Endpoint Allows Authenticated Attackers to Access Another User's Flow
  7. CVE-2026-55255 Detail
  8. Understanding Langflow CVE-2026-55255

Written by

Lucas Oliveira

Research

A DevOps engineer and cybersecurity enthusiast with a passion for uncovering the latest in zero-day exploits, automation, and emerging tech. I write to share real-world insights from the trenches of IT and security, aiming to make complex topics more accessible and actionable. Whether I’m building tools, tracking threat actors, or experimenting with AI workflows, I’m always exploring new ways to stay one step ahead in today’s fast-moving digital landscape.