INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Adobe ColdFusion, Joomlack Page Builder Exploit Added
| 2026-07-08 08:38 CRITICAL HIGHExecutive Summary AI-generated
The attackers exploited a range of vulnerabilities in Adobe ColdFusion, JoomShaper SP Page Builder and Langflow Authorization Bypass Through User-Controlled Key Vulnerability to gain unauthorized access to compromised servers. The attacks originated from IP addresses in India, with the first reported incident on July 8th, 2026. Researchers at KEVIntel identified these vulnerabilities as CVE-2026-48282, CVE-2026-48908 and CVE-2026-55255, which allowed attackers to execute code on vulnerable servers, upload malicious files and create new administrator accounts, deploy web shells and steal sensitive data. The attacks were financially motivated, targeting botnet or cryptojacking activity.
Technical Mitigations AI-generated
* Regularly update and patch Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder: Ensure all affected systems have the latest security patches installed to prevent exploitation of known vulnerabilities.
* Use a web application firewall (WAF) or intrusion detection system (IDS): Implementing a WAF or IDS can help detect and block malicious traffic, reducing the risk of successful attacks on vulnerable sites.
* Implement secure coding practices: Ensure developers follow best practices for secure coding, such as validating user input, using secure protocols like HTTPS, and keeping software up to date with the latest security patches.
* Monitor system logs and network traffic: Regularly review system logs and network traffic to detect suspicious activity that may indicate an attack is in progress.
* Use a Content Security Policy (CSP): Implementing a CSP can help restrict what types of content are allowed on web pages, reducing the risk of XSS attacks.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2025-3248CVE-2025-3248
CVE-2025-34291CVE-2025-34291
CVE-2026-48908CVE-2026-48908
CVE-2026-0770CVE-2026-0770
CVE-2026-33017CVE-2026-33017
CVE-2026-48282CVE-2026-48282
CVE-2026-5027CVE-2026-5027
CVE-2026-55255CVE-2026-55255
CVE-2026-56290CVE-2026-56290
CVE-2026-21445CVE-2026-21445
Target & Sectors
IN
mediamedia
Incident Timeline
2026/05/26
The threat actors used a lone operator to exploit CVE-2026-55255 in Adobe ColdFusion, along with an unauthenticated remote code execution flaw in Langflow and Joomlack Page Builder.
Click on any entity below to view its context and source!
vulnerability
CVE-2026-55255
"
As for CVE-2026-55255, Sysdig
revealed
late last month that it observed a lone operator ("45.207.216[.]55") weaponizing the vulnerability along with CVE-2026-33017, an unauthenticated remote code execution flaw in Langflow, as part of a sustained campaign that lasted between June 22 and June 25, 2026.
organisation
CVE-2026-33017
"
As for CVE-2026-55255, Sysdig
revealed
late last month that it observed a lone operator ("45.207.216[.]55") weaponizing the vulnerability along with CVE-2026-33017, an unauthenticated remote code execution flaw in Langflow, as part of a sustained campaign that lasted between June 22 and June 25, 2026.
tactic
Remote Code Execution
"
As for CVE-2026-55255, Sysdig
revealed
late last month that it observed a lone operator ("45.207.216[.]55") weaponizing the vulnerability along with CVE-2026-33017, an unauthenticated remote code execution flaw in Langflow, as part of a sustained campaign that lasted between June 22 and June 25, 2026.
June 2026
Threat actors used a remote code execution vulnerability in Adobe ColdFusion to target AWS, exploiting an authorization bypass through a user-controlled key vulnerability in Langflow.
Click on any entity below to view its context and source!
organisation
KeV
The third issue added to the KeV catalog, tracked as CVE-2026-55255, is an authorization bypass through a user-controlled key vulnerability in Langflow that could allow an authenticated attacker to execute any flow belonging to another user by specifying the victim’s flow ID in the request.
organisation
AWS
The attacker combined an authentication bypass with a remote code execution flaw to access exposed servers, steal LLM provider and AWS keys, and attempt to deploy additional malware.
between June 22
Threat actors exploited CVE-2026-55255 and CVE-2026-33017 vulnerabilities in Langflow between June 22 and 25.
Click on any entity below to view its context and source!
vulnerability
CVE-2026-55255
Sysdig researchers observed attackers exploiting CVE-2026-55255 and
CVE-2026-33017
in Langflow between June 22 and 25.
vulnerability
CVE-2026-33017
Sysdig researchers observed attackers exploiting CVE-2026-55255 and
CVE-2026-33017
in Langflow between June 22 and 25.
June 25, 2026
The operator exploited the Langflow vulnerability CVE-2026-55255.
Click on any entity below to view its context and source!
vulnerability
CVE-2026-55255
“On June 25, 2026, the Sysdig Threat Research Team (TRT) observed the first known active exploitation of a CVSS 9.9 “critical” Langflow vulnerability, tracked as
CVE-2026-55255
.
"On June 25, 2026, the operator (45.207.216[.]55) returned to an internet-exposed Langflow instance they had first probed three days before and ran a tight, methodical session: application/auth reconnaissance → flow enumeration → the CVE-2026-55255 IDOR → a sustained loop of the CVE-2026-33017 RCE with outbound connection attempts," Sysdig's Michael Clark said.
vulnerability
CVSS 9.9
“On June 25, 2026, the Sysdig Threat Research Team (TRT) observed the first known active exploitation of a CVSS 9.9 “critical” Langflow vulnerability, tracked as
CVE-2026-55255
.
organisation
the Sysdig Threat Research Team
“On June 25, 2026, the Sysdig Threat Research Team (TRT) observed the first known active exploitation of a CVSS 9.9 “critical” Langflow vulnerability, tracked as
CVE-2026-55255
.
organisation
TRT
“On June 25, 2026, the Sysdig Threat Research Team (TRT) observed the first known active exploitation of a CVSS 9.9 “critical” Langflow vulnerability, tracked as
CVE-2026-55255
.
general_metric
9.9 critical Langflow vulnerability
“On June 25, 2026, the Sysdig Threat Research Team (TRT) observed the first known active exploitation of a CVSS 9.9 “critical” Langflow vulnerability, tracked as
CVE-2026-55255
.
vulnerability
CVE-2026-33017
"On June 25, 2026, the operator (45.207.216[.]55) returned to an internet-exposed Langflow instance they had first probed three days before and ran a tight, methodical session: application/auth reconnaissance → flow enumeration → the CVE-2026-55255 IDOR → a sustained loop of the CVE-2026-33017 RCE with outbound connection attempts," Sysdig's Michael Clark said.
tactic
Reconnaissance
"On June 25, 2026, the operator (45.207.216[.]55) returned to an internet-exposed Langflow instance they had first probed three days before and ran a tight, methodical session: application/auth reconnaissance → flow enumeration → the CVE-2026-55255 IDOR → a sustained loop of the CVE-2026-33017 RCE with outbound connection attempts," Sysdig's Michael Clark said.
organisation
CVSS
What we saw explains why this vulnerability likely took longer to exploit than its lower-scored sibling vulnerability, tracked as
CVE-2026-33017
with a CVSS score of 9.3, which has already been exploited thousands of times.”
reported
Sysdig.
June 27, 2026
Threat actors used CVE-2026-56290 to exploit vulnerabilities in Adobe ColdFusion and Joomlack Page Builder, as well as Langflow and JoomShaper SP Page Builders.
Click on any entity below to view its context and source!
vulnerability
CVE-2026-56290
The Joomla and WordPress site manager service has also recorded exploitation efforts aimed at CVE-2026-56290 as of June 27, 2026, to deliver a web shell on susceptible sites.
organisation
WordPress
The Joomla and WordPress site manager service has also recorded exploitation efforts aimed at CVE-2026-56290 as of June 27, 2026, to deliver a web shell on susceptible sites.
27 June 2026
The U.S. CISA added Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog on June 27, 2026.
Click on any entity below to view its context and source!
infrastructure
3.6.0
The fix shipped on 27 June 2026 and the attackers were not far behind, so if you run PageBuilder CK below 3.6.0, treat this as urgent: update now, then check for compromise.
organisation
PageBuilder CK
The fix shipped on 27 June 2026 and the attackers were not far behind, so if you run PageBuilder CK below 3.6.0, treat this as urgent: update now, then check for compromise.
2026/07/01
Ransomware operators exploited the CVE-2025-3248 Langflow flaw in Adobe ColdFusion and Joomlack Page Builder to deploy an artificial agent.
Click on any entity below to view its context and source!
tactic
Ransomware
Last week, Sysdig also
documented
the first known case of agentic ransomware in which a human operator deployed an artificial agent and provisioned the necessary infrastructure to let the agent handle the entire extortion operation from start to finish by exploiting the CVE-2025-3248 Langflow flaw.
tactic
Extortion
Last week, Sysdig also
documented
the first known case of agentic ransomware in which a human operator deployed an artificial agent and provisioned the necessary infrastructure to let the agent handle the entire extortion operation from start to finish by exploiting the CVE-2025-3248 Langflow flaw.
vulnerability
CVE-2025-3248
Last week, Sysdig also
documented
the first known case of agentic ransomware in which a human operator deployed an artificial agent and provisioned the necessary infrastructure to let the agent handle the entire extortion operation from start to finish by exploiting the CVE-2025-3248 Langflow flaw.
organisation
Sysdig
Last week, Sysdig also
documented
the first known case of agentic ransomware in which a human operator deployed an artificial agent and provisioned the necessary infrastructure to let the agent handle the entire extortion operation from start to finish by exploiting the CVE-2025-3248 Langflow flaw.
Jul 08, 2026
Threat actors exploited vulnerabilities in Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builders.
between June 22 and June 25, 2026
Threat actors used a lone operator to target CVE-2026-55255 and an unauthenticated remote code execution flaw in Langflow, as part of a sustained campaign that exploited vulnerabilities in Adobe ColdFusion and Joomlack Page Builder.
Click on any entity below to view its context and source!
vulnerability
CVE-2026-55255
"
As for CVE-2026-55255, Sysdig
revealed
late last month that it observed a lone operator ("45.207.216[.]55") weaponizing the vulnerability along with CVE-2026-33017, an unauthenticated remote code execution flaw in Langflow, as part of a sustained campaign that lasted between June 22 and June 25, 2026.
organisation
CVE-2026-33017
"
As for CVE-2026-55255, Sysdig
revealed
late last month that it observed a lone operator ("45.207.216[.]55") weaponizing the vulnerability along with CVE-2026-33017, an unauthenticated remote code execution flaw in Langflow, as part of a sustained campaign that lasted between June 22 and June 25, 2026.
tactic
Remote Code Execution
"
As for CVE-2026-55255, Sysdig
revealed
late last month that it observed a lone operator ("45.207.216[.]55") weaponizing the vulnerability along with CVE-2026-33017, an unauthenticated remote code execution flaw in Langflow, as part of a sustained campaign that lasted between June 22 and June 25, 2026.
2026/07/08
Attackers exploited a vulnerability in Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder.
Click on any entity below to view its context and source!
organisation
IP
KEVIntel founder Ryan Dewhurst reported that the attacks originated from the IP address 103.207.14[.]220 by an attacker located in India.
It's worth noting that
exploitation
of CVE-2026-48282 was
observed
within hours of public disclosure, with Ryan Dewhurst, security researcher and founder of KEVIntel, telling The Hacker News that an attempt was recorded from an IP address geolocated to India ("103.207.14[.]220").
organisation
KEVIntel
It's worth noting that
exploitation
of CVE-2026-48282 was
observed
within hours of public disclosure, with Ryan Dewhurst, security researcher and founder of KEVIntel, telling The Hacker News that an attempt was recorded from an IP address geolocated to India ("103.207.14[.]220").
KEVIntel researchers reported that less than two hours after details of CVE-2026-48282 became public, attackers started exploiting it in attacks in the wild.
organisation
The Hacker News
It's worth noting that
exploitation
of CVE-2026-48282 was
observed
within hours of public disclosure, with Ryan Dewhurst, security researcher and founder of KEVIntel, telling The Hacker News that an attempt was recorded from an IP address geolocated to India ("103.207.14[.]220").
infrastructure
6.6.2
Website owners should update to SP Page Builder 6.6.2+ and Page Builder CK 3.6.0+, and check for suspicious PHP files in upload and media folders.
Users of SP Page Builder are advised to update to version 6.6.2 or later.
infrastructure
3.6.0
Website owners should update to SP Page Builder 6.6.2+ and Page Builder CK 3.6.0+, and check for suspicious PHP files in upload and media folders.
The issue has been addressed in Page Builder CK version 3.6.0.
organisation
JoomShaper
The flaws added to the catalog are:
CVE-2026-48282
Adobe ColdFusion Path Traversal Vulnerability
CVE-2026-48908
JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability
CVE-2026-55255
Langflow Authorization Bypass Through User-Controlled Key Vulnerability
CVE-2026-56290
Joomlack Page Builder Improper Access Control Vulnerability
In early July, attackers
started exploiting
CVE-2026-48282
, a maximum-severity vulnerability in Adobe ColdFusion.
organisation
Adobe ColdFusion
The flaws added to the catalog are:
CVE-2026-48282
Adobe ColdFusion Path Traversal Vulnerability
CVE-2026-48908
JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability
CVE-2026-55255
Langflow Authorization Bypass Through User-Controlled Key Vulnerability
CVE-2026-56290
Joomlack Page Builder Improper Access Control Vulnerability
In early July, attackers
started exploiting
CVE-2026-48282
, a maximum-severity vulnerability in Adobe ColdFusion.
A path traversal vulnerability in Adobe ColdFusion that could lead to arbitrary code execution in the context of the current user.
organisation
PHP
The second flaw added to the catalog, tracked as CVE-2026-48908, lets attackers upload a malicious PHP file and create a new administrator account on vulnerable sites running SP Page Builder.
An unrestricted upload of a file with a dangerous type vulnerability in JoomShaper SP Page Builder that allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.
organisation
CVE-2026
CVE-2026-48908
(CVSS score: 10.0) -
organisation
CVE-2026-48908
CVE-2026-48908, on the other hand, is said to have been exploited as a zero-day to upload a PHP file by means of an HTTP POST request to the "index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon" endpoint, followed by the appearance of a new Super User account, per
mySites.guru
.
organisation
Super User
CVE-2026-48908, on the other hand, is said to have been exploited as a zero-day to upload a PHP file by means of an HTTP POST request to the "index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon" endpoint, followed by the appearance of a new Super User account, per
mySites.guru
.
organisation
AWS
The cloud security company has described CVE-2026-55255 as a case of cross-tenant insecure direct object reference (IDOR), which the threat actor exploited to steal large language model (LLM) provider keys and AWS keys.
organisation
CVE-2026-56290
CVE-2026-56290
(CVSS score: 10.0) - An improper access control vulnerability in Joomlack Page Builder that could allow for remote code execution via unauthenticated arbitrary file upload.
infrastructure
10.0
CVE-2026-56290
(CVSS score: 10.0) - An improper access control vulnerability in Joomlack Page Builder that could allow for remote code execution via unauthenticated arbitrary file upload.
infrastructure
2025.9
It affects ColdFusion 2025.9, 2023.20, and earlier versions, allowing remote attackers to execute code on vulnerable servers.
infrastructure
2023.20
It affects ColdFusion 2025.9, 2023.20, and earlier versions, allowing remote attackers to execute code on vulnerable servers.
organisation
JoomShaper SP
An unrestricted upload of a file with a dangerous type vulnerability in JoomShaper SP Page Builder that allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.
Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its
Known Exploited Vulnerabilities (KEV) catalog
.
organisation
KeV
Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its
Known Exploited Vulnerabilities (KEV) catalog
.
organisation
Known Exploited
Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its
Known Exploited Vulnerabilities (KEV) catalog
.
organisation
CVE-2025-34291
"
The development makes it the latest Langflow flaw to be exploited by bad actors over the past year after
CVE-2025-3248
,
CVE-2026-0770, CVE-2026-33017, CVE-2026-21445, CVE-2025-34291, and CVE-2026-5027
.
organisation
CVE-2025
"
The development makes it the latest Langflow flaw to be exploited by bad actors over the past year after
CVE-2025-3248
,
CVE-2026-0770, CVE-2026-33017, CVE-2026-21445, CVE-2025-34291, and CVE-2026-5027
.
organisation
Adobe
Adobe warned that the vulnerability is easy to exploit and is likely to be exploited in attacks in the wild.
July 10, 2026
Threat actors used Adobe ColdFusion to target FCEB agencies, which then exploited vulnerabilities in Joomlack Page Builder and Langflow before being affected by flaws in JoomShaper SP Page Builder.
Click on any entity below to view its context and source!
attribution
FCEB
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are advised to apply the fixes by July 10, 2026, to safeguard their networks.
attribution
Federal Civilian Executive Branch
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are advised to apply the fixes by July 10, 2026, to safeguard their networks.
Tactical Metrics
Metrics
infrastructure
6.6.2
Software Version
Click for context!
Website owners should update to SP Page Builder 6.6.2+ and Page Builder CK 3.6.0+, and check for suspicious PHP files in upload and media folders.
Users of SP Page Builder are advised to update to version 6.6.2 or later.
Metrics
infrastructure
3.6.0
Software Version
Website owners should update to SP Page Builder 6.6.2+ and Page Builder CK 3.6.0+, and check for suspicious PHP files in upload and media folders.
The fix shipped on 27 June 2026 and the attackers were not far behind, so if you run PageBuilder CK below 3.6.0, treat this as urgent: update now, then check for compromise.
The issue has been addressed in Page Builder CK version 3.6.0.
Metrics
infrastructure
2025.9
Software Version
It affects ColdFusion 2025.9, 2023.20, and earlier versions, allowing remote attackers to execute code on vulnerable servers.
Metrics
infrastructure
2023.20
Software Version
It affects ColdFusion 2025.9, 2023.20, and earlier versions, allowing remote attackers to execute code on vulnerable servers.
Metrics
infrastructure
10.0
Software Version
CVE-2026-56290
(CVSS score: 10.0) - An improper access control vulnerability in Joomlack Page Builder that could allow for remote code execution via unauthenticated arbitrary file upload.
Intelligence Sources
The Hacker News
2026-07-08
Security Affairs
2026-07-08
Unpublish from Social Media?
Are you sure you want to delete this podcast video from all synchronized social networks (YouTube, Facebook, Threads)?
Important:
Due to Meta API restrictions, Instagram Reels cannot be deleted automatically via API by third-party apps.
View Profile to Delete Manually
View Profile to Delete Manually
Tactical Intelligence
Report Intelligence Issue
Podcast Options
Generate
Incident Version History
CURRENT VERSION
Last Updated: 2026-07-09T06:01
Comprehensive Tactical Telemetry
Highly Correlated Entities
24x
organisation
Identified Entity
IP
entity
12x
timeline
Temporal Reference
June 25, 2026
date
11x
attribution
Attributing Entity
JoomShaper SP
authority
10x
vulnerability
Exploited CVE
CVE-2026-48282
cve
6x
tactic
Cyber Operation Type
Botnet
tactic
5x
infrastructure
Software Version
6.6.2
version
2x
vulnerability
CVSS Score
10
score
2x
general metric
Cisa
1
cisa
Contextual Telemetry
Context Block
9 METRICS
source region
Origin Country
India
country
industry
Targeted Sector
Media
sector
general metric
Coldfusion
2,026
coldfusion
general metric
Cve-2026
55,255
cve-2026
general metric
Critical Langflow Vulnerability
10
critical langflow vulnerability
tactic
MITRE ATT&CK Technique
T1588.006 - Vulnerabilities
technique
target region
Target Country
India
country
general metric
Cvss Score
6
cvss score
general metric
Jul
8
jul
Click on any entity below to view its context in the main text!
Selective Unpublish
Selecciona las redes de las que quieres eliminar esta publicación. El sistema intentará borrar el post real de la API y limpiará la base de datos para que puedas volver a lanzarlo.
By navigating this website, you accept the use of strictly necessary technical cookies for session security and basic platform functionality. We do not use tracking or advertising cookies.
Read our Privacy Policy.