CISA KEV puts Adobe, Joomla and Langflow flaws on an urgent patch list
CISA's KEV catalog lists exploited Adobe ColdFusion, Joomla page-builder and Langflow vulnerabilities with near-term remediation deadlines, making this a same-day patch triage item for exposed systems.
Confirmed: CISA's Known Exploited Vulnerabilities catalog lists active-exploitation entries for Adobe ColdFusion, JoomShaper SP Page Builder, Joomlack Page Builder and Langflow with July 10, 2026 remediation deadlines. This is an operational patch-triage item, especially for internet-exposed CMS, AI workflow and developer infrastructure.

What changed
CISA's KEV catalog added several exploited vulnerabilities around July 7 and July 10. The July 7 entries include Adobe ColdFusion CVE-2026-48282, JoomShaper SP Page Builder CVE-2026-48908, Joomlack Page Builder CVE-2026-56290 and Langflow CVE-2026-55255, all with a July 10 due date in the catalog.
The catalog also shows newer July 10 entries for Balbooa Forms CVE-2026-56291 and iCagenda CVE-2026-48939 with July 13 due dates. Those newer entries are included here as watchlist context, while the independently corroborated cluster is the Adobe, Joomla and Langflow group.
Key takeaways
- CISA KEV means CISA has evidence of active exploitation, not just theoretical severity.
- Adobe ColdFusion, Joomla page-builder extensions and Langflow should be checked immediately if exposed.
- The July 7 group has a July 10, 2026 remediation due date in the official catalog.
- The Langflow entry matters for AI orchestration environments because flows can contain credentials and connected service access.
- Patch teams should verify asset exposure before assuming a plugin or workflow system is out of scope.
Availability and access
The primary source is the public CISA KEV CSV dataset. It lists vendor, product, CVE, short description, required action, due date, ransomware-use status and notes.
The required action is not a single universal patch command. CISA tells organizations to apply vendor mitigations, follow BOD 26-04 risk-prioritized patching guidance where applicable, follow forensics triage requirements and discontinue use if mitigations are unavailable.
| CVE | Product | Catalog date | Due date | Practical check |
|---|---|---|---|---|
| CVE-2026-48282 | Adobe ColdFusion | July 7, 2026 | July 10, 2026 | patch or mitigate exposed ColdFusion servers |
| CVE-2026-48908 | JoomShaper SP Page Builder | July 7, 2026 | July 10, 2026 | update and inspect for unexpected uploaded files |
| CVE-2026-56290 | Joomlack Page Builder | July 7, 2026 | July 10, 2026 | patch and inspect upload paths |
| CVE-2026-55255 | Langflow | July 7, 2026 | July 10, 2026 | check flow access, credentials and exposed instances |
Practical LinkLoot angle
This belongs in the same triage lane as exposed admin panels, plugins and AI workflow tools. The highest-value move is not reading another summary; it is matching the CVEs against inventory, confirming internet exposure and documenting whether the vendor fix or mitigation is in place.
For teams experimenting with AI workflow systems, Langflow is the reminder that orchestration tools can hold valuable credentials. If your team uses AI agents or workflow automation, pair patching with key rotation and tighter runtime access. LinkLoot's AI agent guide is a useful adjacent checklist: /guides/ai-agent-tools.
What to verify before you act
- Search inventory for ColdFusion, SP Page Builder, Page Builder CK and Langflow before deciding the issue is irrelevant.
- Confirm version numbers against vendor advisories linked from the CISA KEV notes.
- Check web roots and upload directories for unexpected PHP or executable files on affected CMS systems.
- Review Langflow flow permissions, stored provider keys and outbound execution paths.
- Document remediation timing, because the KEV due dates are short.
Source check
Confirmed by:
- CISA's KEV CSV, which lists the CVEs, affected products, dates added, due dates and required action text.
- The Hacker News, which independently reports the July 7 Adobe, Joomla and Langflow KEV cluster and summarizes exploitation context.
Early signal / context:
- The official alert page was not used as the primary source in this run because the local fetcher received an access-denied response. The public CISA KEV CSV provided the official, machine-readable confirmation.
It means CISA has evidence that the vulnerability is being actively exploited.
