🚨 CRITICAL ALERT: Active Zero-Day Exploits

Three unauthenticated remote code execution (RCE) vulnerabilities and one insecure direct object reference (IDOR) flaw with CVSS scores from 8.4 to 10.0 are actively exploited in the wild, enabling arbitrary file uploads, PHP code execution, and unauthorized flow access across SP Page Builder, Page Builder CK, Langflow, and ColdFusion. All four vulnerabilities are listed on CISA KEV with exploitation dates of July 7, 2026, and require immediate patching to prevent full system compromise.

Critical Vulnerabilities (CVSS ≥ 8.0)

  • CVE-2026-48908 (CVSS: 9.8)

    Unauthenticated arbitrary file upload in SP Page Builder for Joomla (versions 1.0.0–6.6.1) allows attackers to upload and execute PHP code directly in the web root, resulting in full RCE. No authentication, configuration, or user interaction is required. Actively exploited in the wild with CVSS 4.0 score of 10.0. Root cause: missing authentication and file-type validation on `asset.uploadCustomIcon` controller (CWE-284).

    View NVD | CISA KEV

  • CVE-2026-56290 (CVSS: 9.8)

    Unauthenticated arbitrary file upload in Joomla extension Page Builder CK enables attackers to upload executable files leading to full remote code execution. Vulnerability affects default configurations with no authentication required, allowing direct PHP code execution on the server.

    View NVD | CISA KEV

  • CVE-2026-48282 (CVSS: 10.0)

    Path traversal vulnerability in ColdFusion versions 2025.9, 2023.20, and earlier allows arbitrary code execution in the context of the current user without any user interaction. Scope is changed, enabling attackers to bypass directory restrictions and execute malicious code directly. This is the highest possible severity level for any security flaw.

    View NVD | CISA KEV

  • CVE-2026-55255 (CVSS: 8.4)

    Insecure Direct Object Reference (IDOR) vulnerability in Langflow prior to 1.9.1 at `/api/v1/responses` endpoint allows authenticated attackers to execute any flow belonging to another user by specifying the victim’s flow ID. Fixed in version 1.9.1, enabling unauthorized cross-user flow execution.

    View NVD | CISA KEV

âš¡ Immediate Actions Required

1. Patch Immediately: Upgrade SP Page Builder to version 6.6.2 or later (released June 14, 2026), which gates the `uploadCustomIcon` controller behind authenticated sessions and enforces anti-CSRF tokens. Apply Langflow update to 1.9.1 to fix IDOR vulnerability. Update ColdFusion to the latest version addressing path traversal flaw.

2. If Upgrade Not Possible: Deploy RsFirewall 3.3.7 for SP Page Builder protection, which includes a protective rule mitigating exploitation. Use Joomla Firewall component to scan sites deeply for rogue files.

3. Post-Exploitation Mitigation: Clear `/tmp` and `/cache` folders (keep only index.html), check `/images/` and `/media/` for unauthorized .php files and delete them immediately, reinstall Joomla core files, remove non-user-created admin accounts, change all passwords (Joomla users, database user), and lock attacker IPs after reviewing server logs.

4. Verification: Check for `.php.gif` or `.php.jpg` files, clear cache and tmp folders, verify no rogue users exist (especially power users), and restore sites to configurations from 2–3 weeks prior if compromised.