- Product: joomshaper.net SP Page Builder extension for Joomla, JoomlaCK.fr Page Builder CK extension for Joomla +2
- Vulnerabilities: 4 flaws (CVE-2026-48908, CVE-2026-56290, CVE-2026-55255, CVE-2026-48282)
- Highest severity: 10 (Critical · CVSSv4)
- Worst impact: Remote Code Execution
- Status: 4 exploited; patches available
- Action: Update to 1.9.1 now
| CVE | CVSS | Type | Status |
|---|---|---|---|
| CVE-2026-48908 | 10 | Joomla Extension - joomshaper.com - Remote Code Execution in SP Pagebuilder extension for Joomla < 6.6.2 | Exploited |
| CVE-2026-56290 | 10 | Joomla Extension - - Unauthenticated file upload in Page Builder CK extension < 3.6.0 | Exploited |
| CVE-2026-48282 | 10.0 | CWE-22 | Exploited |
| CVE-2026-55255 | 8.4 | CWE-639 | Exploited |
TL;DR
The CISA KEV Catalog just gained four actively exploited flaws. Three of them carry a top CVSS score of 10. Federal agencies must patch all four by July 10, 2026.
Why it matters
CISA adds bugs to this list only when attackers already abuse them. Because these flaws are actively exploited, the risk is immediate. Three of the four grant full remote code execution. As a result, exposed servers face takeover with little effort. Also, most of the flaws need no login at all. This KEV Catalog update spans Joomla, an AI tool, and an app server. Still, private teams should treat the July 10 deadline as their own.
The four flaws
Joomla page builders
First, two Joomla page builders stand out at CVSS 10. CVE-2026-48908 hits JoomShaper SP Page Builder. It lets unauthenticated users upload files and run PHP code. Next, CVE-2026-56290 affects Page Builder CK from Joomlack. It also allows an unauthenticated upload that ends in full RCE.
Langflow and Adobe ColdFusion
CVE-2026-55255 is a Langflow access-control bug rated CVSS 8.1. There, an authenticated user can run another user’s flow by its ID. Meanwhile, CVE-2026-48282 is a max-severity ColdFusion path traversal flaw. Researchers saw attacks within hours of its public disclosure. Since exploitation started fast, defenders had almost no runway. In fact, KEVIntel logged honeypot hits within two hours of release.
Affected versions
ColdFusion 2025.9, 2023.20, and earlier all contain the flaw. Also, Langflow builds before 1.9.1 carry the access-control bug. Both Joomla page builders stay open in their vulnerable releases.
Patch and mitigation
Update each product without delay. First, Langflow users should move to 1.9.1 or later. Then, ColdFusion admins should apply Adobe’s newest security update. Its fixes ship in 2023 Update 21 and 2025 Update 10. Joomla owners should patch or remove the affected page builders.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.