CISA adds 4 Adobe, Joomla, Langflow bugs to KEV
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The
What Happened
CISA added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog on Tuesday, citing evidence of active exploitation. The vulnerabilities affect Adobe ColdFusion (CVE-2026-48282), two Joomla CMS components, and the Langflow AI development platform. Federal agencies must patch by April 22, 2026 under Binding Operational Directive 22-01.
The new entries include a critical-severity ColdFusion remote code execution (RCE) bug, two Joomla flaws enabling privilege escalation and SQL injection, and a Langflow vulnerability that allows credential theft from environment variable leaks. All four CVEs have confirmed in-the-wild exploitation.
Why It Matters
These four flaws span widely deployed enterprise stacks - web content management (Joomla), application servers (ColdFusion), and AI/ML orchestration platforms (Langflow). The ColdFusion RCE is particularly dangerous: CVE-2026-48282 allows unauthenticated attackers to execute arbitrary code on exposed ColdFusion instances, which often sit in DMZs or serve as internal application gateways. Langflow’s vulnerability undermines trust in AI pipelines by leaking API keys and database credentials stored in environment variables.
Given the diversity of affected platforms, organizations running even one of these products face immediate exposure. The KEV listing confirms that threat actors have weaponized these bugs in active campaigns, raising the likelihood of mass scanning and automated exploitation attempts.
Technical Details
CVE-2026-48282: Critical RCE in Adobe ColdFusion (versions 2023 and 2021). Unauthenticated attackers can exploit improper input validation to execute arbitrary commands remotely. Proof-of-concept code has been publicly released, lowering the barrier for exploitation.
Joomla flaws (CVEs not public as of writing): Two vulnerabilities affecting Joomla 4.x and 5.x. One enables privilege escalation via improper access control in the user component; the other is SQL injection via unsanitized parameters in the custom fields module, potentially allowing database extraction.
Langflow flaw: An information disclosure vulnerability in Langflow versions prior to 1.0.15. Attackers can trigger error responses that expose environment variables containing API keys, cloud credentials, or database connection strings. This is particularly dangerous in containerized or CI/CD deployments where env vars often hold privileged secrets.
Immediate Risk
Risk level: CRITICAL for publicly exposed ColdFusion and Joomla instances - exploitation is confirmed and PoC code is available. Langflow instances on internal development networks face credential exfiltration risk if internet-accessible.
Organizations should assume compromise if any affected product version is exposed to the internet without automated patching. ColdFusion instances older than 2023 update 4 or 2021 update 16 must be patched immediately. Joomla users should update to the latest 4.4.x or 5.x maintenance release. Langflow must be upgraded to version 1.0.15 or later.
Security Insight
The simultaneous addition of these four diverse flaws to KEV illustrates a shift in attacker targeting: threat actors are now exploiting niche platforms like Langflow alongside legacy enterprise staples like ColdFusion. This pattern mirrors the 2023-2024 trend of attackers targeting Confluence and SharePoint for initial access, but now extended to AI/ML pipelines. Defensive teams should extend patch prioritization beyond traditional web servers and CRM platforms to include AI orchestration tools, which often have weaker security posture and fewer monitoring controls. Review any Langflow, Airflow, or MLflow instances for environment variable exposure immediately - they are now a favored entry point for supply chain credential theft.
Further Reading
Never miss a security update
Get real-time security alerts delivered to your preferred platform.
Related News
A suspected China-aligned threat activity cluster has been observed exploiting Roundcube webmail software belonging to physics and engineering departments of U.S. and Canadian universities as part of
Threat actors associated with the Anubis ransomware operation have been observed exploiting the Citrix Bleed 2 (CVE-2025-5777) vulnerability to obtain initial access. 'Although tactics differ between
CISA warned on Wednesday that attackers have begun exploiting a high-severity Microsoft SharePoint remote code execution vulnerability patched in May. [...]
An unknown threat actor has been observed exploiting a recently disclosed maximum-severity security flaw in SimpleHelp to deliver two previously unreported malware families, TaskWeaver and Djinn Steal