CISA added eight new vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog during the past seven days, spanning legacy Cisco infrastructure, multiple Joomla ecosystem extensions, Adobe ColdFusion, Langflow, and Microsoft SharePoint Server. The most significant operational trend is the concentration of unauthenticated file upload vulnerabilities affecting public-facing web applications, many of which provide immediate paths to web shell deployment and remote code execution. Security, vulnerability management, and infrastructure teams should prioritise internet-facing web applications and collaboration platforms for immediate exposure validation and remediation activity.
Reading time 10 minutes
Audience: Vulnerability Managers, Security Operations, CISOs, DevSecOps Teams
Reading Time: Approximately 10 minutes
Here is the updated table with the CVE IDs converted to your requested URL format.
| CVE ID | Vendor / Product | CVSS | Date Added | CISA Due Date | Exploitation Type | EPSS | Reachability |
| CVE-2008-4128 | Cisco IOS 12.4 | 8.8 (High) | 13 July 2026 | 03 Aug 2026 | Cross-Site Request Forgery / Command Execution | 12.04% (0.12040) | Network (AV:N) |
| CVE-2026-56291 | Balbooa Forms | 9.8 (Critical) | 10 July 2026 | 31 Jul 2026 | Unauthenticated File Upload → RCE | Pending (< 0.05%)* | Network (AV:N; PR:N) |
| CVE-2026-48939 | iCagenda | 9.8 (Critical) | 10 July 2026 | 31 Jul 2026 | Unauthenticated File Upload → RCE | 0.48% (0.00480) | Network (AV:N; PR:N) |
| CVE-2026-48908 | JoomShaper SP Page Builder | 9.8 (Critical) | 07 July 2026 | 28 Jul 2026 | Unauthenticated File Upload → RCE | 0.79% (0.00790) | Network (AV:N; PR:N) |
| CVE-2026-55255 | Langflow | 8.4 (High) | 07 July 2026 | 28 Jul 2026 | Authorization Bypass / IDOR | 0.24% (0.00236) | Network (AV:N; PR:L) |
| CVE-2026-56290 | Joomlack Page Builder | 9.8 (Critical) | 07 July 2026 | 28 Jul 2026 | Unauthenticated File Upload → RCE | 0.36% (0.00360) | Network (AV:N; PR:N) |
| CVE-2026-48282 | Adobe ColdFusion | [CVSS PENDING NVD VALIDATION] | 07 July 2026 | 28 Jul 2026 | Path Traversal → RCE | 0.92% (0.00917) | Network (AV:N) |
What it is
A legacy cross-site request forgery vulnerability that allows remote attackers to execute commands against vulnerable Cisco IOS management interfaces.
Affected versions
→ Cisco IOS 12.4 running HTTP Administration services.
Exploitation status
Active exploitation confirmed via CISA KEV inclusion.
Patch available
Yes. Cisco previously published remediation guidance and fixed releases.
Operational risk
The age of this vulnerability makes its KEV inclusion noteworthy. Organisations operating legacy networking equipment should treat this as an indicator that unsupported infrastructure remains attractive to attackers targeting edge devices.
What it is
An unauthenticated arbitrary file upload vulnerability that allows attackers to upload executable files and obtain remote code execution.
Affected versions
→ [See Hackerstorm detailed report or vendor updates for latest]
Exploitation status
Active exploitation confirmed through KEV inclusion.
Patch available
Yes.
Operational risk
Public-facing Joomla deployments using Balbooa Forms should be considered exposed until proven otherwise. Unauthenticated upload vulnerabilities typically lead directly to web shell deployment and persistence.
What it is
An unrestricted file upload vulnerability enabling arbitrary PHP code execution.
Affected versions
→ iCagenda 3.2.1 to 3.9.14
→ iCagenda 4.0.0 to 4.0.7
Exploitation status
Active exploitation confirmed through KEV inclusion.
Patch available
Yes. Fixed in versions 3.9.15 and 4.0.8.
Operational risk
This vulnerability provides attackers with a straightforward route to persistent web access and is particularly concerning for internet-facing Joomla environments.
What it is
An unauthenticated arbitrary file upload vulnerability resulting in remote PHP code execution.
Affected versions
→ SP Page Builder versions 1.0.0 through 6.6.1.
Exploitation status
Active exploitation confirmed through KEV inclusion.
Patch available
Yes.
Operational risk
The combination of unauthenticated access and direct code execution places this among the highest operational priorities this week.
What it is
An authorization bypass vulnerability allowing authenticated users to execute flows belonging to other users or tenants.
Affected versions
→ Langflow versions prior to 1.9.1.
Exploitation status
Active exploitation confirmed through KEV inclusion.
Patch available
Yes. Fixed in Langflow version 1.9.1.
Operational risk
AI workflow platforms increasingly process sensitive business data and API credentials, making cross-tenant access vulnerabilities operationally significant.
What it is
An improper access control vulnerability enabling unauthenticated arbitrary file upload and remote code execution.
Affected versions
→ [See Hackerstorm detailed report or vendor updates for latest]
Exploitation status
Active exploitation confirmed through KEV inclusion.
Patch available
Yes.
Operational risk
This follows the same exploitation model seen across multiple Joomla ecosystem vulnerabilities this week and should be prioritised accordingly.
What it is
A path traversal vulnerability that can ultimately result in arbitrary code execution.
Affected versions
→ [See Hackerstorm detailed report or vendor updates for latest]
Exploitation status
Active exploitation confirmed through KEV inclusion.
Patch available
Yes.
Operational risk
ColdFusion remains a frequent target due to its prevalence in legacy enterprise environments and internet-facing deployments.
This week's KEV additions continue a broader trend observed throughout 2026: attackers are aggressively targeting internet-facing content management systems and web application extensions that provide immediate code execution opportunities. Four of the eight additions involve unauthenticated file upload paths resulting in direct web shell deployment and persistence opportunities.
The appearance of both SharePoint and Langflow alongside traditional CMS ecosystems also highlights increasing attacker interest in collaboration platforms and AI application infrastructure rather than purely network edge devices. No public campaign attribution has yet been published for the majority of this week's additions beyond confirmed exploitation status through KEV inclusion.
| Priority | CVE | Recommended Action | Timeline |
| Critical | CVE-2026-56291 | Patch Balbooa Forms immediately and inspect web roots for uploaded files or shells. | Immediate |
| Critical | CVE-2026-48939 | Update iCagenda installations and investigate recent uploads. | Immediate |
| Critical | CVE-2026-48908 | Patch SP Page Builder and review web server integrity. | Immediate |
| Critical | CVE-2026-56290 | Patch Joomlack Page Builder and inspect web-accessible directories. | Immediate |
| High | CVE-2026-48282 | Patch ColdFusion environments and review internet exposure. | Within 24 Hours |
| High | CVE-2026-55255 | Upgrade Langflow deployments to version 1.9.1 or later. | Within 72 Hours |
| Medium | CVE-2008-4128 | Replace or isolate vulnerable Cisco infrastructure where upgrades are unavailable. | Next Patch Window |
| CVE | Minimum Detection Guidance |
| CVE-2008-4128 | Monitor HTTP administration access logs and unexpected configuration changes on Cisco devices. |
| CVE-2026-56291 | Review web server logs for suspicious file uploads and newly created PHP files. |
| CVE-2026-48939 | Monitor upload directories for executable content and unexpected web shells. |
| CVE-2026-48908 | Review Apache/IIS logs for upload requests followed by PHP execution. |
| CVE-2026-55255 | Monitor API logs for cross-user flow execution requests and unusual object identifiers. |
| CVE-2026-56290 | Inspect web roots for recently created executable content and unexpected administrative activity. |
| CVE-2026-48282 | Monitor ColdFusion logs for directory traversal sequences and unexpected child process execution. |
This week's additions reinforce one of the clearest exploitation trends of 2026: attackers increasingly prefer vulnerabilities that convert directly into web shell deployment rather than relying on complex exploit chains. File upload vulnerabilities continue to offer low-cost, high-reliability compromise paths that remain effective against organisations of every size.
Perhaps more interesting is the emergence of AI workflow platforms such as Langflow within the KEV ecosystem. Vulnerability management teams have traditionally focused on operating systems, edge appliances and collaboration platforms; however, AI infrastructure is rapidly becoming a business-critical attack surface with access to credentials, proprietary data and downstream automation systems.
Confirmed exploitation should continue to outweigh severity scoring alone during prioritisation decisions. KEV additions reflect real attacker behaviour rather than theoretical exploitability and remain one of the strongest signals available to vulnerability management programmes.
🔗 Exposure-Based Vulnerability Prioritization: EPSS, KEV & Risk
Why read this: Integrate EPSS scoring with KEV intelligence for exposure-driven remediation decisions.
https://www.hackerstorm.com/articles/our-blog/vulnerability-intelligence-analysis/vulnerability-management-operational-risk-exposure-prioritization
🔗 CVE Overload: Why Most Patch Programs Fail
Why read this: Identify systemic vulnerabilities in traditional patching workflows.
https://www.hackerstorm.com/articles/our-blog/vulnerabililty-intelligence/why-most-patch-programs-fail
🔗 CVSS vs EPSS: How to Prioritise Vulnerabilities by Real Exploitation Risk
Why read this: Replace static severity scoring with probability-based threat modeling.
https://www.hackerstorm.com/articles/our-blog/vulnerability-intelligence-analysis/cvss-vs-epss-vulnerability-prioritisation-exploitation-risk
This analysis is based on publicly available reporting and security research summaries. Some technical details may change as additional information becomes available.
Timur Mehmet | Founder & Lead Editor
Timur is a veteran Information Security professional with a career spanning over three decades. Since the 1990s, he has led security initiatives across high-stakes sectors, including Finance, Telecommunications, Media, and Energy. Professional qualifications over the years have included CISSP, ISO27000 Auditor, ITIL and technologies such as Networking, Operating Systems, PKI, Firewalls. For more information including independent citations and credentials, visit our About page.
Contact:
This article adheres to Hackerstorm.com's commitment to accuracy, independence, and transparency:
Editorial Policy: Ethics, Non-Bias, Fact Checking and Corrections
Learn More: About Hackerstorm.com | FAQs
COOKIE / PRIVACY POLICY: This website uses essential cookies required for basic site functionality. We also use analytics cookies to understand how the website is used. We do not use cookies for marketing or personalization, and we do not sell or share any personal data with third parties.