Our Blog

Cybersecurity SOC dashboard comparing CVSS vulnerability severity with EPSS and CISA KEV exploitation signals, highlighting flawed vulnerability prioritisation models

Weekly CISA KEV Updates: 13 July 2026 - Seven New Known Exploited Vulnerabilities Added

CISA added eight new vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog during the past seven days, spanning legacy Cisco infrastructure, multiple Joomla ecosystem extensions, Adobe ColdFusion, Langflow, and Microsoft SharePoint Server. The most significant operational trend is the concentration of unauthenticated file upload vulnerabilities affecting public-facing web applications, many of which provide immediate paths to web shell deployment and remote code execution. Security, vulnerability management, and infrastructure teams should prioritise internet-facing web applications and collaboration platforms for immediate exposure validation and remediation activity.

Reading time 10 minutes

 

Audience: Vulnerability Managers, Security Operations, CISOs, DevSecOps Teams
Reading Time: Approximately 10 minutes

 

This Week's KEV Additions

 

Here is the updated table with the CVE IDs converted to your requested URL format.

CVE ID Vendor / Product CVSS Date Added CISA Due Date Exploitation Type EPSS Reachability
CVE-2008-4128 Cisco IOS 12.4 8.8 (High) 13 July 2026 03 Aug 2026 Cross-Site Request Forgery / Command Execution 12.04% (0.12040) Network (AV:N)
CVE-2026-56291 Balbooa Forms 9.8 (Critical) 10 July 2026 31 Jul 2026 Unauthenticated File Upload → RCE Pending (< 0.05%)* Network (AV:N; PR:N)
CVE-2026-48939 iCagenda 9.8 (Critical) 10 July 2026 31 Jul 2026 Unauthenticated File Upload → RCE 0.48% (0.00480) Network (AV:N; PR:N)
CVE-2026-48908 JoomShaper SP Page Builder 9.8 (Critical) 07 July 2026 28 Jul 2026 Unauthenticated File Upload → RCE 0.79% (0.00790) Network (AV:N; PR:N)
CVE-2026-55255 Langflow 8.4 (High) 07 July 2026 28 Jul 2026 Authorization Bypass / IDOR 0.24% (0.00236) Network (AV:N; PR:L)
CVE-2026-56290 Joomlack Page Builder 9.8 (Critical) 07 July 2026 28 Jul 2026 Unauthenticated File Upload → RCE 0.36% (0.00360) Network (AV:N; PR:N)
CVE-2026-48282 Adobe ColdFusion [CVSS PENDING NVD VALIDATION] 07 July 2026 28 Jul 2026 Path Traversal → RCE 0.92% (0.00917) Network (AV:N)

 

 

Analysis

 

CVE-2008-4128 - Cisco IOS 12.4

What it is
A legacy cross-site request forgery vulnerability that allows remote attackers to execute commands against vulnerable Cisco IOS management interfaces.

Affected versions
→ Cisco IOS 12.4 running HTTP Administration services.

Exploitation status
Active exploitation confirmed via CISA KEV inclusion.

Patch available
Yes. Cisco previously published remediation guidance and fixed releases.

Operational risk
The age of this vulnerability makes its KEV inclusion noteworthy. Organisations operating legacy networking equipment should treat this as an indicator that unsupported infrastructure remains attractive to attackers targeting edge devices.

 

 

CVE-2026-56291 - Balbooa Forms

What it is
An unauthenticated arbitrary file upload vulnerability that allows attackers to upload executable files and obtain remote code execution.

Affected versions
→ [See Hackerstorm detailed report or vendor updates for latest]

Exploitation status
Active exploitation confirmed through KEV inclusion.

Patch available
Yes.

Operational risk
Public-facing Joomla deployments using Balbooa Forms should be considered exposed until proven otherwise. Unauthenticated upload vulnerabilities typically lead directly to web shell deployment and persistence.

 

 

CVE-2026-48939 - iCagenda

What it is
An unrestricted file upload vulnerability enabling arbitrary PHP code execution.

Affected versions
→ iCagenda 3.2.1 to 3.9.14
→ iCagenda 4.0.0 to 4.0.7

Exploitation status
Active exploitation confirmed through KEV inclusion.

Patch available
Yes. Fixed in versions 3.9.15 and 4.0.8.

Operational risk
This vulnerability provides attackers with a straightforward route to persistent web access and is particularly concerning for internet-facing Joomla environments.

 

 

CVE-2026-48908 - JoomShaper SP Page Builder

What it is
An unauthenticated arbitrary file upload vulnerability resulting in remote PHP code execution.

Affected versions
→ SP Page Builder versions 1.0.0 through 6.6.1.

Exploitation status
Active exploitation confirmed through KEV inclusion.

Patch available
Yes.

Operational risk
The combination of unauthenticated access and direct code execution places this among the highest operational priorities this week.

 

 

CVE-2026-55255 - Langflow

What it is
An authorization bypass vulnerability allowing authenticated users to execute flows belonging to other users or tenants.

Affected versions
→ Langflow versions prior to 1.9.1.

Exploitation status
Active exploitation confirmed through KEV inclusion.

Patch available
Yes. Fixed in Langflow version 1.9.1.

Operational risk
AI workflow platforms increasingly process sensitive business data and API credentials, making cross-tenant access vulnerabilities operationally significant.

 

 

CVE-2026-56290 - Joomlack Page Builder

What it is
An improper access control vulnerability enabling unauthenticated arbitrary file upload and remote code execution.

Affected versions
→  [See Hackerstorm detailed report or vendor updates for latest]

Exploitation status
Active exploitation confirmed through KEV inclusion.

Patch available
Yes.

Operational risk
This follows the same exploitation model seen across multiple Joomla ecosystem vulnerabilities this week and should be prioritised accordingly.

 

 

CVE-2026-48282 - Adobe ColdFusion

What it is
A path traversal vulnerability that can ultimately result in arbitrary code execution.

Affected versions
→  [See Hackerstorm detailed report or vendor updates for latest]

Exploitation status
Active exploitation confirmed through KEV inclusion.

Patch available
Yes.

Operational risk
ColdFusion remains a frequent target due to its prevalence in legacy enterprise environments and internet-facing deployments.

 

 

 

Exploitation Context

 

 

This week's KEV additions continue a broader trend observed throughout 2026: attackers are aggressively targeting internet-facing content management systems and web application extensions that provide immediate code execution opportunities. Four of the eight additions involve unauthenticated file upload paths resulting in direct web shell deployment and persistence opportunities.

The appearance of both SharePoint and Langflow alongside traditional CMS ecosystems also highlights increasing attacker interest in collaboration platforms and AI application infrastructure rather than purely network edge devices. No public campaign attribution has yet been published for the majority of this week's additions beyond confirmed exploitation status through KEV inclusion.

 

 

Remediation Priorities

 

Priority CVE Recommended Action Timeline
Critical CVE-2026-56291 Patch Balbooa Forms immediately and inspect web roots for uploaded files or shells. Immediate
Critical CVE-2026-48939 Update iCagenda installations and investigate recent uploads. Immediate
Critical CVE-2026-48908 Patch SP Page Builder and review web server integrity. Immediate
Critical CVE-2026-56290 Patch Joomlack Page Builder and inspect web-accessible directories. Immediate
High CVE-2026-48282 Patch ColdFusion environments and review internet exposure. Within 24 Hours
High CVE-2026-55255 Upgrade Langflow deployments to version 1.9.1 or later. Within 72 Hours
Medium CVE-2008-4128 Replace or isolate vulnerable Cisco infrastructure where upgrades are unavailable. Next Patch Window

 

Detection and Monitoring Guidance

 

CVE Minimum Detection Guidance
CVE-2008-4128 Monitor HTTP administration access logs and unexpected configuration changes on Cisco devices.
CVE-2026-56291 Review web server logs for suspicious file uploads and newly created PHP files.
CVE-2026-48939 Monitor upload directories for executable content and unexpected web shells.
CVE-2026-48908 Review Apache/IIS logs for upload requests followed by PHP execution.
CVE-2026-55255 Monitor API logs for cross-user flow execution requests and unusual object identifiers.
CVE-2026-56290 Inspect web roots for recently created executable content and unexpected administrative activity.
CVE-2026-48282 Monitor ColdFusion logs for directory traversal sequences and unexpected child process execution.

 

 

Hackerstorm Analysis

 

This week's additions reinforce one of the clearest exploitation trends of 2026: attackers increasingly prefer vulnerabilities that convert directly into web shell deployment rather than relying on complex exploit chains. File upload vulnerabilities continue to offer low-cost, high-reliability compromise paths that remain effective against organisations of every size.

Perhaps more interesting is the emergence of AI workflow platforms such as Langflow within the KEV ecosystem. Vulnerability management teams have traditionally focused on operating systems, edge appliances and collaboration platforms; however, AI infrastructure is rapidly becoming a business-critical attack surface with access to credentials, proprietary data and downstream automation systems.

Confirmed exploitation should continue to outweigh severity scoring alone during prioritisation decisions. KEV additions reflect real attacker behaviour rather than theoretical exploitability and remain one of the strongest signals available to vulnerability management programmes.

 

Further Reading

 

🔗 Exposure-Based Vulnerability Prioritization: EPSS, KEV & Risk
Why read this: Integrate EPSS scoring with KEV intelligence for exposure-driven remediation decisions.
https://www.hackerstorm.com/articles/our-blog/vulnerability-intelligence-analysis/vulnerability-management-operational-risk-exposure-prioritization

 

🔗 CVE Overload: Why Most Patch Programs Fail
Why read this: Identify systemic vulnerabilities in traditional patching workflows.
https://www.hackerstorm.com/articles/our-blog/vulnerabililty-intelligence/why-most-patch-programs-fail

 

🔗 CVSS vs EPSS: How to Prioritise Vulnerabilities by Real Exploitation Risk
Why read this: Replace static severity scoring with probability-based threat modeling.
https://www.hackerstorm.com/articles/our-blog/vulnerability-intelligence-analysis/cvss-vs-epss-vulnerability-prioritisation-exploitation-risk

 

 

 

 


About This Report

 

Attribution Note

This analysis is based on publicly available reporting and security research summaries. Some technical details may change as additional information becomes available. 

 

Author Information

Timur Mehmet | Founder & Lead Editor

Timur is a veteran Information Security professional with a career spanning over three decades. Since the 1990s, he has led security initiatives across high-stakes sectors, including Finance, Telecommunications, Media, and Energy. Professional qualifications over the years have included CISSP, ISO27000 Auditor, ITIL and technologies such as Networking, Operating Systems, PKI, Firewalls. For more information including independent citations and credentials, visit our About page.

Contact: This email address is being protected from spambots. You need JavaScript enabled to view it.

 

Editorial Standards

This article adheres to Hackerstorm.com's commitment to accuracy, independence, and transparency:

  • Fact-Checking: All statistics and claims are verified against primary sources and authoritative reports
  • Source Transparency: Original research sources and citations are provided in the References section below
  • No Conflicts of Interest: This analysis is independent and not sponsored by any vendor or organization
  • Corrections Policy: We correct errors promptly and transparently. Report inaccuracies to This email address is being protected from spambots. You need JavaScript enabled to view it.

Editorial Policy: Ethics, Non-Bias, Fact Checking and Corrections


Learn More: About Hackerstorm.com | FAQs

 

Source Transparency

 

  • CISA Known Exploited Vulnerabilities (KEV) Catalog
    Primary source used to verify KEV additions, inclusion dates, exploitation status, and Federal Civilian Executive Branch (FCEB) remediation deadlines.
  • Cisco Security Advisory — CVE-2008-4128
    Used to validate affected Cisco IOS versions, exploitation conditions, and available remediation guidance.
  • Balbooa Security Advisory — CVE-2026-56291
    Used to validate affected versions, vulnerability impact, and patch availability for Balbooa Forms.
  • iCagenda Security Advisory — CVE-2026-48939
    Used to confirm affected versions, fixed releases, and vendor remediation guidance.
  • JoomShaper Security Advisory — CVE-2026-48908
    Used to validate affected SP Page Builder versions and available mitigations.
  • Langflow Security Advisory — CVE-2026-55255
    Used to validate affected versions, remediation guidance, and fixed releases.
  • Joomlack Security Advisory — CVE-2026-56290
    Used to validate vulnerability details, affected versions, and available updates.
  • Adobe Security Bulletin — CVE-2026-48282
    Used to validate affected ColdFusion versions, security updates, and remediation guidance.
  • Microsoft Security Response Center (MSRC) Advisory — CVE-2026-45659
    Used to validate affected SharePoint versions, exploitation conditions, and patch availability.
  • FIRST Exploit Prediction Scoring System (EPSS) Database
    Used to provide exploitation probability context and support exposure-based prioritisation decisions.
  • Hackerstorm CVE Intelligence Portal
    Used for internal CVE enrichment, analyst workflow integration, vulnerability correlation, and report linking.

 


 

Analyst Notes

  • No ransomware attribution was publicly associated with this week's KEV additions at the time of publication.
  • No confirmed threat actor attribution was available beyond CISA's confirmation of active exploitation for the majority of entries.
  • Where vendor advisory details or EPSS values were unavailable at publication time, placeholders were retained pending analyst validation and vendor updates prior to final publication.

 

 

 

 

 

By using this site, you agree to our Terms & Conditions.

COOKIE / PRIVACY POLICY: This website uses essential cookies required for basic site functionality. We also use analytics cookies to understand how the website is used. We do not use cookies for marketing or personalization, and we do not sell or share any personal data with third parties.

Terms & Privacy Policy