CISA Warns About 4 New Adobe Flaws Under Active Attack

CISA Warns About 4 New Adobe Flaws Under Active Attack

The U.S. Cybersecurity and Infrastructure Security Agency has added four security vulnerabilities to its Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. These flaws span multiple platforms and demonstrate how quickly attackers move to weaponize newly disclosed vulnerabilities, with one flaw being exploited within hours of public disclosure by an attacker traced to an Indian IP address.

Two of the vulnerabilities affect popular content management systems. CVE-2026-48908 in Joomla's SP Page Builder was exploited as a zero-day to upload malicious PHP files and create unauthorized Super User accounts, while CVE-2026-56290 in Page Builder CK was used to drop web shells on WordPress and Joomla sites starting in late June 2026. The latter vulnerability is particularly dangerous because it allows attackers to place malicious files anywhere on the system, not just in typical upload directories, making detection more challenging.

The most significant threat involves CVE-2026-55255 and CVE-2026-33017, which target Langflow, an AI orchestration platform. A single attacker combined these flaws in a coordinated campaign between June 22 and 25, 2026, using an insecure direct object reference vulnerability to steal API keys and cloud credentials from multiple tenants, followed by remote code execution to deploy malware. Security researchers believe the operation was financially motivated, likely involving botnet or cryptojacking payloads, and represents a growing pattern of attacks against AI platforms that store numerous sensitive credentials.

This incident highlights the escalating threat to AI infrastructure, with Langflow alone suffering from at least seven exploited vulnerabilities over the past year. Security researchers recently documented the first known case of agentic ransomware, where attackers deployed an automated agent through a Langflow vulnerability to run an entire extortion campaign autonomously. Federal agencies have been given until July 10, 2026, to apply patches for these actively exploited flaws, underscoring the urgent need for organizations to secure AI systems and maintain aggressive patch management practices.

Stay secure — stay Wavasec. 🔐