CISA Warns of Active Exploitation in Adobe ColdFusion and Joomla Page Builders
- CVE ID
- CVE-2026-48282, CVE-2026-56290, CVE-2026-48908
- CVSS Score
- N/A
- Affected Products
- Adobe ColdFusion, Joomlack Page Builder, JoomShaper SP Page Builder
Overview
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive for federal agencies to urgently patch three critical vulnerabilities that have been added to its Known Exploited Vulnerabilities (KEV) Catalog. These flaws affect Adobe ColdFusion, Joomlack Page Builder, and JoomShaper SP Page Builder, and all are currently under active exploitation by malicious actors. The rapid weaponization of these vulnerabilities highlights a persistent threat where attackers quickly leverage newly disclosed flaws to compromise vulnerable systems globally. Organizations, particularly those with internet-facing instances of these products, are at severe risk if they do not apply the recommended patches immediately.
Technical Details
The three critical vulnerabilities include:
-
CVE-2026-48282 (Adobe ColdFusion Path Traversal Vulnerability): This flaw in Adobe ColdFusion, affecting versions 2025.9, 2023.20, and earlier, is a maximum-severity path traversal vulnerability with a CVSS score of 10.0. It allows unauthenticated remote attackers to execute arbitrary code on affected systems with low attack complexity. Attackers can manipulate file paths to access or execute files outside of their intended directory, leading to full system compromise. Adobe released security updates to address this issue, but exploitation was observed within hours of public disclosure.
-
CVE-2026-56290 (Joomlack Page Builder Improper Access Control Vulnerability): Rated with a CVSS score of 10.0, this critical vulnerability resides in the Joomlack Page Builder extension for Joomla. It permits unauthenticated arbitrary file uploads, enabling remote code execution. This means an attacker can upload malicious executable files, such as web shells, to a vulnerable server without needing any authentication. Once uploaded, the web shell grants the attacker persistent access and control over the compromised website and potentially the underlying server.
-
CVE-2026-48908 (JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability): Another Joomla extension, JoomShaper SP Page Builder, is affected by this critical vulnerability (CVSS score 10.0). Similar to the Joomlack flaw, this allows unauthenticated users to upload arbitrary files, including dangerous types like PHP code. Exploitation of this vulnerability has been observed as a zero-day, where attackers uploaded a PHP file via an HTTP POST request to a specific endpoint, subsequently creating a new Super User account on compromised sites.
Real-World Impact
The active exploitation of these vulnerabilities poses severe risks. For organizations running vulnerable versions of Adobe ColdFusion, attackers can gain full control over the application and the server it runs on, leading to data theft, system defacement, or further network intrusion. Similarly, successful exploitation of the Joomla Page Builder flaws allows attackers to inject web shells, which can be used for persistent access, data manipulation, or as a launchpad for attacks against other systems within the network. The creation of Super User accounts, as seen with JoomShaper SP Page Builder, grants attackers complete administrative control, effectively handing over the keys to the entire website and potentially other integrated systems. The speed with which these vulnerabilities were exploited after public disclosure underscores the critical window organizations have to patch before becoming a victim.
Threat Landscape
The current threat landscape is characterized by increasingly aggressive and automated exploitation of known vulnerabilities. Threat actors, ranging from individual opportunists to sophisticated state-backed groups, continuously scan the internet for unpatched systems. Vulnerabilities in widely used platforms like Adobe ColdFusion and popular content management system extensions like those for Joomla are prime targets due to their broad adoption. The fact that CVE-2026-48282 was exploited within hours of its disclosure demonstrates the current “race to patch” scenario, where defenders must act faster than attackers. The availability of exploit code or proof-of-concept (PoC) examples often accelerates this process, putting any unpatched system at immediate and severe risk. These types of flaws are frequently integrated into automated attack toolkits, leading to widespread compromise attempts.
Remediation
Organizations are strongly urged to take immediate action to mitigate these critical vulnerabilities:
-
Apply Patches Immediately:
- Adobe ColdFusion: Update to ColdFusion versions 2025 Update 10, 2023 Update 21, or later.
- Joomlack Page Builder: Update the extension to the latest available secure version. If an update is not immediately feasible, consider temporarily disabling or removing the extension until a patch can be applied.
- JoomShaper SP Page Builder: Update to version 6.6.2 or later.
-
Vulnerability Scanning and Asset Management: Conduct thorough vulnerability scans to identify all instances of affected products within your environment. Prioritize internet-facing systems for immediate patching. Maintain an accurate inventory of all software assets to ensure comprehensive coverage during security updates.
-
Monitor for Exploitation: Review logs for any indicators of compromise (IoCs) related to these CVEs, particularly for unexpected file uploads, new user accounts, or suspicious processes. Look for stray PHP files in unexpected directories like
/media/com_pagebuilderck/,/images,/media,/templates, and/administratorfor the Joomla vulnerabilities. -
Network Segmentation and Least Privilege: Implement network segmentation to limit the blast radius of any potential compromise. Ensure that user accounts and service accounts operate with the principle of least privilege, reducing the impact if credentials are stolen or systems are compromised.
-
Web Application Firewall (WAF): Deploy and properly configure a WAF to help detect and block exploitation attempts against these and similar vulnerabilities. Regular rule updates are crucial to maintain effectiveness against evolving threats.
CISA requires federal agencies to patch these vulnerabilities by July 10, 2026, as per Binding Operational Directive (BOD) 26-04. All organizations, regardless of sector, should adhere to this directive’s spirit and prioritize rapid remediation to protect their networks from active threats.
Related content
JoomShaper SP Page Builder RCE: Critical Unauthenticated File Upload Actively Exploited
AdvisoryCritical Joomlack Page Builder RCE via Improper Access Control
AdvisoryCritical Adobe ColdFusion Vulnerability (CVE-2026-48282) Actively Exploited In The Wild
AdvisoryCRITICAL ADOBE COLDFUSION RCE (CVE-2026-48282) ACTIVELY EXPLOITED
Found something similar in your stack?
Let's find out before it becomes an incident.
Book an advisory call