This month: 7 KEVs detected

CISA stopped reliably sending KEV alerts.
We didn't.

CyberComply monitors the CISA Known Exploited Vulnerabilities catalog 24/7 and alerts you the moment a new KEV drops — before the deadline clock starts ticking without you knowing.

CVE-2026-48939
iCagenda · iCagenda
iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability
Detected Jul 10 · 3-day patch deadline
CVE-2026-56291
Balbooa · Forms
Balbooa Forms Unrestricted Upload of File with Dangerous Type Vulnerability
Detected Jul 10 · 3-day patch deadline
CVE-2026-48282
Adobe · ColdFusion
Adobe ColdFusion Path Traversal Vulnerability
Detected Jul 7 · 3-day patch deadline

KEV Intelligence Brief: July 10, 2026

Prepared by: Cybersecurity Intelligence | Distribution: Federal Contractors, DevOps, SecOps Leadership Reporting Period: June 29 – July 10, 2026 | Classification: TLP:WHITE

Deadline Watch: Overdue and Expiring Patches Demand Immediate Action

Three patch deadlines have already passed as of today, and two more expire by Sunday. If your organization hasn't acted, you are out of compliance with BOD 26-04 and likely exposed to active exploitation.

CVE-2026-48558 (SimpleHelp) carried a July 2 deadline — now over a week overdue. The vulnerability resides in SimpleHelp's OIDC authentication flow, where submitted identity tokens are accepted without cryptographic signature verification. An unauthenticated remote attacker can forge a token with arbitrary identity claims to obtain a full technician session, and in some configurations bypass MFA entirely. SimpleHelp is a remote support platform widely deployed in managed service provider environments, making this a supply-chain pivot risk: a compromised technician session isn't just an endpoint problem — it's a master key to every system that technician touches. Organizations using SimpleHelp with OIDC enabled should treat any existing technician sessions initiated after the vulnerability window as potentially compromised, rotate credentials, and audit session logs immediately. Patching alone is insufficient without forensic triage per CISA's BOD 26-04 requirements.

CVE-2026-45659 (Microsoft SharePoint Server) had a July 4 deadline, also past. Deserialization of untrusted data enabling authenticated remote code execution on SharePoint is a high-signal entry — SharePoint's deep integration with Active Directory and enterprise document workflows means post-exploitation lateral movement can be rapid and high-impact. Note that "authenticated" here lowers the bar less than it appears: threat actors routinely chain credential-stuffing or phishing for initial access before exploiting deserialization. If your SharePoint instance is internet-facing and unpatched, assume the exposure window has been actively tested. Apply the Microsoft security update immediately and review SharePoint ULS logs for anomalous deserialization events.

CVE-2026-48282 (Adobe ColdFusion) and CVE-2026-48908 (JoomShaper SP Page Builder) both carried a July 10 deadline — today. ColdFusion's path traversal vulnerability enabling arbitrary code execution in the current user context follows a well-worn pattern for this platform; ColdFusion has historically been a high-priority target for nation-state and ransomware actors alike due to its backend data access. JoomShaper SP Page Builder's unauthenticated arbitrary file upload leading to PHP execution is equally severe and affects Joomla-based sites at scale. Both require same-day action. For internet-facing ColdFusion deployments where patching cannot occur immediately, isolate the server behind a WAF with strict file-type upload controls and restrict outbound network access to limit post-exploitation staging.

The CMS and Form-Builder Attack Surface: Unauthenticated RCE at Scale

Four of this week's KEV additions share a structurally identical attack pattern: unauthenticated or improperly controlled file upload leading to server-side code execution. This clustering is not coincidental — it reflects sustained adversary focus on the long tail of CMS plugins and page-builder components that organizations deploy and forget.

CVE-2026-56291 (Balbooa Forms) and CVE-2026-56290 (Joomlack Page Builder) were added July 7 with a July 10 deadline. Balbooa Forms allows unauthenticated upload of executable files enabling full RCE — no credentials required, no chaining necessary. Joomlack Page Builder's improper access control reaches the same outcome through a slightly different path. Both are Joomla ecosystem components, and their simultaneous KEV addition alongside JoomShaper SP Page Builder (CVE-2026-48908) signals that CISA and its reporting partners are seeing coordinated scanning or exploitation across the Joomla plugin landscape. Organizations running Joomla-based public-facing sites should treat all three entries as a single threat surface and audit every installed extension for update status today.

CVE-2026-48939 (iCagenda), added today with a July 13 deadline, rounds out this cluster. The file attachment feature allows PHP code upload and execution. While the three-day deadline provides minimal runway, the pattern here is consistent: attackers are targeting file-handling features in CMS components as reliable webshell delivery mechanisms. For any of these four products where vendor patches are not yet available or cannot be applied immediately, the operational response is clear — disable the affected upload or form features entirely, enforce server-side file type validation at the web server layer, and deploy file integrity monitoring on web roots to detect dropped shells.

AI Toolchain Exposure: Langflow Authorization Bypass

CVE-2026-55255 (Langflow) stands apart from the file-upload cluster but warrants equal urgency for organizations that have adopted AI workflow automation. Added July 7 with a July 10 deadline, this authorization bypass through a user-controlled key allows an authenticated attacker to execute any other user's flow simply by specifying the victim's flow ID in the request. In Langflow deployments where flows may interact with APIs, databases, internal tools, or LLM providers, this is effectively a privilege escalation and data exfiltration primitive wrapped in a logic flaw.

The risk calculus here is different from a webshell upload: the attacker already has a valid account, and the exploitation leaves minimal obvious indicators compared to file-based RCE. Security teams should audit Langflow access logs for cross-user flow execution patterns, enforce strict user segmentation, and evaluate whether any flows have credentials or API keys embedded in their configurations — those should be rotated immediately regardless of confirmed exploitation.

Compliance Posture Checklist

  • Overdue (patch now, initiate forensic triage): CVE-2026-48558, CVE-2026-45659
  • Deadline today, July 10: CVE-2026-48282, CVE-2026-48908, CVE-2026-55255, CVE-2026-56290, CVE-2026-56291
  • Deadline July 13: CVE-2026-48939
  • All entries fall under BOD 26-04 obligations for federal agencies and contractors. Assess internet exposure for each asset and document remediation or compensating control decisions.

Sources: CISA KEV Catalog · Adobe Security Bulletins · Microsoft Security Update Guide – SharePoint · CISA BOD 26-04 · SimpleHelp Security Advisories · Langflow GitHub Security Advisories

Free KEV Alerts

  • Real-time notification the moment a KEV drops
  • Vendor and product details
  • BOD 26-04 remediation deadline included

Pro Alerts Coming Soon

  • Real-time notification the moment a KEV drops
  • Filtered to your specific vendor watchlist
  • Urgency scoring (Critical / Urgent / Standard)
  • Direct patch links included

Stay ahead of CISA.

No spam. Unsubscribe anytime. We don't sell your data.


Upcoming Patch Due Dates

via Binding Operational Directive 26-04

BOD 26-04 is CISA's current vulnerability remediation directive for Federal Civilian Executive Branch (FCEB) agencies, updating the KEV-driven framework introduced under BOD 22-01 with a more risk-based approach to prioritization. While binding only on FCEB agencies, its framework increasingly influences contractor expectations through procurement requirements, FedRAMP programs, and agency security clauses.

Loading...

News Logo

Cyber Security News

You may have missed...


📌 Pinned

*

https:betanews.comMar 5

Inside a cyberattack: How hackers steal data

The truth about cybersecurity is that it's almost impossible to keep hackers outside of an organization, particularly as the cybercrime industry ...

https://www.govinfosecurity.comJul 10

European Patience With Cybersecurity Laggards Snaps - GovInfoSecurity

The European Commission is cracking down on Spain, France and other countries for failing to implement or abide by cybersecurity legislation.

https://www.govtech.comJul 10

North Carolina Makes Largest Cyber Investment in State History - GovTech

The $60 million allocation includes recurring funding to mature the state's cybersecurity program and one-time money for modernization and risk ...

https://www.darkreading.comJul 10

As Global Conflicts Go Digital, Businesses Need Wartime Gameplans - Dark Reading

And like other midsize businesses, the company wasn't likely to have any kind of exceptional cybersecurity defenses getting in Russia's way. The rest ...

https://www.darkreading.comJul 6

JadePuffer: First Successful Autonomous LLM-Driven Ransomware Attack

Researchers discover JadePuffer, the first documented autonomous ransomware operation executed by an LLM that exploited Langflow (CVE-2025-3248) to st...

https://thehackernews.comJul 7

Suspected China-Aligned Hackers Exploit Roundcube Flaws Against Universities

... Hacker News, adding the use of generic lures indicates a "larger ... The development marks the first time a Chinese hacking group has been ...

https://www.wired.comJul 8

What Happens if China Hacks the US Water Supply? I Went to a Secret War Game to Find Out

Evacuated hospitals. In a closed-door simulation, insurers played out their response to a mass disruption by China's Volt Typhoon hackers—and found a ...

https://www.securitymagazine.comJul 9

Accenture Confirms Breach After Hackers Claim Source Code Theft | Security Magazine

The company confirmed a data breach after a hacker claimed to have taken 35GB of data, including source code. “The claimed theft of source code ...

https://www.govinfosecurity.comJul 9

American Hackers-for-Hire Proposal Sparks Heavy Criticism

The United States could get its own hack-for-hire network of contractors deputized by the federal government to penetrate foreign adversaries ...


Updated daily