This month: 8 KEVs detected

CISA stopped reliably sending KEV alerts.
We didn't.

CyberComply monitors the CISA Known Exploited Vulnerabilities catalog 24/7 and alerts you the moment a new KEV drops — before the deadline clock starts ticking without you knowing.

CVE-2008-4128
Cisco · IOS
Cisco IOS Cross-Site Request Forgery Vulnerability
Detected Jul 13 · 3-day patch deadline
CVE-2026-48939
iCagenda · iCagenda
iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability
Detected Jul 10 · 3-day patch deadline
CVE-2026-56291
Balbooa · Forms
Balbooa Forms Unrestricted Upload of File with Dangerous Type Vulnerability
Detected Jul 10 · 3-day patch deadline

KEV Intelligence Brief: July 13, 2026

Prepared by: Cybersecurity Intelligence | Audience: Federal Contractors, DevOps, SOC Leadership | Date: Monday, July 13, 2026

This week's KEV additions reflect a troubling convergence: unauthenticated file upload chains dominating the CMS and web-builder ecosystem, critical infrastructure tools bleeding authentication entirely, and enterprise platforms carrying deserialization and traversal vulnerabilities that are already past their federal patch deadlines. Organizations should treat the deadline status of several entries below as an active compliance posture failure, not a future action item.

The Unauthenticated Upload Epidemic: CMS and Web Builder Platforms

The single most striking pattern across this week's additions is the clustering of unrestricted file upload vulnerabilities across CMS plugins and Joomla-adjacent page builder products. Four entries — CVE-2026-48939 (iCagenda), CVE-2026-56291 (Balbooa Forms), CVE-2026-48908 (JoomShaper SP Page Builder), and CVE-2026-56290 (Joomlack Page Builder) — share a near-identical attack surface: an attacker, in most cases completely unauthenticated, uploads a PHP webshell or other executable through a file attachment or form submission feature and achieves full remote code execution.

The July 10 patch deadline for iCagenda and Balbooa Forms has now passed. The July 10 deadlines for JoomShaper SP Page Builder and Joomlack Page Builder are equally expired. Federal agencies and contractors running any of these components on internet-facing Joomla installations are already out of compliance with BOD 26-04 and should treat those systems as potentially compromised pending forensic triage.

The operational calculus here is straightforward but urgent: these are not privilege-escalation chains requiring authenticated access. An adversary with an HTTP connection and a crafted multipart POST request has a plausible path to webshell deployment. If patches are unavailable or unconfirmed, the appropriate interim action is to take the affected endpoints offline or place them behind authenticated reverse proxies with file upload functionality disabled at the WAF layer. Forensic triage — specifically reviewing web server logs for unusual POST activity to upload directories, and scanning the webroot for recently modified PHP files — should begin immediately regardless of patch status. CISA's forensics triage requirements under BOD 26-04 are not optional here; they exist precisely for scenarios where exploitation windows predate remediation.

Identity and Authorization Failures: Where Authentication Should Have Held

Two entries this week represent a qualitatively different failure mode — not missing input validation, but the collapse of authentication and authorization controls entirely.

CVE-2026-48558 in SimpleHelp is the more severe of the two. The vulnerability resides in the OIDC authentication flow: when OIDC is configured, identity tokens submitted during login are accepted without cryptographic signature verification. A remote, unauthenticated attacker can forge an identity token with arbitrary claims and obtain a fully authenticated technician session — in some configurations, bypassing MFA entirely. The federal patch deadline was July 2, meaning this is now eleven days overdue. SimpleHelp is a remote access platform, and a fully authenticated technician session in adversary hands is functionally equivalent to persistent, privileged access to every endpoint the tool manages. Organizations using SimpleHelp with OIDC enabled should assume the authentication boundary has no integrity until patched, rotate any credentials or session tokens that traversed the platform, audit technician session logs for anomalous access patterns, and verify MFA enforcement independently of SimpleHelp's own controls.

CVE-2026-55255 in Langflow is narrower but contextually significant. This authorization bypass allows an authenticated attacker to execute any workflow belonging to another user simply by specifying a victim's flow ID in the request. In AI pipeline environments where Langflow is used to orchestrate sensitive data workflows — retrieval-augmented generation chains, API integrations, credential-bearing tool calls — lateral movement between user contexts can expose far more than the vulnerability description implies. The July 10 deadline is past. Teams running Langflow in multi-tenant or shared internal environments should audit flow ownership, restrict network access to authenticated internal users only, and verify that no flows contain embedded API keys or credentials accessible via this path.

Deadline Watch: Adobe ColdFusion and Microsoft SharePoint

The two highest-profile enterprise entries this week carry the oldest overdue deadlines and the broadest potential blast radius.

CVE-2026-48282, a path traversal vulnerability in Adobe ColdFusion, allows arbitrary code execution in the context of the current user. ColdFusion remains a persistent target precisely because its deployments tend to be older, under-resourced, and internet-facing by design. The July 10 deadline has passed. Adobe's security advisory should be the authoritative patching reference; organizations unable to patch immediately should enforce network-layer restrictions on ColdFusion administrative interfaces and review file system access logs for anomalous directory traversal patterns.

CVE-2026-45659 in Microsoft SharePoint Server is a deserialization of untrusted data vulnerability enabling network-based code execution by an authorized attacker. The federal deadline was July 4 — nine days ago. While the requirement for existing authorization reduces the unauthenticated attack surface, SharePoint's role as a collaboration hub means credential compromise anywhere in the environment translates directly to exploitation potential here. Microsoft's patch should be applied immediately; in the interim, restrict SharePoint access to known internal networks and review authentication logs for unusual account activity. SharePoint deserialization vulnerabilities have historically attracted sophisticated threat actors, and the active exploitation designation from CISA should be treated as confirmation of in-the-wild activity.

Priority Summary for SOC and Patch Teams: Five of eight entries have already passed their federal patch deadlines as of today. Treat CVE-2026-48558, CVE-2026-45659, and the four CMS file upload CVEs as active incident response priorities, not patch management queue items.

Sources: CISA KEV Catalog · CISA BOD 26-04 · Adobe Security Bulletins · Microsoft Security Update Guide · SimpleHelp Security Advisories · CISA Forensics Triage Guidance

Free KEV Alerts

  • Real-time notification the moment a KEV drops
  • Vendor and product details
  • BOD 26-04 remediation deadline included

Pro Alerts Coming Soon

  • Real-time notification the moment a KEV drops
  • Filtered to your specific vendor watchlist
  • Urgency scoring (Critical / Urgent / Standard)
  • Direct patch links included

Stay ahead of CISA.

No spam. Unsubscribe anytime. We don't sell your data.


Upcoming Patch Due Dates

via Binding Operational Directive 26-04

BOD 26-04 is CISA's current vulnerability remediation directive for Federal Civilian Executive Branch (FCEB) agencies, updating the KEV-driven framework introduced under BOD 22-01 with a more risk-based approach to prioritization. While binding only on FCEB agencies, its framework increasingly influences contractor expectations through procurement requirements, FedRAMP programs, and agency security clauses.

Loading...

News Logo

Cyber Security News

You may have missed...


📌 Pinned

*

https:betanews.comMar 5

Inside a cyberattack: How hackers steal data

The truth about cybersecurity is that it's almost impossible to keep hackers outside of an organization, particularly as the cybercrime industry ...

https://thehackernews.comJul 13

iCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-Days

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two maximum-severity security flaws impacting iCagenda and Balbooa ...

https://www.govtech.comJul 12

On AI Ethics: Why Prompt Engineering Needs a Moral Compass - GovTech

In this first of a three-part series, we look at why “working as designed” is no longer good enough for enterprise AI or cybersecurity pros.

https://www.bbc.comJul 12

What leaked messages tell us about global hacking gang Conti - BBC

Conti, one of the world's largest ransomware groups, spent years hacking people. But in 2022 the tables turned when the criminal gang imploded and ...

https://www.trustinfinitech.comJul 10

Microsoft Issues Emergency Patch for RoguePlanet Windows Defender Zero-Day

Microsoft issued an out-of-band emergency patch for RoguePlanet, a high-severity privilege escalation zero-day vulnerability in Windows Defender, with...

https://techcrunch.comJul 11

US cybersecurity agency CISA had to build its incident playbook during the incident, agency reveals

Independent cybersecurity journalist Brian Krebs reported in May that a security researcher with cyber firm GitGuardian alerted him to reams of ...

https://www.govinfosecurity.comJul 11

When Hackers Cut the Internet, Will the Water Still Flow? - GovInfoSecurity

A tier one national cellular and telecommunications provider is suffering a service outage as a result of a cyberattack by Chinese military hackers, ....

https://www.govinfosecurity.comJul 10

European Patience With Cybersecurity Laggards Snaps - GovInfoSecurity

The European Commission is cracking down on Spain, France and other countries for failing to implement or abide by cybersecurity legislation.

https://www.govtech.comJul 10

North Carolina Makes Largest Cyber Investment in State History - GovTech

The $60 million allocation includes recurring funding to mature the state's cybersecurity program and one-time money for modernization and risk ...


Updated daily