CISA stopped reliably sending KEV alerts.
We didn't.
CyberComply monitors the CISA Known Exploited Vulnerabilities catalog 24/7 and alerts you the moment a new KEV drops — before the deadline clock starts ticking without you knowing.
KEV Intelligence Brief: July 13, 2026
Prepared by: Cybersecurity Intelligence | Audience: Federal Contractors, DevOps, SOC Leadership | Date: Monday, July 13, 2026
This week's KEV additions reflect a troubling convergence: unauthenticated file upload chains dominating the CMS and web-builder ecosystem, critical infrastructure tools bleeding authentication entirely, and enterprise platforms carrying deserialization and traversal vulnerabilities that are already past their federal patch deadlines. Organizations should treat the deadline status of several entries below as an active compliance posture failure, not a future action item.
The Unauthenticated Upload Epidemic: CMS and Web Builder Platforms
The single most striking pattern across this week's additions is the clustering of unrestricted file upload vulnerabilities across CMS plugins and Joomla-adjacent page builder products. Four entries — CVE-2026-48939 (iCagenda), CVE-2026-56291 (Balbooa Forms), CVE-2026-48908 (JoomShaper SP Page Builder), and CVE-2026-56290 (Joomlack Page Builder) — share a near-identical attack surface: an attacker, in most cases completely unauthenticated, uploads a PHP webshell or other executable through a file attachment or form submission feature and achieves full remote code execution.
The July 10 patch deadline for iCagenda and Balbooa Forms has now passed. The July 10 deadlines for JoomShaper SP Page Builder and Joomlack Page Builder are equally expired. Federal agencies and contractors running any of these components on internet-facing Joomla installations are already out of compliance with BOD 26-04 and should treat those systems as potentially compromised pending forensic triage.
The operational calculus here is straightforward but urgent: these are not privilege-escalation chains requiring authenticated access. An adversary with an HTTP connection and a crafted multipart POST request has a plausible path to webshell deployment. If patches are unavailable or unconfirmed, the appropriate interim action is to take the affected endpoints offline or place them behind authenticated reverse proxies with file upload functionality disabled at the WAF layer. Forensic triage — specifically reviewing web server logs for unusual POST activity to upload directories, and scanning the webroot for recently modified PHP files — should begin immediately regardless of patch status. CISA's forensics triage requirements under BOD 26-04 are not optional here; they exist precisely for scenarios where exploitation windows predate remediation.
Identity and Authorization Failures: Where Authentication Should Have Held
Two entries this week represent a qualitatively different failure mode — not missing input validation, but the collapse of authentication and authorization controls entirely.
CVE-2026-48558 in SimpleHelp is the more severe of the two. The vulnerability resides in the OIDC authentication flow: when OIDC is configured, identity tokens submitted during login are accepted without cryptographic signature verification. A remote, unauthenticated attacker can forge an identity token with arbitrary claims and obtain a fully authenticated technician session — in some configurations, bypassing MFA entirely. The federal patch deadline was July 2, meaning this is now eleven days overdue. SimpleHelp is a remote access platform, and a fully authenticated technician session in adversary hands is functionally equivalent to persistent, privileged access to every endpoint the tool manages. Organizations using SimpleHelp with OIDC enabled should assume the authentication boundary has no integrity until patched, rotate any credentials or session tokens that traversed the platform, audit technician session logs for anomalous access patterns, and verify MFA enforcement independently of SimpleHelp's own controls.
CVE-2026-55255 in Langflow is narrower but contextually significant. This authorization bypass allows an authenticated attacker to execute any workflow belonging to another user simply by specifying a victim's flow ID in the request. In AI pipeline environments where Langflow is used to orchestrate sensitive data workflows — retrieval-augmented generation chains, API integrations, credential-bearing tool calls — lateral movement between user contexts can expose far more than the vulnerability description implies. The July 10 deadline is past. Teams running Langflow in multi-tenant or shared internal environments should audit flow ownership, restrict network access to authenticated internal users only, and verify that no flows contain embedded API keys or credentials accessible via this path.
Deadline Watch: Adobe ColdFusion and Microsoft SharePoint
The two highest-profile enterprise entries this week carry the oldest overdue deadlines and the broadest potential blast radius.
CVE-2026-48282, a path traversal vulnerability in Adobe ColdFusion, allows arbitrary code execution in the context of the current user. ColdFusion remains a persistent target precisely because its deployments tend to be older, under-resourced, and internet-facing by design. The July 10 deadline has passed. Adobe's security advisory should be the authoritative patching reference; organizations unable to patch immediately should enforce network-layer restrictions on ColdFusion administrative interfaces and review file system access logs for anomalous directory traversal patterns.
CVE-2026-45659 in Microsoft SharePoint Server is a deserialization of untrusted data vulnerability enabling network-based code execution by an authorized attacker. The federal deadline was July 4 — nine days ago. While the requirement for existing authorization reduces the unauthenticated attack surface, SharePoint's role as a collaboration hub means credential compromise anywhere in the environment translates directly to exploitation potential here. Microsoft's patch should be applied immediately; in the interim, restrict SharePoint access to known internal networks and review authentication logs for unusual account activity. SharePoint deserialization vulnerabilities have historically attracted sophisticated threat actors, and the active exploitation designation from CISA should be treated as confirmation of in-the-wild activity.
Priority Summary for SOC and Patch Teams: Five of eight entries have already passed their federal patch deadlines as of today. Treat CVE-2026-48558, CVE-2026-45659, and the four CMS file upload CVEs as active incident response priorities, not patch management queue items.
Sources: CISA KEV Catalog · CISA BOD 26-04 · Adobe Security Bulletins · Microsoft Security Update Guide · SimpleHelp Security Advisories · CISA Forensics Triage Guidance
Free KEV Alerts
- Real-time notification the moment a KEV drops
- Vendor and product details
- BOD 26-04 remediation deadline included
Pro Alerts Coming Soon
- Real-time notification the moment a KEV drops
- Filtered to your specific vendor watchlist
- Urgency scoring (Critical / Urgent / Standard)
- Direct patch links included
Stay ahead of CISA.
Common Vulnerability and Exposure
CVEs form a database of known security vulnerabilities that are actively tracked and managed by a group of organizations, such as the U.S. National Cyber Security Alliance. CVEs are an important tool for network security management because they not only provide an inventory of existing vulnerabilities, but also provide information about how the vulnerability can be exploited and instructions on how to protect against it.
Search the KEV Catalog by Vendor or Product
Search for CVEs by vendor or product to identify known exploited vulnerabilities in your environment
Upcoming Patch Due Dates
via Binding Operational Directive 26-04
BOD 26-04 is CISA's current vulnerability remediation directive for Federal Civilian Executive Branch (FCEB) agencies, updating the KEV-driven framework introduced under BOD 22-01 with a more risk-based approach to prioritization. While binding only on FCEB agencies, its framework increasingly influences contractor expectations through procurement requirements, FedRAMP programs, and agency security clauses.
Loading...
Cyber Security News
You may have missed...
*
Inside a cyberattack: How hackers steal data
The truth about cybersecurity is that it's almost impossible to keep hackers outside of an organization, particularly as the cybercrime industry ...
iCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-Days
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two maximum-severity security flaws impacting iCagenda and Balbooa ...
On AI Ethics: Why Prompt Engineering Needs a Moral Compass - GovTech
In this first of a three-part series, we look at why “working as designed” is no longer good enough for enterprise AI or cybersecurity pros.
What leaked messages tell us about global hacking gang Conti - BBC
Conti, one of the world's largest ransomware groups, spent years hacking people. But in 2022 the tables turned when the criminal gang imploded and ...
Microsoft Issues Emergency Patch for RoguePlanet Windows Defender Zero-Day
Microsoft issued an out-of-band emergency patch for RoguePlanet, a high-severity privilege escalation zero-day vulnerability in Windows Defender, with...
US cybersecurity agency CISA had to build its incident playbook during the incident, agency reveals
Independent cybersecurity journalist Brian Krebs reported in May that a security researcher with cyber firm GitGuardian alerted him to reams of ...
When Hackers Cut the Internet, Will the Water Still Flow? - GovInfoSecurity
A tier one national cellular and telecommunications provider is suffering a service outage as a result of a cyberattack by Chinese military hackers, ....
European Patience With Cybersecurity Laggards Snaps - GovInfoSecurity
The European Commission is cracking down on Spain, France and other countries for failing to implement or abide by cybersecurity legislation.
North Carolina Makes Largest Cyber Investment in State History - GovTech
The $60 million allocation includes recurring funding to mature the state's cybersecurity program and one-time money for modernization and risk ...
Updated daily
