This month: 5 KEVs detected

CISA stopped reliably sending KEV alerts.
We didn't.

CyberComply monitors the CISA Known Exploited Vulnerabilities catalog 24/7 and alerts you the moment a new KEV drops — before the deadline clock starts ticking without you knowing.

CVE-2026-48282
Adobe · ColdFusion
Adobe ColdFusion Path Traversal Vulnerability
Detected Jul 7 · 3-day patch deadline
CVE-2026-48908
JoomShaper · SP Page Builder
JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability
Detected Jul 7 · 3-day patch deadline
CVE-2026-55255
Langflow · Langflow
Langflow Authorization Bypass Through User-Controlled Key Vulnerability
Detected Jul 7 · 3-day patch deadline

KEV Intelligence Brief — July 8, 2026

Issued: Wednesday, July 8, 2026 Audience: Federal contractors, DevOps/platform teams, security operations leaders Scope: 8 KEV additions spanning June 25 – July 7, 2026

Three patch deadlines in this batch have already passed. Two more expire in 48 hours. If your organization runs any of the affected products and has not confirmed remediation, stop reading and start patching.

Deadline Watch: Overdue and Expiring in 48 Hours

Four vulnerabilities in this batch carry deadlines that are either past or critically imminent, and the combination of affected products should command immediate leadership attention.

Microsoft SharePoint Server (CVE-2026-45659) — deadline July 4, now four days overdue — exposes a deserialization of untrusted data vulnerability that enables authenticated network code execution. Deserialization flaws in SharePoint have historically been weaponized for lateral movement and credential harvesting within enterprise environments. "Authenticated" does not mean low risk here; threat actors routinely obtain valid credentials through phishing or prior compromises before pivoting to exploitation. Any SharePoint Server instance that has not received the relevant patch should be treated as potentially compromised. Pull authentication logs, review service account activity, and apply CISA's Forensics Triage Requirements before simply patching and moving on.

SimpleHelp (CVE-2026-48558) — deadline July 2, six days overdue — is arguably the most operationally dangerous entry in this batch. When OIDC authentication is configured, the platform accepts identity tokens without verifying their cryptographic signatures, allowing an unauthenticated remote attacker to forge a token, impersonate an arbitrary technician, and obtain a fully authenticated session — potentially bypassing MFA entirely. SimpleHelp is remote support software, meaning successful exploitation grants an attacker keyboard-level access to endpoints that technicians routinely service. Organizations should immediately audit active technician sessions for anomalies, rotate all API keys and service credentials associated with the platform, and verify whether OIDC was enabled in their deployment configuration. If patching is not immediately feasible, disable OIDC authentication and restrict access to trusted IP ranges at the network perimeter.

PTC Windchill and FlexPLM (CVE-2026-12569) and Cisco Unified CM (CVE-2026-20230) both carried a June 28 deadline, now ten days past. PTC's improper input validation flaw allows unauthenticated remote code execution via a malformed network request — a critical severity class that should have prompted emergency patching windows in any defense-industrial or manufacturing environment running Windchill or FlexPLM. These platforms manage product lifecycle and supply chain data; their compromise carries intellectual property and operational security implications beyond typical IT incidents. Cisco Unified CM's SSRF vulnerability (CVE-2026-20230) enables unauthenticated file writes to the underlying OS, creating a reliable staging mechanism for privilege escalation to root. Voice and communications infrastructure is frequently underpatched relative to enterprise IT assets; operations teams should validate patch status against all Unified CM and Unified CM SME nodes, including those in telephony DMZs that may be outside standard vulnerability scan scope.

Unauthenticated File Upload: A Coordinated Attack Surface Across CMS Ecosystems

Three of the July 7 additions — all sharing a July 10 patch deadline — target content management and page builder ecosystems with unauthenticated or minimally authenticated file upload primitives, a class of vulnerability that provides direct, reliable paths to webshell deployment and persistent access.

JoomShaper SP Page Builder (CVE-2026-48908) allows fully unauthenticated users to upload arbitrary files and execute PHP code. Joomlack Page Builder (CVE-2026-56290) reaches the same outcome — unauthenticated arbitrary file upload leading to remote code execution — through an improper access control flaw. The appearance of two distinct Joomla ecosystem page builders in a single KEV batch strongly suggests active scanning and exploitation campaigns targeting this component class. Any internet-facing Joomla installation running either plugin should be treated as high-priority regardless of perceived traffic or sensitivity. Teams should immediately pull web server logs for anomalous POST requests to file upload endpoints, audit the webroot for recently created PHP files in unexpected directories, and apply vendor patches before the July 10 deadline.

Adobe ColdFusion (CVE-2026-48282) rounds out this cluster with a path traversal vulnerability leading to arbitrary code execution. ColdFusion has a well-documented exploitation history; threat actors have maintained working tooling against ColdFusion path traversal and file disclosure primitives across multiple CVE generations. Internet-facing ColdFusion instances are high-confidence targets. BOD 26-04 obligations are explicit: patch by July 10 or discontinue use. If patching cannot be completed before the deadline, isolate the instance from the internet immediately and initiate forensic triage per CISA guidance.

AI Tooling Adds a New Attack Surface to Monitor

Langflow (CVE-2026-55255) — also deadline July 10 — introduces an authorization bypass through user-controlled key that allows an authenticated attacker to execute any flow belonging to another user by supplying a victim's flow ID in the request. This is a significant finding in the context of how Langflow is typically deployed: as a multi-user AI workflow orchestration platform, often with flows that invoke external APIs, execute code, or process sensitive data. The vulnerability enables privilege escalation between tenants without requiring any credential compromise. Organizations that have deployed Langflow in shared or multi-tenant configurations should audit flow ownership and execution logs immediately, apply available patches, and evaluate whether cross-user flow execution has occurred for any high-privilege or externally connected flows.

Summary Deadline Table

| CVE | Product | Deadline | Status | |---|---|---|---| | CVE-2026-20230 | Cisco Unified CM | 2026-06-28 | Overdue — 10 days | | CVE-2026-12569 | PTC Windchill/FlexPLM | 2026-06-28 | Overdue — 10 days | | CVE-2026-48558 | SimpleHelp | 2026-07-02 | Overdue — 6 days | | CVE-2026-45659 | Microsoft SharePoint | 2026-07-04 | Overdue — 4 days | | CVE-2026-48282 | Adobe ColdFusion | 2026-07-10 | 48 hours | | CVE-2026-48908 | JoomShaper SP Page Builder | 2026-07-10 | 48 hours | | CVE-2026-55255 | Langflow | 2026-07-10 | 48 hours | | CVE-2026-56290 | Joomlack Page Builder | 2026-07-10 | 48 hours |

Sources: CISA KEV Catalog · CISA BOD 26-04 · Adobe Security Bulletins · Microsoft Security Response Center · Cisco Security Advisories · PTC Security Advisories · SimpleHelp Security Advisories · CISA Forensics Triage Guidance

Free KEV Alerts

  • Real-time notification the moment a KEV drops
  • Vendor and product details
  • BOD 26-04 remediation deadline included

Pro Alerts Coming Soon

  • Real-time notification the moment a KEV drops
  • Filtered to your specific vendor watchlist
  • Urgency scoring (Critical / Urgent / Standard)
  • Direct patch links included

Stay ahead of CISA.

No spam. Unsubscribe anytime. We don't sell your data.


Upcoming Patch Due Dates

via Binding Operational Directive 26-04

BOD 26-04 is CISA's current vulnerability remediation directive for Federal Civilian Executive Branch (FCEB) agencies, updating the KEV-driven framework introduced under BOD 22-01 with a more risk-based approach to prioritization. While binding only on FCEB agencies, its framework increasingly influences contractor expectations through procurement requirements, FedRAMP programs, and agency security clauses.

Loading...

News Logo

Cyber Security News

You may have missed...


📌 Pinned

*

https:betanews.comMar 5

Inside a cyberattack: How hackers steal data

The truth about cybersecurity is that it's almost impossible to keep hackers outside of an organization, particularly as the cybercrime industry ...

https://techcrunch.comJul 8

Hacked, leaked, and held for ransom: The worst breaches of 2026 so far | TechCrunch

From a massive DOGE data breach and the hacking of critical energy and water systems to the hack of an FBI surveillance system, here are the most ...

https://www.pcmag.comJul 6

A Hacker's Arrest Reveals Microsoft Can Track Users Via a Windows Device ID | PCMag

The FBI used a Microsoft device identifier, dubbed GDID, to link a teenager to a hack attributed to Scattered Spider, raising privacy red flags ...

https://therecord.mediaJul 7

Major medical device manufacturer notifies nearly 4 million of breach

The Medtronic breach is just the latest example of a hacking gang targeting a company in the med tech sector. In March, the medical device firm ...

https://federalnewsnetwork.comJul 6

Federal government organizations must double down efforts to combat 'living off the land' attacks

LotL attacks represent a new frontier in cybersecurity, where adversaries use trusted system tools to carry out malicious activities.

https://thehackernews.comJul 6

Breach Transparency Remains Cybersecurity's Toughest Governance Problem

Cybersecurity is entering a new phase. It's one where the gap between awareness and operational execution is becoming the industry's biggest ...

https://www.cisa.govJul 6

Mohamed Telab - CISA

Mohamed Telab serves as the acting Regional Director (a/RD) for CISA Region 2. In this capacity he oversees the management of all CISA regional ...

https://www.cybersecbrief.comJul 4

Bad Epoll Linux Kernel Vulnerability Allows Unprivileged Users to Gain Root Access

A new critical Linux kernel flaw called Bad Epoll (CVE-2026-46242) enables unprivileged users to escalate privileges to root on Linux and Android syst...

https://www.coindesk.comJul 5

How ethical hackers with just a $3000 server found a flaw that could've put $70 billion in crypto at risk

Hacker facing screens with lines of code (Boitumelo/Unsplash) (Boitumelo/Unsplash). Summary. Show. Ethical hackers from security firm Hexens ...


Updated daily