CISA Flags Four Live-Exploited Bugs in Adobe, Joomla and Langflow

The US cyber agency gave federal agencies until early December to patch a critical Adobe ColdFusion flaw and three others already being abused in the wild.

ThreatVectr Newsdesk· 3 min read
Full-frame edge-to-edge photoreal news-editorial image of a dimly lit server room with rows of dark rack-mounted servers, blue and amber status LEDs reflecting
Share

Key points

  • The US Cybersecurity and Infrastructure Security Agency added four actively exploited flaws to its Known Exploited Vulnerabilities catalog on Tuesday.
  • One of the bugs, CVE-2026-48282 in Adobe ColdFusion, carries the maximum severity score of 10.0.
  • The other flaws affect Joomla and Langflow, an open-source tool used to build AI applications.
  • US federal agencies must patch the flaws within the deadlines set by CISA under Binding Operational Directive 22-01.
  • Private companies running the same software are strongly urged to apply fixes on the same timeline.

The US Cybersecurity and Infrastructure Security Agency, known as CISA, is the government body that helps protect American networks from cyberattacks. On Tuesday it added four software flaws to a public list it calls the Known Exploited Vulnerabilities catalog, or KEV for short.

Getting onto that list means one thing. Criminals are already using the flaw to break into real systems.

The list, first reported by The Hacker News, covers products from Adobe, Joomla and Langflow. Between them, these tools run a huge number of business websites and, increasingly, artificial intelligence apps.

What are the flaws, in plain English?

The most serious is a bug in Adobe ColdFusion, a platform businesses use to build websites and web apps. It is tracked as CVE-2026-48282 and scores a perfect 10.0 out of 10 on the standard severity scale, meaning it is as bad as these ratings get.

The flaw is what engineers call a path traversal issue. In simple terms, it lets an attacker trick the server into opening or running files it should have kept private. Adobe warns this can lead to arbitrary code execution, which is jargon for the attacker running whatever program they want on the victim's server.

If that happens on a live business website, the attacker can steal customer data, plant malicious software, or use the server as a launchpad for further attacks.

The other three flaws sit in Joomla, a popular free tool for building websites, and Langflow, an open-source platform developers use to wire up AI models into working apps. CISA has not published detailed attack write-ups, but its inclusion of these flaws on the KEV list means it has seen real exploitation, not just theoretical risk.

Should ordinary people worry?

Not directly, but the knock-on effects can reach anyone. If a shop, clinic or council runs a website built on ColdFusion or Joomla and does not patch quickly, customer accounts and personal data on that site are at risk.

What customers can do is boringly familiar. Use a unique password for every site, ideally created by a password manager. Turn on two-factor authentication, which asks for a code from your phone as well as a password, wherever it is offered.

Would two-factor authentication have stopped these specific attacks? Honestly, no. These are server-side flaws, meaning the break-in happens on the company's own machines, well before any login screen. Two-factor authentication protects your account. It does not protect the company hosting it.

That is why the burden here sits squarely on the organisations running the vulnerable software.

What happens next?

Under a rule called Binding Operational Directive 22-01, every US federal civilian agency must patch anything on the KEV list by the deadline CISA sets, usually about three weeks. CISA also "strongly urges" private companies to follow the same schedule.

Admins running ColdFusion should check Adobe's security bulletins and apply the latest updates without waiting. Joomla site owners can update from the admin dashboard. Langflow users should pull the newest release from the project's official repository.

For more on the flaw itself, the official record is on the National Vulnerability Database entry for CVE-2026-48282. The full KEV catalog lives at CISA's known exploited vulnerabilities page.

The pattern here is a familiar one. Attackers scan the internet for unpatched servers within hours of a flaw becoming public. Patching fast is not optional. It is the job.

© 2026 Threat Vectr