Adobe ColdFusion Flaw Actively Exploited — Patch Now
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. July 08, 2026
cybr.cx Daily Digest — July 08, 2026
Critical Vulnerabilities
⚠️ Actively exploited — CVE-2026-48282 | Adobe ColdFusion | No CVSS in KEV
A path traversal vulnerability in Adobe ColdFusion allows attackers to execute arbitrary code in the context of the current user. ColdFusion installations remain a perennial target for web shell deployment and ransomware staging — if you're running internet-facing ColdFusion, treat this as a fire drill. CISA's remediation deadline was July 10.
⚠️ Actively exploited — CVE-2026-48908 | JoomShaper SP Page Builder (Joomla)
Unauthenticated arbitrary file upload with no restrictions on dangerous file types — meaning attackers can drop a PHP webshell directly and achieve remote code execution. Joomla sites running SP Page Builder are being actively targeted right now. Patch or disable the plugin immediately; CISA deadline is July 10.
⚠️ Actively exploited — CVE-2026-56290 | Joomlack Page Builder (Joomla)
Nearly identical class of vulnerability to the above — improper access control enabling unauthenticated arbitrary file upload leading to RCE. Two Joomla page builder plugins actively exploited simultaneously suggests a coordinated campaign targeting the CMS ecosystem. July 10 remediation deadline.
⚠️ Actively exploited — CVE-2026-55255 | Langflow
An authenticated attacker can execute any flow belonging to another user simply by substituting the victim's flow ID in the request — a trivial authorization bypass with significant consequences for AI pipeline platforms exposed to multi-tenant environments. Given Langflow's growing adoption in enterprise AI tooling, lateral movement via flow hijacking is a real risk. CISA deadline July 10.
⚠️ Actively exploited — CVE-2026-45659 | Microsoft SharePoint Server
Deserialization of untrusted data allowing an authorized network attacker to achieve code execution. SharePoint deserialization bugs have a long history of rapid weaponisation; this one has been in the KEV since July 1 with a July 4 deadline that has now passed — if you haven't patched, you're overdue.
CVE-2026-25271 | Qualcomm (likely) — Async Input Processing | CVSS 7.8
A classic TOCTOU (time-of-check/time-of-use) memory corruption flaw triggered through asynchronous input parameter handling. No KEV listing yet, but memory corruption with a 7.8 score warrants prompt attention, particularly in mobile or embedded contexts. Patch when available.
CVE-2026-55574 | vLLM < 0.24.0 | CVSS 7.5
User-supplied regular expressions passed to vLLM's structured_outputs.regex API reach the grammar compiler backends — xgrammar and outlines — with no compilation timeout and no sanitisation. A malicious regex can trigger catastrophic backtracking and lock up inference infrastructure. If you're running vLLM with public or multi-tenant access, upgrade to 0.24.0 and validate any regex inputs upstream.
CVE-2026-59708 | Ghostfolio | CVSS 7.5
The public portfolio endpoint accepts private access IDs without enforcing granteeUserId filtering, meaning anyone with a valid access ID can retrieve full portfolio data — holdings, quantities, purchase prices, and performance metrics — without authentication. Low exploitation complexity makes this particularly dangerous for self-hosted instances exposed to the internet.
CVE-2026-21383 | AES-GCM Key Wrapping Implementation | CVSS 7.1
A static initialisation vector is used across AES-GCM key wrapping operations, fundamentally breaking the security of the scheme — AES-GCM requires a unique IV per invocation or nonce reuse can expose the authentication key. The affected product isn't fully identified in current NVD data, but any system using this library for key management should be treated as potentially compromised.
Headline News
Januscape: Guest-to-Host KVM Escape via CVE-2026-53359
A publicly released exploit chain named Januscape demonstrates a guest-to-host escape in KVM/x86, the Linux kernel's primary virtualisation layer. The exploit targets CVE-2026-53359 and has been published with a working proof-of-concept, meaning cloud infrastructure, VPS providers, and any organisation running KVM-based virtualisation is now facing an actively weaponisable hypervisor escape. The implications are significant: a compromised guest VM can potentially reach the host kernel and, from there, pivot to other co-resident tenants. Practitioners running KVM should audit kernel versions immediately, apply available patches, and consider the blast radius of any multi-tenant workloads sharing physical hosts. This class of vulnerability — where the virtualisation boundary itself breaks down — is among the most severe in cloud security, and the public release of working code dramatically shortens attacker ramp-up time.
Vishing via Microsoft Teams Delivers EtherRAT to Corporate Networks
Threat actors are conducting vishing campaigns over Microsoft Teams, impersonating internal IT support staff to socially engineer employees into installing EtherRAT — a remote access trojan that provides persistent access to corporate networks. The attack flow bypasses traditional email-based phishing defences entirely: attackers initiate voice calls through Teams, establish credibility through insider knowledge of company structure, and direct victims to execute malicious installers under the guise of legitimate IT troubleshooting. EtherRAT provides full remote control capabilities, making initial access broker-style post-exploitation straightforward. Defenders should review Teams external call policies, implement strict controls on who can initiate calls from outside the tenant, and run awareness exercises specifically covering voice-based social engineering — a vector that many security training programmes underweight relative to email phishing.
AI Fuzzing Tools Drive Record CVE Surge — 1,500 High-Severity Disclosures in June Alone
Frontier AI models purpose-built for vulnerability discovery are reshaping the disclosure pipeline in ways the patching ecosystem isn't yet equipped to absorb. In June 2026, approximately 1,500 high- and critical-severity CVEs were reported by 21 major organisations — a pace that strains both vendor patch development and enterprise vulnerability management programmes simultaneously. The acceleration is structural: AI-assisted fuzzing and code analysis tools can now surface in days what previously took months of manual review, and the volume shows no sign of plateauing. For practitioners, this means CVSS-based prioritisation alone is increasingly inadequate — the queue is simply too large. Combining KEV tracking, exploit prediction scoring, and asset-criticality context is becoming essential operational hygiene rather than a nice-to-have.
Schrödinger's Feed
Researchers have combined machine learning with quantum physics to identify two new superconducting materials and, more consequentially, developed a dramatically faster computational method for searching the broader superconductor landscape — a step that could accelerate progress toward room-temperature superconductivity. Room-temperature superconductors matter to security practitioners because they're a foundational enabling technology for fault-tolerant quantum computers: the colder and more fragile current superconducting qubits remain, the longer the timeline to cryptographically relevant quantum machines. If that timeline compresses, the urgency around post-quantum cryptography migration — already pressing — becomes acute. Keep an eye on materials science breakthroughs; the path to "harvest now, decrypt later" attacks becoming practical runs through the physics lab as much as the algorithm stack.
/dev/random
The EU's Chat Control proposals — both the original 1.0 version and the revised 2.0 iteration — have resurfaced in public discussion, and the technical implications deserve a second look beyond the policy headlines. The core mechanism in both proposals would require client-side scanning of encrypted messages before they are sent, meaning the encryption itself remains mathematically intact while the plaintext is inspected at the endpoint — a distinction that cryptographers have uniformly described as "breaking E2E encryption with extra steps." Version 2.0 rebranded the approach as "upload moderation" rather than scanning, a change in vocabulary that left the underlying architecture largely unchanged. It's a rare case where the marketing team and the threat model are in direct conflict — and the threat model is winning the technical argument, even if not yet the legislative one.