██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

Adobe ColdFusion Flaw Exploited: CISA Deadline Already Missed

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. July 11, 2026

Share

cybr.cx Daily Digest — July 11, 2026


Critical Vulnerabilities

⚠️ Actively Exploited — CVE-2026-48282 | Adobe ColdFusion | CVSS: N/A

A path traversal vulnerability in Adobe ColdFusion is being actively exploited in the wild and carries a CISA KEV due date that has already passed (July 10). Successful exploitation allows arbitrary code execution in the context of the current user — on ColdFusion servers, that often means SYSTEM or root. If you're running ColdFusion anywhere in your environment, patch or isolate immediately; this one is being weaponised now.

⚠️ Actively Exploited — CVE-2026-56291 | Balbooa Forms (Joomla) | CVSS: N/A

Unauthenticated arbitrary file upload in the Balbooa Forms component allows attackers to drop and execute PHP webshells with no credentials required. CISA added this on July 10 with a patch deadline of July 13 — that's tomorrow. Any Joomla instance running this component should be treated as potentially compromised; audit upload directories for unexpected PHP files immediately.

⚠️ Actively Exploited — CVE-2026-48939 | iCagenda (Joomla) | CVSS: N/A

The iCagenda event management component for Joomla allows unauthenticated users to upload arbitrary file types via the file attachment feature, including PHP code for direct execution. This is the third Joomla-ecosystem component on CISA's KEV list this week — a clear pattern of active threat actor interest in Joomla plugins. Disable the component if patching is not immediately possible.

⚠️ Actively Exploited — CVE-2026-56290 | Joomlack Page Builder | CVSS: N/A

Another unauthenticated arbitrary file upload leading to RCE via improper access control in Joomlack's Page Builder. The clustering of four Joomla component RCEs on KEV simultaneously strongly suggests an active campaign targeting Joomla sites. Administrators should audit all third-party Joomla components and apply principle of least privilege to upload directories.

⚠️ Actively Exploited — CVE-2026-48908 | JoomShaper SP Page Builder | CVSS: N/A

JoomShaper's SP Page Builder rounds out the Joomla quadruplet — unauthenticated file upload resulting in PHP execution. CISA's due date has already passed (July 10). The pattern across all four Joomla KEVs is identical: unrestricted file upload, no authentication required, direct code execution. Treat this as a coordinated campaign.

⚠️ Actively Exploited — CVE-2026-55255 | Langflow | CVSS: N/A

An authorisation bypass in Langflow allows authenticated users to execute any flow belonging to any other user by simply specifying a victim's flow ID in the request. In AI pipeline environments, flows may contain sensitive API keys, data connections, or execute code — making this a significant lateral movement and data exfiltration risk. Given Langflow's growing adoption in enterprise AI workflows, this deserves urgent attention.

CVE-2025-30007 | HestiaCP before 1.9.5 | CVSS: 8.8

A low-privileged authenticated user can inject a single-quote character into unvalidated DNS record types, ultimately escaping eval-based parsing in update_domain_zone() and executing arbitrary OS commands as root. The privilege escalation path here is clean and reliable — low-priv to root via the web panel. Update to 1.9.5 immediately; HestiaCP is widely used in SMB hosting environments.

CVE-2026-54329 | Snipe-IT before 8.6.2 | CVSS: 8.5

When Full Multiple Companies Support is enabled, a low-privileged user can create accessory records under a different company's namespace by exploiting unguarded mass assignment on the company_id field. In multi-tenant asset management deployments this enables cross-tenant data tampering. Upgrade to 8.6.2 and audit recent Accessories API activity if running a multi-company configuration.

CVE-2026-56305 | Capgo before 12.128.2 | CVSS: 8.3

The password change endpoint does not require current password confirmation, meaning anyone with temporary session access — via XSS, session hijacking, or a shared device — can permanently lock out the legitimate account owner and achieve full takeover. Straightforward account takeover primitive; update to 12.128.2 and review session management controls.

CVE-2026-57850 | RustDesk before 1.4.9 | CVSS: 8.3

RustDesk fails to enforce session scope server-side, allowing a peer granted a limited session type (FileTransfer, PortForward, Terminal, etc.) to send full Remote session control messages. An attacker who legitimately receives a restricted session can silently escalate to full remote control. Update to 1.4.9 — this is particularly relevant in environments that use RustDesk for scoped support access.

CVE-2026-59856 / CVE-2026-59858 | Vim before 9.2.0736 / 9.2.0735 | CVSS: 7.8 each

Two related code injection bugs in Vim's PHP and C omni-completion scripts allow a crafted buffer — a malicious source file — to inject arbitrary Vimscript commands via unescaped interpolation into search() patterns and :vimgrep executions respectively. Opening an attacker-controlled file in Vim with completion enabled is enough. Update to the patched versions; these are realistic supply-chain and social engineering vectors for developer-targeted attacks.


Headline News

GigaWiper: Microsoft Tracks Destructive Windows Backdoor With Wiper Capability

Microsoft has published detailed analysis of a malware family it tracks as GigaWiper — a Windows backdoor with integrated destructive capabilities including disk wiping, file encryption, and persistent remote access. The combination of ransomware-style encryption with wiper functionality is a hallmark of nation-state or hacktivist-adjacent actors seeking either deniability or guaranteed damage regardless of whether a ransom is paid. Practitioners should note that GigaWiper's disk-wiping component operates independently of the encryption module, meaning even organisations that can decrypt may still face total data loss. Detection opportunities centre on abnormal low-level disk I/O, unexpected volume shadow copy deletion, and outbound C2 patterns documented in Microsoft's indicators of compromise. Organisations running critical Windows infrastructure should review their endpoint detection coverage against wiper-class behaviour specifically, which differs meaningfully from conventional ransomware kill chains.

Injective Labs npm Package Compromised to Steal Crypto Wallet Keys

Attackers compromised the GitHub repository of Injective Labs and used access to publish a trojanised version of the project's SDK to npm, targeting cryptocurrency wallet private keys and mnemonic seed phrases. Any developer or application that installed the malicious package version and handled wallet credentials should assume those keys are fully compromised and rotate them immediately. The attack follows the now-familiar supply chain pattern: gain access to a trusted source repository, publish a malicious package through legitimate channels, and harvest secrets from downstream consumers who have no reason to distrust the source. This incident is particularly notable given the financial stakes — mnemonic phrases give permanent, irrevocable access to all funds in a wallet hierarchy. Development teams working with blockchain SDKs should implement npm package integrity checks, lockfile pinning, and runtime secrets monitoring as baseline controls.

Australian Cyber Security Centre Flags Ongoing CMS Plugin Exploitation

Australia's cyber security authority has issued its second advisory in two months warning that unpatched content management system vulnerabilities — specifically WordPress plugins — continue to be actively exploited against Australian organisations. The advisory aligns directly with this week's CISA KEV additions, which are dominated by Joomla component file upload flaws, suggesting a broader pattern of threat actors systematically targeting CMS ecosystems where patch rates are historically low. Practitioners managing web infrastructure should treat any internet-facing CMS plugin with an unrestricted file upload function as a critical attack surface until confirmed patched. The repeated advisory cadence from ACSC is a signal that defenders are not moving fast enough; automated patching and CMS plugin inventory management should be treated as non-negotiable hygiene at this point.


Schrödinger's Feed

BTQ Technologies and South Korean secure-element firm ICTK have completed the architectural design phase for a hybrid post-quantum security processor — a chip intended to run both classical and quantum-resistant cryptographic algorithms side by side. The collaboration targets hardware-level PQC integration, which matters because software-only PQC migrations leave legacy systems exposed and introduce performance overhead that embedded and IoT devices can rarely absorb. Getting PQC into silicon at the secure-element layer — the same class of hardware that protects payment cards, HSMs, and identity tokens — is where the cryptographic migration actually gets solved at scale. Practitioners overseeing long-lifecycle hardware programmes (industrial control systems, payment infrastructure, government identity schemes) should track this space closely: the procurement decisions you make in the next 12–18 months will determine your cryptographic posture for the next decade.


/dev/random

In a finding that should humble every materials scientist who has ever called spider silk the toughest stuff nature produces, limpet teeth — the tiny radula of a marine snail — were confirmed to be significantly stronger, with tensile strength up to 6.5 GPa compared to spider silk's comparatively modest 4 GPa ceiling. The structure responsible is a tightly packed composite of iron-based goethite nanofibres embedded in a protein matrix, essentially a biological nanocomposite that beats most engineering materials pound-for-pound. The reason this keeps recirculating among technically-minded audiences a decade after publication is probably that it remains deeply counterintuitive: the animal famous for carrying its home on its back has teeth that could, in principle, embarrass most industrial materials. No security angle whatsoever — but if your threat model includes very small, very determined molluscs, you may want to reassess your physical perimeter.