Adobe ColdFusion Flaw Exploited: Patch Deadline Already Missed
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. July 12, 2026
cybr.cx Daily Digest — July 12, 2026
Critical Vulnerabilities
⚠️ Actively exploited — CVE-2026-48282 | Adobe ColdFusion | No CVSS in KEV data
A path traversal vulnerability in Adobe ColdFusion is being actively exploited in the wild and carries a CISA KEV patch deadline that has already passed (July 10). Successful exploitation allows arbitrary code execution in the context of the running service. If you have internet-facing ColdFusion instances, assume compromise and patch immediately — ColdFusion has a long history of being a high-value initial access target.
⚠️ Actively exploited — CVE-2026-56291 | Balbooa Forms (Joomla)
Unauthenticated attackers can upload executable files to servers running the Balbooa Forms component, leading to full remote code execution. No authentication is required, making this trivially weaponisable at scale. CISA's remediation deadline was July 13 — today. Patch or take the component offline now.
⚠️ Actively exploited — CVE-2026-48939 | iCagenda (Joomla)
The iCagenda event calendar component allows arbitrary file uploads — including PHP shells — through its file attachment feature, again without meaningful restriction. Exploitation is confirmed in the wild. Joomla site operators should audit installed components and remove or update iCagenda without delay.
⚠️ Actively exploited — CVE-2026-48908 | JoomShaper SP Page Builder
Another Joomla component under active attack: SP Page Builder allows unauthenticated users to upload and execute arbitrary PHP code. The pattern of three Joomla component RCE bugs being simultaneously exploited suggests coordinated mass-scanning campaigns targeting Joomla installations. Audit your component inventory.
⚠️ Actively exploited — CVE-2026-56290 | Joomlack Page Builder
Improper access controls in Joomlack's Page Builder permit unauthenticated arbitrary file upload leading to RCE — structurally identical to the SP Page Builder issue above. The clustering of these Joomla bugs in the same KEV batch strongly implies a single threat actor or toolkit scanning for all simultaneously.
⚠️ Actively exploited — CVE-2026-55255 | Langflow
An authorisation bypass in Langflow allows an authenticated attacker to execute any flow belonging to another user simply by specifying the victim's flow ID. Given that Langflow is an AI agent orchestration platform, exploitation could expose sensitive system prompts, API keys embedded in flows, or trigger destructive automated actions on behalf of other users. Patch to the latest version immediately.
CVE-2026-13353 | WP Ultimate CSV Importer (WordPress) | CVSS 8.8
Missing capability checks on multiple AJAX handlers, combined with an exposed plugin nonce, allow any authenticated user — regardless of role — to install add-ons and trigger imports that result in remote code execution. This is effectively an authenticated-to-RCE chain available to any registered WordPress user. Update to 8.0.2 or later.
CVE-2026-14262 | Simple JWT Login (WordPress) | CVSS 8.8
A logic flaw in JWT payload generation means an attacker can inject arbitrary claims into a JWT token that the plugin then trusts — bypassing authentication and potentially escalating to Administrator. Any WordPress site using JWT-based login flows should treat this as critical. Update to 3.6.7 or later.
CVE-2026-13756 | WP Grid Builder (WordPress) | CVSS 8.8
Subscriber-level users can call the /wp-json/wpgb/v2/metadata REST endpoint to write arbitrary user meta keys, enabling a clean privilege escalation to Administrator. Exploitation requires only a valid low-privilege account. Update beyond version 2.3.3 immediately.
CVE-2026-61426 | PraisonAI (AI agent framework) | CVSS 8.6
PraisonAI's default configuration binds to all network interfaces, requires no API key, and sets wildcard CORS — meaning any unauthenticated party on the network can enumerate agent instructions, read system prompts, or invoke agents entirely without authentication. Anyone running PraisonAI exposed beyond localhost should update to 1.7.3 and add network-level controls.
Headline News
GhostLock: A 15-Year Linux Kernel Privilege Escalation Hits Every Major Distro
A newly disclosed Linux kernel vulnerability tracked as CVE-2026-43499, dubbed GhostLock, has existed in every major Linux distribution since 2011. The bug is a stack use-after-free in the kernel's I/O subsystem and — critically — requires no special kernel configuration and no existing privilege to trigger. Researchers developed a working exploit with 97% stability, meaning it reliably converts to a local privilege escalation and, in demonstrated cases, full container escape. The breadth of impact here is significant: cloud infrastructure, container platforms, embedded Linux, and enterprise servers are all potentially affected. Defenders should treat this as an urgent patching priority and monitor for kernel exploit indicators, particularly on multi-tenant systems where local code execution is accessible to untrusted users.
Zimbra Classic Web Client Stored XSS — Malicious Emails Execute Code on Open
Zimbra has issued version 10.1.19 to patch a critical stored cross-site scripting vulnerability in its Classic Web Client — a component in widespread enterprise and government use. The attack vector is a malicious email: when a target simply opens the message in the Classic Web Client, attacker-controlled JavaScript executes in the context of the victim's authenticated mail session. From there, an attacker can read emails, exfiltrate contacts, pivot to connected services, or plant persistent payloads. Zimbra has historically been a favoured target for nation-state actors, and stored XSS via email is a particularly elegant delivery mechanism that bypasses many endpoint controls. Organisations still running the Classic Web Client should upgrade immediately and review mail gateway logs for anomalous inbound content.
Egyptian Hackers Breach Argentine Football Association Systems
Following Argentina's round-of-16 World Cup victory over Egypt — accompanied by immediate accusations of referee bias and FIFA corruption from Egyptian officials — a group of Egyptian-affiliated hackers breached systems belonging to the Argentine Football Association. The intrusion appears to be politically motivated, framed publicly as retaliation for perceived corruption in the tournament. While the full extent of exfiltrated data has not been confirmed, the incident follows a well-established pattern of hacktivist operations using high-profile sporting events as both motivation and cover. For security practitioners, this is a timely reminder that major international events reliably generate a surge in hacktivist activity against associated organisations — threat modelling for sports bodies, sponsors, and national federations should account for this predictable threat spike.
Schrödinger's Feed
Microsoft has accelerated its post-quantum cryptography transition as a formal component of its Secure Future Initiative, specifically citing the "harvest now, decrypt later" threat model — where adversaries are actively exfiltrating encrypted traffic today to decrypt once sufficiently powerful quantum hardware exists. The company is now driving PQC requirements into critical products and cloud services on an expedited timeline, moving beyond planning into concrete implementation. This follows NIST's finalisation of its first PQC standards and represents one of the largest real-world PQC deployments in enterprise software. Practitioners should note: if Microsoft is treating harvest-now-decrypt-later as an active, present-tense threat rather than a future concern, the window for organisations to begin their own cryptographic inventory and migration planning is closing faster than many roadmaps assume.
/dev/random
Researchers have published findings suggesting that minimalist modern interior design — think flat surfaces, uniform colours, and sparse geometric layouts — may actually impose measurable cognitive load on the human brain, which evolved to process richly textured, varied natural environments. Stripped of the visual complexity it apparently expects, the brain works harder to orient itself spatially, increasing low-level stress. The security angle writes itself: open-plan, minimalist SOC environments designed to look clean and professional may be quietly fatiguing the analysts sitting in them for 12-hour shifts. Perhaps the real threat to your detection capability isn't alert fatigue — it's the exposed concrete ceiling and the tasteful monochrome accent wall.