██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

Adobe ColdFusion Zero-Day Exploited; CISA Demands Urgent Patch

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. July 10, 2026

Share

cybr.cx Daily Digest — July 10, 2026


Critical Vulnerabilities

⚠️ Actively exploited — CVE-2026-48282 | Adobe ColdFusion | CVSS: N/A (KEV listed)
Adobe ColdFusion contains a path traversal vulnerability that leads directly to arbitrary code execution under the current user's context. CISA added this to the Known Exploited Vulnerabilities catalogue on July 7 with a remediation deadline of today — if you haven't patched already, assume you're behind the clock. ColdFusion installations exposed to the internet should be treated as high-priority targets; patch or isolate immediately.

⚠️ Actively exploited — CVE-2026-48908 | JoomShaper SP Page Builder (Joomla) | CVSS: N/A (KEV listed)
This unauthenticated arbitrary file upload flaw in JoomShaper's SP Page Builder allows attackers to drop and execute PHP webshells without any credentials whatsoever. CISA's remediation deadline is today. Any Joomla site running SP Page Builder should be treated as potentially compromised if left unpatched — check for unexpected PHP files in upload directories.

⚠️ Actively exploited — CVE-2026-56290 | Joomlack Page Builder | CVSS: N/A (KEV listed)
A near-identical unauthenticated arbitrary file upload vulnerability exists in Joomlack's competing Page Builder product, also enabling remote code execution. Two separate Joomla page-builder components with critical unauthenticated upload flaws being exploited simultaneously suggests targeted attention on the Joomla ecosystem. Audit all Joomla installations across your estate today.

⚠️ Actively exploited — CVE-2026-55255 | Langflow | CVSS: N/A (KEV listed)
Langflow's authorization model can be bypassed by any authenticated user who simply specifies another user's flow ID in an API request, allowing full execution of that flow. In AI-workflow environments, this can mean exfiltrating credentials, triggering data pipeline actions, or pivoting to connected systems under a victim's identity. If Langflow is part of your AI infrastructure, patch to a remediated version and audit flow access logs for anomalous cross-user execution.

CVE-2026-58459 | gpsd (through release-3.27.5) | CVSS: 7.8 HIGH
A command injection vulnerability in gpsd's gpsprof tool allows an attacker who controls the GPS device subtype value — sourced from a DEVICES JSON log or NMEA PGRMT sentence — to embed backtick payloads in gnuplot plot titles that execute arbitrary shell commands. The attack surface is anyone parsing untrusted GPS data, including maritime, automotive, and IoT deployments. Fixed at commit 4c06658; update or sanitise subtype input at the integration boundary.

CVE-2026-59206 | n8n (prior to 1.123.61 / 2.27.4 / 2.28.1) | CVSS: 7.1 HIGH
An authenticated n8n user with default workflow:create permissions can pollute Object.prototype through a crafted workflow, causing unauthenticated HTTP requests to be treated as privileged. This effectively allows privilege escalation to admin-equivalent access from a standard user account and exposes user and project listing endpoints. Update to the patched releases; self-hosted instances are particularly at risk if multi-tenant or externally accessible.

CVE-2026-15270 | D-Link DIR-823G 1.0.2B05_20181207 | CVSS: 7.5 HIGH
A least-privilege violation in the D-Link DIR-823G's web interface (/etc/boa/boa.conf) allows remote privilege escalation, though exploitation requires a high level of complexity. This is an end-of-life device with no vendor patch forthcoming — if it's still on your network or in a client environment, replace it. Consumer-grade EOL routers remain a persistent blind spot in SMB and branch office security.


Headline News

Ubiquiti UniFi Hit by Seven Critical Vulnerabilities Including Maximum-Severity Command Injection

Ubiquiti has released patches addressing seven critical vulnerabilities in UniFi OS, headlined by CVE-2026-50746 — a maximum-severity command injection flaw in the UniFi Connect Application. The vulnerability allows an attacker to execute arbitrary commands on affected devices, which in many deployments means full network infrastructure compromise given UniFi's role in managing access points, switches, and gateways. UniFi equipment is ubiquitous in SMBs, enterprise branch offices, and managed service provider stacks, making the blast radius significant. Practitioners should prioritise updating UniFi OS across all managed controllers immediately, and audit for any indicators of lateral movement from network infrastructure to adjacent segments. The breadth of the patch batch — seven critical findings at once — suggests either a coordinated external research disclosure or an internal audit that uncovered systemic issues in the codebase.

Malicious Paysafe and Skrill SDKs on npm and PyPI Harvesting Developer Credentials

A supply chain campaign has been identified on both npm and PyPI distributing fake SDKs impersonating legitimate packages for Paysafe, Skrill, and Neteller — three widely used payment processing platforms. The malicious packages delivered stealer malware targeting developer credentials, session tokens, and likely payment API keys stored in local environments. The attack follows a well-worn playbook: register plausible package names, surface them in search results, and wait for developers integrating payment functionality to install them during project setup or dependency updates. Any developer who recently integrated Paysafe, Skrill, or Neteller functionality should audit their package.json and requirements.txt for unexpected package names, rotate all API credentials, and scan CI/CD environments for persistence mechanisms. This campaign is a reminder that typosquatting and brand impersonation on public registries remain a cost-effective initial access vector with high credential yield.


Schrödinger's Feed

A German government-backed consortium called TruQuaC (Trustworthy Quantum Control and Communication) has launched a €3.06 million project specifically focused on building a secure control-plane and gateway architecture for distributed quantum systems — a rarely discussed but critical layer of the quantum stack. As quantum hardware scales from single QPUs to networked, distributed architectures, the classical control plane becomes an attractive attack surface: whoever controls the orchestration layer controls the computation. This is one of the first funded research efforts explicitly treating distributed quantum orchestration as a security engineering problem rather than purely a physics or performance one. Practitioners building quantum-adjacent infrastructure or advising on post-quantum roadmaps should watch this space — the security properties of the quantum control plane will matter long before cryptographically relevant quantum computers arrive.


/dev/random

A solo developer has shipped what the train simulation community is calling the finest entry in the genre — built entirely by one person. The security angle? Zero. The achievement is the story: a single developer apparently out-shipped entire studios with dedicated QA, art, and engineering teams across the full product cycle. It's the kind of project that makes you reconsider your threat model for "what can one motivated person accomplish" — which, depending on whether that person is building train sims or writing exploit chains, lands very differently. Somewhere, a CISO is showing this to their board as a parable about insider risk; somewhere else, a red teamer is using it as motivation.