██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

Joomla Under Siege: CISA Deadlines Blown, Exploits Active Now

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. July 13, 2026

Share

cybr.cx — Daily Digest | July 13, 2026


Critical Vulnerabilities

⚠️ Actively Exploited — Joomla Ecosystem Under Siege

Three Joomla-adjacent components are being actively weaponised right now, and CISA's remediation deadlines have already passed for two of them.

CVE-2026-48908 — JoomShaper SP Page Builder (no CVSS in NVD feed, KEV-listed) — Unauthenticated users can upload arbitrary PHP files and execute them server-side. No authentication required means mass exploitation is trivial; treat any internet-facing Joomla install running SP Page Builder as compromised until patched or removed.

CVE-2026-56290 — Joomlack Page Builder (KEV-listed) — Improper access controls enable unauthenticated arbitrary file upload leading to remote code execution. Effectively the same attack surface as CVE-2026-48908, suggesting a coordinated campaign targeting Joomla page-builder plugins.

CVE-2026-56291 — Balbooa Forms (KEV-listed, due today) — Another unauthenticated file upload flaw in a Joomla form component, permitting upload and execution of arbitrary files for full RCE. CISA's remediation deadline is today, July 13. If you haven't acted, assume breach and begin incident response.

CVE-2026-48939 — iCagenda (KEV-listed) — The file attachment feature in this Joomla event calendar plugin allows unrestricted upload of PHP files. Active exploitation confirmed; disable the attachment feature or pull the plugin immediately.


CVE-2026-55255 — Langflow | KEV-listed
⚠️ Actively exploited. An authorisation bypass lets an authenticated attacker execute any workflow belonging to another user simply by supplying a victim's flow ID in the API request. In multi-tenant Langflow deployments — common in enterprise AI tooling — this means any authenticated low-privilege user can invoke another user's agent flows, potentially exfiltrating data or triggering destructive actions. Actively exploited in the wild; restrict external access and audit flow ownership immediately.


CVE-2026-48282 — Adobe ColdFusion | KEV-listed
⚠️ Actively exploited. A path traversal vulnerability allows arbitrary code execution in the context of the running ColdFusion process. ColdFusion has historically been a high-value target for initial access brokers; exploitation in the wild is confirmed. Patch or isolate immediately — unpatched ColdFusion servers are unlikely to survive long exposure.


CVE-2026-59260 — OpenWrt luci-app-samba4 | CVSS 8.8
The Samba4 LuCI application grants file execution permission on /usr/sbin/smbd to authenticated delegated users. An attacker can pass arbitrary Samba global options — including message command — to a root smbd process, triggering command execution when SMB messages are processed. Authenticated access to the LuCI interface is required, but on home and SMB routers running OpenWrt that bar is often low.

CVE-2026-61875 / CVE-2026-61876 — OpenWrt luci-app-upnp / LuCI DHCPv6 | CVSS 8.8
Two stored XSS flaws in OpenWrt's web interface. The first allows unauthenticated LAN clients to inject JavaScript via a UPnP NewPortMappingDescription SOAP field; the second via a malicious DHCPv6 FQDN containing script tags. Both execute in the admin's browser when status pages are viewed — a straightforward path to session hijacking or credential theft on the router itself. Any device on the local network segment is a potential attacker.

CVE-2026-15480 / CVE-2026-15481 / CVE-2026-15483 / CVE-2026-15484 — TRENDnet TEW-635BRM & TEW-821DAP | CVSS 8.8
Multiple remotely exploitable stack buffer overflow and command injection flaws across two end-of-life TRENDnet routers. Public exploits exist. TRENDnet has declined to patch EOL hardware. If these devices are still in production environments, replace them — there is no remediation path.

CVE-2026-58281 — Microsoft Edge (Chromium-based) | CVSS 8.3
Deserialization of untrusted data allows unauthenticated remote code execution over a network. Details remain sparse but the attack vector is network-accessible, making this higher risk than typical browser bugs. Ensure Edge is updated to the latest channel release.


Headline News

"Januscape" Linux Kernel Privilege Escalation Draws Urgent Attention

A local privilege escalation vulnerability in the Linux kernel, publicly disclosed on July 6 and dubbed Januscape (CVE-2026-53359), has reached the broader practitioner community this week as Ubuntu confirmed mitigations are now available. The flaw affects all current Ubuntu releases and, given the kernel's ubiquity, the blast radius extends across virtually every major Linux distribution. Local privilege escalation flaws are a critical stepping stone in post-exploitation chains — an attacker with any code execution foothold, however limited, can leverage Januscape to achieve root. Mitigations are available now via Ubuntu's security channels, with full kernel patches expected imminently from upstream; administrators should apply available mitigations immediately and schedule kernel updates for the earliest feasible maintenance window. The public disclosure timeline — a week before patches are fully available — means exploitation in targeted attacks is a realistic near-term risk.


FSF Sysadmins Detail Practical Botnet Blocking with reaction

The Free Software Foundation's infrastructure team has published a detailed account of how they deploy reaction — a log-parsing, rate-limiting daemon in the vein of fail2ban — to dynamically block botnet traffic at the network level. The writeup is notable for its operational specificity: the team describes pattern matching against real attack traffic, temporary versus permanent block strategies, and the tradeoffs of aggressive blocking versus false-positive risk on a public-facing mail and web infrastructure. For defenders running self-managed Linux infrastructure without commercial WAF or bot-management budgets, this represents a practical, freely replicable defensive architecture. The transparency around what attack patterns are actually hitting FSF's servers in 2026 — credential stuffing, scanner floods, and brute-force SSH attempts — is itself useful threat intelligence for teams managing similar environments.


Schrödinger's Feed

ETH Zurich researchers have published a hardware architecture that separates quantum processing from working memory by using mechanical vibrations — phonons stored in mechanical resonators — rather than electromagnetic fields to hold quantum state. The design, published in Science, mirrors the classical CPU/RAM separation that underpins modern computing, potentially allowing quantum processors to scale without the crosstalk and decoherence that plague tightly packed qubit arrays. For cryptography, the long-term significance is real: fault-tolerant quantum computers capable of running Shor's algorithm at scale remain gated on exactly these kinds of memory and error-correction engineering problems. Practitioners investing in post-quantum cryptography migration timelines should note that architectural breakthroughs like this — even incremental ones — have a habit of compressing those timelines faster than standardisation bodies anticipate.


/dev/random

This week's philosophical heavyweight from the tech adjacent internet asks us to reconsider our pathological obsession with usefulness — arguing, with apparent sincerity, that optimising every tool, habit, and thought for instrumental value is quietly hollowing out the parts of cognition that produce genuinely novel ideas. It's a fine argument, and practitioners will recognise the irony of reading it in a productivity digest they subscribed to for actionable intelligence. The security industry, which has spent a decade demanding that everything from threat intel to training programmes demonstrate measurable ROI, may be particularly susceptible to the critique. Unstructured thinking time: CVSS score pending.