0dayNews — Vulnerability & Exploit News
Known Exploited Vulnerabilities
JoomShaper SP Page Builder unauthenticated file-upload RCE
An unrestricted-file-upload flaw in JoomShaper SP Page Builder (a Joomla extension) lets unauthenticated users upload arbitrary files, leading to execution of PHP code. CVSS 9.8 critical. Added to CISA KEV on 2026-07-07 alongside two other adds.
Langflow /api/v1/responses IDOR — cross-user flow execution
An authenticated IDOR in Langflow's /api/v1/responses endpoint lets a logged-in attacker execute any other user's flow by passing the victim's flow UUID. NVD scores it 8.4 high; the vendor GHSA calls it 9.9 critical. Fixed in Langflow 1.9.1. Added to CISA KEV on 2026-07-07.
Joomlack Page Builder unauthenticated file-upload RCE
An improper access control flaw in Joomlack Page Builder (a Joomla extension) permits unauthenticated arbitrary file upload, leading to remote code execution. CVSS 9.8 critical. Added to CISA KEV on 2026-07-07 alongside two other adds.
Microsoft SharePoint Server deserialization remote code execution
A high-severity deserialization-of-untrusted-data flaw in on-premises Microsoft SharePoint Server that leads to remote code execution. Patched by Microsoft in the May 2026 security update; added to the CISA Known Exploited Vulnerabilities catalog on July 2, 2026 after confirmed exploitation in the wild.
Adobe ColdFusion path-traversal to arbitrary code execution
Unauthenticated path-traversal (CWE-22) in Adobe ColdFusion 2023 (through update 20) and 2025 (through update 9) permitting arbitrary code execution without user interaction. CVSS 10.0. Patched by Adobe on 2026-07-01 in APSB26-68 (ColdFusion 2023 update 21, 2025 update 10). Active in-the-wild exploitation confirmed by the Canadian Centre for Cyber Security on 2026-07-02; Shadowserver counts ~800 exposed instances.
SimpleHelp OIDC Authentication Bypass
SimpleHelp 5.5.15 and prior accepts OIDC identity tokens without verifying their signature — a forged token yields a full technician session. CVSS 10.0, KEV, patch is 5.5.16.
From the desk

Ill Bloom is a $3.1M lesson in weak randomness, again
Coinspect disclosed weak PRNG in wallet recovery-phrase generation; attackers drained $3.1M in a May sweep. The pattern — bad randomness, stolen keys — is old.

Ex-DigitalMint negotiator gets 70 months for BlackCat scheme
Angelo Martino, ex-DigitalMint IR employee, sentenced to 70 months for feeding BlackCat victims' insurance limits and negotiation floors. An old failure mode.

Meta's Muse Image defaults on for public Instagram
Meta's new Muse Image model reuses public Instagram photos and reels by default — no notification, no watermark discussion, opt-out three levels deep in Sharing settings.

The clearinghouse boom is not new, and neither is the fatigue
Chainguard announced Athena. Red Hat and the White House announced Lightwell. Vulnerability clearinghouses have been getting reannounced since the 1980s.
The ATO fight moved past credential stuffing
The Hacker News argues account takeover shifted from credential stuffing to attacking verification — passkeys pushed the front door shut, so attackers moved.
Talos on 'attackers only need to be right once'
Cisco Talos's Hazel argues 'attackers only need to be right once' is a cliché the defensive community should retire. It's overdue.
This week's SITREP
Desk Briefing: the install-time gate is not the gate you think it is
Three stories on the desk in 48 hours land on the same nerve — the trust boundary around installers is porous — plus a ransomware group that never encrypted a file and a KEV status change on Defender's BlueHammer LPE.


