0dayNews — Vulnerability & Exploit News
Known Exploited Vulnerabilities
JoomShaper SP Page Builder unauthenticated file-upload RCE
An unrestricted-file-upload flaw in JoomShaper SP Page Builder (a Joomla extension) lets unauthenticated users upload arbitrary files, leading to execution of PHP code. CVSS 9.8 critical. Added to CISA KEV on 2026-07-07 alongside two other adds.
Langflow /api/v1/responses IDOR — cross-user flow execution
An authenticated IDOR in Langflow's /api/v1/responses endpoint lets a logged-in attacker execute any other user's flow by passing the victim's flow UUID. NVD scores it 8.4 high; the vendor GHSA calls it 9.9 critical. Fixed in Langflow 1.9.1. Added to CISA KEV on 2026-07-07.
Joomlack Page Builder unauthenticated file-upload RCE
An improper access control flaw in Joomlack Page Builder (a Joomla extension) permits unauthenticated arbitrary file upload, leading to remote code execution. CVSS 9.8 critical. Added to CISA KEV on 2026-07-07 alongside two other adds.
Microsoft SharePoint Server deserialization remote code execution
A high-severity deserialization-of-untrusted-data flaw in on-premises Microsoft SharePoint Server that leads to remote code execution. Patched by Microsoft in the May 2026 security update; added to the CISA Known Exploited Vulnerabilities catalog on July 2, 2026 after confirmed exploitation in the wild.
Adobe ColdFusion path-traversal to arbitrary code execution
Unauthenticated path-traversal (CWE-22) in Adobe ColdFusion 2023 (through update 20) and 2025 (through update 9) permitting arbitrary code execution without user interaction. CVSS 10.0. Patched by Adobe on 2026-07-01 in APSB26-68 (ColdFusion 2023 update 21, 2025 update 10). Active in-the-wild exploitation confirmed by the Canadian Centre for Cyber Security on 2026-07-02; Shadowserver counts ~800 exposed instances.
SimpleHelp OIDC Authentication Bypass
SimpleHelp 5.5.15 and prior accepts OIDC identity tokens without verifying their signature — a forged token yields a full technician session. CVSS 10.0, KEV, patch is 5.5.16.
From the desk

AssuranceAmerica breach: 6.9M drivers, 4-month notice gap
AssuranceAmerica confirms a March 16 intrusion exposed data on 6,998,886 drivers. Notification letters went out in July — a nearly four-month gap between detection and public notice.

Infoblox: Lurking Lizard runs 230-domain fake 7-Zip proxy
Infoblox ties a China-based residential-proxy operator to 230+ lookalike domains active since 2022, seeding fake 7-Zip and WireVPN installers.
Microsoft patches Defender 'RoguePlanet' LPE; PoC public
Microsoft shipped an out-of-band Defender engine update for RoguePlanet (CVE-2026-50656), a race-condition LPE to SYSTEM. Public PoC. Verify auto-update landed.
GhostApproval symlink bug hits six AI coding assistants
Wiz research: Amazon Q, Cursor, Claude Code, Augment, Antigravity, Windsurf all approved one file path in the dialog while writing to another via symlinks.

RedWing turns Android bank fraud into a Telegram rental
Zimperium's zLabs details RedWing, an Android bank-fraud MaaS sold on Telegram — Oblivion variant, subscription tiers, prebuilt droppers, 82 target banks.

Spain arrests suspected CARR logistics operator
Spanish police detained a Palencia man tied to CyberArmy of Russia Reborn, Z-Pentest, and NoName057(16). The announcement lands nearly four months after the raid.
This week's SITREP
Desk Briefing: the install-time gate is not the gate you think it is
Three stories on the desk in 48 hours land on the same nerve — the trust boundary around installers is porous — plus a ransomware group that never encrypted a file and a KEV status change on Defender's BlueHammer LPE.


