0dayNews — Vulnerability & Exploit News
Known Exploited Vulnerabilities
Balbooa Forms unauthenticated file-upload RCE
The Balbooa Forms Joomla extension (com_baforms) up to 2.4.0 accepts unauthenticated file uploads that permit dropping a PHP file to the web root, leading to remote code execution. Fixed in 2.4.1. CVSS 9.8. Added to CISA KEV on 2026-07-10.
JoomShaper SP Page Builder unauthenticated file-upload RCE
An unrestricted-file-upload flaw in JoomShaper SP Page Builder (a Joomla extension) lets unauthenticated users upload arbitrary files, leading to execution of PHP code. CVSS 9.8 critical. Added to CISA KEV on 2026-07-07 alongside two other adds.
Langflow /api/v1/responses IDOR — cross-user flow execution
An authenticated IDOR in Langflow's /api/v1/responses endpoint lets a logged-in attacker execute any other user's flow by passing the victim's flow UUID. NVD scores it 8.4 high; the vendor GHSA calls it 9.9 critical. Fixed in Langflow 1.9.1. Added to CISA KEV on 2026-07-07.
Joomlack Page Builder unauthenticated file-upload RCE
An improper access control flaw in Joomlack Page Builder (a Joomla extension) permits unauthenticated arbitrary file upload, leading to remote code execution. CVSS 9.8 critical. Added to CISA KEV on 2026-07-07 alongside two other adds.
Microsoft SharePoint Server deserialization remote code execution
A high-severity deserialization-of-untrusted-data flaw in on-premises Microsoft SharePoint Server that leads to remote code execution. Patched by Microsoft in the May 2026 security update; added to the CISA Known Exploited Vulnerabilities catalog on July 2, 2026 after confirmed exploitation in the wild.
Adobe ColdFusion path-traversal to arbitrary code execution
Unauthenticated path-traversal (CWE-22) in Adobe ColdFusion 2023 (through update 20) and 2025 (through update 9) permitting arbitrary code execution without user interaction. CVSS 10.0. Patched by Adobe on 2026-07-01 in APSB26-68 (ColdFusion 2023 update 21, 2025 update 10). Active in-the-wild exploitation confirmed by the Canadian Centre for Cyber Security on 2026-07-02; Shadowserver counts ~800 exposed instances.
From the desk
Silver Fox ships MODBEACON, a Rust RAT with gRPC C2
QiAnXin attributes a new Rust-based RAT called MODBEACON to Silver Fox, using gRPC streaming for encrypted C2 and SEO-poisoned installers for delivery.
Metasploit Weekly Adds Flowise CSV, macOS PackageKit
Rapid7's Metasploit weekly drops two modules — a Flowise CSV Agent prompt-injection RCE and a macOS PackageKit LPE. New tooling, not new bugs.

OpenMandriva contributor deleted GNOME and Cosmic repos
Davide Beatrici, a three-year OpenMandriva admin, deleted the Cosmic and GNOME repositories and pushed an obsoleting empty package into Cooker on July 8.
Zimbra ships 10.1.19; Google TAG reported the XSS
Zimbra 10.1.19 patches a stored XSS in the Classic Web Client. No CVE yet, no confirmed exploitation — Google TAG reported it, which is the reason to patch now.

npm 12 turns install scripts off by default
npm 12 defaults allowScripts to off and deprecates 2FA-bypass tokens. Closes the install-hook branch; does not touch the maintainer-account one.

A seized crypto account that moved from a cell
Rossen Iossifov, ten years into a laundering sentence, is charged with moving $290K from a seized crypto account. The interesting part is it still moved.
This week's SITREP
Desk Briefing: the install-time gate is not the gate you think it is
Three stories on the desk in 48 hours land on the same nerve — the trust boundary around installers is porous — plus a ransomware group that never encrypted a file and a KEV status change on Defender's BlueHammer LPE.
