0dayNews — Vulnerability & Exploit News
Known Exploited Vulnerabilities
Balbooa Forms unauthenticated file-upload RCE
The Balbooa Forms Joomla extension (com_baforms) up to 2.4.0 accepts unauthenticated file uploads that permit dropping a PHP file to the web root, leading to remote code execution. Fixed in 2.4.1. CVSS 9.8. Added to CISA KEV on 2026-07-10.
JoomShaper SP Page Builder unauthenticated file-upload RCE
An unrestricted-file-upload flaw in JoomShaper SP Page Builder (a Joomla extension) lets unauthenticated users upload arbitrary files, leading to execution of PHP code. CVSS 9.8 critical. Added to CISA KEV on 2026-07-07 alongside two other adds.
Langflow /api/v1/responses IDOR — cross-user flow execution
An authenticated IDOR in Langflow's /api/v1/responses endpoint lets a logged-in attacker execute any other user's flow by passing the victim's flow UUID. NVD scores it 8.4 high; the vendor GHSA calls it 9.9 critical. Fixed in Langflow 1.9.1. Added to CISA KEV on 2026-07-07.
Joomlack Page Builder unauthenticated file-upload RCE
An improper access control flaw in Joomlack Page Builder (a Joomla extension) permits unauthenticated arbitrary file upload, leading to remote code execution. CVSS 9.8 critical. Added to CISA KEV on 2026-07-07 alongside two other adds.
Microsoft SharePoint Server deserialization remote code execution
A high-severity deserialization-of-untrusted-data flaw in on-premises Microsoft SharePoint Server that leads to remote code execution. Patched by Microsoft in the May 2026 security update; added to the CISA Known Exploited Vulnerabilities catalog on July 2, 2026 after confirmed exploitation in the wild.
Adobe ColdFusion path-traversal to arbitrary code execution
Unauthenticated path-traversal (CWE-22) in Adobe ColdFusion 2023 (through update 20) and 2025 (through update 9) permitting arbitrary code execution without user interaction. CVSS 10.0. Patched by Adobe on 2026-07-01 in APSB26-68 (ColdFusion 2023 update 21, 2025 update 10). Active in-the-wild exploitation confirmed by the Canadian Centre for Cyber Security on 2026-07-02; Shadowserver counts ~800 exposed instances.
From the desk

PTC Windchill PLM RCE is on KEV — shells still landing
PTC Windchill PDMLink and FlexPLM ship an unauth deserialization RCE. CISA added it to KEV on 2026-06-25. Unpatched instances are still catching JSP webshells.

Australia's ACSC names 18 CMS bugs under exploitation
Australia's ACSC named 18 CVEs across WordPress plugins, Craft CMS, Joomla JCE, and more as active exploitation targets, with attackers dropping webshells.

Gitea Docker Auth Bypass: Patch 1.26.4, CSA Confirms
Sysdig confirms the first in-the-wild hit on Gitea Docker CVE-2026-20896; Singapore CSA now warns customers; 1.26.3 shipped with a regression, so run 1.26.4.

Six U-Boot flaws trace to one libfdt helper
Binarly disclosed six bugs in U-Boot's FIT-image parsing on July 9 — two potential RCE, four DoS — all tracing to unchecked libfdt calls present since 2013.07.

Ghostcommit and the reviewers that don't open the PNG
A PNG carrying prompt injection slips past AI code reviewers that never open image files, then talks a coding agent into exfiltrating a repo's .env secrets as a list of numbers.
Silver Fox ships MODBEACON, a Rust RAT with gRPC C2
QiAnXin attributes a new Rust-based RAT called MODBEACON to Silver Fox, using gRPC streaming for encrypted C2 and SEO-poisoned installers for delivery.
This week's SITREP
Week in Review: AI Attacks Stopped Being Theoretical
Eight named AI-agent incidents in one week, another wave of Microsoft 365 device-code vishing landing on the same targets it always does, and the usual queue of edge-appliance KEV additions — Kilobaud on what the collection has in common.



