0dayNews — Vulnerability & Exploit News
Known Exploited Vulnerabilities
Balbooa Forms unauthenticated file-upload RCE
The Balbooa Forms Joomla extension (com_baforms) up to 2.4.0 accepts unauthenticated file uploads that permit dropping a PHP file to the web root, leading to remote code execution. Fixed in 2.4.1. CVSS 9.8. Added to CISA KEV on 2026-07-10.
JoomShaper SP Page Builder unauthenticated file-upload RCE
An unrestricted-file-upload flaw in JoomShaper SP Page Builder (a Joomla extension) lets unauthenticated users upload arbitrary files, leading to execution of PHP code. CVSS 9.8 critical. Added to CISA KEV on 2026-07-07 alongside two other adds.
Langflow /api/v1/responses IDOR — cross-user flow execution
An authenticated IDOR in Langflow's /api/v1/responses endpoint lets a logged-in attacker execute any other user's flow by passing the victim's flow UUID. NVD scores it 8.4 high; the vendor GHSA calls it 9.9 critical. Fixed in Langflow 1.9.1. Added to CISA KEV on 2026-07-07.
Joomlack Page Builder unauthenticated file-upload RCE
An improper access control flaw in Joomlack Page Builder (a Joomla extension) permits unauthenticated arbitrary file upload, leading to remote code execution. CVSS 9.8 critical. Added to CISA KEV on 2026-07-07 alongside two other adds.
Microsoft SharePoint Server deserialization remote code execution
A high-severity deserialization-of-untrusted-data flaw in on-premises Microsoft SharePoint Server that leads to remote code execution. Patched by Microsoft in the May 2026 security update; added to the CISA Known Exploited Vulnerabilities catalog on July 2, 2026 after confirmed exploitation in the wild.
Adobe ColdFusion path-traversal to arbitrary code execution
Unauthenticated path-traversal (CWE-22) in Adobe ColdFusion 2023 (through update 20) and 2025 (through update 9) permitting arbitrary code execution without user interaction. CVSS 10.0. Patched by Adobe on 2026-07-01 in APSB26-68 (ColdFusion 2023 update 21, 2025 update 10). Active in-the-wild exploitation confirmed by the Canadian Centre for Cyber Security on 2026-07-02; Shadowserver counts ~800 exposed instances.
From the desk

MemGhost: an email that rewrites an AI agent's memory
arXiv paper: one crafted email talks a memory-enabled AI agent into writing attacker-supplied 'facts' into its memory files. Future sessions load them.

CISA postmortem: nine alerts ignored, six months exposed
CISA's postmortem on its own six-month GitHub credential leak faults slow key rotation and nine ignored GitGuardian alerts — signal without intake.

Lidl online shop breach hits DE, BE, NL via provider
Lidl says a file at an unnamed service provider was accessed; DE/BE/NL online shop customer PII taken. Passwords and payment data not yet ruled out.

Huntress Flags Suspected AI-Written PowerShell in AD Case
Huntress attributes an early-June AD enumeration case to a PowerShell script with clear LLM tells — cyan-and-green banners and 'FULLY FIXED' in the title.

First joint EU-UK cyber sanctions name 33 Russian targets
The EU Council named 9 individuals and 4 entities; the UK named 24 more. FSB Center 16, Sandworm, Turla, Lumma Stealer, and Rybar LLC are on the list.

Seven years on, CVE-2018-0171 draws a 13-state advisory
US, UK, and eleven allied governments co-signed a July 13 advisory naming FSB Centre 16 as the actor still pulling configs off end-of-life Cisco routers via CVE-2018-0171.




