0dayNews — Vulnerability & Exploit News
Known Exploited Vulnerabilities
JoomShaper SP Page Builder unauthenticated file-upload RCE
An unrestricted-file-upload flaw in JoomShaper SP Page Builder (a Joomla extension) lets unauthenticated users upload arbitrary files, leading to execution of PHP code. CVSS 9.8 critical. Added to CISA KEV on 2026-07-07 alongside two other adds.
Langflow /api/v1/responses IDOR — cross-user flow execution
An authenticated IDOR in Langflow's /api/v1/responses endpoint lets a logged-in attacker execute any other user's flow by passing the victim's flow UUID. NVD scores it 8.4 high; the vendor GHSA calls it 9.9 critical. Fixed in Langflow 1.9.1. Added to CISA KEV on 2026-07-07.
Joomlack Page Builder unauthenticated file-upload RCE
An improper access control flaw in Joomlack Page Builder (a Joomla extension) permits unauthenticated arbitrary file upload, leading to remote code execution. CVSS 9.8 critical. Added to CISA KEV on 2026-07-07 alongside two other adds.
Microsoft SharePoint Server deserialization remote code execution
A high-severity deserialization-of-untrusted-data flaw in on-premises Microsoft SharePoint Server that leads to remote code execution. Patched by Microsoft in the May 2026 security update; added to the CISA Known Exploited Vulnerabilities catalog on July 2, 2026 after confirmed exploitation in the wild.
Adobe ColdFusion path-traversal to arbitrary code execution
Unauthenticated path-traversal (CWE-22) in Adobe ColdFusion 2023 (through update 20) and 2025 (through update 9) permitting arbitrary code execution without user interaction. CVSS 10.0. Patched by Adobe on 2026-07-01 in APSB26-68 (ColdFusion 2023 update 21, 2025 update 10). Active in-the-wild exploitation confirmed by the Canadian Centre for Cyber Security on 2026-07-02; Shadowserver counts ~800 exposed instances.
SimpleHelp Authentication Bypass Vulnerability
SimpleHelp contains an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacker can submit a forged token containing arbitrary identity claims to obtain a fully authenticated technician session. In some configurations, this may also allow bypass of multi-factor authentication.
From the desk
GitLost: Public Issue Leaks Private GitHub Repo Data
Noma Security's GitLost shows how a public GitHub issue can trick Agentic Workflows into leaking private repos. Not patchable — scope your agent tokens today.
Ubiquiti Patches Max-Severity UniFi Connect Command Injection
Ubiquiti Bulletin 066 patches seven critical UniFi flaws, headlined by a CVSS 10.0 command injection in UniFi Connect 3.4.16 and earlier. Fix: 3.4.20 or later.
Dialogflow's Rogue Agent Flaw Is a Very Old Bug Class
Varonis' Rogue Agent finding in Google Dialogflow CX is a shared-runtime exec() escape — a bug class old enough to have graduated shared hosting.
GhostLock: 15-Year Linux Kernel Root/Container Escape
Nebula Security's GhostLock (CVE-2026-43499) — a 15-year-old futex use-after-free — hits every mainstream Linux distro. Escapes containers. Patch again.
DEBULL Kit Runs M365 Device-Code Phishing, Storm-2372
ZeroBEC reports DEBULL — a device-code phishing kit repackaging Storm-2372 tradecraft — active against M365 tenants late June to early July. Block it.
CISA Adds Langflow and Two Joomla Builders to KEV
CISA added three vulnerabilities to KEV on July 7 — a Langflow IDOR and two Joomla page-builder RCEs. Federal due date is July 10. Priority order below.
This week's SITREP
Desk Briefing: the install-time gate is not the gate you think it is
Three stories on the desk in 48 hours land on the same nerve — the trust boundary around installers is porous — plus a ransomware group that never encrypted a file and a KEV status change on Defender's BlueHammer LPE.


