CISA Adds Langflow and Two Joomla Builders to KEV
CISA added three vulnerabilities to KEV on July 7 — a Langflow IDOR and two Joomla page-builder RCEs. Federal due date is July 10. Priority order below.
CISA added three vulnerabilities to the Known Exploited Vulnerabilities catalog on July 7 — one Langflow authorization bypass, one Joomlack Page Builder unauthenticated RCE, one JoomShaper SP Page Builder unauthenticated RCE. Federal due date on all three is 2026-07-10. Not federal? The due date is the calendar you should be reading off, not the CISA boilerplate. Here’s the honest order.
The three
CVE-2026-55255 — Langflow. An insecure direct object reference in the /api/v1/responses endpoint. Per the vendor’s GHSA-qrpv-q767-xqq2, the get_flow_by_id_or_endpoint_name helper validated ownership on endpoint-name lookups but not on UUID lookups, so an authenticated user could execute any other user’s flow by passing the victim’s flow UUID in the request. NVD scores it 8.4 high; the vendor GHSA calls it 9.9 critical. Fixed in Langflow 1.9.1 via PR #12832. Disclosed 2026-06-19.
Two things worth naming on this one. First: Langflow instances landed on the KEV catalog once already this month under a different CVE — Sysdig’s JADEPUFFER writeup documented a ransomware chain that broke in through a Langflow code-execution flaw and ran end-to-end from an LLM. A second Langflow entry in two weeks is not a coincidence — publicly reachable Langflow surfaces are drawing attention right now. Second: “authenticated” reads as friction until you look at how these deployments actually run. Shared-team Langflow instances hand out workflow-editor accounts liberally; the ownership boundary this IDOR crosses is exactly the boundary those deployments assumed the app was enforcing.
CVE-2026-56290 — Joomlack Page Builder (a Joomla extension, vendor page). Improper access control → unauthenticated arbitrary file upload → remote code execution. CVSS 9.8 critical. NVD published the record on 2026-07-07, same day CISA added it.
CVE-2026-48908 — JoomShaper SP Page Builder (a separate Joomla extension from a separate vendor, but in the same class). Unrestricted file upload → PHP code execution, unauthenticated. CVSS 9.8 critical. Also published and added to KEV on 2026-07-07.
Two Joomla page-builder RCEs, same day, same shape. That is not a coincidence either — that is what happens when a class of vulnerability lands on somebody’s crawler and works its way through a market. Read that as: whichever of these two extensions you don’t run today, look at your other page-builder extensions this week.
Priority order
Patch first: the two Joomla page builders. Unauthenticated → RCE, both of them. If you run either extension on a public-facing Joomla site, that install is one of the more predictable webshell targets on the KEV list this month. Verify what your site is running before dismissing it — check the #__extensions table if you don’t remember, or run a pass over the site’s images/ and template uploads directories looking for anything ending in .php or .phtml you did not put there. If you cannot patch the same day, take the site offline; a compromised Joomla install is the kind of thing that turns into a mail-spam relay by the following morning.
Patch second: Langflow. Authenticated, so the exposure gate is narrower — but if your Langflow instance is shared across a team, that gate is not much of one. Upgrade to Langflow 1.9.1. If you cannot upgrade this week for reasons — vendor pipeline, air-gapped deploy, whatever — restrict the /api/v1/responses endpoint at the ingress and audit the last 30 days of flow-execution logs for cross-user activity. The vendor’s fix returns a 404 on cross-user access rather than leaking flow existence via error codes, so your log signal will change shape once you patch.
Do not skip the audit step because “we don’t run federal systems.” The July 10 KEV due date is a federal deadline. The exploitation status the catalog implies is not. On these three, CISA is telling you exploitation is being observed somewhere — “somewhere” does not exclude your environment.
The score-versus-signal note
NVD and the Langflow vendor advisory disagree on the -55255 score: NVD lands at 8.4 high, the GHSA at 9.9 critical. We go with NVD for the severity badge — same policy we used on BeyondTrust three days ago — and flag both. Either way, the KEV listing is the signal, not the score. CISA added these three because it has evidence of active exploitation, not because a CVSS calculator hit a threshold. The Joomla pair are 9.8s regardless; the Langflow one crosses eight on NVD’s math and nearly ten on the vendor’s. If you are prioritizing by badge color rather than exploitation status, you are reading the wrong column.
Sourcing
- CISA. Known Exploited Vulnerabilities catalog, 2026-07-07 additions.
- Langflow. GHSA-qrpv-q767-xqq2 — Insecure Direct Object Reference on flow execution. Disclosed 2026-06-19.
- NVD records: CVE-2026-55255, CVE-2026-56290, CVE-2026-48908.
Found this useful? Share it.


