Multiple security vulnerabilities have been identified in Joomla page builders and Adobe ColdFusion. These vulnerabilities pose a significant risk to users, with three of the four flaws carrying a top CVSS score of 10, granting full remote code execution. Affected version ranges include ColdFusion 2025 and earlier, Langflow builds before 1.9.1, Joomla page builders < 6.6.2 and < 3.6.0.
CVE-2026-48908 (CVSS 10 — Critical): This vulnerability affects the JoomShaper SP Page Builder extension for Joomla, allowing unauthenticated users to upload files and run PHP code.[/subscribe_to_unlock_form]
Multiple security vulnerabilities have been identified in Joomla page builders and Adobe ColdFusion. These vulnerabilities pose a significant risk to users, with three of the four flaws carrying a top CVSS score of 10, granting full remote code execution. Affected version ranges include ColdFusion 2025 and earlier, Langflow builds before 1.9.1, Joomla page builders < 6.6.2 and < 3.6.0.
CVE-2026-48908 (CVSS 10 — Critical): This vulnerability affects the JoomShaper SP Page Builder extension for Joomla, allowing unauthenticated users to upload files and run PHP code.[emaillocker id="1283"]
CVE-2026-56290 (CVSS 10 — Critical): This flaw impacts the Page Builder CK extension from JoomlaCK.fr, enabling an unauthenticated file upload that ends in full remote code execution.
CVE-2026-55255: This Langflow access-control bug allows an authenticated user to run another user’s flow by its ID. These vulnerabilities collectively present a high risk to users, particularly those who have not applied the available patches. Administrators should update each product without delay.
CVE-2026-48282 (CVSS 10.0 — Critical): This is a max-severity ColdFusion path traversal flaw that was exploited within hours of public disclosure.
We recommend you to update Joomla to version 1.9.1 or later and ColdFusion 2023 Update 21 and 2025 Update 10 and Joomla owners should patch or remove the affected page builders.
The following reports contain further technical details:
[/emaillocker]