Cybersecurity law
Cybersecurity and Infrastructure Security Agency, Alert, "CISA Adds Three Known Exploited Vulnerabilities to Catalog," issued July 7, 2026. Vulnerabilities added to the Known Exploited Vulnerabilities (KEV) Catalog:
(1) CVE-2026-48908 — JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability. JoomShaper SP Page Builder contains an unrestricted upload of file with dangerous type vulnerability that allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code. Reported CVSS 10.0. Exploited as a zero-day via HTTP POST to index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon, followed by creation of a Super User account. Vendor reference: extensions.joomla.org/extension/sp-page-builder/. Fixed in SP Page Builder 6.6.2.
(2) CVE-2026-55255 — Langflow Authorization Bypass Through User-Controlled Key Vulnerability. Langflow contains an authorization bypass through user-controlled key vulnerability which allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request. Vendor reference: github.com/langflow-ai/langflow/security/advisories/GHSA-qrpv-q767-xqq2. NVD: nvd.nist.gov/vuln/detail/CVE-2026-55255.
(3) CVE-2026-56290 — Joomlack Page Builder Improper Access Control Vulnerability. Joomlack Page Builder contains an improper access control vulnerability that could allow for remote code execution via unauthenticated arbitrary file upload. Reported CVSS 9.8. Exploitation observed from June 27, 2026 delivering web shells. Fixed in Page Builder CK 3.6.0. Vendor reference: joomlack.fr/en/joomla-extensions/page-builder-ck.
Required action for all three: "Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA's BOD 26-04 Prioritizing Security Updates Based on Risk guidance and CISA's Forensics Triage Requirements." For CVE-2026-56290 and CVE-2026-48908, CISA adds: "Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable."
Remediation deadline for Federal Civilian Executive Branch agencies: July 10, 2026.
Authority. Binding Operational Directive 26-04, "Prioritizing Security Updates Based on Risk," which replaced BOD 22-01 in June 2026. BOD 26-04 establishes vulnerability management requirements for FCEB agencies, reinforces the KEV Catalog, and requires agencies to prioritize rapid remediation of high-risk vulnerabilities — specifically CVEs listed in the KEV Catalog on publicly exposed assets that grant total control of the asset post-exploitation — while deferring action for lower-risk vulnerabilities. It replaces BOD 22-01's uniform two-week clock with variable deadlines keyed to severity and active exploitation. Implementation guidance and Forensics Triage Requirements at cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk. BOD 26-04 binds FCEB agencies only; CISA strongly urges all organizations to prioritize timely remediation of KEV-listed vulnerabilities.
SAME-DAY SEPARATE ALERT. CVE-2026-48282 (Adobe ColdFusion, path traversal permitting arbitrary code execution, CVSS 10.0, affecting ColdFusion 2025.9, 2023.20, and earlier; vendor advisory APSB26-68, July 1, 2026) was added to the KEV Catalog on July 7, 2026 under a separate CISA alert, with the same July 10, 2026 FCEB deadline. Reported exploitation within approximately two hours of public disclosure. NOT covered by this row. Recommend a separate laws row.
AI law
CVE-2026-55255 is the first entry in the KEV Catalog for an AI agent orchestration platform. Technically a cross-tenant insecure direct object reference (IDOR). Sysdig Threat Research Team observed first known active exploitation on June 25, 2026, by an operator (reported as 45.207.216[.]55) who, on an internet-exposed Langflow instance first probed three days earlier, executed application and authentication reconnaissance, flow enumeration, the CVE-2026-55255 IDOR, and a sustained loop of CVE-2026-33017 unauthenticated RCE with outbound connection attempts. Campaign period June 22-25, 2026; assessed as opportunistic and financially motivated, with post-exploitation payloads fetching a second-stage downloader delivering additional malware. Objects of theft: large language model provider API keys and AWS credentials held in tenant flows.
Severity-scoring divergence. Public reporting of the CVSS score for CVE-2026-55255 is inconsistent (6.1, 8.4, and 9.9 all appear in secondary sources). CISA does not assign CVSS; the KEV listing turns on evidence of active exploitation, not score. The operational point, uncontested across sources, is that the IDOR is the only path crossing tenant boundaries on managed or multi-tenant deployments where RCE is sandboxed per tenant, and that successful exploitation is not distinguishable from normal flow execution except by an anomalous flow ID in /api/v1/responses access logs.
Seventh distinct Langflow flaw in active or recent exploitation within the preceding year, alongside CVE-2025-3248, CVE-2025-34291, CVE-2026-0770, CVE-2026-5027, CVE-2026-21445, and CVE-2026-33017.
Adjacent development, reported by Sysdig and relevant to AI governance: the first documented fully agentic ransomware operation (reported designation JADEPUFFER), in which a human operator deployed an AI agent and provisioned infrastructure permitting the agent to conduct an entire extortion operation end to end, using a Langflow instance as the initial access vector via CVE-2025-3248. Sysdig's account and the vendor commentary are secondary sources; only the KEV listing itself and BOD 26-04 are official.
URL CORRECTION. Ingested primary_citation_url was cisa.gov/news-events/alerts/2026/07/07/cisa-adds-four-known-exploited-vulnerabilities-catalog. No official CISA alert bearing that slug was located. The official alert containing this CVE set is titled "CISA Adds Three Known Exploited Vulnerabilities to Catalog." The ingested law_name asserting four CVEs conflates two same-day alerts. Corrected.
VERIFICATION NOTE. cisa.gov blocks automated fetch (bot detection). Alert title, the three CVE entries, required actions, BOD 26-04 authority, and the Forensics Triage Requirements were confirmed from official cisa.gov alert-page and KEV-catalog content via indexed retrieval, and corroborated across six independent security-press accounts. url_validation_status=verified reflects that chain, not a direct HTTP 200.
CORPUS GAP. BOD 26-04, "Prioritizing Security Updates Based on Risk" (issued June 2026, replacing BOD 22-01), is NOT in the Docket Daily corpus. Per established Docket Daily taxonomy, CISA Binding Operational Directives are classified instrument_type=regulation under Cybersecurity Law. This is the operative directive behind every KEV alert now being ingested; every alert row cites an authority the corpus does not contain. Highest-priority ingest.