Two Joomla page-builder RCEs hit CISA KEV, remediation due today
CISA added CVE-2026-48908 (JoomShaper SP Page Builder) and CVE-2026-56290 (Page Builder CK) to KEV on July 7. Both CVSS 10.0, unauth file-upload to RCE. FCEB deadline: July 10.
// hacker_posts
Vulnerabilities, breaches, advisories and threat intel — covered in plain English and French.
CISA added CVE-2026-48908 (JoomShaper SP Page Builder) and CVE-2026-56290 (Page Builder CK) to KEV on July 7. Both CVSS 10.0, unauth file-upload to RCE. FCEB deadline: July 10.
Gitea's Docker template shipped REVERSE_PROXY_TRUSTED_PROXIES=* — any client can send X-WEBAUTH-USER: admin and impersonate any account. CVSS 9.8. Patched in 1.26.3, skip to 1.26.4.
Microsoft shipped Malware Protection Engine 1.1.26060.3008 on July 9 to close a race condition in mpengine.dll that hands SYSTEM to any local user. Public PoC has been circulating for a month.
A shadow-MMU use-after-free in KVM/x86 lets a root guest reach into the host on Intel VMX and AMD SVM. Stable kernels shipped the fix on July 4; embargo lifted July 6 with a public PoC.
CISA added the Langflow /api/v1/responses IDOR (CVE-2026-55255, CVSS 9.9) to KEV on July 7. Sysdig first observed exploitation on June 25. Third Langflow flaw to hit KEV in seven months.