The US cybersecurity agency CISA on Tuesday warned that vulnerabilities in Adobe ColdFusion, Langflow, and two Joomla extensions have been exploited in the wild.

Tracked as CVE-2026-48282 (CVSS score of 10/10), the ColdFusion bug was flagged as exploited only days after Adobe rolled out patches for it on June 30. It is a path traversal issue that allows attackers to execute arbitrary code.

The Langflow security defect, tracked as CVE-2026-55255 (CVSS score of 9.9), is described as a cross-tenant insecure direct object reference (IDOR) weakness that allows attackers to execute flows belonging to other users by supplying a flow UUID. It was patched in Langflow version 1.9.1.

On June 26, cybersecurity firm Sysdig warned that hackers had started exploiting the critical-severity vulnerability in the wild, despite there being no public proof-of-concept (PoC) exploit at the time.

As part of the observed attacks, a threat actor performed host reconnaissance, harvested flow IDs, replayed the IDs to trigger the IDOR, and chained in CVE-2026-33017, a remote code execution (RCE) bug in Langflow that was patched in March.