Meet us a Black Hat! Become a Black Kite Ranger to help protect the cyber ecosystem.Learn more
BlackKite: Home
Menu
blog

FOCUS FRIDAY: TPRM Insights on Critical Vulnerabilities in JoomShaper SP Page Builder, Langflow, and Apache ActiveMQ

Published

Jul 10, 2026

Authors

Ferdi Gül

Introduction

This week's Focus Friday covers three FocusTags® addressing actively exploited and newly critical vulnerabilities across a Joomla CMS extension, an AI workflow platform, and the Apache ActiveMQ message broker: a CISA KEV-listed unauthenticated RCE in JoomShaper's SP Page Builder with confirmed in-the-wild exploitation that plants hidden Super Administrator backdoors; a CISA KEV-listed IDOR vulnerability in Langflow that allows any authenticated user to execute another user's AI flows without authorization; and a nine-CVE cluster in Apache ActiveMQ including four pre-authentication denial-of-service vulnerabilities and a default Web Console privilege escalation flaw that grants low-privilege accounts admin access. Two of the three tags received CISA KEV listings on July 7, 2026, establishing this week as a high-urgency period for TPRM teams managing web CMS infrastructure and AI platform exposure.

The JoomShaper Jope SP Page Builder vulnerability (CVE-2026-48908) represents the week's most immediately dangerous disclosure: unauthenticated file upload to PHP web shell execution through an exposed component endpoint, requiring no credentials whatsoever against Joomla sites running the affected extension. Active exploitation has already been observed in the wild, with attackers systematically planting hidden Super Administrator accounts using the pattern “Web Editor” or “Admin Backup” with @secure.local email addresses — creating persistent re-entry paths that survive patch application unless administrators also conduct a full user audit and file-system scan. The CISA KEV listing on July 7, 2026 confirms federal agency recognition of this active exploitation. The Langflow IDOR flaw (CVE-2026-55255) pairs with last week's Langflow cron injection RCE (CVE-2026-5027) to create a compounding risk picture for any vendor running Langflow: where last week's flaw allowed unauthenticated takeover, this week's vulnerability allows any authenticated user to silently access and execute another user's AI automation flows — a critical data isolation failure in multi-tenant AI workflow environments.

For third-party risk management professionals, all three tags this week highlight the expanding attack surface created by technology categories that vendors rarely list in standard assessments: Joomla CMS extensions, AI workflow automation platforms, and middleware message brokers. JoomShaper's SP Page Builder presence as a vendor-installed extension is almost never disclosed in third-party questionnaires. Langflow deployments are similarly invisible to traditional TPRM programs but increasingly central to vendor AI automation pipelines. Apache ActiveMQ's role as an enterprise message broker means a broker crash can stall every downstream payment, order, and event pipeline depending on it. Black Kite's FocusTags® translate these signals into actionable vendor intelligence without requiring vendors to self-disclose technology they typically don't surface.

Filtered view of vendors with JoomShaper SP Page Builder FocusTag® on the Black Kite platform.

Filtered view of vendors with JoomShaper SP Page Builder FocusTag® on the Black Kite platform.

JoomShaper SP Page Builder (CVE-2026-48908)

What is this vulnerability?

CVE-2026-48908 (CVSS 9.8 / CVSS 4.0: 10.0, CWE-284: Improper Access Control) is a critical unauthenticated Remote Code Execution vulnerability in JoomShaper's SP Page Builder, one of the most widely deployed page builder extensions for the Joomla CMS. The vulnerability exists in the asset.uploadCustomIcon controller task, reachable via the standard Joomla request path: index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon. This task — designed to handle custom icon uploads for administrative use — processes uploaded files without any authentication check and without any server-side restriction on the uploaded file type. The code path fails to use Joomla's built-in upload validation helpers that enforce an allowlist of safe file extensions, and it writes the uploaded file directly to a directory under the web root. An unauthenticated attacker therefore only needs to POST a PHP file to this endpoint and the server executes it — a direct, two-step path from network access to full server-side code execution with no login required. Unpublishing the SP Page Builder component does not prevent exploitation.

Active exploitation of CVE-2026-48908 has been confirmed in the wild prior to patch release. Attackers are exploiting this zero-day to upload PHP web shell backdoors and then using that access to create hidden Joomla Super Administrator accounts — typically with plausible-sounding display names such as 'Web Editor' or 'Admin Backup' and email addresses at the @secure.local domain. These backdoor accounts persist across patch application: even after updating SP Page Builder to 6.6.2, an already-compromised site retains the unauthorized Super Administrator account unless the administrator conducts an explicit user audit and removes it. This two-layer persistence mechanism — web shell plus admin account — means remediation requires more than patching. A public PoC exploit is available. CVE-2026-48908 was added to CISA's Known Exploited Vulnerabilities catalog on July 7, 2026. It is listed in the EU Vulnerability Database under EUVD-2026-38110. Approximately 3,983 internet-facing Joomla sites running com_sppagebuilder are identifiable on Shodan. Affects: SP Page Builder versions up to and including 6.6.1. Fixed in: SP Page Builder 6.6.2.

Why should TPRM professionals care?

Joomla CMS and its extension ecosystem is one of the most widely deployed web publishing platforms in the world, used by organizations across every sector for customer-facing websites, partner portals, product catalogs, digital documentation, and customer service infrastructure. SP Page Builder is among the most popular Joomla extensions, meaning its installation footprint across vendor web infrastructure is substantial — yet its presence is almost never surfaced in third-party risk assessments, technology disclosure questionnaires, or vendor software inventories. For TPRM professionals, this creates a visibility gap: a vendor's Joomla site may be actively compromised via this vulnerability while the vendor's security team has not yet identified it, precisely because the attack requires zero credentials and exploits an endpoint that most monitoring configurations do not specifically alert on.

The backdoor persistence mechanism amplifies the TPRM risk dimension significantly. When a vendor site is compromised via CVE-2026-48908, attackers gain not just temporary code execution but a persistent Super Administrator account with full control over the Joomla installation — including access to every configured integration, stored user data, connected database content, and any API keys or credentials embedded in the CMS configuration. If the vendor's Joomla instance handles customer data, processes contact forms, or integrates with backend business systems, the blast radius of this compromise extends well beyond a defaced website. The active exploitation pattern — systematic creation of @secure.local backdoor accounts across compromised sites — indicates organized threat actor activity targeting this vulnerability at scale, meaning the window between disclosure and exploitation was effectively zero.

What questions should TPRM professionals ask vendors?

  1. Has SP Page Builder been updated to version 6.6.2 or later across all Joomla installations? Given active exploitation prior to patch release, what version is currently confirmed installed?
  2. Has a full Joomla User Manager audit been conducted to identify and remove unauthorized Super Administrator accounts — specifically looking for accounts with unusual display names (e.g., 'Web Editor', 'Admin Backup') or email addresses using the @secure.local domain?
  3. Has a file-system audit of the Joomla installation directory been performed to detect PHP web shells or unexpected scripts in upload directories? A compromised server may retain a PHP file manager backdoor even after the SP Page Builder endpoint is patched, requiring active remediation beyond version upgrade.
  4. Have web server access logs been reviewed for POST requests to the asset.uploadCustomIcon endpoint that may indicate prior exploitation? What is the earliest date of suspicious activity in logs, and has any confirmed compromise been investigated as a potential data breach?
  5. re Joomla installations restricted from public internet access where operationally feasible? For internet-facing Joomla sites, what Web Application Firewall or file upload restriction controls are in place to prevent unauthorized file execution even if additional vulnerabilities emerge?

Remediation recommendations

  • Update SP Page Builder to version 6.6.2 or later immediately across all Joomla installations. This is the only release that patches the unauthorized file upload path in the asset.uploadCustomIcon endpoint.
  • Conduct a mandatory Joomla User Manager audit: check for any Super Administrator accounts with names like 'Web Editor' or 'Admin Backup' and email addresses using the @secure.local domain. Delete any unauthorized accounts found, and rotate credentials for all legitimate Super Administrator accounts as a precaution.
  • Perform a file-system scan of the Joomla installation directory and all web-root subdirectories for unexpected PHP scripts, particularly in upload directories or components directories. PHP file manager tools and web shells placed by attackers must be identified and deleted — patching alone does not remove existing backdoors.
  • Review web server logs retroactively for POST activity targeting the asset.uploadCustomIcon endpoint. If exploitation indicators are found, treat as a confirmed breach requiring full incident response including credential rotation, user audit, and data access review.
  • Implement server-side file type restrictions at the web server level to block execution of PHP files from upload directories as a defense-in-depth measure for all CMS installations.
Black Kite's JoomShaper SP Page Builder FocusTag® details critical insights on the event for TPRM professionals.

Black Kite's JoomShaper SP Page Builder FocusTag® details critical insights on the event for TPRM professionals.

Langflow - Jul2026 (CVE-2026-55255)

What is this vulnerability?

CVE-2026-55255 (CVSS 8.4, EPSS 0.23%, GitHub Advisory GHSA-qrpv-q767-xqq2) is a high-severity Insecure Direct Object Reference (IDOR) vulnerability in Langflow, the widely deployed open-source platform for building and deploying AI-powered agents and automated workflows. The vulnerability resides in the /api/v1/responses endpoint and its underlying get_flow_by_id_or_endpoint_name helper function in src/backend/base/langflow/helpers/flow.py. When a user requests access to a flow via its UUID (flow_id), the helper function queries the database to locate the flow directly by its identifier without verifying whether the authenticated requester is the owner or an authorized viewer of that flow. As a result, any authenticated Langflow user can access or execute a flow belonging to any other user simply by supplying the victim's flow UUID in the API request — bypassing Langflow's access control model entirely for this endpoint.

In multi-user or multi-tenant Langflow deployments, this vulnerability breaks the fundamental data isolation expectation: every user's flows, agent configurations, connected tool definitions, API key bindings, and workflow execution results should be visible and executable only by their owner and explicitly authorized collaborators. CVE-2026-55255 eliminates this boundary for the /api/v1/responses endpoint, allowing cross-user flow execution and access with only a valid account credential. Public PoC exploits have been reported. CVE-2026-55255 was added to CISA's Known Exploited Vulnerabilities catalog on July 7, 2026, alongside the SP Page Builder KEV listing. It is listed in the EU Vulnerability Database under EUVD-2026-38517. No active exploitation in the wild has been reported at time of publication beyond PoC availability. Affects: Langflow versions prior to 1.9.1. Fixed in: Langflow 1.9.1.

Why should TPRM professionals care?

Langflow is increasingly deployed across AI engineering teams as the orchestration layer for AI agent workflows — connecting large language models to internal data sources, APIs, databases, and business automation pipelines. Flows configured in Langflow frequently contain embedded API keys, database connection strings, internal service endpoints, and business logic that is considered proprietary. An IDOR vulnerability that allows any authenticated user to read and execute another user's flows represents a complete failure of the access control model for this data: an attacker with any Langflow account — including a low-privilege user account, a contractor account, or a compromised account — can enumerate and execute flows belonging to other users, potentially including flows connected to sensitive internal systems, flows that perform actions on behalf of privileged service accounts, or flows that expose API credentials embedded in their configuration.

For TPRM professionals, the Langflow Jul2026 tag pairs directly with last week's Langflow Jun2026 (Latest) FocusTag® (CVE-2026-5027, cron injection RCE). Together, these two CVEs create a compounding risk picture: CVE-2026-5027 allowed unauthenticated access to RCE, while CVE-2026-55255 allows any authenticated user to cross access boundaries and execute other users' flows without restriction. Any vendor running Langflow prior to 1.9.1 (and simultaneously prior to 1.10.0 for the cron injection fix) is exposed on both vectors. The CISA KEV listing confirms this vulnerability's severity beyond its CVSS 8.4 score, and TPRM teams should treat Langflow version verification as an active remediation engagement priority against any vendor known to deploy AI automation tooling.

What questions should TPRM professionals ask vendors?

  1. Has Langflow been upgraded to version 1.9.1 or later to remediate CVE-2026-55255? Additionally, has version 1.10.0 (addressing CVE-2026-5027, the cron injection RCE from last week's FocusTag®) also been applied? What is the currently deployed Langflow version confirmed via package manifest?
  2. Is the Langflow /api/v1/responses API endpoint accessible only to authenticated internal users, or is it reachable from external networks? For any internet-facing Langflow deployment, what authentication and network access controls restrict the API surface?
  3. Have Langflow access logs for the /api/v1/responses endpoint been reviewed for anomalous patterns — specifically requests from users accessing flow UUIDs they do not own — that may indicate prior exploitation of CVE-2026-55255?
  4. Do any Langflow flows contain embedded API keys, database credentials, internal service endpoint URLs, or other sensitive configuration material? If so, have those credentials been rotated as a precaution following the period of exposure to this IDOR vulnerability?
  5. Is account creation in the Langflow deployment restricted to authorized users only, and are there periodic access reviews to identify stale or unauthorized accounts? Given the authenticated attacker requirement, account hygiene is a critical compensating control.

Remediation recommendations

  • Upgrade Langflow to version 1.9.1 or later immediately to remediate CVE-2026-55255. For complete remediation of the Langflow vulnerability cluster, upgrade to version 1.10.0 or later, which also addresses CVE-2026-5027 (cron injection RCE). Both upgrades should be applied in sequence if not already completed.
  • Restrict the Langflow API surface to trusted internal networks only; eliminate any direct public internet access to Langflow's /api/v1/responses endpoint and the broader API. Deploy identity-aware proxy or VPN-gating for any Langflow instance that requires external access.
  • Review access logs for the /api/v1/responses endpoint for cross-user flow access patterns. If anomalous activity is detected, treat as a potential data access incident and review which flows were accessed, what data those flows could have exposed, and whether embedded credentials were present.
  • Audit all Langflow flows for embedded sensitive credentials or API keys. Rotate any API keys, database passwords, or service account tokens that are embedded in flow configurations that were accessible during the vulnerability window, regardless of whether exploitation has been confirmed.
  • Enforce least-privilege account management for Langflow: restrict new account creation to authorized personnel, conduct periodic access reviews to deactivate stale accounts, and implement MFA for all Langflow user accounts.
Black Kite's Langflow - Jul2026 FocusTag® details critical insights on the event for TPRM professionals.

Black Kite's Langflow - Jul2026 FocusTag® details critical insights on the event for TPRM professionals.

ActiveMQ - Jul2026 (CVE-2026-54475, CVE-2026-53917, CVE-2026-53916, CVE-2026-52760, CVE-2026-50750, CVE-2026-50734, CVE-2026-49877, CVE-2026-49434, and CVE-2026-49432)

What is this vulnerability?

A cluster of nine vulnerabilities — CVE-2026-54475, CVE-2026-53917, CVE-2026-53916, CVE-2026-52760, CVE-2026-50750, CVE-2026-50734, CVE-2026-49877, CVE-2026-49434, and CVE-2026-49432 — have been identified in Apache ActiveMQ Classic, one of the most widely deployed open-source Java message broker platforms in enterprise, financial services, and critical infrastructure environments. CVSS v3 scores across the cluster range from 6.1 (stored XSS) to 8.2 (temporary destination isolation bypass). Apache reports no in-the-wild exploitation and no public PoC for any of the nine CVEs at time of publication. None are listed in CISA's Known Exploited Vulnerabilities catalog. All nine are fixed in Apache ActiveMQ 6.2.7 (6.x branch, released June 29, 2026) and 5.19.8 (5.x branch, released June 29, 2026). Approximately 2,498 ActiveMQ instances are detectable on Shodan across affected version strings.

CVE-2026-54475 (CVSS 8.2, EPSS 0.59%): Temporary Destination Isolation Bypass. The broker verifies temporary destination ownership only on the client side. A second authenticated connection can consume messages from another connection's temporary destination, exposing reply/request data between separate tenants or sessions sharing the same broker. CVE-2026-49877 (CVSS 8.1, EPSS 0.51%): Web Console Admin Privilege Escalation. Default Jolokia authorization settings in the Jetty configuration do not restrict the /admin/* path, granting non-admin (low-privilege) Web Console users unauthorized access to admin operations including addQueue and removeQueue. CVE-2026-53917 (CVSS 7.5, EPSS 0.80%): Authenticated OpenWire Property Map DoS. An authenticated user can crash the broker by sending an OpenWire message with a crafted large encoded size value for the property map, triggering OOM. CVE-2026-49434 (CVSS 7.6, EPSS 0.66%): LdapNetworkConnector SSRF. The LdapNetworkConnector can be abused to instantiate a second broker with attacker-controlled remote properties, causing the broker to fetch an attacker-specified URL.

The four pre-authentication denial-of-service vulnerabilities are operationally the most immediately dangerous: CVE-2026-53916 (CVSS 7.5, EPSS 0.80%) — an unauthenticated STOMP NIO client can send header bytes that never terminate, causing unbounded JVM heap exhaustion; CVE-2026-50734 (CVSS 7.5, EPSS 0.80%) — a crafted WireFormatInfo frame with a malicious large size value during wire-format negotiation causes broker OOM; CVE-2026-50750 (CVSS 7.5, EPSS 0.71%) — repeated unauthenticated BrokerInfo commands without ConnectionInfo cause broker OOM; CVE-2026-49432 (CVSS 7.5, EPSS 0.84%) — STOMP headers with negative content-length overflow connection buffers. CVE-2026-52760 (CVSS 6.1, EPSS 0.56%) is a stored XSS where an authenticated producer embeds a script in a JMS message ID that executes with administrator session privileges when an admin browses the queue.

Why should TPRM professionals care?

Apache ActiveMQ is deployed at the infrastructure layer of enterprise environments as the message broker that coordinates communication between Java microservices, payment processors, order management systems, event pipelines, and legacy enterprise integration components. A crashed ActiveMQ broker — which any of the four pre-authentication DoS vulnerabilities can trigger without credentials — does not fail in isolation: it stalls every downstream service that depends on message delivery, potentially including payment processing, order fulfillment, inventory synchronization, and customer notification pipelines simultaneously. For TPRM professionals, this class of availability vulnerability carries a distinct risk profile from confidentiality or integrity flaws: the downstream business impact of a broker outage can be immediate and quantifiable in transaction volume, SLA penalties, and operational disruption.

CVE-2026-49877's Web Console admin privilege escalation adds a persistent misconfiguragion risk dimension: the incorrect default Jetty ACL configuration that grants low-privilege users admin access via Jolokia is present in all unpatched ActiveMQ deployments regardless of broker version, and it is not visible through standard monitoring. A vendor running pre-6.2.7 ActiveMQ may have had low-privilege Web Console accounts with implicit broker admin access for the entire deployment lifecycle. The LdapNetworkConnector SSRF (CVE-2026-49434) is particularly relevant for vendors that use LDAP-integrated ActiveMQ deployments, as it enables a second authenticated user to cause the broker to initiate outbound connections to attacker-controlled infrastructure.

What questions should TPRM professionals ask vendors?

  1. Have all Apache ActiveMQ instances been upgraded to version 6.2.7 (6.x branch) or 5.19.8 (5.x branch)? Both were released June 29, 2026 and address all nine CVEs. What is the confirmed installed version across all broker nodes?
  2. Are ActiveMQ broker ports (e.g., 61616 TCP for OpenWire, 61614 for STOMP) restricted from public internet exposure? Given that four of the nine CVEs are pre-authentication DoS vectors requiring only network access to the broker port, restricting broker port accessibility is the most critical compensating control for environments that cannot patch immediately.
  3. Has authentication been enforced on all ActiveMQ connectors, including STOMP connectors? Disabling unused transports (particularly unauthenticated STOMP connections) closes the pre-authentication attack surface for CVE-2026-53916 and CVE-2026-49432.
  4. Has the Web Console Jolokia configuration been audited post-upgrade to confirm that low-privilege user accounts no longer have access to /admin/* broker management operations? What Web Console roles are assigned to each user account, and when were these roles last reviewed?
  5. If the LdapNetworkConnector is in use: have LDAP search filters been restricted to tightly scoped, trusted configurations that prevent injection of attacker-controlled entries? Has LdapNetworkConnector use been audited for scope and necessity?

Remediation recommendations

  • Upgrade all Apache ActiveMQ instances to version 6.2.7 (6.x series) or 5.19.8 (5.x series) immediately. These are the only releases addressing all nine vulnerabilities across the cluster — both were released June 29, 2026 and are the current stable-supported versions.
  • Restrict all ActiveMQ broker ports (OpenWire on 61616, STOMP on 61614, AMQP on 5672, and administrative interfaces) to trusted internal network ranges. Do not expose broker ports to the public internet. Network-level restriction is the most effective compensating control for the four pre-authentication DoS CVEs.
  • Enable authentication on every ActiveMQ connector and disable unused transport protocols — particularly unauthenticated STOMP connectors where not operationally required. Authentication on STOMP eliminates the pre-authentication vector for CVE-2026-53916 and CVE-2026-49432.
  • After upgrading, audit Web Console user roles and Jolokia ACL configuration to confirm the /admin/* path restriction is in place and that low-privilege accounts no longer have access to broker management operations. Review all Web Console user accounts for appropriate role assignment.
  • If the LdapNetworkConnector is deployed, review and restrict LDAP search filter configurations to prevent abuse for SSRF via CVE-2026-49434. Monitor for anomalous outbound connections from broker hosts to external infrastructure.
Black Kite's ActiveMQ - Jul2026  FocusTag® details critical insights on the event for TPRM professionals.

Black Kite's ActiveMQ - Jul2026 FocusTag® details critical insights on the event for TPRM professionals.

How TPRM Professionals Can Leverage Black Kite for These Vulnerabilities

This week's three FocusTags® collectively illustrate a risk pattern that defines the modern TPRM challenge: the most dangerous vulnerabilities are frequently in technology categories that vendors never voluntarily disclose in risk assessments. Joomla CMS extensions are not listed in standard software inventories. AI workflow automation platforms are not captured by traditional IT asset management. Enterprise message brokers are infrastructure-layer middleware that rarely appear in surface-level technology disclosures. Yet all three categories carry this week's most urgent vulnerabilities — two with active CISA KEV listings and one with four pre-authentication availability impact vectors — and all three are detectable through external signals that Black Kite's FocusTags® translate into actionable vendor intelligence.

The JoomShaper SP Page Builder tag demonstrates FocusTags®' capacity to identify vendor web infrastructure exposure that is invisible to questionnaire-based programs: internet-facing Joomla sites with com_sppagebuilder installed are detectable externally, and the active exploitation campaign planting @secure.local Super Administrator backdoors makes immediate engagement — not just patch tracking but mandatory forensic verification — the required TPRM response. The dual Langflow tagging over consecutive weeks (CVE-2026-5027 last week, CVE-2026-55255 this week, both CISA KEV-listed) illustrates how FocusTags® enable compounding risk tracking across disclosure cycles for a single vendor technology: TPRM teams can identify vendors with Langflow exposure and escalate engagement against both CVEs as a combined remediation requirement rather than discovering each in isolation. The ActiveMQ cluster demonstrates the operational efficiency value of FocusTags® for complex, multi-CVE disclosures: rather than requiring TPRM analysts to parse nine separate NVD entries and map them to vendor technology profiles, the single ActiveMQ - Jul2026 tag delivers the consolidated exposure signal, the specific upgrade version targets, and the prioritized remediation focus — broker port restriction for pre-authentication DoS, Web Console role audit for CVE-2026-49877 — directly into the TPRM workflow.

Strengthening TPRM Outcomes with Black Kite’s FocusTags®

Black Kite's FocusTag® technology provides TPRM teams with the intelligence infrastructure needed to keep pace with an accelerating threat landscape. By automatically correlating newly disclosed vulnerabilities with the technology profiles of vendors in your ecosystem, Black Kite transforms reactive patch tracking into proactive vendor risk management.

•  Instant Vendor Exposure Mapping: FocusTags® automatically identify which vendors in your portfolio are running affected products — including CMS extensions, AI platforms, and middleware that never appear in self-disclosed technology inventories.

•  Precision-Targeted Remediation Requests: Each FocusTag® includes specific, technically grounded vendor questions — moving beyond generic patch status inquiries to version-specific, control-specific questions that surface genuine remediation versus compliance theater.

•  Continuous Risk Score Integration: FocusTag® exposure feeds directly into Black Kite's vendor risk scores, ensuring that critical vulnerability exposure is immediately reflected in your third-party risk ratings without waiting for the next scheduled assessment cycle.

•  Operational Efficiency at Scale: By consolidating multi-product vulnerability intelligence into a single prioritized view, FocusTags® enable TPRM teams to manage concurrent threat events across diverse technology categories without scaling headcount.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags® in the Last 30 Days:

  • JoomShaper SP Page Builder : CVE-2026-48908, Critical Unauthenticated Remote Code Execution Vulnerability in JoomShaper SP Page Builder.
  • Langflow - Jul2026 : CVE-2026-55255, High-Severity Insecure Direct Object Reference Vulnerability in Langflow.
  • ActiveMQ - Jul2026 : CVE-2026-53916, CVE-2026-50734, CVE-2026-50750, CVE-2026-49432, CVE-2026-54475, CVE-2026-49877, CVE-2026-49434, CVE-2026-53917, CVE-2026-52760, Multiple Apache ActiveMQ Vulnerabilities.
  • SharePoint - Jul2026: CVE-2026-45659, High-Severity Deserialization of Untrusted Data Vulnerability in Microsoft SharePoint List Item Update Workflow Allowing Low-Privilege Network Remote Code Execution.
  • ProFTPD : CVE-2026-35025, High-Severity ACL Bypass Vulnerability in ProFTPD via /proc/self/root RNFR Path Prefix Allowing Authenticated Access to Restricted Directories.
  • Cacti - Jun2026 : CVE-2026-39893, CVE-2026-39948, CVE-2026-39955, CVE-2026-39938, Critical Pre-Authentication SQL Injection, Regex Validation Bypass, and Unauthenticated Local File Inclusion Vulnerabilities in Cacti.
  • Gogs - Jun2026: CVE-2026-52813, CVE-2026-52806, CVE-2026-52811, Critical Path Traversal, Git Hook Overwrite, Rebase Argument Injection, Arbitrary OS Command Execution, and Symlink File Write Vulnerabilities in Gogs Leading to Remote Code Execution and Persistent Backdoors.
  • Squidbleed: CVE-2026-47729, CVE-2026-50012, Critical Heap Over-Read Vulnerability in Squid Proxy FTP Directory-Listing Parser Leading to Cleartext HTTP Request and Token Disclosure.
  • UniFi OS Devices: CVE-2026-34908, CVE-2026-34909, CVE-2026-34910, CVE-2026-33000, CVE-2026-34911, Critical Improper Access Control, Path Traversal, Command Injection, and Information Disclosure Vulnerabilities in UniFi OS Devices.
  • pgAdmin - Jun2026: CVE-2026-12046, CVE-2026-12045, CVE-2026-12048, Critical Unauthenticated Remote Code Execution, AI Assistant Transaction Bypass, OS Command Execution, and Stored XSS Vulnerabilities in pgAdmin 4.
  • FreeBSD - Jun2026: CVE-2026-45257, High-Severity Local Privilege Escalation Vulnerability in FreeBSD KTLS sendfile(2) Handling Allowing Page Cache Modification and Root Compromise.
  • TinyProxy - Jun2026: CVE-2026-54388, CVE-2026-54387, CVE-2026-55202, Critical HTTP Request Smuggling, CL/TE Desynchronization, Request Injection, Cache Poisoning, Access Control Bypass, and StatHost Bypass Vulnerabilities in TinyProxy.
  • NGINX Rift Chain : CVE-2026-42945, CVE-2026-46376, Critical Heap-Based Buffer Overflow and Remote Code Execution Vulnerability in NGINX ngx_http_rewrite_module.
  • FortiBleed Breach: Active exploitation of Fortinet vulnerabilities has led to confirmed breach activity, enabling attackers to compromise exposed Fortinet environments and creating significant third-party risk for affected organizations.
  • Langflow - Jun2026 (Latest): CVE-2026-5027, High-Severity Path Traversal and Unauthenticated Remote Code Execution Vulnerability in Langflow.
  • Jenkins - Jun2026 : CVE-2026-53435, CVE-2026-53441, High-Severity Deserialization Type Bypass, User Impersonation, Arbitrary File Read, Script Console Remote Code Execution, and Stored XSS Vulnerabilities in Jenkins.
  • MongoDB - Jun2026 : CVE-2026-11933, CVE-2026-9740, CVE-2026-9750, CVE-2026-9743, High-Severity Use-After-Free Memory Disclosure, Unauthenticated Denial of Service, Metadata Corruption, and Null Pointer Dereference Vulnerabilities in MongoDB.
  • LiteSpeed cPanel Plugin : CVE-2026-54420, High-Severity Privilege Escalation to Root Vulnerability in LiteSpeed cPanel Plugin.
  • SimpleHelp - Jun2026 : CVE-2026-48558, Critical OIDC Authentication Bypass and Administrative Account Takeover Vulnerability in SimpleHelp.
  • Automatic Tank Gauge (ATG) Systems : Critical Internet-Exposed Automatic Tank Gauge Systems Enabling Unauthenticated Remote Command Execution.
  • LiteLLM : CVE-2026-42271, High-Severity Authenticated Command Execution Vulnerability in LiteLLM AI Proxy Server.

See Black Kite's full CVE Database and the critical TPRM vulnerabilities that have an applied  FocusTags® at https://blackkite.com/cve-database.

References

https://nvd.nist.gov/vuln/detail/CVE-2026-48908
https://mysites.guru/blog/sp-page-builder-zero-day-uploadcustomicon-rce/
https://www.cve.org/CVERecord?id=CVE-2026-48908
https://nvd.nist.gov/vuln/detail/CVE-2026-55255
https://github.com/langflow-ai/langflow/security/advisories/GHSA-qrpv-q767-xqq2
https://webflow.sysdig.com/blog/understanding-langflow-cve-2026-55255-and-why-higher-cvss-vulnerabilities-arent-always-the-most-exploited
https://activemq.apache.org/components/classic/security
https://activemq.apache.org/components/classic/download/
https://securityonline.info/apache-activemq-vulnerabilities-cve-2026-54475/
https://nvd.nist.gov/vuln/detail/CVE-2026-54475
https://nvd.nist.gov/vuln/detail/CVE-2026-53917
https://nvd.nist.gov/vuln/detail/CVE-2026-53916
https://nvd.nist.gov/vuln/detail/CVE-2026-52760
https://nvd.nist.gov/vuln/detail/CVE-2026-50750
https://nvd.nist.gov/vuln/detail/CVE-2026-50734
https://nvd.nist.gov/vuln/detail/CVE-2026-49877
https://nvd.nist.gov/vuln/detail/CVE-2026-49434
https://nvd.nist.gov/vuln/detail/CVE-2026-49432