(TLP:CLEAR) Weekly Vulnerabilities to Prioritize – July 9, 2026
Created: Thursday, July 9, 2026 - 13:43
Categories: Cybersecurity, Security Preparedness
The below vulnerabilities have been identified by WaterISAC analysts as important for water and wastewater utilities to prioritize in their vulnerability management efforts. WaterISAC shares critical vulnerabilities that affect widely used products and may be under active exploitation. WaterISAC draws additional awareness in alerts and advisories when vulnerabilities are confirmed to be impacting, or have a high likelihood of impacting, water and wastewater utilities. Members are encouraged to regularly review these vulnerabilities, many of which are often included in CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
Adobe ColdFusion Path Traversal Vulnerability
CVSS 3.1: 10.0CVEs: CVE-2026-48282
Description: ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability that could lead to arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed. CISA added this vulnerabilities to its Known Exploited Vulnerability Catalog.
Source: https://helpx.adobe.com/security/products/coldfusion/apsb26-68.html
Additional Reading:
- CVE-2026-48282: Mitigating a Critical Vulnerability in Adobe ColdFusion
- Attackers exploit critical Adobe ColdFusion vulnerability (CVE-2026-48282)
JoomShaper SP Page Builder Unrestricted Upload of File with Dangerous Type Vulnerability
CVSS 4.0: 10.0
CVEs: CVE-2026-48908
Description: A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code. CISA added this vulnerabilities to its Known Exploited Vulnerability Catalog.
Original Source: https://www.cve.org/CVERecord?id=CVE-2026-48908
Langflow Authorization Bypass Through User-Controlled Key Vulnerability
CVSS v3.1: 8.4
CVE: CVE-2026-55255
Description: Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, an Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim’s flow ID in the request. This vulnerability is fixed in 1.9.1. CISA added this vulnerabilities to its Known Exploited Vulnerability Catalog.
Source: https://github.com/langflow-ai/langflow/security/advisories/GHSA-qrpv-q767-xqq2
Microsoft Defender Elevation of Privilege Vulnerability
CVSS v3.1: 7.8
CVE: CVE-2026-50656
Description: Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender publicly referred to as “RoguePlanet.”
Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50656
Linux Kernel KVM/x86 Shadow Paging Use-After-Free Vulnerability
CVSS: N/A
CVEs: CVE-2026-53359.
Original Source: https://www.cve.org/CVERecord?id=CVE-2026-53359
Joomlack Page Builder Improper Access Control Vulnerability
CVSS 4.0: 10.0
CVEs: CVE-2026-56290
Description: The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE. CISA added this vulnerabilities to its Known Exploited Vulnerability Catalog.
Original Source: https://www.cve.org/CVERecord?id=CVE-2026-56290
