Vulnerability Intelligence Report — July 8, 2026
CISA adds 4 new KEVs: ColdFusion, Joomla, Langflow — Adobe ColdFusion CVE-2026-48282 (CVSS 10.0) due Friday | GhostLock: 15-year-old Linux kernel root/container escape via futex | Ubiquiti 11 new UniFi OS vulns (max severity command injection) | Writer AI WriteOut cross-tenant session leak | RedWing Android banking malware-as-a-service | Accenture confirms breach — 35 GB data stolen | CISA orders feds to patch ColdFusion by Friday
Previous reports: July 7, 2026 | July 6, 2026
Wednesday, July 8, 2026 — CISA broke its week-long KEV silence in a big way, adding four actively exploited vulnerabilities yesterday: Adobe ColdFusion CVE-2026-48282 (CVSS 10.0), two Joomla page builder CVEs (CVE-2026-48908 and CVE-2026-56290, both CVSS 10.0), and a Langflow IDOR vulnerability (CVE-2026-55255, CVSS 8.4). All four have a Friday July 10 deadline — organisations have just two days to patch. The day’s biggest story is “GhostLock” CVE-2026-43499: a 15-year-old use-after-free in Linux’s futex/rt-mutex code that gives any local user root access and can also escape containers. Nebula Security’s exploit is 97% reliable and Google awarded $92,337 through kernelCTF. Ubiquiti dropped patches for 11 new UniFi OS vulnerabilities including multiple CVSS 9.9 command injection flaws. Writer AI patched the “WriteOut” vulnerability that could let agent previews leak session tokens across tenants. The RedWing Android banking malware-as-a-service is being rented on Telegram for as little as $300/month. And Accenture confirmed a breach after a hacker offered 35 GB of stolen source code and data for sale.
Quick Reference — Most Important Items Today
GhostLock CVE-2026-43499: 15-year-old Linux kernel root/container escape via futex UAF — 97% reliable exploit — public PoC released
Adobe ColdFusion CVE-2026-48282: CVSS 10.0 — NEW CISA KEV — deadline FRIDAY July 10 — actively exploited — path traversal → RCE
Joomla Page Builders: CVE-2026-48908 (SP Page Builder, CVSS 10.0) + CVE-2026-56290 (Page Builder CK, CVSS 10.0) — NEW KEVs — deadline Friday
Langflow CVE-2026-55255: NEW KEV — IDOR allows authenticated users to execute any flow — deadline Friday July 10
Ubiquiti UniFi OS: 11 new CVEs — multiple CVSS 9.9 command injection — path traversal — SQL injection — patch immediately
Writer AI WriteOut: Cross-tenant session token leak via agent previews — patched by Writer
RedWing Android Banking Malware: Rented as MaaS on Telegram — $300/mo — mimics Google Play, Galaxy Store, AppGallery
Accenture Breach: 35 GB of source code and data stolen — hacker offering for sale on forum — company confirms
GhostLock (container escape): Identical futex flaw can also escape container environments — widespread impact
Overdue KEV: SharePoint +4 | SimpleHelp +6 | Cisco Unified CM +10 | PTC Windchill +10 | Ubiquiti (old) +12 | Oracle PeopleSoft +23 | Ivanti Sentry +24 | Check Point +27 (ransomware)
GhostLock CVE-2026-43499 — 15-Year-Old Linux Kernel Root/Container Escape (Public PoC)
Software affected: Linux kernel — futex/rt-mutex subsystem. Affected code has shipped by default in essentially every mainstream Linux distribution since 2011 — approximately 15 years.
CVE: CVE-2026-43499 | Dubbed “GhostLock” | Use-after-free in the kernel’s rt_mutex (real-time mutex) code, triggered via the futex subsystem | No special permissions needed — ordinary threading calls from any local program are sufficient. Nebula Security’s working exploit is 97% reliable in testing and also escapes containers. Google awarded the team $92,337 through its kernelCTF bug bounty program. Public exploit code has been published.
Status: This is a severe local privilege escalation vulnerability. Any logged-in user can gain full root control of an unpatched system. The vulnerability also enables container escape — a compromised container can break out to the host. Nebula Security has published working exploit code, making this a race condition: organisations must patch before attackers weaponise the published code. The flaw affects Linux servers, desktops, cloud instances, and container environments. Cloud providers and multi-tenant hosting platforms are at the highest risk.
Recommended action: Apply Linux kernel patches immediately as distributions release them. Prioritise multi-tenant servers, container hosts, and any system where unprivileged users have shell access. Restrict local user access where possible until patching is complete. Monitor for signs of kernel-level privilege escalation.
Official source: The Hacker News: GhostLock | NVD: CVE-2026-43499 | Nebula Security Research | Google kernelCTF
CISA Adds 4 New KEVs — Adobe ColdFusion, Joomla Page Builders, Langflow — Deadline Friday
Software affected: Adobe ColdFusion 2025.9/2023.20 and earlier; JoomShaper SP Page Builder for Joomla; Joomlack Page Builder CK for Joomla; Langflow (AI workflow tool) prior to 1.9.1.
CVE: CVE-2026-48282 (Adobe ColdFusion, CVSS 10.0, path traversal); CVE-2026-48908 (SP Page Builder, CVSS 10.0, unrestricted file upload); CVE-2026-56290 (Page Builder CK, CVSS 10.0, unauthenticated arbitrary file upload); CVE-2026-55255 (Langflow, CVSS 8.4, IDOR allowing authenticated users to execute any flow). All added to CISA KEV catalog on July 7 with a deadline of July 10, 2026.
Status: CISA has ordered federal agencies to patch all four by Friday. Adobe ColdFusion CVE-2026-48282 was confirmed as actively exploited by KEVIntel before CISA added it to KEV — this is a rapid escalation from “active exploitation” to “CISA KEV mandate” in just two days. The two Joomla page builder CVEs both involve unauthenticated file upload leading to remote code execution — Joomla is widely used in education, government, and small-to-medium business environments. The Langflow vulnerability allows an authenticated attacker to execute any AI workflow belonging to another user — particularly dangerous in multi-tenant AI development platforms.
Recommended action: Patch all four by Friday July 10. Prioritise Adobe ColdFusion (CVSS 10.0, active exploitation confirmed, CISA KEV mandate). For Joomla: update SP Page Builder and Page Builder CK extensions. For Langflow: update to version 1.9.1 or later.
Official source: The Hacker News: CISA adds 4 KEVs | BleepingComputer: CISA ColdFusion deadline | CISA KEV Catalog
Ubiquiti UniFi OS — 11 New Critical Vulnerabilities (Multiple CVSS 9.9)
Software affected: Ubiquiti UniFi OS — various devices and versions.
CVE: Multiple new CVEs across 11 vulnerabilities including CVE-2026-47369 (CVSS 9.9, command injection), CVE-2026-47370 (CVSS 9.9, command injection), CVE-2026-54402 (CVSS 9.9, command injection), CVE-2026-47368 (CVSS 8.6, path traversal), CVE-2026-54403 (CVSS 8.6, path traversal → auth bypass), CVE-2026-54404 (CVSS 8.8, SQL injection), and others spanning SSRF, CORS misconfiguration, and improper access control.
Status: Ubiquiti has released security updates patching 11 critical vulnerabilities in UniFi OS including multiple maximum-severity command injection flaws that allow low-privileged attackers with network access to execute arbitrary commands. These are separate from the existing CISA KEV-listed UniFi vulnerabilities (CVE-2026-34908/909/910) which are now 12 days overdue. The sheer volume of critical vulnerabilities in a single product release is unusual and suggests Ubiquiti conducted a significant security audit. Organisations running UniFi should prioritise these patches.
Recommended action: Apply Ubiquiti UniFi OS security updates immediately. Prioritise the command injection and path traversal vulnerabilities. Restrict network access to UniFi management interfaces to trusted IPs only. Review existing KEV-listed UniFi CVEs (CVE-2026-34908/909/910) if not yet patched.
Official source: BleepingComputer: Ubiquiti UniFi OS | Ubiquiti Security Advisory | NVD (multiple entries)
Writer AI WriteOut — Cross-Tenant Session Token Leak (Patched)
Software affected: Writer AI — enterprise generative AI platform.
CVE: No CVE assigned. Dubbed “WriteOut” by Sand Security Research. A one-click session isolation vulnerability in Writer’s agent preview feature could leak session tokens across tenants. An attacker with no prior access could take over any Writer AI organization via nothing more than a malicious link.
Status: Sand Security Research found that Writer’s sandbox previews could forward session cookies into attacker-controlled agents, enabling cross-tenant compromise. From a compromised account, an attacker could access private chats, documents, and sensitive data related to agents, configurations, private models, connectors, and LLM credentials. The vulnerability could also be abused to seize administrative control depending on the victim’s role. Writer has patched the vulnerability and says there is no evidence of exploitation.
Recommended action: No customer action required — Writer patched server-side. Organisations using Writer AI agents should review access controls and ensure sensitive agent configurations are properly scoped. The vulnerability highlights the importance of session isolation in multi-tenant AI platforms.
Official source: The Hacker News: Writer WriteOut | Sand Security Research
RedWing Android Banking Malware-as-a-Service
Software affected: Android devices — any device vulnerable to sideloaded apps and SMS phishing.
CVE: No CVE — this is a malware-as-a-service (MaaS) operation. RedWing is a new Android malware variant being rented on Telegram for $300/month. It is a variant of the Oblivion rent-a-malware tool and allows low-skill criminals to take over victims’ phones, steal banking logins, and capture one-time authentication codes.
Status: Zimperium zLabs discovered the operation. RedWing is sold as a complete product with subscription tiers, referral discounts, guides, and how-to videos. A Telegram bot builds each buyer a custom dropper app on demand. The dropper builder can mimic Google Play, Galaxy Store, and AppGallery, or build fully custom pages with fake ratings and reviews. A substantial number of the resulting droppers and payloads currently evade conventional security tools. Infection starts with a phishing link that opens a fake app-store page.
Recommended action: Android users should only install apps from official app stores. Organisations should deploy mobile threat defence (MTD) solutions that can detect sideloaded apps and fake store pages. Monitor for SMS phishing campaigns targeting employees with fake app download links.
Official source: The Hacker News: RedWing Android MaaS | Zimperium zLabs Research
Accenture Confirms Breach — 35 GB of Source Code Stolen
Software affected: N/A — this is a corporate security incident. IT services giant Accenture has confirmed it suffered a security breach after a threat actor claimed to have stolen 35 GB of source code and other data from the company.
CVE: No CVE. This is a corporate breach notification. A hacker offered stolen Accenture data for sale on a hacking forum before the company confirmed the incident.
Status: Accenture confirmed the breach in a statement. The stolen data reportedly includes source code and internal documents. Accenture is one of the world’s largest IT services and consulting companies, working with a vast range of enterprise and government clients. The breach raises concerns about supply chain risk — any source code exfiltration from an IT services giant potentially exposes proprietary systems, client configurations, and internal infrastructure details that could be used in downstream attacks.
Recommended action: Accenture clients should contact their Accenture account teams for specific impact information. Organisations should review any systems, code, or configurations shared with Accenture. Monitor credential dark web markets for Accenture-related data disclosures.
Official source: BleepingComputer: Accenture Breach
KEV Deadline Watch
FRIDAY July 10 (2 days): Adobe ColdFusion CVE-2026-48282 (CVSS 10.0) — path traversal actively exploited — CISA KEV mandate. JoomShaper SP Page Builder CVE-2026-48908 (CVSS 10.0) — unauthenticated file upload. Joomlack Page Builder CK CVE-2026-56290 (CVSS 10.0) — unauthenticated file upload. Langflow CVE-2026-55255 (CVSS 8.4) — IDOR allowing authenticated flow execution.
Overdue — July 4 (+4 days): Microsoft SharePoint CVE-2026-45659 — deserialization RCE, actively attacked. Dedicated advisory.
Overdue — July 2 (+6 days): SimpleHelp CVE-2026-48558 — exploited to deploy stealer malware. Dedicated advisory.
Overdue — June 28 (+10 days): Cisco Unified CM CVE-2026-20230 — exploitation confirmed. PTC Windchill CVE-2026-12569.
Overdue — June 26 (+12 days): Ubiquiti UniFi OS CVE-2026-34908/909/910 — now joined by 11 new CVEs.
Overdue — June 15 (+23 days): Oracle PeopleSoft CVE-2026-35273 — ransomware, ShinyHunters.
Overdue — June 14 (+24 days): Ivanti Sentry CVE-2026-10520 — OS command injection, actively exploited.
Overdue — June 11 (+27 days): Check Point CVE-2026-50751 — known ransomware use.
Updates on Items from Previous Reports
GhostLock CVE-2026-43499: NEW — 15-year-old kernel root/container escape. Public PoC published. Patch immediately.
Adobe ColdFusion CVE-2026-48282: NEW KEV — deadline Friday July 10. Previously reported as actively exploited; now CISA confirmed.
Ubiquiti UniFi OS: 11 new CVEs including multiple CVSS 9.9. Patches released. ColdFusion advisory.
Writer AI WriteOut: NEW — cross-tenant session token leak via agent previews. Server-side patched.
RedWing Android MaaS: NEW — banking malware rented on Telegram at $300/month.
Accenture Breach: NEW — 35 GB of source code stolen. Hacker offering data for sale.
Januscape CVE-2026-53359: KVM guest-to-host VM escape. Patches being distributed. Dedicated advisory.
BeyondTrust CVE-2026-40138 + 40139: Both CVSS 9.2 — patches available. Dedicated advisory.
Gitea Docker CVE-2026-20896: CVSS 9.8 — threat actors probing. Dedicated advisory.
FortiBleed: Traced to INC and Lynx ransomware. Dedicated advisory.
FortiSandbox CVE-2026-25089 + CVE-2026-26083: Both CVSS 9.8 — active exploitation. Dedicated advisory.
Oracle EBS CVE-2026-46817: CVSS 9.8 — active exploitation. Dedicated advisory.
Cisco Unified CM CVE-2026-20230: 10 days overdue. Dedicated advisory.
Cisco SD-WAN CVE-2026-20262 + CVE-2026-20245: Escalating attacks. Dedicated advisory.
Opera GX: Patched. Dedicated advisory.
North Korean PolinRider: 108 malicious packages. Dedicated advisory.
Roundcube CVE-2024-42009: China-aligned exploitation. Dedicated advisory.
Oracle PeopleSoft CVE-2026-35273: 23 days overdue. ShinyHunters breach data confirmed.
WinRAR: Code execution — patch to 7.23. Dedicated advisory.
Exchange Online + 365 Copilot: Cloud-side patched.
FBI TeamPCP: Developer tool supply chain attacks — ongoing.
AI Agent Poisoning: SEO + hidden HTML prompt injection — new threat vector class.
FatFs: 7 CVEs in embedded filesystem — millions of IoT devices. No upstream fix.
Microsoft Defender: BlueHammer ransomware campaign + disable-Defender campaign.
Medtronic/ShinyHunters: 3.8 million patients affected.
This report is compiled from official vendor advisories, the CISA KEV catalog, the NVD, and primary security research sources including BleepingComputer, The Hacker News, Security.nl, CybersecurityNews.com, Cybersecurity Dive, and Tenable CVE feeds.
