
A flaw in a common website builder is under active attack. If your site runs Joomla, update it now.
US authorities flagged four actively-exploited flaws on 7 July, two of them in popular Joomla page builders. Attackers were planting backdoors within hours of the fixes.
On 7 July the US Cybersecurity and Infrastructure Security Agency added four flaws to its Known Exploited Vulnerabilities list and gave federal agencies until 10 July to fix them. That list is kept for flaws being used in real attacks, so a place on it is a signal to act rather than a routine advisory. Two of the four sit in tools that ordinary businesses run every day: page-builder add-ons for the Joomla website platform.
What is being attacked
All four are public-facing web software. Two are add-ons for Joomla, the system many small firms use to run their website: SP Page Builder (CVE-2026-48908) and Page Builder CK (CVE-2026-56290), both rated the maximum 10 out of 10 for severity. Each lets an attacker who is not even logged in upload a file and run their own code on the server behind the site. The other two are a top-severity flaw in Adobe ColdFusion (CVE-2026-48282, also 10 out of 10), a platform for building web applications, and a flaw in Langflow (CVE-2026-55255), the AI-app tool behind last week's AI-run ransomware case.
This is moving fast
The pattern is the same in each case: a fix comes out, and attackers pile in before businesses have applied it. Security researchers saw web shells, a kind of hidden remote-control backdoor, planted on Page Builder CK sites within hours of its fix landing on 27 June. On the SP Page Builder flaw, attackers have been quietly creating hidden administrator accounts and dropping backdoors. The ColdFusion bug was being exploited within hours of the flaw becoming public, days after Adobe's 30 June patch.
Why this lands on smaller firms
It is easy to file your website under marketing rather than IT, but a public site running an out-of-date plugin is one of the simplest ways into a business. The site sits on the internet by design, the flaw needs no password, and a foothold is worth money to an attacker. Plenty of smaller firms have a Joomla or WordPress site that a web designer set up years ago and nobody has updated since. That is exactly the gap being used here.
What to do
If you run a Joomla site with either builder, update it now: SP Page Builder to 6.6.2 or later, Page Builder CK to 3.6.0 or later. If you use Adobe ColdFusion, apply Adobe's fix. If you are not sure what your website is built on or who keeps it updated, that is the question to settle this week, because 'we don't really know' reads the same as 'unpatched' to an attacker.
What this means for your business
Your website is part of your attack surface, even when you think of it as just marketing. Keeping a site and its add-ons patched is unglamorous, and it is most of the defence. We can tell you what your public-facing systems actually run, keep them updated, and scan them for the kind of known flaw being used here, so an old plugin is not left standing as an open door. If nobody is clearly responsible for patching your website, that is worth fixing now.
#WEARECOBALT
Ready when you are.
Tell us what's slowing your business down. We'll tell you exactly how we'd fix it — plainly, with no obligation.