CISA Adds Three Exploited Vulnerabilities in JoomShaper, Langflow to KEV Catalog
CISA has added CVE-2026-48908, CVE-2026-55255, and CVE-2026-56290 to its Known Exploited Vulnerabilities (KEV) Catalog, citing active exploitation.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added three new vulnerabilities to its catalog of Known Exploited Vulnerabilities (KEV). The inclusion of these flaws, identified as CVE-2026-48908, CVE-2026-55255, and CVE-2026-56290, signifies that evidence of active exploitation has been observed in the wild, posing a significant risk to organizations.
CVE-2026-48908 specifically targets JoomShaper's SP Page Builder, an unrestricted file upload vulnerability that could allow attackers to upload dangerous file types. Another vulnerability, CVE-2026-55255, affects Langflow and involves an authorization bypass mechanism that can be exploited through a user-controlled key. The third addition, CVE-2026-56290, impacts Joomlack Page Builder and is categorized as an improper access control vulnerability.
These types of vulnerabilities are frequently leveraged by malicious cyber actors as an attack vector. Their inclusion in the KEV Catalog underscores the urgency for organizations to address them, particularly those operating within the federal government. CISA's Binding Operational Directive (BOD) 26-04 mandates that Federal Civilian Executive Branch (FCEB) agencies prioritize the remediation of vulnerabilities listed in the KEV Catalog, especially on publicly facing assets that could grant complete control of a system post-exploitation.
BOD 26-04 emphasizes a risk-based approach to vulnerability management, requiring agencies to focus on high-risk flaws first. This directive reinforces the critical role of the KEV Catalog in identifying and prioritizing the patching of vulnerabilities that pose the most immediate threat. The directive also outlines basic expectations for agencies to check for signs of compromise before applying patches, a crucial step in mitigating the impact of ongoing attacks.
While BOD 26-04 is specifically applicable to FCEB agencies, CISA strongly encourages all organizations, regardless of sector, to adopt similar risk-based vulnerability management practices. Prioritizing the remediation of vulnerabilities listed in the KEV Catalog is a proactive measure that can significantly enhance an organization's security posture against active threats.
CISA remains committed to continuously updating the KEV Catalog as new evidence of exploitation emerges. The agency relies on information from various sources to identify vulnerabilities that meet the criteria for inclusion, which include having a CVE ID, documented evidence of exploitation, and clear mitigation guidance.
Organizations that become aware of an exploited vulnerability not yet present in the KEV Catalog are encouraged to submit it for consideration through CISA's KEV Nomination Form. This collaborative effort helps ensure the catalog remains a comprehensive and up-to-date resource for the cybersecurity community, aiding in the collective defense against evolving cyber threats.