Cyber Threat Brief — July 8 2026
1. Joomla Page Builder Double-Tap — CVE-2026-48908 / CVE-2026-56290
TL;DR: CISA KEV’d two independent Joomla page builder plugins on July 7 — both CVSS 10.0 unauthenticated file upload to RCE, both actively exploited with webshell persistence and rogue admin creation.
What’s New:
- CVE-2026-48908 (SP Page Builder <=6.6.1):
asset.uploadCustomIcontask accepts any file type with no auth; attacker uploads PHP shell, readsconfiguration.phpfor DB creds, inserts rogue Super Admin - CVE-2026-56290 (Page Builder CK <=3.5.10): front-end upload endpoint gated only by CSRF token readable from any page; attacker chooses upload directory
- Both CISA KEV’d July 7; SP Page Builder exploited since late June, Page Builder CK exploited within hours of patch release
- SP Page Builder fixed in 6.6.2; Page Builder CK fixed in 3.6.0
- Identical kill chain: unauthenticated multipart POST -> PHP webshell -> DB credential theft -> admin persistence
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
POST to ?option=com_sppagebuilder&task=asset.uploadCustomIcon | URI pattern | T1190 | WAF / web access logs | Block and alert |
POST to Page Builder CK upload endpoint with .php file | URI pattern | T1190 | WAF / web access logs | Block and alert |
New .php files in images/ or media/ Joomla dirs | File creation | T1505.003 | File integrity / Sysmon EID 11 | Alert on PHP file creation in media paths |
Rogue Super Admin account in Joomla #__users table | Persistence | T1136.001 | Joomla admin audit log / DB query | Hunt for unexpected admin accounts |
Read of configuration.php from web process | Credential access | T1552.001 | Web server process monitoring | Alert on config file reads by web process children |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Web Shell Indicator (generic) | No Joomla-specific upload endpoint rule |
| Elastic | Webshell Detection via File Creation (generic) | No rule for Joomla component-specific upload abuse |
| Sigma | webshell_detection_file_creation.yml (generic) | Need Joomla com_sppagebuilder / com_ckbuilder URI-specific signatures |
Sources: CISA KEV Alert July 7 · mySites.guru SP Page Builder · CCB Belgium CVE-2026-56290
2. Gitea Docker Auth Bypass — CVE-2026-20896
TL;DR: Official Gitea Docker images ship with REVERSE_PROXY_TRUSTED_PROXIES = *, letting any remote attacker impersonate any user (including admin) via a single X-WEBAUTH-USER header — active probing confirmed July 7, 6,200+ instances exposed.
What’s New:
- Sysdig detected first ITW exploitation attempts 13 days after June 24 disclosure; initial recon from ProtonVPN exit node 159.26.98[.]241
- Automated scanning confirmed: port fingerprinting, Gitea deployment identification, then auth bypass attempts targeting admin accounts
- Public PoC on GitHub (rz1027/CVE-2026-20896) with detector script
- CVSS 9.8; affects all Gitea Docker images <= 1.26.2 with reverse proxy auth enabled
- Fixed in 1.26.3: wildcard removed, reverse-proxy auth now opt-in
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
X-WEBAUTH-USER header from non-proxy IPs | HTTP header injection | T1078.001 | Reverse proxy / WAF logs | Alert on header from untrusted source IPs |
| 159.26.98[.]241 (ProtonVPN) | Attacker IP | T1595.002 | Firewall / IDS | Block; known scanning source |
REVERSE_PROXY_TRUSTED_PROXIES = * in app.ini | Misconfiguration | T1562.001 | Config audit | Remediate to 127.0.0.0/8,::1/128 |
| Admin API key creation by unexpected user | Privilege escalation | T1098.001 | Gitea audit log | Hunt for new admin tokens |
| New repos, webhooks, or deploy keys post-compromise | Persistence | T1098 | Gitea audit log | Hunt for unauthorized repo/webhook changes |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No Gitea-specific detection; need proxy header injection rule |
| Elastic | None | No rule for X-WEBAUTH-USER abuse |
| Sigma | None | Need web_proxy_header_injection.yml for trusted proxy bypass pattern |
Sources: The Hacker News · SecurityWeek · GitHub PoC
3. Bad Epoll Linux Kernel LPE — CVE-2026-46242
TL;DR: A use-after-free race in the Linux kernel’s epoll subsystem (6.4+) gives any unprivileged local user root with 99% reliability — public PoC live, patch available since April but many distros still unpatched.
What’s New:
- PoC by Jaeyoung Chung (J-jaeyoung/bad-epoll) submitted to Google kernelCTF; 99% success rate on kernel 6.12
- 6-instruction race window in
ep_remove(): concurrent close clears epoll link while file release frees backing object, giving 8-byte use-after-free write - Cross-cache attack escalates UAF to
struct filecontrol -> kernel ROP chain -> root - Affects Linux 6.4+ kernels including Android (confirmed on Pixel 10, kernel 6.6)
- Fixed upstream April 24 (commit a6dc643c); many enterprise distros still awaiting backports
- No ITW exploitation yet, but Chrome renderer sandbox escape path noted by researchers
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Anomalous root process from low-privilege parent | Process ancestry | T1068 | auditd / Sysmon for Linux | Alert on uid=0 exec from uid>=1000 parent |
Rapid epoll_ctl + close syscall sequences | Syscall pattern | T1068 | auditd (syscall logging) | Hunt for high-frequency epoll race patterns |
| Kernel version >= 6.4 without April 2026 patch | Vulnerable config | T1068 | Asset inventory | Prioritize kernel updates |
| Unexpected kernel module loads post-exploitation | Persistence | T1547.006 | auditd / kernel logs | Alert on module loads from non-standard paths |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Linux Possible Access Or Modification Of sshd Related Files (post-exploitation) | No epoll-specific exploit detection rule |
| Elastic | Privilege Escalation via Named Pipe Impersonation (Windows-only, not applicable) | No Linux kernel race exploit detection |
| Sigma | proc_creation_lnx_susp_privilege_escalation.yml (generic) | Need epoll race-specific syscall audit rule |
Sources: The Hacker News · SecurityWeek PoC · GitHub PoC
4. Langflow IDOR Auth Bypass — CVE-2026-55255
TL;DR: CISA KEV’d July 7 — authenticated attackers can execute any other user’s AI flows via IDOR in /api/v1/responses, actively exploited since June 25 per Sysdig; this is Langflow’s third exploited CVE of 2026.
What’s New:
- IDOR in
/api/v1/responsesendpoint: flow identifier resolved without ownership check, letting any authenticated user execute another user’s flows - Active exploitation confirmed June 25 by Sysdig TRT; CISA and VulnCheck confirm ITW
- Cross-tenant access enables unauthorized invocation of AI workflows, data exposure, and potential RCE if target flows have code execution nodes
- Fixed in Langflow 1.9.2
- Third Langflow exploited CVE this year after CVE-2026-33017 (code injection) and CVE-2026-5027 (path traversal)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
Cross-user flow execution via /api/v1/responses | IDOR | T1078.004 | Langflow application logs | Alert on flow execution where caller != flow owner |
| Langflow version < 1.9.2 | Vulnerable version | T1190 | Asset inventory | Upgrade immediately |
| Anomalous flow execution volume per user | Abuse indicator | T1059 | Langflow audit logs | Baseline and alert on execution count anomalies |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No Langflow-specific detection |
| Elastic | None | No Langflow-specific detection |
| Sigma | None | Need Langflow API audit log parsing and cross-user execution rule |
Sources: CISA KEV Alert July 7 · Sysdig Blog
5. ChocoPoC Supply Chain RAT — Targeting Security Researchers
TL;DR: YesWeHack and Sekoia disclosed a live campaign weaponizing fake GitHub PoC repos with a PyPI-delivered RAT that steals browser credentials and executes arbitrary commands — at least 7 repos and 2,400+ package downloads confirmed.
What’s New:
- Malicious PoC repos add
frintPyPI package to requirements;frintinstallsskytextcontaining compiled Python extension with anti-sandbox trigger (only activates whenEXPLOIT_POC.pyexists in working dir) - RAT payload downloaded from Mapbox dataset after trigger fires; capabilities: shell/Python command execution, browser password/cookie/autofill/history theft, process enumeration, network config exfil
- 7 confirmed repos impersonating PoCs for: FortiWeb (CVE-2025-64446), PAN-OS (CVE-2026-0257), Ivanti Sentry (CVE-2026-10520), Check Point VPN (CVE-2026-50751), Joomla SP Page Builder (CVE-2026-48908), and 2 others
skytextpackage downloaded 2,400+ times (mostly Linux); downloads surge following new CVE disclosures- Campaign still live as of July 7 per Sekoia
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
PyPI packages frint, skytext | Malicious dependency | T1195.001 | Package manager logs / pip audit | Block and scan for installation |
| Mapbox dataset C2 for payload download | C2 infrastructure | T1102.001 | Proxy / DNS logs | Hunt for unusual Mapbox API calls from dev workstations |
EXPLOIT_POC.py trigger file check | Anti-sandbox evasion | T1497.001 | EDR / process monitoring | Alert on file existence checks for this filename |
| Browser credential store access from Python process | Credential theft | T1555.003 | EDR / Sysmon | Alert on Python accessing Chrome/Firefox credential DBs |
| GitHub repos: FortiWeb/PAN-OS/Ivanti/CheckPoint/Joomla fake PoCs | Lure repos | T1195.001 | Developer activity logs | Warn researchers; verify PoC repos before cloning |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Suspicious Python Process Accessing Browser Credentials (if available) | No PyPI supply chain trigger detection |
| Elastic | Suspicious Python Child Process (generic) | No PoC repo supply chain detection |
| Sigma | proc_creation_lnx_susp_python_browser_access.yml (if exists) | Need rule for pip installing known-malicious packages |
Sources: BleepingComputer · Sekoia Blog · The Hacker News
Status Updates
- CVE-2026-50656 (Windows Defender RoguePlanet): Still UNPATCHED zero-day. No new artifacts since June 30 Splunk ESCU Analytics Story release. Original brief.
- CVE-2026-20253 (Splunk Enterprise PostgreSQL Sidecar): Active ITW exploitation ongoing per Splunk PSIRT. Federal deadline passed June 21. No new artifacts. Original brief.
- CVE-2026-33017 / CVE-2026-5027 (Langflow): JADEPUFFER agentic ransomware campaign documented by Sysdig July 2 — first end-to-end AI-driven ransomware used Langflow CVE-2025-3248 for initial access, pivoted to Nacos database extortion. Sysdig JADEPUFFER blog.