Cyber Threat Brief — July 8 2026

⚠️ This report is AI-generated. Always validate findings.

1. Joomla Page Builder Double-Tap — CVE-2026-48908 / CVE-2026-56290

TL;DR: CISA KEV’d two independent Joomla page builder plugins on July 7 — both CVSS 10.0 unauthenticated file upload to RCE, both actively exploited with webshell persistence and rogue admin creation.

What’s New:

  • CVE-2026-48908 (SP Page Builder <=6.6.1): asset.uploadCustomIcon task accepts any file type with no auth; attacker uploads PHP shell, reads configuration.php for DB creds, inserts rogue Super Admin
  • CVE-2026-56290 (Page Builder CK <=3.5.10): front-end upload endpoint gated only by CSRF token readable from any page; attacker chooses upload directory
  • Both CISA KEV’d July 7; SP Page Builder exploited since late June, Page Builder CK exploited within hours of patch release
  • SP Page Builder fixed in 6.6.2; Page Builder CK fixed in 3.6.0
  • Identical kill chain: unauthenticated multipart POST -> PHP webshell -> DB credential theft -> admin persistence

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
POST to ?option=com_sppagebuilder&task=asset.uploadCustomIconURI patternT1190WAF / web access logsBlock and alert
POST to Page Builder CK upload endpoint with .php fileURI patternT1190WAF / web access logsBlock and alert
New .php files in images/ or media/ Joomla dirsFile creationT1505.003File integrity / Sysmon EID 11Alert on PHP file creation in media paths
Rogue Super Admin account in Joomla #__users tablePersistenceT1136.001Joomla admin audit log / DB queryHunt for unexpected admin accounts
Read of configuration.php from web processCredential accessT1552.001Web server process monitoringAlert on config file reads by web process children

Detection

SourceRuleGap
Splunk ESCUWeb Shell Indicator (generic)No Joomla-specific upload endpoint rule
ElasticWebshell Detection via File Creation (generic)No rule for Joomla component-specific upload abuse
Sigmawebshell_detection_file_creation.yml (generic)Need Joomla com_sppagebuilder / com_ckbuilder URI-specific signatures

Sources: CISA KEV Alert July 7 · mySites.guru SP Page Builder · CCB Belgium CVE-2026-56290


2. Gitea Docker Auth Bypass — CVE-2026-20896

TL;DR: Official Gitea Docker images ship with REVERSE_PROXY_TRUSTED_PROXIES = *, letting any remote attacker impersonate any user (including admin) via a single X-WEBAUTH-USER header — active probing confirmed July 7, 6,200+ instances exposed.

What’s New:

  • Sysdig detected first ITW exploitation attempts 13 days after June 24 disclosure; initial recon from ProtonVPN exit node 159.26.98[.]241
  • Automated scanning confirmed: port fingerprinting, Gitea deployment identification, then auth bypass attempts targeting admin accounts
  • Public PoC on GitHub (rz1027/CVE-2026-20896) with detector script
  • CVSS 9.8; affects all Gitea Docker images <= 1.26.2 with reverse proxy auth enabled
  • Fixed in 1.26.3: wildcard removed, reverse-proxy auth now opt-in

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
X-WEBAUTH-USER header from non-proxy IPsHTTP header injectionT1078.001Reverse proxy / WAF logsAlert on header from untrusted source IPs
159.26.98[.]241 (ProtonVPN)Attacker IPT1595.002Firewall / IDSBlock; known scanning source
REVERSE_PROXY_TRUSTED_PROXIES = * in app.iniMisconfigurationT1562.001Config auditRemediate to 127.0.0.0/8,::1/128
Admin API key creation by unexpected userPrivilege escalationT1098.001Gitea audit logHunt for new admin tokens
New repos, webhooks, or deploy keys post-compromisePersistenceT1098Gitea audit logHunt for unauthorized repo/webhook changes

Detection

SourceRuleGap
Splunk ESCUNoneNo Gitea-specific detection; need proxy header injection rule
ElasticNoneNo rule for X-WEBAUTH-USER abuse
SigmaNoneNeed web_proxy_header_injection.yml for trusted proxy bypass pattern

Sources: The Hacker News · SecurityWeek · GitHub PoC


3. Bad Epoll Linux Kernel LPE — CVE-2026-46242

TL;DR: A use-after-free race in the Linux kernel’s epoll subsystem (6.4+) gives any unprivileged local user root with 99% reliability — public PoC live, patch available since April but many distros still unpatched.

What’s New:

  • PoC by Jaeyoung Chung (J-jaeyoung/bad-epoll) submitted to Google kernelCTF; 99% success rate on kernel 6.12
  • 6-instruction race window in ep_remove(): concurrent close clears epoll link while file release frees backing object, giving 8-byte use-after-free write
  • Cross-cache attack escalates UAF to struct file control -> kernel ROP chain -> root
  • Affects Linux 6.4+ kernels including Android (confirmed on Pixel 10, kernel 6.6)
  • Fixed upstream April 24 (commit a6dc643c); many enterprise distros still awaiting backports
  • No ITW exploitation yet, but Chrome renderer sandbox escape path noted by researchers

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
Anomalous root process from low-privilege parentProcess ancestryT1068auditd / Sysmon for LinuxAlert on uid=0 exec from uid>=1000 parent
Rapid epoll_ctl + close syscall sequencesSyscall patternT1068auditd (syscall logging)Hunt for high-frequency epoll race patterns
Kernel version >= 6.4 without April 2026 patchVulnerable configT1068Asset inventoryPrioritize kernel updates
Unexpected kernel module loads post-exploitationPersistenceT1547.006auditd / kernel logsAlert on module loads from non-standard paths

Detection

SourceRuleGap
Splunk ESCULinux Possible Access Or Modification Of sshd Related Files (post-exploitation)No epoll-specific exploit detection rule
ElasticPrivilege Escalation via Named Pipe Impersonation (Windows-only, not applicable)No Linux kernel race exploit detection
Sigmaproc_creation_lnx_susp_privilege_escalation.yml (generic)Need epoll race-specific syscall audit rule

Sources: The Hacker News · SecurityWeek PoC · GitHub PoC


4. Langflow IDOR Auth Bypass — CVE-2026-55255

TL;DR: CISA KEV’d July 7 — authenticated attackers can execute any other user’s AI flows via IDOR in /api/v1/responses, actively exploited since June 25 per Sysdig; this is Langflow’s third exploited CVE of 2026.

What’s New:

  • IDOR in /api/v1/responses endpoint: flow identifier resolved without ownership check, letting any authenticated user execute another user’s flows
  • Active exploitation confirmed June 25 by Sysdig TRT; CISA and VulnCheck confirm ITW
  • Cross-tenant access enables unauthorized invocation of AI workflows, data exposure, and potential RCE if target flows have code execution nodes
  • Fixed in Langflow 1.9.2
  • Third Langflow exploited CVE this year after CVE-2026-33017 (code injection) and CVE-2026-5027 (path traversal)

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
Cross-user flow execution via /api/v1/responsesIDORT1078.004Langflow application logsAlert on flow execution where caller != flow owner
Langflow version < 1.9.2Vulnerable versionT1190Asset inventoryUpgrade immediately
Anomalous flow execution volume per userAbuse indicatorT1059Langflow audit logsBaseline and alert on execution count anomalies

Detection

SourceRuleGap
Splunk ESCUNoneNo Langflow-specific detection
ElasticNoneNo Langflow-specific detection
SigmaNoneNeed Langflow API audit log parsing and cross-user execution rule

Sources: CISA KEV Alert July 7 · Sysdig Blog


5. ChocoPoC Supply Chain RAT — Targeting Security Researchers

TL;DR: YesWeHack and Sekoia disclosed a live campaign weaponizing fake GitHub PoC repos with a PyPI-delivered RAT that steals browser credentials and executes arbitrary commands — at least 7 repos and 2,400+ package downloads confirmed.

What’s New:

  • Malicious PoC repos add frint PyPI package to requirements; frint installs skytext containing compiled Python extension with anti-sandbox trigger (only activates when EXPLOIT_POC.py exists in working dir)
  • RAT payload downloaded from Mapbox dataset after trigger fires; capabilities: shell/Python command execution, browser password/cookie/autofill/history theft, process enumeration, network config exfil
  • 7 confirmed repos impersonating PoCs for: FortiWeb (CVE-2025-64446), PAN-OS (CVE-2026-0257), Ivanti Sentry (CVE-2026-10520), Check Point VPN (CVE-2026-50751), Joomla SP Page Builder (CVE-2026-48908), and 2 others
  • skytext package downloaded 2,400+ times (mostly Linux); downloads surge following new CVE disclosures
  • Campaign still live as of July 7 per Sekoia

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
PyPI packages frint, skytextMalicious dependencyT1195.001Package manager logs / pip auditBlock and scan for installation
Mapbox dataset C2 for payload downloadC2 infrastructureT1102.001Proxy / DNS logsHunt for unusual Mapbox API calls from dev workstations
EXPLOIT_POC.py trigger file checkAnti-sandbox evasionT1497.001EDR / process monitoringAlert on file existence checks for this filename
Browser credential store access from Python processCredential theftT1555.003EDR / SysmonAlert on Python accessing Chrome/Firefox credential DBs
GitHub repos: FortiWeb/PAN-OS/Ivanti/CheckPoint/Joomla fake PoCsLure reposT1195.001Developer activity logsWarn researchers; verify PoC repos before cloning

Detection

SourceRuleGap
Splunk ESCUSuspicious Python Process Accessing Browser Credentials (if available)No PyPI supply chain trigger detection
ElasticSuspicious Python Child Process (generic)No PoC repo supply chain detection
Sigmaproc_creation_lnx_susp_python_browser_access.yml (if exists)Need rule for pip installing known-malicious packages

Sources: BleepingComputer · Sekoia Blog · The Hacker News


Status Updates

  • CVE-2026-50656 (Windows Defender RoguePlanet): Still UNPATCHED zero-day. No new artifacts since June 30 Splunk ESCU Analytics Story release. Original brief.
  • CVE-2026-20253 (Splunk Enterprise PostgreSQL Sidecar): Active ITW exploitation ongoing per Splunk PSIRT. Federal deadline passed June 21. No new artifacts. Original brief.
  • CVE-2026-33017 / CVE-2026-5027 (Langflow): JADEPUFFER agentic ransomware campaign documented by Sysdig July 2 — first end-to-end AI-driven ransomware used Langflow CVE-2025-3248 for initial access, pivoted to Nacos database extortion. Sysdig JADEPUFFER blog.