On July 7, 2026, the U.S. Cybersecurity and Infrastructure Security Agency added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. All three are under active exploitation, targeting widely used Joomla page builders and the Langflow low-code platform. The move triggers mandatory patching deadlines for federal agencies and raises the alarm for any organization running these tools.

What Actually Changed: The Three New Entries

CISA’s latest KEV update fills out the picture on a trio of flaws that attackers are already using in the wild. The additions include vulnerabilities in:

  • JoomShaper SP Page Builder – a popular drag-and-drop page design extension for Joomla sites, with over 200,000 active installs.
  • Joomlack Page Builder (also known as Page Builder CK) – another widely adopted Joomla page construction tool employed by thousands of websites.
  • Langflow – an open-source, low-code platform for building AI workflows and agents, often deployed in enterprise environments for rapid prototyping and RAG (retrieval-augmented generation) applications.

At the time of this writing, CISA has not publicly associated CVE identifiers with these entries, though the KEV catalog typically includes that information as soon as it becomes available from the vendor or research community. The agency’s criteria for KEV inclusion are strict: evidence of active exploitation, a clear remediation path, and a significant risk to federal information systems. The July 7 additions meet those thresholds, signaling immediate danger.

What It Means for You: Who Is Affected and How

The practical consequences vary depending on your role and infrastructure. Here’s a breakdown.

Website Owners and Joomla Administrators

If your Joomla site uses SP Page Builder or Page Builder CK, assume you are at risk until you patch. The nature of these page builder vulnerabilities is not yet detailed, but historically, flaws in Joomla extensions often lead to unauthorized access, remote code execution, or site defacement. Attackers commonly chain such issues to inject malware, steal user data, or use compromised sites for further attacks. Do not wait for a public exploit to appear—it’s already here.

For Joomla site operators, this is not a drill. Even if you’re not a federal agency, the active exploitation status means automated attack scripts are likely scanning for vulnerable versions right now. If you delay patching, a breach is a matter of when, not if.

Langflow Users and AI Developers

Langflow is a relative newcomer in the AI toolchain space, used for building and experimenting with large language model pipelines. An authorization flaw could allow attackers to bypass permissions, access sensitive workflows, or manipulate AI model interactions. For enterprises embedding Langflow into production systems, the exposure could include proprietary data leakage or backdooring of AI decision-making processes. Validate your Langflow deployments immediately and look for an update from the maintainers.

Federal Agencies and BOD 22-01 Compliance

Under Binding Operational Directive 22-01, federal civilian executive branch agencies must remediate KEV-listed vulnerabilities within strict timeframes—usually 14 days, though high-risk entries sometimes get a 7-day deadline. Agency IT security teams should check CDM dashboards and asset inventories for affected products today. If the software is present but no patch exists yet, CISA expects agencies to apply mitigations or remove the product until a fix is available.

IT Professionals and Managed Service Providers

If you manage Joomla sites for clients or run shared-hosting environments, you’re on the front lines. Scan your fleet immediately for SP Page Builder and Page Builder CK versions. The same goes for any client or internal system running Langflow. Automated patch management tools may already have updates queued; if not, manual updates are in order.

How We Got Here: A Pattern of Third-Party Risk

The July 2026 additions are not isolated events. They fit into a long-standing pattern where third-party Joomla extensions become the weakest link, even when the Joomla core is up to date. Here’s the context.

Joomla’s Extension Ecosystem and Attack Surface

Joomla powers about 2.5% of all websites, and its extension marketplace is vast. Page builders like SP Page Builder and Page Builder CK are heavily used because they let non-technical users craft complex layouts. But that popularity also paints a bright red target for attackers. In 2024 and 2025 alone, CISA added multiple Joomla-related vulnerabilities to the KEV, including issues in Joomla core and extensions like JCE Editor and Kunena Forum. The consistent thread: poor input validation, insecure deserialization, or missing authorization checks in extensions that are rarely audited as rigorously as the core CMS.

The Rise of Langflow and AI Platform Security

Langflow’s appearance in the KEV marks a notable expansion. The platform, hosted on GitHub with over 30,000 stars, gained rapid adoption for building AI chatbots, document analysis tools, and multi-step reasoning agents. Its Python-based, drag-and-drop interface makes it appealing to developers who might not have a strong security background. An authorization flaw in such a tool could allow attackers to craft malicious flows that exfiltrate data or pivot deeper into corporate networks, especially in environments where Langflow is connected to internal APIs and databases.

CISA’s KEV Catalog Evolution

Since its launch in November 2021, the KEV catalog has grown into the authoritative list of vulnerabilities that require immediate action. It now contains over 1,200 entries, and CISA frequently adds new ones based on threat intelligence from government partners, security researchers, and incident response teams. The catalog’s purpose is to shift organizations from a “patch everything” mindset to a risk-based prioritization: fix what attackers are actually using.

The July 7, 2026 update reinforces that message. By tying these three vulnerabilities directly to active exploitation, CISA is effectively telling the world: these are not theoretical problems; they are breaking things right now.

What to Do Now: Concrete Steps for Immediate Action

Time is critical. Here’s a prioritized checklist for different stakeholders.

For Joomla Site Owners

  1. Identify which page builder you use. Log into your Joomla administrator panel and go to Extensions → Manage. Look for “SP Page Builder” by JoomShaper or “Page Builder CK” by Joomlack.
  2. Check the version number. The latest SP Page Builder Pro release as of early July 2026 is 5.x; the free version may trail slightly. For Page Builder CK, visit Joomlack’s website or the JED listing for the most current release.
  3. Apply the update immediately. If an update exists, install it via the Joomla extension updater. If no update is available yet, contact the vendor or consider disabling the extension temporarily. In extreme cases, remove the extension backend until a patch is released.
  4. Scan for indicators of compromise (IoCs). Check recent file modifications, unusual admin accounts, and server logs for suspicious POST requests to the page builder endpoints. Use a Joomla security scanner like Akeeba Admin Tools or mySites.guru.
  5. Enable auto-updates for extensions. Many Joomla extensions support automatic updates. Turn this on if you haven’t already.

For Langflow Deployments

  1. Check your Langflow version. Run pip show langflow or check the Docker image tag.
  2. Look for an official advisory. Monitor the Langflow GitHub repository (github.com/langflow-ai/langflow) for a security announcement and patch release.
  3. Review authorization configurations. If the vulnerability is an authorization bypass, ensure that your Langflow instance is not exposed to the public internet. Use strong authentication, API keys, and network-level restrictions (VPN, firewall) until a patch is applied.
  4. Audit recent workflows. Look for unrecognized flows or components that might have been injected. Rotate any API keys or tokens embedded in Langflow projects.

For Agency Security Teams

  • Pull the affected software names from your continuous monitoring solutions immediately.
  • Create a POA&M (Plan of Action and Milestones) if patching can’t happen within the BOD deadline.
  • Follow CISA’s guidance on compensating controls and report status through CDM Federal Dashboard.

Outlook: What Comes Next

CISA’s July 2026 KEV expansion is a reminder that the attack surface keeps shifting. Joomla’s extension marketplace will continue to be a battleground, and the inclusion of Langflow signals that AI tools are now squarely in the crosshairs. Expect detailed CVEs and vendor advisories within days, along with proof-of-concept exploit code that will only intensify the threat.

The takeaway is clear: patch these now, and stay tuned. We’ll update this article as we learn more about the specific flaws and their fixes.