Patch all three if they're in your environment — FCEB agencies have mandatory remediation deadlines. CVE-2026-55255 is the one to watch beyond government networks: Langflow is increasingly common in AI agent pipelines, and an authorization bypass there can expose prompt logic, credentials, or downstream tool access to unauthenticated callers. The two Joomla extension entries (SP Page Builder and Joomlack) follow a now-familiar pattern — ransomware operators continue to mine CMS plugin ecosystems for unrestricted upload and broken access control bugs. The Langflow inclusion is a signal worth noting. AI workflow frameworks are becoming a meaningful part of the KEV catalog, not just classic CMS and VPN gear. If your team has stood up any Langflow instances — even internal prototypes — treat this as production-grade exposure until patched.