ELEVATED 4 Jul 2026

Microsoft SharePoint CVE-2026-45659 Leads the Patch Validation Queue

Today's intelligence is consolidated into 28 priority findings plus 1 update to ongoing stories.

Key findings
01
Microsoft SharePoint Server CVE-2026-45659 needs patch and exposure validation
HIGH
CVSS 8.8 high; CWE-502 Deserialization of Untrusted Data; EPSS 87th percentile; validate SharePoint patch and exposure state. Classification: NEW. MSRC provides the vendor advisory and reporting keeps SharePoint exposure in the response queue; the local catalogue poll has no new entries since the last poll.
02
Update 2: UPDATE(patch_released): Cisco confirms active exploitation of Unified CM CVE-2026-20230
HIGH
CVSS 8.6 high · CWE-918 Server-Side Request Forgery · EPSS 99th percentile · CISA KEV (actively exploited). Recommended action: Upgrade to fixed Unified CM releases or disable WebDialer until patching is complete.
03
Ubuntu USN-8496-2 cifs-utils regression reopens Linux patch routing
HIGH
[High] Classification: NEW. Canonical reverted the prior cifs-utils security update after a Kerberos mount regression and published replacement package versions across supported Ubuntu releases.
04
ChocoPoC campaign weaponizes GitHub PoCs and PyPI dependencies against vulnerability researchers
MEDIUM
[Medium] Classification: NEW. Reporting and research describe malicious GitHub PoCs that install PyPI dependencies to deliver a RAT; the item is not suppressed by the published ledger.
05
GitHub Enterprise Server CVE-2026-9312 SSRF fixed before 3.21/3.22
CRITICAL
CVSS 9.2 critical · CWE-918 Server-Side Request Forgery · EPSS 93rd percentile. Classification: NEW. NCSC-NL and NVD describe GitHub Enterprise Server SSRF affecting versions before 3.21 and 3.22.
06
GIMP CVE-2026-58381 code-execution path enters EU workstation routing
MEDIUM
CVSS 6.1 medium · CWE-415 Double Free · EPSS 2nd percentile. Classification: NEW. CERT-Bund WID-SEC-2026-2187 maps GIMP CVE-2026-58381 to local denial-of-service with potential arbitrary code execution.
07
PHP CVE-2026-12184 and CVE-2026-14355 denial-of-service batch lands in CERT-Bund
LOW
[Unverified] Classification: NEW. CERT-Bund WID-SEC-2026-2186 identifies multiple PHP flaws allowing remote anonymous denial-of-service.
08
protobufjs CVE-2026-44293 can emit attacker-controlled JavaScript from crafted descriptors
HIGH
CVSS 7.7 high · CWE-94 Code Injection · EPSS 30th percentile. Classification: NEW. NVD says protobufjs before 7.5.6 and 8.0.2 can generate unsafe JavaScript during toObject conversion from crafted schemas.
09
Cisco ThousandEyes Virtual Appliance certificate handling permits root command execution
MEDIUM
CVSS 4.7 medium · CWE-74 Improper Neutralization of Special Elements in Output · EPSS 35th percentile. Classification: NEW. NVD describes authenticated remote command execution through crafted certificate upload, executing OS commands as root.
10
Snipe-IT CVE-2026-44832 lets users.edit holders escalate themselves to admin
HIGH
CVSS 8.7 high · CWE-281 Improper Preservation of Permissions · EPSS 23rd percentile. Classification: NEW. NVD says Snipe-IT before 8.4.1 lets authenticated users with users.edit set admin permissions via API PATCH.
11
Jupyter Server CVE-2026-6657 weak CORS origin matching affects configured allow_origin_pat
MEDIUM
CVSS 6.1 medium · CWE-346 Origin Validation Error · EPSS 10th percentile. Classification: NEW. NVD says jupyter-server 1.12.0 through 2.17.0 can bypass CORS origin validation when allow_origin_pat uses prefix-style matching.
12
Apache ZooKeeper CVE-2026-24281 hostname-verification flaw
LOW
CWE-350 · EPSS 45th percentile. Classification: NEW. NVD published the record for Apache ZooKeeper ZKTrustManager hostname verification behavior.
13
Apache ZooKeeper CVE-2026-24308 ZKConfig handling flaw
MEDIUM
CVSS 6.5 medium · CWE-532 Insertion of Sensitive Information into Log File · EPSS 63rd percentile. Classification: NEW. NVD published the record for Apache ZooKeeper ZKConfig configuration handling.
14
Quarkus CVE-2026-39852 cloud-native Java framework flaw
HIGH
CVSS 8.8 high · CWE-863 Incorrect Authorization · EPSS 35th percentile. Classification: NEW. NVD published the Quarkus record for cloud-native Java application deployments.
15
Microsoft Edge Chromium-based remote-code-execution patch wave
HIGH
CVSS 8.8 high · CWE-122 Heap-based Buffer Overflow. Classification: NEW. MSRC published Edge desktop RCE advisories; selected lead CVE had no 21-day ledger match.
16
Chromium memory-safety CVE batch routed through MSRC
CRITICAL
CVSS 9.6 critical · CWE-416 Use After Free · EPSS 23rd percentile. Classification: NEW. MSRC published Chromium memory-safety records spanning GPU, Browser, Blink, DOM, FFmpeg, Bluetooth, Device, and related components.
17
Microsoft Edge for Android remote-code-execution and disclosure batch
HIGH
CVSS 7.5 high · CWE-367 Time-of-check Time-of-use Race Condition. Classification: NEW. MSRC published Edge for Android records including RCE and disclosure items, with no 21-day ledger match for the lead CVE.
18
Microsoft Edge security-feature-bypass batch
HIGH
CVSS 8.7 high · CWE-285 Improper Authorization. Classification: NEW. MSRC published Edge security-feature-bypass records including CVE-2026-57983, CVE-2026-58295, and CVE-2026-58523.
19
Chromium policy, extension, password, USB, and enterprise-control CVE batch
HIGH
CVSS 7.5 high · CWE-20 Improper Input Validation · EPSS 20th percentile. Classification: NEW. MSRC published Chromium control-plane CVEs covering policy, extension, password, USB/WebHID, and browser-management areas.
20
IGEL OS remote file-manipulation advisory reaches CERT-Bund
LOW
[Unverified] Classification: NEW. CERT-Bund published WID-SEC-2026-2188 for IGEL OS remote anonymous file manipulation; not present in the 21-day published ledger.

Microsoft SharePoint Server CVE-2026-45659 needs patch and exposure validation

Classification: NEW. MSRC provides the vendor advisory and reporting keeps SharePoint exposure in the response queue; the local catalogue poll has no new entries since the last poll.

Recommended action: Validate SharePoint patch state and internet exposure, then hunt recent SharePoint/IIS access paths.

Identifiers: CVE-2026-45659

Sources: [MSRC CVE-2026-45659](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45659); [BleepingComputer SharePoint exploitation report](https://www.bleepingcomputer.com/news/security/cisa-microsoft-sharepoint-rce-flaw-now-actively-exploited/)

Update 2: UPDATE(patch_released): Cisco confirms active exploitation of Unified CM CVE-2026-20230

Recommended action: Upgrade to fixed Unified CM releases or disable WebDialer until patching is complete.

Identifiers: CVE-2026-20230

Sources: [Cisco Unified CM security advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssrf-cXPnHcW); [BleepingComputer Cisco Unified CM report](https://www.bleepingcomputer.com/news/security/cisco-finally-confirms-attackers-exploiting-unified-cm-flaw/)

Ubuntu USN-8496-2 cifs-utils regression reopens Linux patch routing

Classification: NEW. Canonical reverted the prior cifs-utils security update after a Kerberos mount regression and published replacement package versions across supported Ubuntu releases.

Recommended action: Apply USN-8496-2 where Kerberos mounts broke and monitor for the complete replacement security fix.

Identifiers: USN-8496-2

Sources: [Ubuntu security notice USN-8496-2](https://ubuntu.com/security/notices/USN-8496-2)

ChocoPoC campaign weaponizes GitHub PoCs and PyPI dependencies against vulnerability researchers

Classification: NEW. Reporting and research describe malicious GitHub PoCs that install PyPI dependencies to deliver a RAT; the item is not suppressed by the published ledger.

Recommended action: Block named packages, inspect researcher endpoints, and move PoC testing into disposable sandboxes.

Identifiers: ChocoPoC / PyPI packages frint, skytext, slogsec, logcrypt.cryptography

Sources: [BleepingComputer ChocoPoC report](https://www.bleepingcomputer.com/news/security/new-chocopoc-malware-targets-researchers-via-trojanized-poc-exploits/); [YesWeHack ChocoPoC research note](https://www.yeswehack.com/news/chocopocs-vulnerability-researchers-trojanised-exploits)

GitHub Enterprise Server CVE-2026-9312 SSRF fixed before 3.21/3.22

Classification: NEW. NCSC-NL and NVD describe GitHub Enterprise Server SSRF affecting versions before 3.21 and 3.22.

Recommended action: Upgrade GHES to fixed 3.21/3.22 trains and review OAuth runner-management scopes.

Identifiers: CVE-2026-9312

Sources: [NCSC-NL NCSC-2026-0219](https://advisories.ncsc.nl/advisory?id=NCSC-2026-0219); [NVD CVE-2026-9312](https://nvd.nist.gov/vuln/detail/CVE-2026-9312)

GIMP CVE-2026-58381 code-execution path enters EU workstation routing

Classification: NEW. CERT-Bund WID-SEC-2026-2187 maps GIMP CVE-2026-58381 to local denial-of-service with potential arbitrary code execution.

Recommended action: Patch GIMP where untrusted image/project files are handled.

Identifiers: CVE-2026-58381

Sources: [CERT-Bund WID-SEC-2026-2187](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2187)

PHP CVE-2026-12184 and CVE-2026-14355 denial-of-service batch lands in CERT-Bund

Classification: NEW. CERT-Bund WID-SEC-2026-2186 identifies multiple PHP flaws allowing remote anonymous denial-of-service.

Recommended action: Patch PHP runtimes exposed through web workloads, prioritising internet-facing services.

Identifiers: CVE-2026-12184 / CVE-2026-14355

Sources: [CERT-Bund WID-SEC-2026-2186](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2186)

protobufjs CVE-2026-44293 can emit attacker-controlled JavaScript from crafted descriptors

Classification: NEW. NVD says protobufjs before 7.5.6 and 8.0.2 can generate unsafe JavaScript during toObject conversion from crafted schemas.

Recommended action: Update protobufjs to 7.5.6 or 8.0.2; treat untrusted protobuf descriptors as code-generation input.

Identifiers: CVE-2026-44293

Sources: [NVD CVE-2026-44293](https://nvd.nist.gov/vuln/detail/CVE-2026-44293)

Cisco ThousandEyes Virtual Appliance certificate handling permits root command execution

Classification: NEW. NVD describes authenticated remote command execution through crafted certificate upload, executing OS commands as root.

Recommended action: Patch ThousandEyes Virtual Appliance and restrict certificate-upload roles.

Identifiers: CVE-2026-20199

Sources: [NVD CVE-2026-20199](https://nvd.nist.gov/vuln/detail/CVE-2026-20199)

Snipe-IT CVE-2026-44832 lets users.edit holders escalate themselves to admin

Classification: NEW. NVD says Snipe-IT before 8.4.1 lets authenticated users with users.edit set admin permissions via API PATCH.

Recommended action: Upgrade Snipe-IT to 8.4.1 and audit recent user permission changes.

Identifiers: CVE-2026-44832

Sources: [NVD CVE-2026-44832](https://nvd.nist.gov/vuln/detail/CVE-2026-44832)

Jupyter Server CVE-2026-6657 weak CORS origin matching affects configured allow_origin_pat

Classification: NEW. NVD says jupyter-server 1.12.0 through 2.17.0 can bypass CORS origin validation when allow_origin_pat uses prefix-style matching.

Recommended action: Update jupyter-server and review allow_origin_pat patterns.

Identifiers: CVE-2026-6657

Sources: [NVD CVE-2026-6657](https://nvd.nist.gov/vuln/detail/CVE-2026-6657)

Apache ZooKeeper CVE-2026-24281 hostname-verification flaw

Classification: NEW. NVD published the record for Apache ZooKeeper ZKTrustManager hostname verification behavior.

Recommended action: Check ZooKeeper clusters and TLS trust settings.

Identifiers: CVE-2026-24281

Sources: [NVD CVE-2026-24281](https://nvd.nist.gov/vuln/detail/CVE-2026-24281)

Apache ZooKeeper CVE-2026-24308 ZKConfig handling flaw

Classification: NEW. NVD published the record for Apache ZooKeeper ZKConfig configuration handling.

Recommended action: Route alongside CVE-2026-24281 to platform owners running ZooKeeper estates.

Identifiers: CVE-2026-24308

Sources: [NVD CVE-2026-24308](https://nvd.nist.gov/vuln/detail/CVE-2026-24308)

Quarkus CVE-2026-39852 cloud-native Java framework flaw

Classification: NEW. NVD published the Quarkus record for cloud-native Java application deployments.

Recommended action: Route to Java platform owners and identify internet-facing Quarkus services.

Identifiers: CVE-2026-39852

Sources: [NVD CVE-2026-39852](https://nvd.nist.gov/vuln/detail/CVE-2026-39852)

Microsoft Edge Chromium-based remote-code-execution patch wave

Classification: NEW. MSRC published Edge desktop RCE advisories; selected lead CVE had no 21-day ledger match.

Recommended action: Push desktop Edge stable-channel validation across managed Windows, macOS, and Linux fleets.

Identifiers: CVE-2026-56645

Sources: [MSRC CVE-2026-56645](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56645)

Chromium memory-safety CVE batch routed through MSRC

Classification: NEW. MSRC published Chromium memory-safety records spanning GPU, Browser, Blink, DOM, FFmpeg, Bluetooth, Device, and related components.

Recommended action: Route to all Chromium-based browser owners, not only Microsoft Edge owners.

Identifiers: CVE-2026-13775

Sources: [MSRC CVE-2026-13775](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-13775)

Microsoft Edge for Android remote-code-execution and disclosure batch

Classification: NEW. MSRC published Edge for Android records including RCE and disclosure items, with no 21-day ledger match for the lead CVE.

Recommended action: Validate MDM rings for Edge on Android and high-risk BYOD groups.

Identifiers: CVE-2026-58299

Sources: [MSRC CVE-2026-58299](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58299)

Microsoft Edge security-feature-bypass batch

Classification: NEW. MSRC published Edge security-feature-bypass records including CVE-2026-57983, CVE-2026-58295, and CVE-2026-58523.

Recommended action: Route with RCE items because bypass bugs can weaken browser hardening and policy enforcement.

Identifiers: CVE-2026-57983

Sources: [MSRC CVE-2026-57983](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57983)

Chromium policy, extension, password, USB, and enterprise-control CVE batch

Classification: NEW. MSRC published Chromium control-plane CVEs covering policy, extension, password, USB/WebHID, and browser-management areas.

Recommended action: Validate enterprise browser policy baselines, extension controls, password-manager exposure, and USB/WebHID policy.

Identifiers: CVE-2026-13824

Sources: [MSRC CVE-2026-13824](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-13824)

IGEL OS remote file-manipulation advisory reaches CERT-Bund

Classification: NEW. CERT-Bund published WID-SEC-2026-2188 for IGEL OS remote anonymous file manipulation; not present in the 21-day published ledger.

Recommended action: Patch/track fixed IGEL OS builds and restrict remote management exposure.

Identifiers: WID-SEC-2026-2188

Sources: [CERT-Bund WID-SEC-2026-2188](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2188)

Rancher 2.13/2.14 authentication and role-binding fixes reach NCSC-NL

Classification: NEW. NCSC-NL covers Rancher 2.13.0-2.13.7 and 2.14.0-2.14.3 SAML assertion replay and stale project role-template binding fixes.

Recommended action: Patch Rancher and review SAML session handling plus project role bindings.

Identifiers: NCSC-2026-0220

Sources: [NCSC-NL NCSC-2026-0220](https://advisories.ncsc.nl/advisory?id=NCSC-2026-0220)

Red Hat Software Collections high-severity batch re-enters CERT-Bund routing

Classification: NEW. CERT-Bund WID-SEC-2026-2183 flags a Red Hat Software Collections high-severity batch spanning older CVEs.

Recommended action: Patch affected Red Hat Software Collections packages where still deployed.

Identifiers: WID-SEC-2026-2183

Sources: [CERT-Bund WID-SEC-2026-2183](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2183)

Dell PowerProtect Data Domain WID-SEC-2026-2189 high-severity batch

Classification: NEW. CERT-Bund published WID-SEC-2026-2189 for Dell PowerProtect Data Domain; alias checks had no 21-day ledger match.

Recommended action: Route to backup/storage owners and confirm fixed builds.

Identifiers: WID-SEC-2026-2189

Sources: [CERT-Bund WID-SEC-2026-2189](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2189)

WatchGuard Firebox WID-SEC-2026-2193 high-severity batch

Classification: NEW. CERT-Bund published WID-SEC-2026-2193 for WatchGuard Firebox; resolved aliases had no 21-day match.

Recommended action: Route to edge-firewall owners, especially externally managed appliances.

Identifiers: WID-SEC-2026-2193

Sources: [CERT-Bund WID-SEC-2026-2193](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2193)

CERTFR-2026-AVI-0831 Ubuntu Linux kernel vulnerability batch

Classification: NEW. CERT-FR published a 3 July Ubuntu Linux kernel advisory.

Recommended action: Map affected Ubuntu kernel packages to server and workstation maintenance windows.

Identifiers: CERTFR-2026-AVI-0831

Sources: [CERT-FR CERTFR-2026-AVI-0831](https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0831/)

CERTFR-2026-AVI-0834 IBM product vulnerability batch

Classification: NEW. CERT-FR published a 3 July advisory covering multiple IBM products.

Recommended action: Route to IBM middleware/product owners for version scoping and vendor fix checks.

Identifiers: CERTFR-2026-AVI-0834

Sources: [CERT-FR CERTFR-2026-AVI-0834](https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0834/)

Coolify WID-SEC-2026-2192 high-severity multi-CVE batch

Classification: NEW. CERT-Bund published WID-SEC-2026-2192; it is distinct from the earlier Coolify WID-SEC-2026-2182 item.

Recommended action: Route to self-hosted deployment and developer-platform owners.

Identifiers: WID-SEC-2026-2192

Sources: [CERT-Bund WID-SEC-2026-2192](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2192)

Erlang/OTP WID-SEC-2026-2194 medium-severity batch

Classification: NEW. CERT-Bund published WID-SEC-2026-2194 with related CVE/GHSA aliases and no 21-day ledger match.

Recommended action: Route to messaging, telecom, and Erlang runtime owners.

Identifiers: WID-SEC-2026-2194

Sources: [CERT-Bund WID-SEC-2026-2194](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2194)

Ubuntu USN-8503-1 ncurses vulnerability

Classification: NEW. Ubuntu published USN-8503-1 for an ncurses vulnerability.

Recommended action: Include ncurses packages in routine Ubuntu patch validation.

Identifiers: USN-8503-1

Sources: [Ubuntu security notice USN-8503-1](https://ubuntu.com/security/notices/USN-8503-1)

All findings grounded in a13e intelligence sweeps through 05:30 UTC 4 July 2026.

New CitrixBleed Vulnerability Exploited Immediately After Public Disclosure

Hackers are targeting NetScaler appliances using public PoC code to retrieve arbitrary memory content in the HTTP response.

Sources: https://www.securityweek.com/new-citrixbleed-vulnerability-exploited-immediately-after-public-disclosure/

Progress Kemp LoadMaster Pre-Auth RCE Flaw Faces Active Exploitation Attempts CVE-2026-8037

A recently disclosed critical security flaw impacting Progress Kemp LoadMaster is seeing active exploitation attempts, according to an advisory from eSentire's Threat Response Unit (TRU). The Canadian cybersecurity company said it identified exploitation attempts targeting CVE-2026-8037 (CVSS score:

Sources: https://thehackernews.com/2026/07/latest-progress-kemp-loadmaster-pre.html

Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials CVE-2025-5777

Threat actors associated with the Anubis ransomware operation have been observed exploiting the Citrix Bleed 2 (CVE-2025-5777) vulnerability to obtain initial access. "Although tactics differ between affiliates, common patterns emerged in tradecraft through use of legitimate Remote Management and Mo Known Exploited (CISA KEV).

Sources: https://thehackernews.com/2026/07/ransomware-groups-turn-to-citrix-bleed.html
