ELEVATED 3 min read 5 Jul 2026

NetScaler CVE-2026-8451 Response and Schneider PowerLogic P7 Routing

Today's intelligence covers 13 findings: 12 new items and one material NetScaler update, with low-confidence NVD-only items kept behind asset-presence validation.

Key findings
01
Update 1: Citrix NetScaler CVE-2026-8451 now needs incident-response handling
HIGH
CVSS 8.8 high · CWE-125 Out-of-bounds Read · EPSS 39th percentile. Classification: UPDATED. The important change is exploitation/probing reported less than 24 hours after disclosure. The brief cites /saml/login traffic and NSC_TASS cookie overread behaviour, so exposed SAML IDP appliances should move beyond routine patch routing.
02
Schneider Electric PowerLogic P7 CVE-2026-9717 needs OT owner routing
HIGH
CVSS 8.6 high · CWE-78 OS Command Injection · EPSS 64th percentile. Classification: NEW. NVD describes OS command injection affecting PowerLogic P7 V02.003.001.000 and prior. The brief frames this as an OT routing issue because exploitation depends on a privileged authenticated user interacting with a network-exposed service in electrical protection and control environments.
03
Linux kernel CVE-2026-53223 enters platform patch mapping
HIGH
CVSS 7.1 high · EPSS 3rd percentile. Classification: NEW. NVD and kernel.org references describe timestamping paths that can misread AF_PACKET receive skb control-buffer state as error-queue metadata.
04
NetScaler ADC/Gateway CVE-2026-10817 requires configuration-aware checks
MEDIUM
CVSS 6.9 medium · CWE-125 Out-of-bounds Read · EPSS 33rd percentile. Classification: NEW. NVD ties this memory-overread issue to NetScaler ADC/Gateway configuration state. Product presence alone is not enough; the brief calls for checks against profile association and exposed service configuration.
05
NetScaler ADC/Gateway CVE-2026-13474 puts HTTP/2 profiles in scope
HIGH
CVSS 8.7 high · CWE-401 · EPSS 35th percentile. Classification: NEW. NVD ties CVE-2026-13474 to malformed HTTP/2 request handling under specific NetScaler ADC/Gateway profile conditions. Treat it with CVE-2026-10817 because both need configuration-aware owner checks.
06
blackbox_exporter CVE-2023-26735 stays in backlog validation
HIGH
CVSS 7.5 high · CWE-918 Server-Side Request Forgery · EPSS 57th percentile. Classification: NEW. The brief identifies a newly polled NVD record for blackbox_exporter v0.23.0. It also describes the item as disputed and low priority unless probe endpoints are exposed to the internet or tenants.
07
Sourcecodester CVE-2023-33677 is a presence-dependent SQL injection check
MEDIUM
CVSS 5.4 medium · CWE-89 SQL Injection · EPSS 32nd percentile. Classification: NEW. NVD describes unauthenticated SQL injection in Sourcecodester Lost and Found Information System 1.0. The brief does not add exploitation evidence, so the item belongs in asset-presence triage.
08
Milesight CVE-2023-43261 needs targeted router inventory checks
HIGH
CVSS 7.5 high · CWE-532 Insertion of Sensitive Information into Log File · EPSS 99th percentile. Classification: NEW. NVD covers an information disclosure issue before v35.3.0.7 across several Milesight router models. The brief limits action to environments where these devices are known or suspected.
09
fzf CVE-2026-53432 can be absorbed into developer-tool baselines
MEDIUM
CVSS 5.6 medium · CWE-190 Integer Overflow or Wraparound · EPSS 15th percentile. Classification: NEW. NVD describes an integer overflow leading to a crash in FuzzyMatchV2. The brief places the operational impact as likely low, with the fixed version available in fzf 0.73.1.
10
Crafter CMS CVE-2017-15683 starts a legacy exposure check
HIGH
CVSS 8.6 high · CWE-91 XML Injection · EPSS 72nd percentile. Classification: NEW. The 02:33 sweep identified this NVD record as new to the ledger, affecting Crafter CMS Crafter Studio 3.0.1. It should not crowd out active NetScaler or OT work, but legacy exposure should be checked.
11
Crafter CMS CVE-2017-15684 belongs with the same legacy batch
HIGH
CVSS 7.5 high · CWE-22 Path Traversal · EPSS 79th percentile. Classification: NEW. NVD records a directory traversal issue affecting Crafter CMS Crafter Studio 3.0.1. The brief routes it with CVE-2017-15683 if legacy Crafter CMS is present.
12
Crafter CMS CVE-2017-15685 adds XXE to the legacy batch
HIGH
CVSS 8.6 high · CWE-91 XML Injection · EPSS 74th percentile. Classification: NEW. NVD records an XXE issue affecting the same Crafter CMS Crafter Studio 3.0.1 line. The brief keeps this as a presence-driven backlog item.
13
Nagios XI CVE-2021-25296 needs legacy exposure validation before alerting
HIGH
CVSS 8.8 high · CWE-78 OS Command Injection · EPSS 99th percentile · CISA KEV (actively exploited). Classification: NEW. The brief identifies CVE-2021-25296 as newly polled from NVD for Nagios XI xi-5.7.5, but it does not include independent active-exploitation corroboration.

Update 1: Citrix NetScaler CVE-2026-8451 now needs incident-response handling

Classification: UPDATED. The important change is exploitation/probing reported less than 24 hours after disclosure. The brief cites /saml/login traffic and NSC_TASS cookie overread behaviour, so exposed SAML IDP appliances should move beyond routine patch routing.

Recommended action: Validate Citrix CTX696604 remediation, review SAML IDP exposure, and hunt /saml/login anomalies plus suspicious NSC_TASS cookie values.

Identifiers: CVE-2026-8451

Sources: [Citrix CTX696604](https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696604); [SecurityWeek NetScaler exploitation report](https://www.securityweek.com/new-citrixbleed-vulnerability-exploited-immediately-after-public-disclosure/)

Schneider Electric PowerLogic P7 CVE-2026-9717 needs OT owner routing

Classification: NEW. NVD describes OS command injection affecting PowerLogic P7 V02.003.001.000 and prior. The brief frames this as an OT routing issue because exploitation depends on a privileged authenticated user interacting with a network-exposed service in electrical protection and control environments.

Recommended action: Route to OT and energy asset owners for firmware inventory and Schneider SEVD-2026-160-03 mitigation review.

Identifiers: CVE-2026-9717

Sources: [NVD CVE-2026-9717](https://nvd.nist.gov/vuln/detail/CVE-2026-9717); [Schneider Electric SEVD-2026-160-03](https://download.schneider-electric.com/files?pDocRef=SEVD-2026-160-03&penDocType=Security+and+Safety+Notice&pFileName=SEVD-2026-160-03.pdf)

Linux kernel CVE-2026-53223 enters platform patch mapping

Classification: NEW. NVD and kernel.org references describe timestamping paths that can misread AF_PACKET receive skb control-buffer state as error-queue metadata. The risk described in the brief is hardened-usercopy failure or adjacent heap disclosure, so owners need branch-level patch mapping rather than a generic Linux alert.

Recommended action: Map fleet kernel baselines against NVD affected ranges and kernel.org stable commits.

Identifiers: CVE-2026-53223

Sources: [NVD CVE-2026-53223](https://nvd.nist.gov/vuln/detail/CVE-2026-53223); [kernel.org stable commit](https://git.kernel.org/stable/c/1ee90b77b727df903033db873c75caac5c27ec98); [MSRC CVE-2026-53223](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-53223)

NetScaler ADC/Gateway CVE-2026-10817 requires configuration-aware checks

Classification: NEW. NVD ties this memory-overread issue to NetScaler ADC/Gateway configuration state. Product presence alone is not enough; the brief calls for checks against profile association and exposed service configuration.

Recommended action: Validate CTX696604 against LB, CS, and VPN virtual servers and service profile state.

Identifiers: CVE-2026-10817

Sources: [NVD CVE-2026-10817](https://nvd.nist.gov/vuln/detail/CVE-2026-10817); [Citrix CTX696604](https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696604)

NetScaler ADC/Gateway CVE-2026-13474 puts HTTP/2 profiles in scope

Classification: NEW. NVD ties CVE-2026-13474 to malformed HTTP/2 request handling under specific NetScaler ADC/Gateway profile conditions. Treat it with CVE-2026-10817 because both need configuration-aware owner checks.

Recommended action: Confirm whether HTTP/2 profiles are associated with exposed LB, CS, VPN virtual servers or services.

Identifiers: CVE-2026-13474

Sources: [NVD CVE-2026-13474](https://nvd.nist.gov/vuln/detail/CVE-2026-13474); [Citrix CTX696604](https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696604)

blackbox_exporter CVE-2023-26735 stays in backlog validation

Classification: NEW. The brief identifies a newly polled NVD record for blackbox_exporter v0.23.0. It also describes the item as disputed and low priority unless probe endpoints are exposed to the internet or tenants.

Recommended action: Treat as backlog validation unless blackbox_exporter probe endpoints are internet-facing or tenant-exposed.

Identifiers: CVE-2023-26735

Sources: [NVD CVE-2023-26735](https://nvd.nist.gov/vuln/detail/CVE-2023-26735)

Sourcecodester CVE-2023-33677 is a presence-dependent SQL injection check

Classification: NEW. NVD describes unauthenticated SQL injection in Sourcecodester Lost and Found Information System 1.0. The brief does not add exploitation evidence, so the item belongs in asset-presence triage.

Recommended action: Backlog only unless the product is present in a monitored estate or appears in hosted municipal or education environments.

Identifiers: CVE-2023-33677

Sources: [NVD CVE-2023-33677](https://nvd.nist.gov/vuln/detail/CVE-2023-33677)

Milesight CVE-2023-43261 needs targeted router inventory checks

Classification: NEW. NVD covers an information disclosure issue before v35.3.0.7 across several Milesight router models. The brief limits action to environments where these devices are known or suspected.

Recommended action: Route to IoT and router inventory checks only where Milesight UR5X, UR32L, UR32, UR35, or UR41 devices may be present.

Identifiers: CVE-2023-43261

Sources: [NVD CVE-2023-43261](https://nvd.nist.gov/vuln/detail/CVE-2023-43261)

fzf CVE-2026-53432 can be absorbed into developer-tool baselines

Classification: NEW. NVD describes an integer overflow leading to a crash in FuzzyMatchV2. The brief places the operational impact as likely low, with the fixed version available in fzf 0.73.1.

Recommended action: Include fzf 0.73.1 in developer workstation and package baseline updates.

Identifiers: CVE-2026-53432

Sources: [NVD CVE-2026-53432](https://nvd.nist.gov/vuln/detail/CVE-2026-53432)

Crafter CMS CVE-2017-15683 starts a legacy exposure check

Classification: NEW. The 02:33 sweep identified this NVD record as new to the ledger, affecting Crafter CMS Crafter Studio 3.0.1. It should not crowd out active NetScaler or OT work, but legacy exposure should be checked.

Recommended action: Backlog validation for any legacy Crafter CMS exposure.

Identifiers: CVE-2017-15683

Sources: [NVD CVE-2017-15683](https://nvd.nist.gov/vuln/detail/CVE-2017-15683)

Crafter CMS CVE-2017-15684 belongs with the same legacy batch

Classification: NEW. NVD records a directory traversal issue affecting Crafter CMS Crafter Studio 3.0.1. The brief routes it with CVE-2017-15683 if legacy Crafter CMS is present.

Recommended action: Route with the Crafter CMS batch only if legacy Crafter CMS is present.

Identifiers: CVE-2017-15684

Sources: [NVD CVE-2017-15684](https://nvd.nist.gov/vuln/detail/CVE-2017-15684)

Crafter CMS CVE-2017-15685 adds XXE to the legacy batch

Classification: NEW. NVD records an XXE issue affecting the same Crafter CMS Crafter Studio 3.0.1 line. The brief keeps this as a presence-driven backlog item.

Recommended action: Route with the Crafter CMS batch only if legacy Crafter CMS is present.

Identifiers: CVE-2017-15685

Sources: [NVD CVE-2017-15685](https://nvd.nist.gov/vuln/detail/CVE-2017-15685)

Nagios XI CVE-2021-25296 needs legacy exposure validation before alerting

Classification: NEW. The brief identifies CVE-2021-25296 as newly polled from NVD for Nagios XI xi-5.7.5, but it does not include independent active-exploitation corroboration.

Recommended action: Check for legacy Nagios XI xi-5.7.5 exposure and confirm vendor remediation before any customer alert.

Identifiers: CVE-2021-25296

Sources: [NVD CVE-2021-25296](https://nvd.nist.gov/vuln/detail/CVE-2021-25296)
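
The presence-dependent items above all reduce to the same check: is the product in the estate, and does its version fall inside the bound the brief states. The following is an added example, not code from this brief or its sources. The inventory schema, product keys and host names are assumptions, and the comparison operators are a reading of the brief's wording ("and prior", "before", "fixed in", or a single named version).

```python
import re

MILESIGHT_MODELS = {"UR5X", "UR32L", "UR32", "UR35", "UR41"}  # labels as written in the brief
# (CVE, product, operator, bound): "and prior" -> <=, "before"/"fixed in" -> <, one named version -> ==
RULES = [
    ("CVE-2026-9717", "powerlogic p7", "<=", "V02.003.001.000"),
    ("CVE-2023-43261", "milesight", "<", "35.3.0.7"),
    ("CVE-2026-53432", "fzf", "<", "0.73.1"),
    ("CVE-2023-26735", "blackbox_exporter", "==", "0.23.0"),
    ("CVE-2017-15683", "crafter studio", "==", "3.0.1"),
    ("CVE-2017-15684", "crafter studio", "==", "3.0.1"),
    ("CVE-2017-15685", "crafter studio", "==", "3.0.1"),
    ("CVE-2021-25296", "nagios xi", "==", "5.7.5"),
]

def parse_version(text):
    """Keep numeric components so 'V02.003.001.000', 'xi-5.7.5', 'v35.3.0.7' compare."""
    return tuple(int(n) for n in re.findall(r"\d+", text or ""))

def compare(installed, op, bound):
    a, b = parse_version(installed), parse_version(bound)
    if not a:
        return None  # no usable version in the inventory record
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return {"<": a < b, "<=": a <= b, "==": a == b}[op]

def triage(inventory):
    """Sorted (host, CVE, status) rows; unknown versions are kept for manual checks."""
    rows = []
    for asset in inventory:
        product = asset["product"].strip().lower()
        model_ok = product != "milesight" or asset.get("model", "").upper() in MILESIGHT_MODELS
        for cve, rule_product, op, bound in RULES:
            if product != rule_product or not model_ok:
                continue
            hit = compare(asset.get("version"), op, bound)
            if hit is None or hit:
                rows.append((asset["host"], cve, "affected" if hit else "verify-version"))
    return sorted(rows)

# Constructed sample inventory: hosts and installed versions are made up.
SAMPLE_INVENTORY = [
    {"host": "relay-01", "product": "PowerLogic P7", "version": "V02.003.001.000"},
    {"host": "rtr-edge-7", "product": "Milesight", "model": "UR32L", "version": "35.3.0.6"},
    {"host": "rtr-edge-8", "product": "Milesight", "model": "UR35", "version": "35.3.0.7"},
    {"host": "dev-ws-14", "product": "fzf", "version": "0.73"},
    {"host": "mon-legacy", "product": "Nagios XI", "version": "xi-5.7.5"},
    {"host": "cms-old", "product": "Crafter Studio", "version": ""},
]
```

Assets with a missing version come back as `verify-version` rather than being dropped, so a gap in the inventory does not read as a clean result.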

All findings grounded in a13e intelligence sweeps through 05:30 UTC 5 July 2026.
