ELEVATED 2 min read 7 Jul 2026

Watchlist: NEW: OpenVPN CVE-2026-11771 / WID-SEC-2026-2197 enters EU patch routing

Condensed watchlist digest of 20 public updates selected from 22 tracked findings under continued review, each summarising the exposure validation and fixed-version checks to confirm for affected deployments.

Key findings
01
NEW: OpenVPN CVE-2026-11771 / WID-SEC-2026-2197 enters EU patch routing
MEDIUM
Action: Route to remote-access owners; confirm exposed OpenVPN versions and patch window.
02
NEW: Keycloak CVE-2026-14613 / WID-SEC-2026-2198 remains unpatched in EU advisory feed
MEDIUM
CVSS 4.3 medium · EPSS 8th percentile. Action: Confirm exposed Keycloak versions, limit administrative exposure, and watch for fixed-version guidance.
03
NEW: Apache Camel CVE-2026-40047 / WID-SEC-2026-2203 high-severity advisory batch
CRITICAL
CVSS 9.1 critical · CWE-88 Argument Injection · EPSS 52th percentile. Action: Route to Java integration and middleware owners; check Camel component exposure and patch baselines.
04
NEW: n8n CVE-2025-71380 / WID-SEC-2026-2205 code-execution advisory
HIGH
CVSS 8.7 high · CWE-284 Improper Access Control · EPSS 33th percentile. Action: Identify self-hosted n8n nodes and prioritise internet-facing admin panels and credential-bearing workflows.
05
NEW: Roundcube CVE-2026-54432 / WID-SEC-2026-2207 gets CERT-Bund and CERT-FR routing
MEDIUM
Action: Route to webmail owners and hosted-app teams; verify Roundcube exposure before user-facing maintenance windows.
06
NEW: FreeRDP CVE-2026-57156 / WID-SEC-2026-2209 multi-CVE batch
MEDIUM
Action: Update desktop images, admin jump hosts, and thin-client environments that embed FreeRDP libraries.
07
NEW: GIMP CVE-2026-58379 / WID-SEC-2026-2204 code-execution and denial-of-service advisory
HIGH
CVSS 7.3 high · CWE-122 Heap-based Buffer Overflow · EPSS 14th percentile. Action: Map GIMP in workstation baselines and prioritise endpoints that open untrusted images.
08
NEW: Adobe ColdFusion CVE-2026-48282 exploitation enters response queue
CRITICAL
CVSS 10 critical · CWE-22 Path Traversal · EPSS 59th percentile. Action: Treat exposed ColdFusion servers as P1 inventory and patch-validation work; review admin consoles, WAF logs, and application roots.
09
NEW: Request Tracker CVE-2026-6841 / USN-8506-1 patch item
MEDIUM
CVSS 5.1 medium · CWE-79 Cross-site Scripting · EPSS 14th percentile. Action: Patch Ubuntu-hosted Request Tracker systems and check ticket attachment or privileged workflow exposure.
10
NEW: socat CVE-2026-56123 / USN-8511-1 patch item
CRITICAL
CVSS 9.2 critical · CWE-122 Heap-based Buffer Overflow · EPSS 23th percentile. Action: Update Linux baselines where socat is installed for tunnels, debugging, or service wrappers.
11
NEW: Gitea Docker CVE-2026-20896 probing follows patched release
CRITICAL
CVSS 9.8 critical · CWE-284 Improper Access Control · EPSS 52th percentile. Action: Find internet-reachable Gitea containers, verify fixed versions, and audit reverse-proxy trusted-proxy settings.
12
NEW: Langroid CVE-2026-54769 sandbox escape reaches host RCE
CRITICAL
CVSS 10 critical · CWE-94 Code Injection. Action: Patch Langroid where SQL/TableChatAgent workflows process untrusted or LLM-generated input; disable affected paths until patched.
13
NEW: Coder OIDC and workspace-app CVE batch hits developer control planes
MEDIUM
Action: Route to platform owners, prioritising OIDC-enabled deployments and exposed workspace-app subdomains.
14
NEW: Bad Epoll CVE-2026-46242 public PoC raises Linux local-root patch urgency
HIGH
CVSS 7.8 high · CWE-416 Use After Free · EPSS 3th percentile. Action: Map affected kernels and prioritise multi-user hosts, container workers, build systems, and developer workstations.
15
NEW: Craft CMS CVE-2026-55794 authenticated RCE fixed in 5.10.0
HIGH
CVSS 8.7 high · CWE-1336 · EPSS 21th percentile. Action: Upgrade to Craft CMS 5.10.0 or later and review editor/admin account activity and control-panel route headers.
16
NEW: Cilium CVE-2026-53935 cross-namespace service traffic hijack fixed
MEDIUM
CVSS 6.9 medium · CWE-601 Open Redirect. Action: Identify clusters using Local Redirect Policy, prioritise multi-tenant clusters, and patch affected branches.
17
NEW: Langroid CVE-2026-55615 Neo4jChatAgent prompt-to-Cypher injection fixed in 0.65.5
CRITICAL
CVSS 9.2 critical · CWE-74 Improper Neutralization of Special Elements in Output. Action: Upgrade Langroid to 0.65.5, keep dangerous operations disabled, and run graph agents with least-privilege database roles.
18
NEW: OpenRemote CVE-2026-54640 incomplete XXE fix leaves KNXProtocol file-read risk until 1.24.2
HIGH
CVSS 7.6 high · CWE-611 Improper Restriction of XML External Entity Reference. Action: Upgrade openremote-agent to 1.24.2 and restrict Manager API import access whilst checking KNX/ETS workflows.
19
Opera GX mod auto-install flaw patched in 130.0.5847.89
MEDIUM
Action: Inventory Opera GX usage, enforce version 130.0.5847.89 or later, and restrict unmanaged GX Mods.
20
PolinRider supply-chain campaign expands across open-source developer ecosystems
MEDIUM
Action: Block known PolinRider indicators from package, browser-extension, and IDE-task controls; rotate developer tokens where hosts may be exposed.

NEW: OpenVPN CVE-2026-11771 / WID-SEC-2026-2197 enters EU patch routing

Action: Route to remote-access owners; confirm exposed OpenVPN versions and patch window.

NEW: Keycloak CVE-2026-14613 / WID-SEC-2026-2198 remains unpatched in EU advisory feed

Action: Confirm exposed Keycloak versions, limit administrative exposure, and watch for fixed-version guidance.

NEW: Apache Camel CVE-2026-40047 / WID-SEC-2026-2203 high-severity advisory batch

Action: Route to Java integration and middleware owners; check Camel component exposure and patch baselines.

NEW: n8n CVE-2025-71380 / WID-SEC-2026-2205 code-execution advisory

Action: Identify self-hosted n8n nodes and prioritise internet-facing admin panels and credential-bearing workflows.

NEW: Roundcube CVE-2026-54432 / WID-SEC-2026-2207 gets CERT-Bund and CERT-FR routing

Action: Route to webmail owners and hosted-app teams; verify Roundcube exposure before user-facing maintenance windows.

NEW: FreeRDP CVE-2026-57156 / WID-SEC-2026-2209 multi-CVE batch

Action: Update desktop images, admin jump hosts, and thin-client environments that embed FreeRDP libraries.

NEW: GIMP CVE-2026-58379 / WID-SEC-2026-2204 code-execution and denial-of-service advisory

Action: Map GIMP in workstation baselines and prioritise endpoints that open untrusted images.

NEW: Adobe ColdFusion CVE-2026-48282 exploitation enters response queue

Action: Treat exposed ColdFusion servers as P1 inventory and patch-validation work; review admin consoles, WAF logs, and application roots.

NEW: Request Tracker CVE-2026-6841 / USN-8506-1 patch item

Action: Patch Ubuntu-hosted Request Tracker systems and check ticket attachment or privileged workflow exposure.

NEW: socat CVE-2026-56123 / USN-8511-1 patch item

Action: Update Linux baselines where socat is installed for tunnels, debugging, or service wrappers.

NEW: Gitea Docker CVE-2026-20896 probing follows patched release

Action: Find internet-reachable Gitea containers, verify fixed versions, and audit reverse-proxy trusted-proxy settings.

NEW: Langroid CVE-2026-54769 sandbox escape reaches host RCE

Action: Patch Langroid where SQL/TableChatAgent workflows process untrusted or LLM-generated input; disable affected paths until patched.

NEW: Coder OIDC and workspace-app CVE batch hits developer control planes

Action: Route to platform owners, prioritising OIDC-enabled deployments and exposed workspace-app subdomains.

NEW: Bad Epoll CVE-2026-46242 public PoC raises Linux local-root patch urgency

Action: Map affected kernels and prioritise multi-user hosts, container workers, build systems, and developer workstations.

NEW: Craft CMS CVE-2026-55794 authenticated RCE fixed in 5.10.0

Action: Upgrade to Craft CMS 5.10.0 or later and review editor/admin account activity and control-panel route headers.

NEW: Cilium CVE-2026-53935 cross-namespace service traffic hijack fixed

Action: Identify clusters using Local Redirect Policy, prioritise multi-tenant clusters, and patch affected branches.

NEW: Langroid CVE-2026-55615 Neo4jChatAgent prompt-to-Cypher injection fixed in 0.65.5

Action: Upgrade Langroid to 0.65.5, keep dangerous operations disabled, and run graph agents with least-privilege database roles.

NEW: OpenRemote CVE-2026-54640 incomplete XXE fix leaves KNXProtocol file-read risk until 1.24.2

Action: Upgrade openremote-agent to 1.24.2 and restrict Manager API import access whilst checking KNX/ETS workflows.

Opera GX mod auto-install flaw patched in 130.0.5847.89

Action: Inventory Opera GX usage, enforce version 130.0.5847.89 or later, and restrict unmanaged GX Mods.

PolinRider supply-chain campaign expands across open-source developer ecosystems

Action: Block known PolinRider indicators from package, browser-extension, and IDE-task controls; rotate developer tokens where hosts may be exposed.

cve-2025-71380cve-2026-11771cve-2026-14613cve-2026-20896cve-2026-40047cve-2026-46242cve-2026-48282cve-2026-53935cve-2026-54432cve-2026-54640

Act on this brief

Map detection coverage gaps for the techniques above, or generate Sigma rules from the named CVEs.