CRITICAL 5 min read 8 Jul 2026

Joomla KEV exploitation and CISA ICS advisories lead today's top 10 patch priorities

Today's public brief is capped at 10 priority items, with additional monitored items retained below for routing and follow-up.

Key findings
01
NEW: JoomShaper SP Page Builder CVE-2026-48908 enters CISA KEV
CRITICAL
CVSS 10 critical · CWE-434 Unrestricted Upload of File with Dangerous Type · EPSS 52th percentile · CISA KEV (actively exploited). This is newly present in today's intelligence. CISA KEV active-exploitation listing; not listed as excluded from today's publication queue. The immediate operator task is narrow: Inventory Joomla SP Page Builder, patch/disable vulnerable versions, and hunt upload/webshell activity.
02
NEW: Joomlack Page Builder CVE-2026-56290 enters CISA KEV
CRITICAL
CVSS 10 critical · CWE-434 Unrestricted Upload of File with Dangerous Type · EPSS 28th percentile · CISA KEV (actively exploited). This is newly present in today's intelligence. CISA KEV active-exploitation listing; not listed as excluded from today's publication queue. The immediate operator task is narrow: Patch or disable vulnerable Joomla Page Builder installs and review upload telemetry.
03
Gitea CVE-2026-20896 active exploitation confirmed after prior publication
CRITICAL
CVSS 9.8 critical · CWE-284 Improper Access Control · EPSS 52th percentile. This is a material update in today's intelligence. Previously excluded as repeat coverage, but re-promoted because today's intelligence records active exploitation confirmation.
04
NEW: EGroupware CVE-2026-27823 file read/write to RCE path
CRITICAL
CVSS 9.3 critical · CWE-22 Path Traversal. This is newly present in today's intelligence. GHSA-backed global developer/collaboration finding; not listed as excluded from today's publication queue. The immediate operator task is narrow: Patch EGroupware, disable self-registration where unnecessary, and check setup-password integrity.
05
NEW: Better Auth CVE-2026-53512 OAuth refresh-token replay
CRITICAL
CVSS 9.1 critical · CWE-287 Improper Authentication. This is newly present in today's intelligence. GitHub advisory with patched version and configuration actions; not listed as excluded from today's publication queue.
06
NEW: Goploy CVE-2026-53552 cross-namespace IDOR enables deploy-plane RCE
CRITICAL
CVSS 9.6 critical · CWE-639 Authorization Bypass Through User-Controlled Key. This is newly present in today's intelligence. GitHub advisory candidate; not listed as excluded from today's publication queue. The immediate operator task is narrow: Restrict manager roles, patch when available, and audit deploy remote rewrites.
07
NEW: RHEL perl-HTTP-Daemon CVE-2026-8450 service-privilege code execution
CRITICAL
CVSS 9.1 critical · CWE-78 OS Command Injection · EPSS 65th percentile. This is newly present in today's intelligence. New CERT-Bund RHEL package advisory; not listed as excluded from today's publication queue. The immediate operator task is narrow: Identify RHEL systems using perl-HTTP-Daemon and apply updates.
08
CVE-2020-21468: A segmentation fault in the redis-server component of Redis 5.0.7 leads to a den CVE-2020-21468
HIGH
CVSS 7.5 high · EPSS 65th percentile. A segmentation fault in the redis-server component of Redis 5.0.7 leads to a denial of service (DOS). NOTE: the vendor cannot reproduce this issue in a released version, such as 5.0.7. Sources: https://nvd.nist.gov/vuln/detail/CVE-2020-21468
09
CVE-2020-21833: A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via: read_ CVE-2020-21833
HIGH
CVSS 8.8 high · CWE-787 Out-of-bounds Write · EPSS 70th percentile. A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via: read2004section_classes ../../src/decode.c:2440. Sources: https://nvd.nist.gov/vuln/detail/CVE-2020-21833
10
CVE-2020-21840: A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via bit_se CVE-2020-21840
HIGH
CVSS 8.8 high · CWE-787 Out-of-bounds Write · EPSS 69th percentile. A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via bitsearchsentinel ../../src/bits.c:1985. Sources: https://nvd.nist.gov/vuln/detail/CVE-2020-21840

NEW: JoomShaper SP Page Builder CVE-2026-48908 enters CISA KEV

This is newly present in today's intelligence. CISA KEV active-exploitation listing; not listed as excluded from today's publication queue.

The immediate operator task is narrow: Inventory Joomla SP Page Builder, patch/disable vulnerable versions, and hunt upload/webshell activity.

  • What the sources add
  • CVE-2026-48908 Source: https://www.joomshaper.com/page-builder
  • CVSS 10 critical · CWE-434 Unrestricted Upload of File with Dangerous Type · EPSS 52th percentile · CISA KEV (actively exploited). Source: https://www.joomshaper.com/page-builder
  • actively exploited Source: https://www.joomshaper.com/page-builder
  • Operator lens
  • Inventory Joomla SP Page Builder, patch/disable vulnerable versions, and hunt upload/webshell activity. Source: https://www.joomshaper.com/page-builder

Action: Inventory Joomla SP Page Builder, patch/disable vulnerable versions, and hunt upload/webshell activity.

Sources: [CISA KEV CVE-2026-48908](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?vulnId=CVE-2026-48908)

NEW: Joomlack Page Builder CVE-2026-56290 enters CISA KEV

This is newly present in today's intelligence. CISA KEV active-exploitation listing; not listed as excluded from today's publication queue.

The immediate operator task is narrow: Patch or disable vulnerable Joomla Page Builder installs and review upload telemetry.

  • What the sources add
  • CVE-2026-56290 Source: https://www.joomlack.fr/
  • CVSS 10 critical · CWE-434 Unrestricted Upload of File with Dangerous Type · EPSS 28th percentile · CISA KEV (actively exploited). Source: https://www.joomlack.fr/
  • actively exploited Source: https://www.joomlack.fr/
  • Operator lens
  • Patch or disable vulnerable Joomla Page Builder installs and review upload telemetry. Source: https://www.joomlack.fr/

Action: Patch or disable vulnerable Joomla Page Builder installs and review upload telemetry.

Sources: [CISA KEV CVE-2026-56290](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?vulnId=CVE-2026-56290)

Gitea CVE-2026-20896 active exploitation confirmed after prior publication

This is a material update in today's intelligence. Previously excluded as repeat coverage, but re-promoted because today's intelligence records active exploitation confirmation.

The immediate operator task is narrow: Verify Gitea 1.26.3/1.26.4+ or mitigations, audit proxy trusted-header settings, and review repo/secret access logs.

  • What the sources add
  • CVE-2026-20896 Source: https://www.securityweek.com/critical-gitea-flaw-under-active-exploitation-researchers-warn/
  • CVSS 9.8 critical · CWE-284 Improper Access Control · EPSS 52th percentile. Source: https://www.securityweek.com/critical-gitea-flaw-under-active-exploitation-researchers-warn/
  • not in CISA KEV at enrichment time Source: https://www.securityweek.com/critical-gitea-flaw-under-active-exploitation-researchers-warn/

Action: Verify Gitea 1.26.3/1.26.4+ or mitigations, audit proxy trusted-header settings, and review repo/secret access logs.

Sources: [SecurityWeek Gitea exploitation report](https://www.securityweek.com/critical-gitea-flaw-under-active-exploitation-researchers-warn/)

All findings grounded in a13e intelligence sweeps through 04:30 UTC 08 July 2026.

NEW: EGroupware CVE-2026-27823 file read/write to RCE path

This is newly present in today's intelligence. GHSA-backed global developer/collaboration finding; not listed as excluded from today's publication queue.

The immediate operator task is narrow: Patch EGroupware, disable self-registration where unnecessary, and check setup-password integrity.

  • What the sources add
  • CVE-2026-27823 Source: https://github.com/advisories/GHSA-h9qx-v5xp-ph8p
  • CVSS 9.3 critical · CWE-22 Path Traversal. Source: https://github.com/advisories/GHSA-h9qx-v5xp-ph8p
  • not in CISA KEV at enrichment time Source: https://github.com/advisories/GHSA-h9qx-v5xp-ph8p
  • Operator lens
  • Patch EGroupware, disable self-registration where unnecessary, and check setup-password integrity. Source: https://github.com/advisories/GHSA-h9qx-v5xp-ph8p

Action: Patch EGroupware, disable self-registration where unnecessary, and check setup-password integrity.

Sources: [GitHub advisory GHSA-h9qx-v5xp-ph8p](https://github.com/advisories/GHSA-h9qx-v5xp-ph8p)

NEW: Better Auth CVE-2026-53512 OAuth refresh-token replay

This is newly present in today's intelligence. GitHub advisory with patched version and configuration actions; not listed as excluded from today's publication queue.

The immediate operator task is narrow: Upgrade to better-auth 1.6.11, migrate OAuth provider where feasible, and revoke suspicious refresh tokens.

  • What the sources add
  • CVE-2026-53512 Source: https://github.com/advisories/GHSA-pw9m-5jxm-xr6h
  • CVSS 9.1 critical · CWE-287 Improper Authentication. Source: https://github.com/advisories/GHSA-pw9m-5jxm-xr6h
  • not in CISA KEV at enrichment time Source: https://github.com/advisories/GHSA-pw9m-5jxm-xr6h
  • Operator lens
  • Upgrade to better-auth 1.6.11, migrate OAuth provider where feasible, and revoke suspicious refresh tokens. Source: https://github.com/advisories/GHSA-pw9m-5jxm-xr6h

Action: Upgrade to better-auth 1.6.11, migrate OAuth provider where feasible, and revoke suspicious refresh tokens.

Sources: [GitHub advisory GHSA-pw9m-5jxm-xr6h](https://github.com/advisories/GHSA-pw9m-5jxm-xr6h)

NEW: Goploy CVE-2026-53552 cross-namespace IDOR enables deploy-plane RCE

This is newly present in today's intelligence. GitHub advisory candidate; not listed as excluded from today's publication queue.

The immediate operator task is narrow: Restrict manager roles, patch when available, and audit deploy remote rewrites.

  • What the sources add
  • CVE-2026-53552 Source: https://github.com/advisories/GHSA-26rh-24rg-j3vv
  • CVSS 9.6 critical · CWE-639 Authorization Bypass Through User-Controlled Key. Source: https://github.com/advisories/GHSA-26rh-24rg-j3vv
  • not in CISA KEV at enrichment time Source: https://github.com/advisories/GHSA-26rh-24rg-j3vv

Action: Restrict manager roles, patch when available, and audit deploy remote rewrites.

Sources: [GitHub advisory GHSA-26rh-24rg-j3vv](https://github.com/advisories/GHSA-26rh-24rg-j3vv)

NEW: RHEL perl-HTTP-Daemon CVE-2026-8450 service-privilege code execution

This is newly present in today's intelligence. New CERT-Bund RHEL package advisory; not listed as excluded from today's publication queue.

The immediate operator task is narrow: Identify RHEL systems using perl-HTTP-Daemon and apply updates.

  • What the sources add
  • CVE-2026-8450 Source: https://github.com/libwww-perl/HTTP-Daemon/commit/945d35141d94490f749640bd4390acd6a2193995.patch
  • CVSS 9.1 critical · CWE-78 OS Command Injection · EPSS 65th percentile. Source: https://github.com/libwww-perl/HTTP-Daemon/commit/945d35141d94490f749640bd4390acd6a2193995.patch
  • not in CISA KEV at enrichment time Source: https://github.com/libwww-perl/HTTP-Daemon/commit/945d35141d94490f749640bd4390acd6a2193995.patch
  • Operator lens
  • Identify RHEL systems using perl-HTTP-Daemon and apply updates. Source: https://github.com/libwww-perl/HTTP-Daemon/commit/945d35141d94490f749640bd4390acd6a2193995.patch

Action: Identify RHEL systems using perl-HTTP-Daemon and apply updates.

Sources: [CERT-Bund WID-SEC-2026-2218](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2218)

CVE-2020-21468: A segmentation fault in the redis-server component of Redis 5.0.7 leads to a den CVE-2020-21468

A segmentation fault in the redis-server component of Redis 5.0.7 leads to a denial of service (DOS). NOTE: the vendor cannot reproduce this issue in a released version, such as 5.0.7.

Sources: https://nvd.nist.gov/vuln/detail/CVE-2020-21468

CVE-2020-21833: A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via: read CVE-2020-21833

A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via: read2004sectionclasses ../../src/decode.c:2440.

Sources: https://nvd.nist.gov/vuln/detail/CVE-2020-21833

CVE-2020-21840: A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via bitse CVE-2020-21840

A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via bitsearchsentinel ../../src/bits.c:1985.

Sources: https://nvd.nist.gov/vuln/detail/CVE-2020-21840

Also tracked

  • A DoS attack in the web application of D-Link DIR-X1860 before v1.10WWB09Beta a · CVE-2021-41441 · High
  • NEW: Hitachi Energy PROMOD V CVE-2026-10763 CISA ICS advisory · CVE-2026-10763 · High
  • NEW: RHEL 389-ds-base CVE-2026-11610/CVE-2026-11774 fixes · CVE-2026-11610 · High
  • NEW: Terraform Enterprise CVE-2026-14468 information disclosure enters EU routing · CVE-2026-14468 · High
  • NEW: xwiki CVE-2026-34151 information-disclosure fix · CVE-2026-34151 · High
  • Better Auth CVE-2026-53514 invitation flow trusts unverified email ownership · CVE-2026-53514 · High
  • NEW: Better Auth CVE-2026-53516 OAuth auto-link account takeover · CVE-2026-53516 · High
  • NEW: Digi PortServer TS / Digi One SP IA CVE-2026-12352 advisory · CVE-2026-12352 · Medium
  • NEW: keras CVE-2026-12480 HDF5 file-read bypass · CVE-2026-12480 · Medium
  • NEW: onnxruntime CVE-2026-14647 out-of-bounds advisory · CVE-2026-14647 · Medium
  • NEW: Siemens Mendix Studio Pro CVE-2026-48192 CISA ICS advisory · CVE-2026-48192 · Medium
  • NEW: Weblate CVE-2026-50127 outbound URL guard misses private ranges · CVE-2026-50127 · Medium
  • NEW: Kite CVE-2026-53487 authenticated cluster RBAC bypass · CVE-2026-53487 · Medium
  • NEW: CKAN MCP Server CVE-2026-53509 SSRF fix bypass reaches v0.4.106 · CVE-2026-53509 · Medium
  • NEW: KEDA CVE-2026-53572 PostgreSQL scaler parameter injection · CVE-2026-53572 · Medium
  • NEW: MSRC curl/TLS/SSH transport CVE batch · CVE-2026-8458 · Medium
  • The web management console of CheckMK Enterprise Edition (versions 1.5.0 to 2.0. · CVE-2021-40905 · Unknown
  • A design flaw in all versions of Go-Ethereum allows an attacker node to send 512 · CVE-2022-23328 · Unknown
  • Extensis Portfolio v4.0 was discovered to contain hardcoded credentials which al · CVE-2022-24255 · Unknown
  • Synaman v5.1 and below was discovered to contain weak file permissions which all · CVE-2022-26250 · Unknown
  • LMS Doctor Simple 2 Factor Authentication Plugin For Moodle Affected: 2021072900 · CVE-2022-28986 · Unknown
  • NEW: Devolutions Server CVE-2026-14536 security-control bypass · CVE-2026-14536 · Notscored
  • NEW: Hydro-Quebec charging-station backend CVE-2026-20744 CISA ICS advisory · CVE-2026-20744 · Unknown
  • NEW: GIMP image-processing multi-CVE workstation batch
  • NEW: OpenSSH multiple-vulnerability advisory lands in CERT-Bund
  • NEW: Zimbra Collaboration before 10.1.19 needs XSS patch validation
  • NEW: UNKMassTraction exploits Roundcube n-days against research departments
  • NEW: PolinRider supply-chain compromise spans packages and extensions
  • NEW: Tenda firmware hidden admin backdoor remains unpatched
  • NEW: vLLM WID-SEC-2026-0987 multi-vulnerability update lands in EU queue
  • NEW: NCSC-NL UniFi product vulnerabilities fixed
  • NEW: BeyondTrust PRA/RS authentication-bypass batch reaches CERT-Bund routing
  • NEW: DriveLock On-Premise and Cloud high-severity batch
  • NEW: Apache Airflow multi-CVE workflow-platform batch
cisa-kevcve-2020-21468cve-2020-21833cve-2020-21840cve-2026-20896cve-2026-27823cve-2026-48908cve-2026-53512cve-2026-53552cve-2026-56290

Act on this brief

Map detection coverage gaps for the techniques above, or generate Sigma rules from the named CVEs.