ELEVATED 1 min read 13 Jul 2026

UniFi OS Controller Exposure Leads Today's Intel Queue

Today’s intelligence is consolidated into exactly 12 priority findings: 11 NEW items and 1 UPDATED jscrambler supply-chain item, with no extra watchlist or prior-day topics included.

Key findings
01
NEW - UniFi OS SSRF and command-injection batch requires controller exposure review
HIGH
[High] Severity: HIGH. Identifiers: CVE-2026-54401 / CVE-2026-54402. NVD records CVE-2026-54401 as low-privilege network SSRF that can lead to privilege escalation in UniFi OS devices or instances.
02
NEW - node-tar fixes three archive parsing denial-of-service CVEs
HIGH
[High] Severity: MEDIUM. Identifiers: CVE-2026-59871 / CVE-2026-59873 / CVE-2026-59874. NVD records three node-tar flaws fixed across 7.5.18 and 7.5.19. The batch covers all-digit PAX path or linkpath type confusion, missing bounds for decompressed data and entry counts, and a negative base-256 tar entry size loop in tar.replace.
03
NEW - Fortra BoKS Manager legacy client upgrade path can execute commands on the master
LOW
[Unverified] Severity: HIGH. NVD records CVE-2026-9863 as OS command injection in BoKS Manager client upgrade and patch tooling for legacy tar-based client installations.
04
NEW - WatchGuard Fireware admin-surface code execution and file-write paths
HIGH
[High] Severity: HIGH. Identifiers: CVE-2026-13053 / CVE-2026-13054. NVD records CVE-2026-13053 as an out-of-bounds write in the Fireware OS CLI that can let an authenticated privileged user execute arbitrary code through a crafted command.
05
NEW - AWS Advanced JDBC Wrapper cache deserialization can execute code from poisoned entries
LOW
[Unverified] Severity: HIGH. NVD records CVE-2026-14265 in AWS Advanced JDBC Wrapper 3.3.0 through 4.0.0. The evidence describes a shared Redis or Valkey query-cache condition where an actor with write access can poison serialised cache entries that application servers later deserialize through ObjectInputStream without class filtering.
06
NEW - IBM web server plug-in response handling exposes RCE and denial-of-service paths
HIGH
[High] Severity: HIGH. Identifiers: CVE-2026-8858 / CVE-2026-10852. NVD records CVE-2026-8858 for remote code execution and denial of service in the WebSphere Web Server Plug-in when an attacker impersonates an application server and sends crafted responses.
07
NEW - GIMP PSD parser integer overflow can corrupt heap memory
HIGH
[High] Severity: HIGH. NVD and Red Hat describe CVE-2026-58384 as an integer overflow in GIMP’s RLE channel PSD parser path. A crafted PSD can cause an undersized heap allocation for the RLE row-length table, after which per-row writes corrupt heap memory and may lead to denial of service or arbitrary code execution.
08
NEW - UniFi OS with Protect can escalate low-privileged network access on host devices
HIGH
[High] Severity: HIGH. NVD records CVE-2026-55112 as improper access control in UniFi OS with the UniFi Protect Application. Under certain conditions, a network-access attacker with low privileges can escalate privileges on the host device. NVD lists the primary CVSS 3.1 score as 8.8.
09
NEW - WatchGuard Mobile VPN with SSL allows local escalation to SYSTEM
HIGH
[High] Severity: HIGH. WatchGuard advisory WGSA-2026-00027 and NVD describe a local privilege escalation in the Windows Mobile VPN with SSL client. A local attacker can escalate to NT AUTHORITY\SYSTEM on clients up to and including 2026.2. WatchGuard lists the advisory status as resolved.
10
NEW - js-yaml ordered-map parsing can trigger quadratic CPU denial of service
HIGH
[High] Severity: MEDIUM. NVD and GitHub describe YAML11_SCHEMA ordered-map parsing in js-yaml 5.0.0 before 5.2.1. The parser performs a linear duplicate-key scan on every insertion, so crafted ordered-map documents can drive O(n^2) CPU consumption.
11
NEW - MediaWiki user and timeline CVEs affect data exposure and extension processing
HIGH
[High] Severity: MEDIUM. Identifiers: CVE-2026-58036 / CVE-2026-8857. NVD records CVE-2026-58036 for sensitive information exposure in MediaWiki user and permission code paths. CVE-2026-8857 affects the Wikimedia timeline component across versions before 1.46.0, 1.45.4, 1.44.6, and 1.43.9.
12
UPDATED - jscrambler npm compromise expands to multiple runtime-dropper releases
MEDIUM
[Medium] Severity: HIGH. Identifiers: npm:jscrambler@8.14.0 / 8.16.0 / 8.17.0 / 8.18.0 / 8.20.0. Status change: scope expanded. The earlier public item covered jscrambler 8.14.0 as a preinstall-based npm compromise.

Situation report

Findings 01-12 cover today's retained queue: Finding 01 covers CVE-2026-54401 and CVE-2026-54402; Finding 02 covers CVE-2026-59871, CVE-2026-59873, and CVE-2026-59874; Finding 03 covers CVE-2026-9863; Finding 04 covers CVE-2026-13053 and CVE-2026-13054; Finding 05 covers CVE-2026-14265; Finding 06 covers CVE-2026-8858 and CVE-2026-10852; Finding 07 covers CVE-2026-58384; Finding 08 covers CVE-2026-55112; Finding 09 covers CVE-2026-13079; Finding 10 covers CVE-2026-59870; Finding 11 covers CVE-2026-58036 and CVE-2026-8857; Finding 12 covers the jscrambler package versions 8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.0.

The main operational theme is exposure routing. Network-controller and administration surfaces need reachability checks first, while dependency and middleware items need owner assignment against applications that process untrusted input, shared cache state, archives, YAML, wiki content, or image files.

Two owner queues should remain caveated during triage: Fortra BoKS Manager and AWS Advanced JDBC Wrapper have narrow evidence today, so local deployment and version evidence should decide urgency. The jscrambler update is broader because the suspicious release set expanded and later versions can run through normal import paths, so lockfile, cache, CI, and developer-workstation searches should include every listed version.

cve-2026-13053cve-2026-13079cve-2026-14265cve-2026-54401cve-2026-55112cve-2026-58036cve-2026-58384cve-2026-59870cve-2026-59871cve-2026-8858

Act on this brief

Map detection coverage gaps for the techniques above, or generate Sigma rules from the named CVEs.