Situation report
Findings 01-12 cover today's retained queue: Finding 01 covers CVE-2026-54401 and CVE-2026-54402; Finding 02 covers CVE-2026-59871, CVE-2026-59873, and CVE-2026-59874; Finding 03 covers CVE-2026-9863; Finding 04 covers CVE-2026-13053 and CVE-2026-13054; Finding 05 covers CVE-2026-14265; Finding 06 covers CVE-2026-8858 and CVE-2026-10852; Finding 07 covers CVE-2026-58384; Finding 08 covers CVE-2026-55112; Finding 09 covers CVE-2026-13079; Finding 10 covers CVE-2026-59870; Finding 11 covers CVE-2026-58036 and CVE-2026-8857; Finding 12 covers the jscrambler package versions 8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.0.
The main operational theme is exposure routing. Network-controller and administration surfaces need reachability checks first, while dependency and middleware items need owner assignment against applications that process untrusted input, shared cache state, archives, YAML, wiki content, or image files.
Two owner queues should remain caveated during triage: Fortra BoKS Manager and AWS Advanced JDBC Wrapper have narrow evidence today, so local deployment and version evidence should decide urgency. The jscrambler update is broader because the suspicious release set expanded and later versions can run through normal import paths, so lockfile, cache, CI, and developer-workstation searches should include every listed version.