What changed
Finding 01 adds CVE-2026-39808 and CVE-2026-25089 as Critical FortiSandbox command-injection vulnerabilities with verified active exploitation and a CISA patch order. Finding 02 identifies CVE-2026-54567 as an incomplete-fix variant of CVE-2026-27641 in Flask-Reuploaded, while Finding 03 records security updates for the Critical CVE-2026-53412 affecting Zoom Workplace and VDI Client for Windows.
Finding 04 reports SAP’s July updates for Critical CVE-2026-44747. Finding 05 identifies CVE-2026-54076 as an incomplete fix of CVE-2026-44221 that permits read-only ArcadeDB users to mutate the database schema. Finding 06 adds Critical CVE-2026-55579, concerning Pheditor’s hard-coded default ‘admin’ password without a forced change.
Finding 07 records xgrammar’s version 0.1.32 patch for CVE-2026-25048. Finding 08 adds NVIDIA’s update for CVE-2026-24157 in NeMo Framework. Findings 09 and 10 add separate WatchGuard FireWare OS issues: CVE-2026-13084 can cause denial of service on VPN systems using IKEv2, while CVE-2026-8247 permits network-adjacent, unauthenticated code execution.
Finding 11 adds CVE-2026-8108, a local denial-of-service risk in Fuji Electric Tellus. Finding 12 adds CVE-2026-8921, which permits a low-privileged local attacker to escalate privileges in ASUS Business Manager. Finding 13 adds the similarly local, low-privilege prerequisite for CVE-2026-48344 in Adobe Creative Cloud Desktop Application.
Finding 14 identifies an incomplete fix for CVE-2026-50197 in Skipper, where an oversized body can bypass OPA deny-on-presence Rego policies. Finding 15 adds CVE-2026-35188, a Medium-severity OpenSSL double-free issue involving malformed OCSP responses, for which an update is available.
Why it matters
Finding 01 warrants the fastest response because both retained CVEs have verified exploitation and appear in CISA KEV. The remaining findings do not have confirmed exploitation in the available evidence and should not inherit Finding 01’s exploitation status.
Findings 02, 05 and 14 each concern incomplete remediation, but the affected components and bypass conditions differ. They therefore require separate validation against the linked Flask-Reuploaded, ArcadeDB and Skipper advisories rather than one shared remediation assumption.
Findings 08, 12 and 13 can result in code execution or privilege escalation but depend on different prerequisites: user interaction for NVIDIA NeMo Framework, and prior low-privileged local execution for ASUS Business Manager and Adobe Creative Cloud Desktop Application. Finding 10 instead exposes affected WatchGuard systems to a network-adjacent, unauthenticated path.
- Recommended actions
- FortiSandbox owner: For Finding 01, identify every FortiSandbox deployment affected by CVE-2026-39808 or CVE-2026-25089, follow the CISA-directed remediation urgently, and investigate those systems for compromise because exploitation is verified for both CVEs.
- Flask-Reuploaded owner: For Finding 02, determine exposure to CVE-2026-54567 and CVE-2026-27641, then verify the current linked advisory’s remediation rather than treating commit d64c6b2f71cb73734fc38baa0e3e156926361288 for CVE-2026-27641 as proof that the incomplete-fix variant is resolved.
- Zoom owner: For Finding 03, update Zoom Workplace for Windows to 7.0.0 or later and update each Zoom Workplace VDI Client for Windows branch beyond the affected versions specified for CVE-2026-53412.
- SAP owner: For Finding 04, identify SAP NetWeaver Application Server ABAP instances affected by CVE-2026-44747 and apply the relevant July 2026 SAP security update.
- ArcadeDB owner: For Finding 05, assess CVE-2026-54076 and CVE-2026-44221 separately, then test that read-only accounts cannot mutate database schema after applying the linked advisory’s current remediation.
- Pheditor owner: For Finding 06, inventory Pheditor installations affected by CVE-2026-55579, replace the default ‘admin’ password immediately, and ensure deployments require a credential change before use.
- xgrammar owner: For Finding 07, upgrade CVE-2026-25048-affected deployments to xgrammar 0.1.32 or later and verify that untrusted multi-level nested syntax cannot terminate the consuming service.
- NVIDIA NeMo owner: For Finding 08, apply NVIDIA’s update for CVE-2026-24157 and restrict the opening or processing of untrusted checkpoints, files and linked content until coverage is confirmed.
- WatchGuard VPN owner: For Finding 09, identify FireWare OS systems using VPN with IKEv2 and apply WatchGuard’s update for CVE-2026-13084, prioritising externally reachable services that process IKEv2 IKE_AUTH messages.
- WatchGuard appliance owner: For Finding 10, apply WatchGuard’s update for CVE-2026-8247 and restrict network-adjacent access to affected FireWare OS systems until remediation is verified.
- Fuji Electric Tellus owner: For Finding 11, apply the update referenced by the linked advisory for CVE-2026-8108 and limit low-privileged local code execution on affected systems.
- ASUS endpoint owner: For Finding 12, apply ASUS’s update for CVE-2026-8921 and review which users or processes can execute low-privileged code on systems running Business Manager.
- Adobe endpoint owner: For Finding 13, apply Adobe’s update for CVE-2026-48344 and investigate whether low-privileged users can influence resources used by AGSService.
- Skipper owner: For Finding 14, assess CVE-2026-50197 against the latest linked advisory and test OPA deny-on-presence Rego policies with oversized request bodies before accepting the remediation.
- OpenSSL owner: For Finding 15, apply an OpenSSL release containing the fix for CVE-2026-35188 and reduce requests to untrusted servers until the update is verified.
Evidence limits
No affected-version or fixed-version detail is available here for Finding 01, and the source excerpt does not establish which FortiSandbox releases remediate CVE-2026-39808 or CVE-2026-25089.
For Findings 02, 05, 06 and 14, the captured GitHub excerpts establish the advisory subjects but do not provide complete affected-version and fixed-version information. The recorded fixes for CVE-2026-27641 and CVE-2026-44221 do not establish fixes for CVE-2026-54567 and CVE-2026-54076 respectively, while no fixed revision is stated for CVE-2026-55579 or CVE-2026-50197.
Findings 08 through 13 and Finding 15 contain score differences between the retained assessment and the linked ZDI pages. The report preserves High for CVE-2026-24157, CVE-2026-8247, CVE-2026-13084, CVE-2026-8108, CVE-2026-8921 and CVE-2026-48344, and Medium for CVE-2026-35188, without attempting to reconcile the differing numerical scores.
Finding 03 supplies affected-version boundaries but not a fixed revision for CVE-2026-53412. Finding 04 states that SAP released updates but does not provide the exact remediated release for CVE-2026-44747. Finding 07 identifies xgrammar 0.1.32 as patched for CVE-2026-25048.