CRITICAL 6 min read 19 Jul 2026

CISA confirms active exploitation of two Critical FortiSandbox command-injection flaws

What changed Finding 01 elevates CVE-2026-39808 and CVE-2026-25089 following their addition to CISA’s exploited catalogue, with both assessed Critical and exploitation confirmed.

Key findings
01
CVE-2026-39808: CISA confirms exploitation of two FortiSandbox command-injection flaws
CRITICAL
CVE-2026-39808 and CVE-2026-25089 are both assessed at CVSS 9.1 and classified as OS command injection. CISA’s Known Exploited Vulnerabilities evidence confirms active exploitation of each CVE, while the captured reporting says researchers observed abuse attempts and that CISA issued a patch order.
02
CVE-2026-27641: Flask-Reuploaded incomplete fix leaves a case-folding bypass
CRITICAL
The GitHub advisory describes CVE-2026-54567 as an extension-denylist bypass caused by case-folding asymmetry in the name-override path and as an incomplete-fix variant of CVE-2026-27641.
03
CVE-2026-53412: Zoom patches a Windows flaw that may permit account takeover
CRITICAL
CVE-2026-53412 is assessed Critical at CVSS 9.8 and classified as improper input validation. The captured reporting says the issue may allow an unauthenticated user to conduct account takeover through network access.
04
CVE-2026-44221: ArcadeDB incomplete fix leaves read-only users able to change schema
CRITICAL
The GitHub advisory identifies CVE-2026-54076 as an incomplete-fix variant of CVE-2026-44221 and says read-only users can mutate database schema.
05
CVE-2026-55579: Pheditor default credentials can enable full application compromise
CRITICAL
The GitHub advisory says Pheditor uses the hard-coded default password ‘admin’ without forcing a change, enabling full application compromise.
06
ViteVenom reporting and CVE-2026-50197 evidence diverge
HIGH
The captured report concerns seven malicious npm packages targeting Vite developers and using blockchain-based command-and-control to deliver a remote-access trojan.
07
Public exploit code is available for CVE-2026-15718
MEDIUM
The captured reporting says public exploit code exists for CVE-2026-15718 but that no attacks in the wild were known.
08
CVE-2026-60137: WordPress wp2shell evidence is mixed across three retained CVEs
INFO
The Rapid7 reporting describes CVE-2026-63030 as an unauthenticated remote-code-execution vulnerability affecting WordPress Core.
09
CVE-2026-63030: WordPress Core is exposed to unauthenticated remote code execution
INFO
The Rapid7 report describes CVE-2026-63030 as a Critical unauthenticated remote-code-execution vulnerability affecting WordPress Core.
10
Seven malicious npm packages target Vite developers
INFO
The captured reporting describes seven malicious npm packages targeting the Vite frontend ecosystem. It says the ViteVenom campaign expanded ChainVeil and used blockchain-based command-and-control to deliver a remote-access trojan for credential theft, file exfiltration and persistence.
11
Windows 10 migration delays extend lifecycle exposure
INFO
The captured reporting says one in six machines still runs Windows 10 as migration stalls and patch deadlines approach.
12
HollowByte can strand memory on tested glibc systems
INFO
The captured reporting says an incomplete 11-byte TLS message can make an unpatched OpenSSL server reserve up to 131 KB of memory. On the glibc systems tested by Okta, that memory remained unavailable until the process restarted.
13
OpenSSL shipped the HollowByte fix without a conventional advisory signal
INFO
The captured report says OpenSSL fixed HollowByte after 11-byte TLS requests were found capable of stranding memory on glibc systems.
14
LegacyHive targets Windows user hives after compromise
INFO
The captured reporting describes LegacyHive as proof-of-concept code for a local privilege-escalation vulnerability targeting Windows user hives.
15
Attackers chained two SonicWall zero-days before disclosure
INFO
The captured reporting says attackers exploited CVE-2026-15409 and CVE-2026-15410 as a chain beginning three weeks before the vendor disclosed and patched the defects.

What changed

Finding 01 elevates CVE-2026-39808 and CVE-2026-25089 following their addition to CISA’s exploited catalogue, with both assessed Critical and exploitation confirmed.

Finding 02 identifies CVE-2026-54567 as an incomplete-fix variant of CVE-2026-27641 in Flask-Reuploaded. The former is assessed High, while the latter is Critical and has a recorded fix.

Finding 03 reports a released Zoom security update for Critical CVE-2026-53412, which may permit unauthenticated account takeover through network access.

Finding 04 identifies CVE-2026-54076 as an incomplete-fix variant of CVE-2026-44221 affecting ArcadeDB authorisation. CVE-2026-44221 is assessed Critical with a recorded fix, while CVE-2026-54076 is High and has no recorded fix.

Finding 05 reports that Pheditor’s hard-coded default ‘admin’ password can enable full application compromise. CVE-2026-55579 is assessed Critical, but its publication status and remediation state remain unconfirmed.

Finding 06 combines reporting on seven malicious Vite-targeting npm packages with separate High-severity technical evidence for CVE-2026-50197. The captured reporting does not establish that the CVE belongs to that campaign.

Finding 07 reports public exploit code for CVE-2026-15718 but no known in-the-wild attacks. Although the article describes the relevant Firefox flaws as critical, the CVE-specific assessment is Medium.

Finding 08 introduces WordPress wp2shell evidence involving CVE-2026-60137 and CVE-2026-63030, while also retaining CVE-2026-25089. The WordPress source independently supports unauthenticated remote code execution for CVE-2026-63030, but not an association between WordPress and CVE-2026-25089.

Finding 09 separately describes CVE-2026-63030 as an unauthenticated WordPress Core remote-code-execution vulnerability. The CVE-specific evidence assesses CVE-2026-60137 as Critical and CVE-2026-63030 as High, conflicting with the source’s Critical description of CVE-2026-63030.

Finding 10 expands the reported reach of the ViteVenom campaign to seven malicious npm packages targeting Vite developers and using blockchain-based command-and-control to deliver a remote-access trojan.

Finding 11 highlights continuing Windows 10 exposure as migration stalls, with the source reporting that one in six machines still runs the older operating system.

Finding 12 reports that HollowByte can make an unpatched OpenSSL server reserve up to 131 KB in response to an incomplete 11-byte TLS message, with tested glibc systems retaining that memory until process restart.

Finding 13 independently records that OpenSSL shipped a HollowByte fix in June without a CVE, advisory or identifying changelog entry.

Finding 14 introduces LegacyHive proof-of-concept code targeting Windows user hives through the Windows User Profile Service, with the reported outcome being privileged read-write access to other users’ hives.

Finding 15 reports that attackers chained CVE-2026-15409 and CVE-2026-15410 against SonicWall customers before the vendor disclosed and patched the defects.

Why it matters

Finding 01 requires immediate attention because both retained FortiSandbox CVEs have verified exploitation, whereas Findings 02, 03, 04, 05, 08 and 09 contain Critical assessments but do not provide equivalent confirmation of exploitation for their Critical CVEs.

Finding 15 also presents confirmed exploitation, but its SonicWall-specific exposure and remediation evidence must remain separate from the FortiSandbox conclusions in Finding 01.

Findings 06 and 10 indicate software supply-chain risk to Vite developers through malicious npm packages, but only Finding 10 cleanly supports the campaign details. Finding 06’s CVE-2026-50197 evidence describes a separate HTTP request-smuggling issue and must not be treated as part of ViteVenom.

Findings 12 and 13 describe the same OpenSSL HollowByte condition and an unusually difficult remediation signal: a fix was shipped, but no CVE, advisory or changelog note identifies it.

Finding 07’s public exploit code increases the need to verify Firefox exposure, but the evidence explicitly says no in-the-wild attacks were known and the CVE-specific severity remains Medium.

Finding 11 represents a lifecycle and patching concern rather than evidence of a particular exploited vulnerability, while Finding 14 describes a post-compromise Windows privilege-escalation tool rather than an initial-access route.

  • Recommended actions
  • FortiSandbox owner: Treat Finding 01 as the lead remediation priority. Identify deployments affected by CVE-2026-39808 or CVE-2026-25089, follow the linked remediation guidance and investigate relevant management-surface activity because exploitation is verified for both CVEs.
  • Application owner: For Finding 02, inventory Flask-Reuploaded use and verify the linked advisory’s remediation separately for Critical CVE-2026-27641 and High CVE-2026-54567. Do not assume the recorded CVE-2026-27641 fix also resolves the incomplete-fix variant.
  • Unified communications owner: For Finding 03, identify Zoom Workplace and Zoom Workplace VDI Client installations on Windows, compare installed versions with the affected versions in the linked reporting and deploy the applicable CVE-2026-53412 update.
  • Database owner: For Finding 04, inventory ArcadeDB deployments and verify the linked advisory’s remediation for CVE-2026-44221 and CVE-2026-54076 independently, because only CVE-2026-44221 has a recorded fix.
  • Application owner: For Finding 05, locate reachable Pheditor deployments, determine whether the default ‘admin’ password remains usable and replace default credentials with unique credentials. Consult the linked advisory for CVE-2026-55579 updates because no fix is recorded in the available evidence.
  • WordPress owner: For Finding 08, identify WordPress Core exposure to CVE-2026-60137 and CVE-2026-63030 and follow the linked WordPress-specific guidance. Route CVE-2026-25089 separately as an exploited command-injection issue rather than assuming it affects WordPress.
  • WordPress owner: For Finding 09, prioritise verification of CVE-2026-63030 exposure in WordPress Core, but retain the CVE-specific High assessment and escalate the Critical-versus-High severity conflict rather than resolving it from the source headline. Assess CVE-2026-60137 independently.
  • Reverse-proxy owner: For Finding 06, identify use of components affected by CVE-2026-50197 and verify the recorded fix through the linked GitHub advisory. Treat the accompanying ViteVenom reporting as separate until a source establishes a relationship.
  • Browser owner: For Finding 07, inventory Firefox installations affected by CVE-2026-15718 and apply the relevant Mozilla update, while monitoring for any change from public proof-of-concept availability to confirmed exploitation.
  • Software engineering owner: For Finding 10, compare developer and build-environment npm inventories with the seven packages named in the linked ViteVenom reporting, remove confirmed malicious dependencies and investigate reported credential theft, file exfiltration or persistence indicators.
  • Endpoint lifecycle owner: For Finding 11, quantify remaining Windows 10 devices, confirm their support or ESU position and assign migration or compensating-control plans before applicable patch deadlines.
  • TLS service owner: For Finding 12, identify internet-facing services using OpenSSL on glibc systems and verify whether their installed OpenSSL release contains the June HollowByte fix.
  • Vulnerability-management owner: For Finding 13, track HollowByte by affected OpenSSL release rather than waiting for a CVE, because the source says the fix shipped without a CVE, advisory or identifying changelog entry.
  • Windows detection owner: For Finding 14, review detection coverage for unexpected user-hive mounting and privileged access to other users’ hives, focusing on already-compromised Windows systems because LegacyHive is described as a post-compromise tool.
  • SonicWall owner: For Finding 15, identify products covered by the vendor’s advisory for CVE-2026-15409 and CVE-2026-15410, confirm the disclosed patches are installed and investigate activity predating disclosure because attackers reportedly chained both vulnerabilities.

Evidence limits

Finding 01 has verified exploitation for CVE-2026-39808 and CVE-2026-25089, but no fixed-version value is present in the CVE-specific evidence; remediation details must therefore come from the linked guidance.

Finding 02 records a fix for CVE-2026-27641 but not CVE-2026-54567, and the latter’s CVE publication status is unknown.

Finding 03 provides no fixed-version value in the CVE-specific evidence, despite the source reporting that Zoom released updates for CVE-2026-53412.

Finding 04 records a fix for CVE-2026-44221 but not CVE-2026-54076, whose CVE publication status is unknown.

Finding 05 does not establish exploitation, a fixed version or published CVE status for CVE-2026-55579.

Finding 06 contains an unresolved subject mismatch: the captured source concerns ViteVenom, while the CVE-specific evidence for CVE-2026-50197 concerns HTTP request smuggling and records a fix. No association between the two is established.

Finding 07 contains a severity conflict. The source calls the relevant Firefox flaws critical, but the narrower CVE-specific conclusion for CVE-2026-15718 is Medium. Public exploit code is reported, but in-the-wild attacks are not.

Finding 08 does not independently connect CVE-2026-25089 to WordPress, although its CVE-specific evidence confirms exploitation. CVE-2026-60137 and CVE-2026-63030 also carry unresolved severity conflicts, and no fixed-version values are recorded for either.

Finding 09 retains the narrower CVE-specific conclusions of Critical for CVE-2026-60137 and High for CVE-2026-63030. Both are marked as conflicting, and neither has confirmed exploitation or a recorded fix.

Finding 10 is supported by one captured report and has no CVE-specific technical assessment in the available evidence.

Finding 11 provides an industry-wide adoption estimate but does not identify a specific vulnerability, affected-version boundary or universal remediation state.

Finding 12 provides test observations for glibc systems but does not establish that every OpenSSL deployment retains memory in the same way.

Finding 13 has no CVE or formal advisory identifier, limiting conventional vulnerability-scanner and advisory-based tracking.

Finding 14 supports a local privilege-escalation proof of concept and post-compromise utility, but it does not establish remote initial access or observed in-the-wild exploitation.

Finding 15 establishes exploitation and patch availability for CVE-2026-15409 and CVE-2026-15410, but the captured excerpt does not provide affected product versions or patch identifiers.

cve-2026-15409cve-2026-15718cve-2026-27641cve-2026-39808cve-2026-44221cve-2026-50197cve-2026-53412cve-2026-55579cve-2026-60137cve-2026-63030

Act on this brief

Map detection coverage gaps for the techniques above, or generate Sigma rules from the named CVEs.