Saturday, July 18, 2026

Today's Security Snapshot

Critical vulnerabilities, curated daily for security professionals

Today's Security Brief

Saturday's disclosures are led by web application and open-source platform vulnerabilities, headlined by a maximum-severity flaw in PrestaShop's ps_facetedsearch module and a cluster of critical issues in IBM Langflow OSS. Yesterday brought 30 critical CVEs (down 6% from 32) and 56 high-priority CVEs (down 31% from 81). Notable entries include CVE-2026-54159 (CVSS 10) in PrestaShop ps_facetedsearch, CVE-2026-8635, CVE-2026-8476, and CVE-2026-8481 (all CVSS 9.9) in IBM Langflow OSS, and CVE-2026-48062 (CVSS 9.8) in CodeIgniter4. The activity skews toward remote code execution and injection weaknesses in widely deployed e-commerce, CMS, and application frameworks, with WordPress plugins and PHP-based platforms prominent. Vendor patches were not yet reflected for these entries at disclosure, so teams should track upstream advisories and prioritize mitigations for internet-facing deployments; 10 CVEs carry confirmed active exploitation.

  • PrestaShop ps_facetedsearch (CVE-2026-54159, CVSS 10) is the day's highest-severity flaw, affecting a widely used e-commerce faceted search module
  • 30 critical CVEs disclosed, down 6% from the prior day's 32
  • 56 high-priority CVEs disclosed, down 31% from the prior day's 81
  • IBM Langflow OSS accounts for three critical RCE-class issues (CVE-2026-8635, CVE-2026-8476, CVE-2026-8481, all CVSS 9.9), alongside CodeIgniter4 (CVE-2026-48062, CVSS 9.8)
  • Patch availability stands at 0% at disclosure, concentrated in web frameworks, WordPress plugins, and open-source application platforms
  • 10 CVEs show confirmed active exploitation, spanning Microsoft SharePoint, SonicWall SMA1000, and Fortinet FortiSandbox

Immediate action: Prioritize PrestaShop ps_facetedsearch, IBM Langflow OSS, and CodeIgniter4 deployments, along with the actively exploited SharePoint, SonicWall SMA1000, and Fortinet FortiSandbox systems, for immediate review and mitigation. With no vendor patches reflected for the new critical items at disclosure, monitor upstream advisories closely and apply interim mitigations or access restrictions on internet-facing instances until fixes are published.

How to read this brief

CVSS score (e.g. 9.1) — severity from 0–10. Red marks critical (9+), orange high (7–8.9).

Exploitability — how hard the flaw is to attack, read from the CVSS vector:

  • Network / Adjacent / Local / Physical — how close an attacker must get. Network means reachable over the internet.
  • No / Low / High privileges — the access they need first. No privileges means no login required.
  • No interaction / User interaction — whether a victim has to do something (open a file, click a link). No interaction means fully automatable.

The lower the bar on all three, the easier to exploit at scale — “Network · No privileges · No interaction” is the worst case: hit from anywhere, no credentials, no victim action.

Actively exploited — confirmed under attack in the wild (CISA’s Known Exploited Vulnerabilities catalog). Prioritize these regardless of score.

EPSS · Nth percentile — FIRST.org’s estimated chance a flaw is exploited within 30 days. We flag it only in the top 10% — a statistical signal it’s unusually likely to be targeted, separate from whether attacks are confirmed.

💡 Tip: Swipe CVE cards left to ⭐ star, right to ❌ remove

Section Navigation