Saturday, July 11, 2026

Today's Security Snapshot

Critical vulnerabilities, curated daily for security professionals

🎯 SSCV Profile

See how vulnerabilities affect your specific environment

CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework

Risk scores will be adjusted based on your selected environment

Today's Security Brief

Saturday's disclosures center on infrastructure and developer-facing software, with Apache IoTDB (CVE-2026-40008, CVSS 9.8) and OpenPLC (CVE-2026-14480, CVSS 9.9) exposing industrial and time-series data systems to remote compromise. The set includes 28 critical CVEs, down 7% from the prior day's 30, alongside 67 high-priority issues, up 10% from 61. Browser and IDE users are affected by two Google Chrome flaws (CVE-2026-15113 and CVE-2026-15115) and JetBrains IntelliJ IDEA (CVE-2026-59792, CVSS 9.6), while a Kubernetes MCP server (CVE-2026-61459, CVSS 9.8) and Red Hat OpenShift AI (CVE-2026-15378, CVSS 9.3) extend the risk into cloud and AI tooling. Remote code execution and authentication bypass dominate, and six vulnerabilities across Joomla extensions, Adobe ColdFusion, and Langflow carry confirmed active exploitation. No vendor patches were confirmed available at disclosure, so teams should track upstream advisories and apply mitigations as fixes ship.

  • Apache IoTDB (CVE-2026-40008, CVSS 9.8) and OpenPLC (CVE-2026-14480, CVSS 9.9) expose industrial and data-platform infrastructure to remote compromise
  • 28 critical CVEs disclosed, a 7% decrease from the prior day's 30
  • 67 high-priority CVEs disclosed, a 10% increase from the prior day's 61
  • Remote code execution and authentication bypass dominate, affecting Google Chrome, JetBrains IntelliJ IDEA, Red Hat OpenShift AI, and a Kubernetes MCP server
  • 0% of the day's critical CVEs had vendor patches confirmed available at disclosure
  • 6 vulnerabilities show active exploitation, including Adobe ColdFusion, Langflow, and multiple Joomla page-builder extensions

Immediate action: Prioritize the actively exploited issues in Adobe ColdFusion, Langflow, and the Joomla page-builder extensions (SP Page Builder, Page Builder CK, iCagenda, Balbooa Forms), then address Apache IoTDB, OpenPLC, and the Chrome and IntelliJ IDEA flaws affecting developer endpoints. With no patches confirmed at disclosure, monitor vendor advisories closely and apply available mitigations or access restrictions until updates are released.

How to read this brief

CVSS score (e.g. 9.1) — severity from 0–10. Red marks critical (9+), orange high (7–8.9).

Exploitability — how hard the flaw is to attack, read from the CVSS vector:

  • Network / Adjacent / Local / Physical — how close an attacker must get. Network means reachable over the internet.
  • No / Low / High privileges — the access they need first. No privileges means no login required.
  • No interaction / User interaction — whether a victim has to do something (open a file, click a link). No interaction means fully automatable.

The lower the bar on all three, the easier to exploit at scale — “Network · No privileges · No interaction” is the worst case: hit from anywhere, no credentials, no victim action.

Actively exploited — confirmed under attack in the wild (CISA’s Known Exploited Vulnerabilities catalog). Prioritize these regardless of score.

EPSS · Nth percentile — FIRST.org’s estimated chance a flaw is exploited within 30 days. We flag it only in the top 10% — a statistical signal it’s unusually likely to be targeted, separate from whether attacks are confirmed.

💡 Tip: Swipe CVE cards left to ⭐ star, right to ❌ remove

Section Navigation