Wednesday, July 8, 2026 Archive

Archived Security Snapshot

Critical vulnerabilities, curated daily for security professionals

🎯 SSCV Profile

See how vulnerabilities affect your specific environment

CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework

Risk scores will be adjusted based on your selected environment

Archived Security Brief

Enterprise infrastructure led yesterday's disclosures, with Dell PowerProtect Data Domain, Apache Airflow, and the Gitea self-hosted Git server all carrying critical remote-exploitation flaws. The day brought 23 critical CVEs (down 34% from 35) and 65 high-priority CVEs (down 24% from 86), a lower overall volume weighted toward high-impact enterprise targets. Standouts include CVE-2026-53481 and CVE-2026-53483 (CVSS 9.8) in Dell PowerProtect Data Domain, CVE-2026-33264 (CVSS 9.8) in Apache Airflow, and CVE-2026-13019 (CVSS 9.8) in Esri Portal for ArcGIS. Four vulnerabilities have confirmed active exploitation, including Adobe ColdFusion (CVE-2026-48282) and Langflow (CVE-2026-55255), spanning web application builders and AI orchestration tooling. Patches were not yet published for the disclosed set at collection time, so teams should prioritize vendor advisories and interim mitigations for exposed data-protection, CI/CD, and web-facing systems.

  • Dell PowerProtect Data Domain carries two CVSS 9.8 flaws (CVE-2026-53481, CVE-2026-53483) threatening backup and data-protection infrastructure
  • 23 critical CVEs disclosed, down 34% from the prior day's 35
  • 65 high-priority CVEs disclosed, down 24% from the prior day's 86
  • Remote code execution and authentication bypass dominate, affecting Apache Airflow, Gitea, Esri Portal for ArcGIS, and Coder
  • Patch availability stood at 0% at collection time, leaving mitigation and vendor advisories as the primary response
  • Four CVEs are under active exploitation, including Adobe ColdFusion (CVE-2026-48282) and Langflow (CVE-2026-55255)

Immediate action: Prioritize Dell PowerProtect Data Domain, Apache Airflow, Gitea, and Esri Portal for ArcGIS, along with the actively exploited Adobe ColdFusion and Langflow instances, for immediate review and network exposure reduction. With no patches published for the disclosed set at collection time, apply vendor mitigations, restrict external access, and monitor advisories for fixes as they are released.

How to read this brief

CVSS score (e.g. 9.1) — severity from 0–10. Red marks critical (9+), orange high (7–8.9).

Exploitability — how hard the flaw is to attack, read from the CVSS vector:

  • Network / Adjacent / Local / Physical — how close an attacker must get. Network means reachable over the internet.
  • No / Low / High privileges — the access they need first. No privileges means no login required.
  • No interaction / User interaction — whether a victim has to do something (open a file, click a link). No interaction means fully automatable.

The lower the bar on all three, the easier to exploit at scale — “Network · No privileges · No interaction” is the worst case: hit from anywhere, no credentials, no victim action.

🔴 Actively exploited — confirmed under attack in the wild (CISA’s Known Exploited Vulnerabilities catalog). Prioritize these regardless of score.

EPSS · Nth percentile — FIRST.org’s estimated chance a flaw is exploited within 30 days. We flag it only in the top 10% — a statistical signal it’s unusually likely to be targeted, separate from whether attacks are confirmed.

💡 Tip: Swipe CVE cards left to ⭐ star, right to ❌ remove

Section Navigation