Thursday, July 9, 2026 Archive

Archived Security Snapshot

Critical vulnerabilities, curated daily for security professionals

🎯 SSCV Profile

See how vulnerabilities affect your specific environment

CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework

Risk scores will be adjusted based on your selected environment

Archived Security Brief

Thursday's disclosures were led by a maximum-severity flaw in CoreWCF (CVE-2026-54782, CVSS 10) alongside critical issues in the Snowflake Snowpark Python SDK and Apache Gravitino, concentrating risk in data-platform and web-application infrastructure. The set includes 16 critical CVEs, down 30% from the prior day's 23, and 65 high-priority CVEs, unchanged day-over-day. Notable entries include CVE-2026-15062 (CVSS 9.6) in the Snowflake Snowpark Python SDK, CVE-2026-41042 (CVSS 9.1) in Apache Gravitino, and CVE-2026-9074 (CVSS 9.1) in IBM API Connect, spanning developer tooling, WordPress plugins, and enterprise API gateways. Four vulnerabilities carry confirmed active exploitation, affecting Adobe ColdFusion, Langflow, and Joomla-based page builders. Patches were not yet available for any of the disclosed critical issues at time of publication, so teams should prioritize mitigations and exposure reduction until vendor fixes ship.

  • CoreWCF CVE-2026-54782 (CVSS 10) headlines the day, with critical flaws also affecting the Snowflake Snowpark Python SDK and Apache Gravitino
  • 16 critical CVEs disclosed, down 30% from the prior day's 23
  • 65 high-priority CVEs, unchanged from the previous day
  • Attack surface spans web-application frameworks, data platforms, and API gateways including IBM API Connect (CVE-2026-9074) and Microsoft Dynamics 365 Customer Voice (CVE-2026-47646)
  • Patch availability stands at 0% for the critical set, requiring interim mitigations for exposed systems
  • Four CVEs show confirmed active exploitation, including Adobe ColdFusion and Langflow

Immediate action: Prioritize CoreWCF, Snowflake Snowpark SDK, Apache Gravitino, and IBM API Connect deployments for immediate review, and restrict exposure on actively exploited Adobe ColdFusion and Langflow instances. With no vendor patches yet available for the critical issues, apply network segmentation, access controls, and vendor-recommended mitigations while monitoring for patch releases.

How to read this brief

CVSS score (e.g. 9.1) — severity from 0–10. Red marks critical (9+), orange high (7–8.9).

Exploitability — how hard the flaw is to attack, read from the CVSS vector:

  • Network / Adjacent / Local / Physical — how close an attacker must get. Network means reachable over the internet.
  • No / Low / High privileges — the access they need first. No privileges means no login required.
  • No interaction / User interaction — whether a victim has to do something (open a file, click a link). No interaction means fully automatable.

The lower the bar on all three, the easier to exploit at scale — “Network · No privileges · No interaction” is the worst case: hit from anywhere, no credentials, no victim action.

🔴 Actively exploited — confirmed under attack in the wild (CISA’s Known Exploited Vulnerabilities catalog). Prioritize these regardless of score.

EPSS · Nth percentile — FIRST.org’s estimated chance a flaw is exploited within 30 days. We flag it only in the top 10% — a statistical signal it’s unusually likely to be targeted, separate from whether attacks are confirmed.

💡 Tip: Swipe CVE cards left to ⭐ star, right to ❌ remove

Section Navigation