Friday, July 10, 2026 Archive

Archived Security Snapshot

Critical vulnerabilities, curated daily for security professionals

🎯 SSCV Profile

See how vulnerabilities affect your specific environment

CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework

Risk scores will be adjusted based on your selected environment

Archived Security Brief

Friday's disclosures center on web-facing platforms and content management extensions, with Metabase (CVE-2026-59827, CVSS 9.9), the Xen hypervisor stack (CVE-2025-58146 XAPI and CVE-2025-27462/27463 Windows PV drivers, CVSS 9.4), and multiple WordPress plugins carrying near-maximum severity. The day brought 30 critical CVEs, up 88% from the prior day's 16, alongside 61 high-priority vulnerabilities, down 6% from 65. Notable critical entries include CVE-2026-15158 (CVSS 9.8) in Blocksy Companion, CVE-2026-14261 and CVE-2026-12116 in Xerte Online Tools, and CVE-2026-15282 (CVSS 9.8) in the Instant Appointment plugin. Attack patterns are dominated by remote code execution and authentication weaknesses in publicly exposed applications, with WordPress plugins, Joomla page builders, and virtualization infrastructure among the most affected products. No vendor patches were recorded at disclosure time, so teams should prioritize inventory review and compensating controls while awaiting fixes; four vulnerabilities have confirmed active exploitation.

  • Metabase (CVE-2026-59827, CVSS 9.9) and the Xen hypervisor stack (XAPI and Windows PV drivers, CVSS 9.4) lead the day's critical exposures across analytics and virtualization infrastructure
  • Critical CVEs rose to 30, an 88% increase from the prior day's 16
  • High-priority CVEs totaled 61, a 6% decrease from the prior day's 65
  • Remote code execution and authentication bypass dominate, affecting WordPress plugins (Blocksy Companion, Super Forms, Instant Appointment) and Xerte Online Tools
  • Patch availability stood at 0% at disclosure, leaving web applications and hypervisor components without vendor fixes at publication
  • Four vulnerabilities show confirmed active exploitation, including Adobe ColdFusion (CVE-2026-48282) and Langflow (CVE-2026-55255)

Immediate action: Prioritize public-facing systems running Metabase, Xen/XAPI hypervisors, Adobe ColdFusion, Langflow, and Joomla/WordPress deployments, as these carry the highest-severity and actively exploited flaws. With no vendor patches available at disclosure, apply access restrictions, network segmentation, and monitoring for the affected services until fixes are released, and track the four exploited CVEs for emergency remediation as updates ship.

How to read this brief

CVSS score (e.g. 9.1) — severity from 0–10. Red marks critical (9+), orange high (7–8.9).

Exploitability — how hard the flaw is to attack, read from the CVSS vector:

  • Network / Adjacent / Local / Physical — how close an attacker must get. Network means reachable over the internet.
  • No / Low / High privileges — the access they need first. No privileges means no login required.
  • No interaction / User interaction — whether a victim has to do something (open a file, click a link). No interaction means fully automatable.

The lower the bar on all three, the easier to exploit at scale — “Network · No privileges · No interaction” is the worst case: hit from anywhere, no credentials, no victim action.

🔴 Actively exploited — confirmed under attack in the wild (CISA’s Known Exploited Vulnerabilities catalog). Prioritize these regardless of score.

EPSS · Nth percentile — FIRST.org’s estimated chance a flaw is exploited within 30 days. We flag it only in the top 10% — a statistical signal it’s unusually likely to be targeted, separate from whether attacks are confirmed.

💡 Tip: Swipe CVE cards left to ⭐ star, right to ❌ remove

Section Navigation