Sunday, July 12, 2026 Archive

Archived Security Snapshot

Critical vulnerabilities, curated daily for security professionals

Archived Security Brief

Sunday's disclosures are dominated by MervinPraison PraisonAI, which accounts for three of the day's critical vulnerabilities, alongside a broad cluster of Joomla and Drupal extension flaws. The set includes 7 critical CVEs (down 75% from 28 the prior day) and 44 high-priority CVEs (down 34% from 67). Standouts include CVE-2026-61447 (CVSS 10, PraisonAI), CVE-2026-57827 (CVSS 10, RSJoomla RSFiles), and CVE-2026-48282 (CVSS 9.5, Adobe ColdFusion). Remote code execution and injection flaws in web application platforms and CMS extensions are the prevailing pattern, with the Joomla ecosystem particularly heavily represented across both the critical and actively exploited sets. No vendor patches were confirmed available at disclosure, so teams should prioritize mitigations and exposure reduction while monitoring for vendor advisories.

  • MervinPraison PraisonAI is the most affected product, with three critical CVEs including CVE-2026-61447 (CVSS 10) and CVE-2026-61445 (CVSS 9.9)
  • 7 critical CVEs disclosed, down 75% from 28 the prior day
  • 44 high-priority CVEs disclosed, down 34% from 67 the prior day
  • Remote code execution and injection flaws dominate, affecting RSJoomla RSFiles (CVSS 10), Phoca Download, Drupal Flag attendance field, and TONYC Imager
  • 0% of critical vulnerabilities had vendor patches available at disclosure, requiring interim mitigations
  • 6 vulnerabilities show confirmed active exploitation, including Adobe ColdFusion (CVE-2026-48282) and Langflow (CVE-2026-55255)

Immediate action: Prioritize Adobe ColdFusion, Langflow, and MervinPraison PraisonAI deployments, along with the affected Joomla extensions (SP Page Builder, Page Builder CK, Balbooa Forms, iCagenda), given confirmed exploitation and CVSS 9.5+ scores. With no vendor patches confirmed available, apply available mitigations, restrict external exposure, and monitor vendor channels for forthcoming updates.

How to read this brief

CVSS score (e.g. 9.1) — severity from 0–10. Red marks critical (9+), orange high (7–8.9).

Exploitability — how hard the flaw is to attack, read from the CVSS vector:

  • Network / Adjacent / Local / Physical — how close an attacker must get. Network means reachable over the internet.
  • No / Low / High privileges — the access they need first. No privileges means no login required.
  • No interaction / User interaction — whether a victim has to do something (open a file, click a link). No interaction means fully automatable.

The lower the bar on all three, the easier to exploit at scale — “Network · No privileges · No interaction” is the worst case: hit from anywhere, no credentials, no victim action.

Actively exploited — confirmed under attack in the wild (CISA’s Known Exploited Vulnerabilities catalog). Prioritize these regardless of score.

EPSS · Nth percentile — FIRST.org’s estimated chance a flaw is exploited within 30 days. We flag it only in the top 10% — a statistical signal it’s unusually likely to be targeted, separate from whether attacks are confirmed.

💡 Tip: Swipe CVE cards left to ⭐ star, right to ❌ remove

Section Navigation