Tuesday, July 14, 2026 Archive

Archived Security Snapshot

Critical vulnerabilities, curated daily for security professionals

Archived Security Brief

Two maximum-severity flaws in VITEC Flamingo (CVE-2026-60121 and CVE-2026-61498, both CVSS 9.8) lead the day's disclosures, alongside a critical issue in Google Cloud BigQuery, Dataform, and Colab Enterprise (CVE-2026-14934, CVSS 9.4). Critical CVEs rose to 40 from 5 the prior day (+700%), while high-priority CVEs climbed to 90 from 35 (+157%), across 130 total disclosures. Additional critical vulnerabilities affect the EVbee Service (CVE-2026-22093, CVSS 9.5) and several web platforms including Mura CMS and ChurchCRM. The disclosures span EV charging infrastructure, cloud data platforms, WordPress plugins, and Joomla extensions, with remote code execution and authentication weaknesses recurring across the set. No vendor patches were confirmed available at disclosure, so teams should prioritize inventory and compensating controls while monitoring for fixes; three CVEs, including Joomla Balbooa Forms and iCagenda extensions, have confirmed active exploitation.

  • VITEC Flamingo carries two CVSS 9.8 flaws (CVE-2026-60121, CVE-2026-61498), the highest-severity issues of the day
  • Critical CVEs rose to 40 from 5 the prior day (+700%)
  • High-priority CVEs rose to 90 from 35 the prior day (+157%)
  • Remote code execution and authentication weaknesses recur across cloud, CMS, and EV-charging products, including Google Cloud BigQuery (CVE-2026-14934) and EVbee Service (CVE-2026-22093)
  • Patch availability stands at 0% at disclosure, affecting VITEC Flamingo, Mura CMS, and multiple WordPress and Joomla components
  • Three CVEs show confirmed active exploitation, including Joomla Balbooa Forms and iCagenda extensions and Cisco IOS

Immediate action: Prioritize VITEC Flamingo, Google Cloud BigQuery/Dataform/Colab Enterprise, and the actively exploited Joomla Balbooa Forms and iCagenda extensions for immediate review and mitigation. With no vendor patches confirmed available at disclosure, apply available compensating controls, restrict network exposure, and monitor vendor advisories for fixes.

How to read this brief

CVSS score (e.g. 9.1) — severity from 0–10. Red marks critical (9+), orange high (7–8.9).

Exploitability — how hard the flaw is to attack, read from the CVSS vector:

  • Network / Adjacent / Local / Physical — how close an attacker must get. Network means reachable over the internet.
  • No / Low / High privileges — the access they need first. No privileges means no login required.
  • No interaction / User interaction — whether a victim has to do something (open a file, click a link). No interaction means fully automatable.

The lower the bar on all three, the easier to exploit at scale — “Network · No privileges · No interaction” is the worst case: hit from anywhere, no credentials, no victim action.

Actively exploited — confirmed under attack in the wild (CISA’s Known Exploited Vulnerabilities catalog). Prioritize these regardless of score.

EPSS · Nth percentile — FIRST.org’s estimated chance a flaw is exploited within 30 days. We flag it only in the top 10% — a statistical signal it’s unusually likely to be targeted, separate from whether attacks are confirmed.

💡 Tip: Swipe CVE cards left to ⭐ star, right to ❌ remove

Section Navigation