Wednesday, July 15, 2026 Archive

Archived Security Snapshot

Critical vulnerabilities, curated daily for security professionals

Archived Security Brief

Wednesday's brief is dominated by Microsoft Windows and Windows Server, which account for multiple critical remote-code-execution and privilege issues, alongside a maximum-severity JetBrains YouTrack vulnerability. The set includes 48 critical CVEs (up 20% from 40) and 92 high-priority CVEs (up 2% from 90). Standout entries are CVE-2026-62422 (CVSS 10) in JetBrains YouTrack, CVE-2026-57092 (CVSS 9.9) in Microsoft Windows, and CVE-2026-54990 (CVSS 9.8) affecting Windows 11 and Windows Server 2025. Attack patterns concentrate on remote code execution and authentication bypass across enterprise platforms, developer tooling (sigstore-js, vitest), and web infrastructure. Vendor patch data was not yet reflected at collection time, so teams should treat these as unpatched pending vendor confirmation and prioritize verification of fixed builds. Seven CVEs show confirmed active exploitation, including SonicWall SMA1000 and Microsoft SharePoint Server.

  • Microsoft Windows and Windows Server carry several critical RCE and privilege-escalation flaws, including CVE-2026-57092 (CVSS 9.9) and CVE-2026-54990 (CVSS 9.8)
  • Critical CVEs rose to 48, a 20% increase over the prior day's 40
  • High-priority CVEs edged up to 92, a 2% increase over the prior day's 90
  • Remote code execution and authentication bypass dominate, spanning JetBrains YouTrack (CVSS 10), Google Chrome, and developer tooling (sigstore-js, vitest)
  • Patch availability was not yet reflected at collection time (0%); treat critical Windows and YouTrack issues as unpatched pending vendor confirmation
  • Seven CVEs show confirmed active exploitation, including SonicWall SMA1000 (CVE-2026-15409, CVSS 10) and Microsoft SharePoint Server

Immediate action: Prioritize Microsoft Windows, Windows Server, and JetBrains YouTrack for immediate review, and validate SonicWall SMA1000 and SharePoint Server given confirmed active exploitation. Patch status was not yet reflected at collection time, so confirm fixed builds directly with each vendor and apply mitigations where updates are pending.

How to read this brief

CVSS score (e.g. 9.1) — severity from 0–10. Red marks critical (9+), orange high (7–8.9).

Exploitability — how hard the flaw is to attack, read from the CVSS vector:

  • Network / Adjacent / Local / Physical — how close an attacker must get. Network means reachable over the internet.
  • No / Low / High privileges — the access they need first. No privileges means no login required.
  • No interaction / User interaction — whether a victim has to do something (open a file, click a link). No interaction means fully automatable.

The lower the bar on all three, the easier to exploit at scale — “Network · No privileges · No interaction” is the worst case: hit from anywhere, no credentials, no victim action.

Actively exploited — confirmed under attack in the wild (CISA’s Known Exploited Vulnerabilities catalog). Prioritize these regardless of score.

EPSS · Nth percentile — FIRST.org’s estimated chance a flaw is exploited within 30 days. We flag it only in the top 10% — a statistical signal it’s unusually likely to be targeted, separate from whether attacks are confirmed.

💡 Tip: Swipe CVE cards left to ⭐ star, right to ❌ remove

Section Navigation