Thursday, July 16, 2026 Archive

Archived Security Snapshot

Critical vulnerabilities, curated daily for security professionals

Archived Security Brief

Thursday's brief centers on several maximum-severity flaws in widely deployed web and infrastructure software, including Metabase, NocoBase, and Apache Tomcat, alongside actively exploited weaknesses in SonicWall SMA1000 appliances and Microsoft SharePoint Server. The set includes 18 critical CVEs (down 62% from 48 the prior day) and 34 high-priority CVEs (down 63% from 92), a lighter volume overall but weighted toward perfect and near-perfect scores. Notable entries include CVE-2026-50148 (CVSS 10) in Metabase, CVE-2026-52887 (CVSS 10) in NocoBase, and CVE-2026-59083 (CVSS 9.1) in Apache Tomcat, with CVE-2026-44986 (CVSS 9.9) affecting Penpot. Remote code execution, authentication bypass, and single-sign-on weaknesses dominate the pattern, spanning developer platforms, WordPress plugins, and edge network devices. Patch data was not yet reflected for these disclosures at brief time, so teams should confirm fixed versions directly against vendor advisories before deploying.

  • Maximum-severity remote code execution flaws affect Metabase (CVE-2026-50148, CVSS 10) and NocoBase (CVE-2026-52887, CVSS 10), both widely used data and low-code platforms
  • 18 critical CVEs disclosed, down 62% from 48 the prior day
  • 34 high-priority CVEs disclosed, down 63% from 92 the prior day
  • Attack patterns center on RCE, authentication bypass, and SSO/SAML weaknesses across Penpot, Apache Tomcat, Grav, and OpenWrt
  • Patch availability recorded at 0% at brief time; confirm fixed versions against each vendor advisory before remediating
  • 9 vulnerabilities show confirmed active exploitation, including SonicWall SMA1000 (CVE-2026-15409, CVSS 10) and Microsoft SharePoint Server (CVE-2026-56164)

Immediate action: Prioritize the actively exploited SonicWall SMA1000, Microsoft SharePoint Server, and Microsoft ADFS issues, then address the maximum-severity Metabase, NocoBase, and 9router flaws on internet-facing and internal platforms. Patch availability was not yet reflected at brief time, so verify fixed releases and interim mitigations directly with each vendor before scheduling deployment.

How to read this brief

CVSS score (e.g. 9.1) — severity from 0–10. Red marks critical (9+), orange high (7–8.9).

Exploitability — how hard the flaw is to attack, read from the CVSS vector:

  • Network / Adjacent / Local / Physical — how close an attacker must get. Network means reachable over the internet.
  • No / Low / High privileges — the access they need first. No privileges means no login required.
  • No interaction / User interaction — whether a victim has to do something (open a file, click a link). No interaction means fully automatable.

The lower the bar on all three, the easier to exploit at scale — “Network · No privileges · No interaction” is the worst case: hit from anywhere, no credentials, no victim action.

Actively exploited — confirmed under attack in the wild (CISA’s Known Exploited Vulnerabilities catalog). Prioritize these regardless of score.

EPSS · Nth percentile — FIRST.org’s estimated chance a flaw is exploited within 30 days. We flag it only in the top 10% — a statistical signal it’s unusually likely to be targeted, separate from whether attacks are confirmed.

💡 Tip: Swipe CVE cards left to ⭐ star, right to ❌ remove

Section Navigation