Sunday, July 19, 2026 Archive

Archived Security Snapshot

Critical vulnerabilities, curated daily for security professionals

Archived Security Brief

Sunday's disclosures concentrate on network infrastructure and application-delivery software, led by a maximum-severity flaw in the @fastify http-proxy module (CVE-2026-16117, CVSS 10) and a critical weakness in VMware's Avi Load Balancer (CVE-2026-47865, CVSS 9.8). The set includes 4 critical CVEs, down 87% from 30 the prior day, alongside 61 high-priority CVEs, up 9% from 56. Additional critical issues affect the OpenHTJ2K image codec (CVE-2026-51807, CVSS 9.8) and SurrealDB (CVE-2025-71392, CVSS 9.4). Attack patterns skew toward remote code execution and request-routing abuse in proxy and load-balancer components, with SonicWall SMA1000 appliances and Microsoft SharePoint among products showing confirmed exploitation. Patches are not yet reflected as available for the tracked critical issues (0%), so teams should prioritize mitigations and vendor advisory monitoring.

  • @fastify http-proxy carries a CVSS 10 flaw (CVE-2026-16117), the day's highest-severity disclosure
  • Critical CVEs fell to 4, an 87% drop from 30 the prior day
  • High-priority CVEs rose to 61, a 9% increase from 56
  • Remote code execution and request-routing abuse dominate, affecting VMware Avi Load Balancer and proxy components
  • Patch availability sits at 0% for tracked critical issues, requiring interim mitigations
  • 10 CVEs show confirmed active exploitation, including SonicWall SMA1000 and Microsoft SharePoint

Immediate action: Prioritize the @fastify http-proxy module, VMware Avi Load Balancer, and SonicWall SMA1000 appliances, which represent the highest-impact and actively exploited exposures. With no vendor patches yet confirmed for the tracked critical issues, apply available mitigations, restrict exposed management interfaces, and monitor vendor advisories for fixes.

How to read this brief

CVSS score (e.g. 9.1) — severity from 0–10. Red marks critical (9+), orange high (7–8.9).

Exploitability — how hard the flaw is to attack, read from the CVSS vector:

  • Network / Adjacent / Local / Physical — how close an attacker must get. Network means reachable over the internet.
  • No / Low / High privileges — the access they need first. No privileges means no login required.
  • No interaction / User interaction — whether a victim has to do something (open a file, click a link). No interaction means fully automatable.

The lower the bar on all three, the easier to exploit at scale — “Network · No privileges · No interaction” is the worst case: hit from anywhere, no credentials, no victim action.

Actively exploited — confirmed under attack in the wild (CISA’s Known Exploited Vulnerabilities catalog). Prioritize these regardless of score.

EPSS · Nth percentile — FIRST.org’s estimated chance a flaw is exploited within 30 days. We flag it only in the top 10% — a statistical signal it’s unusually likely to be targeted, separate from whether attacks are confirmed.

💡 Tip: Swipe CVE cards left to ⭐ star, right to ❌ remove

Section Navigation