← All briefings
Daily security briefing — 2026-07-07
CERT / PSIRT advisories
177
On July 7, 2026, security advisory activity was robust, with 177 advisories issued and 2,697 CVEs published. Notably, four new vulnerabilities were added to the Known Exploited Vulnerabilities (KEV) catalog, including CVE-2026-48282 affecting Adobe ColdFusion and CVE-2026-48908 related to JoomShaper SP Page Builder. Critical advisories included updates from Adobe and several from Siemens, highlighting vulnerabilities in Mendix Studio Pro and SINEC OS. Additionally, several critical CVEs were published, such as CVE-2026-34037, CVE-2026-34047, and CVE-2026-34048, all related to the Coolify tool, which poses significant risks to server management.
Added to the KEV catalog
Exploitation observed in the wild — remediate first.
Notable advisories
Critical/high or exploited items from national CERTs and vendor PSIRTs.
Notable CVEs
Highest-severity CVEs published this day from the NVD and GitHub Advisory firehose — the sharpest items behind the day’s numbers.
- criticalCVE-2026-34037CVE-2026-34037: Coolify is an open-source and self-hostable tool for managing servers, applications, and databCVSS 9.9
- criticalCVE-2026-34047CVE-2026-34047: Coolify is an open-source and self-hostable tool for managing servers, applications, and databCVSS 9.9
- criticalCVE-2026-34048CVE-2026-34048: Coolify is an open-source and self-hostable tool for managing servers, applications, and databCVSS 9.9
- criticalCVE-2026-13019CVE-2026-13019: Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missiCVSS 9.8
- criticalCVE-2026-53483CVE-2026-53483: Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 tCVSS 9.8
- criticalCVE-2026-53481CVE-2026-53481: Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 tCVSS 9.8
- criticalCVE-2026-14345CVE-2026-14345: The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WorCVSS 9.8
- criticalCVE-2026-12375CVE-2026-12375: The uncanny-automator-pro WordPress plugin before 7.3.0.6 was distributed with malicious code CVSS 9.8
- criticalCVE-2026-33264CVE-2026-33264: A bug in `BaseSerialization.deserialize()` allowed unrestricted `import_string()` of attacker-CVSS 9.8
- criticalCVE-2026-59705CVE-2026-59705: mem0's openmemory/api component contains an unauthenticated access vulnerability that allows uCVSS 9.8
- criticalCVE-2011-10043CVE-2011-10043: Module::Load versions before 0.22 for Perl allow arbitrary modules outside of @INC to be loadeCVSS 9.8
- criticalCVE-2026-59800CVE-2026-59800: 9Router before 0.4.44 contains an OS command injection vulnerability in the unauthenticated POCVSS 9.8
Highest exploitation probability
EPSS (FIRST.org) scores among CVEs published this day.
Get this briefing by email. One free message every morning after 06:00 UTC — same data, zero noise, one-click unsubscribe.
Subscribe. Tracking specific products instead? Watch them from any
product page and get alerted only when they ship a new advisory.