← All briefings
Daily security briefing — 2026-07-08
CERT / PSIRT advisories
134
On July 8, 2026, the security advisory landscape was marked by a significant number of advisories, with 134 from CERT/PSIRT and 1,665 CVEs published. Notable advisories included multiple high-severity vulnerabilities in Langflow, Red Hat Enterprise Linux, BeyondTrust Privileged Remote Access, and IBM Operational Decision Manager, among others. In terms of critical vulnerabilities, CVE-2026-54782 in CoreWCF and CVE-2026-56843 in WebPros Plesk both received a CVSS score of 10, highlighting their severity. Other critical CVEs of interest included vulnerabilities in Fluentd and various WordPress plugins, all of which pose serious risks if left unaddressed.
Notable advisories
Critical/high or exploited items from national CERTs and vendor PSIRTs.
Notable CVEs
Highest-severity CVEs published this day from the NVD and GitHub Advisory firehose — the sharpest items behind the day’s numbers.
- criticalCVE-2026-52831GHSA-v5px-423j-pf7p: Nuclio: Unsanitized cron trigger event headers/body injected into CronJob shell command lCVSS 10
- criticalCVE-2026-54782CVE-2026-54782: CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. CVSS 10
- criticalCVE-2026-56843CVE-2026-56843: Incorrect authorization in the XML-RPC API of WebPros Plesk before 18.0.78.4 allows a low-privCVSS 9.9
- criticalCVE-2026-9695CVE-2026-9695: An Improper Authentication vulnerability affecting DELMIA Apriso from Release 2020 through ReleCVSS 9.8
- criticalCVE-2026-44024CVE-2026-44024: Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaSCVSS 9.8
- criticalCVE-2026-58480CVE-2026-58480: Blocksy Companion Pro plugin for WordPress before 2.1.47 contains an unauthenticated arbitraryCVSS 9.8
- criticalCVE-2026-9701CVE-2026-9701: The Eventer plugin for WordPress is vulnerable to an insecure password reset mechanism in all vCVSS 9.8
- criticalCVE-2026-8307CVE-2026-8307: Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerabilCVSS 9.8
- criticalCVE-2026-12153CVE-2026-12153: The WP Learn Manager plugin for WordPress is vulnerable to authorization bypass in all versionCVSS 9.8
- criticalCVE-2026-53649GHSA-xqhv-chqm-fhcc: Joro: Unauthenticated Cross-Origin Plugin Upload Leads to RCECVSS 9.6
- criticalCVE-2026-15062CVE-2026-15062: SQL injection vulnerabilities in the Snowflake Snowpark Python SDK (snowpark-python) versions CVSS 9.6
- criticalCVE-2026-59702CVE-2026-59702: repomix contains a server-side request forgery vulnerability in the POST /api/pack endpoint thCVSS 9.3
Highest exploitation probability
EPSS (FIRST.org) scores among CVEs published this day.
Get this briefing by email. One free message every morning after 06:00 UTC — same data, zero noise, one-click unsubscribe.
Subscribe. Tracking specific products instead? Watch them from any
product page and get alerted only when they ship a new advisory.