← All briefings
Daily security briefing — 2026-07-09
CERT / PSIRT advisories
219
On July 9, 2026, there were 219 advisories from CERT/PSIRT, but no new additions to the Known Exploited Vulnerabilities (KEV) list. Significant advisories included high-severity updates for Aqua Security Trivy, Linux Kernel, and Netty, as well as new vulnerabilities in GitLab, Red Hat Enterprise Linux, and FreeRDP that allow for code execution. Notably, several critical CVEs were published today, including CVE-2026-59726 for Ruflo, CVE-2026-59827 for Metabase, and CVE-2026-15158 for the Blocksy Companion plugin, all of which pose serious risks such as remote code execution and arbitrary file uploads. Other critical vulnerabilities affecting various applications were also reported, emphasizing the need for immediate attention from security teams.
Notable advisories
Critical/high or exploited items from national CERTs and vendor PSIRTs.
Notable CVEs
Highest-severity CVEs published this day from the NVD and GitHub Advisory firehose — the sharpest items behind the day’s numbers.
- criticalCVE-2026-59726CVE-2026-59726: Ruflo is an agent meta-harness for Claude Code and Codex. Prior to 3.16.3, ruflo's default docCVSS 10
- criticalCVE-2026-59827CVE-2026-59827: Metabase is an open-source business intelligence and embedded analytics tool. Prior to 1.58.15CVSS 9.9
- criticalCVE-2026-15158CVE-2026-15158: The Blocksy Companion plugin for WordPress is vulnerable to Arbitrary File Upload in all versiCVSS 9.8
- criticalCVE-2026-12116CVE-2026-12116: A vulnerability in the Xerte Online Tools allows for RCE through the antivirus binary path in CVSS 9.8
- criticalCVE-2026-14245CVE-2026-14245: The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is vulnerablCVSS 9.8
- criticalCVE-2026-52778GHSA-px5m-h76g-p7p8: YesWiki has Unsafe eval() in its Formula Calculato, Leading to Remote Code Execution & DeCVSS 9.8
- criticalCVE-2026-5955CVE-2026-5955: Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerabilCVSS 9.8
- criticalCVE-2026-58123CVE-2026-58123: Hermes WebUI before 0.51.788 contains an unauthenticated remote code execution vulnerability tCVSS 9.8
- criticalCVE-2026-2342CVE-2026-2342: Improper neutralization of input during web page generation ('cross-site scripting') vulnerabilCVSS 9.3
- criticalCVE-2026-47646CVE-2026-47646: Improper neutralization of input during web page generation ('cross-site scripting') in DynamiCVSS 9.3
- criticalCVE-2026-14261CVE-2026-14261: A vulnerability in the Xerte Online Tools allows for authentication bypass and remote code exeCVSS 9.1
- criticalCVE-2026-59826CVE-2026-59826: Metabase is an open-source business intelligence and embedded analytics tool. From 1.55.0 untiCVSS 9.1
Highest exploitation probability
EPSS (FIRST.org) scores among CVEs published this day.
Get this briefing by email. One free message every morning after 06:00 UTC — same data, zero noise, one-click unsubscribe.
Subscribe. Tracking specific products instead? Watch them from any
product page and get alerted only when they ship a new advisory.