← All briefings
Daily security briefing — 2026-07-10
CERT / PSIRT advisories
207
On July 10, 2026, the security advisory landscape saw the addition of two significant Known Exploited Vulnerabilities (KEVs): CVE-2026-56291, related to Balbooa Forms, and CVE-2026-48939, concerning iCagenda, both involving unrestricted file uploads. The day also featured critical advisories, including CISA's update on two KEVs and a critical vulnerability impacting Roundcube Webmail (CVE-2025-49113). Additionally, multiple high-severity advisories were issued regarding vulnerabilities in the Linux kernel, with updates highlighting various issues that could lead to denial of service. Notable CVEs included several critical vulnerabilities with CVSS scores of 10, such as GHSA-m5f5-28qr-9g9r, related to PrestaShop, and CVE-2026-54769, affecting the Langroid framework. Overall, while CERT/PSIRT output was relatively quiet, the notable CVEs indicate ongoing security challenges.
Added to the KEV catalog
Exploitation observed in the wild — remediate first.
Notable advisories
Critical/high or exploited items from national CERTs and vendor PSIRTs.
Notable CVEs
Highest-severity CVEs published this day from the NVD and GitHub Advisory firehose — the sharpest items behind the day’s numbers.
- criticalCVE-2026-54159GHSA-m5f5-28qr-9g9r: prestashop/ps_facetedsearch: PHP Object Injection in faceted search cache allows unauthenCVSS 10
- criticalCVE-2026-54769CVE-2026-54769: Langroid is a framework for building large-language-model-powered applications. Versions priorCVSS 10
- criticalCVE-2026-50551GHSA-56mp-4f3v-fgj2: SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell ContentCVSS 9.9
- criticalCVE-2026-54158GHSA-5xfx-xj4h-5p7r: SiYuan: Stored XSS to RCE via attribute-view cell rendering in genAVValueHTML()CVSS 9.9
- criticalCVE-2026-54067GHSA-mvjr-vv3c-w4qv: SiYuan: Stored XSS to RCE via CSS-snippet breakout in renderSnippet()CVSS 9.9
- criticalCVE-2026-14480CVE-2026-14480: OpenPLC Runtime v3 contains an authenticated arbitrary file write vulnerability in the legacy CVSS 9.9
- criticalCVE-2026-55500CVE-2026-55500: 9Router is an AI router & token saver. Prior to 0.4.80, the /api/settings/database endpoint alCVSS 9.9
- criticalCVE-2026-14894CVE-2026-14894: The Super Forms – Drag & Drop Form Builder plugin for WordPress is vulnerable to Arbitrary FilCVSS 9.8
- criticalCVE-2026-61459CVE-2026-61459: MCP Server Kubernetes before 3.9.0 contains an argument injection vulnerability in structured CVSS 9.8
- criticalCVE-2026-56765CVE-2026-56765: Vikunja before 2.2.1 contains an authorization flaw where the LinkSharing.ReadAll endpoint expCVSS 9.8
- criticalCVE-2026-12761CVE-2026-12761: The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPCVSS 9.8
- criticalCVE-2026-15282CVE-2026-15282: The Instant Appointment plugin for WordPress is vulnerable to arbitrary file uploads due to miCVSS 9.8
Highest exploitation probability
EPSS (FIRST.org) scores among CVEs published this day.
Get this briefing by email. One free message every morning after 06:00 UTC — same data, zero noise, one-click unsubscribe.
Subscribe. Tracking specific products instead? Watch them from any
product page and get alerted only when they ship a new advisory.