CISA stopped reliably sending KEV alerts.
We didn't.
CyberComply monitors the CISA Known Exploited Vulnerabilities catalog 24/7 and alerts you the moment a new KEV drops — before the deadline clock starts ticking without you knowing.
KEV Intelligence Brief — July 8, 2026
Issued: Wednesday, July 8, 2026 Audience: Federal contractors, DevOps/platform teams, security operations leaders Scope: 8 KEV additions spanning June 25 – July 7, 2026
Three patch deadlines in this batch have already passed. Two more expire in 48 hours. If your organization runs any of the affected products and has not confirmed remediation, stop reading and start patching.
Deadline Watch: Overdue and Expiring in 48 Hours
Four vulnerabilities in this batch carry deadlines that are either past or critically imminent, and the combination of affected products should command immediate leadership attention.
Microsoft SharePoint Server (CVE-2026-45659) — deadline July 4, now four days overdue — exposes a deserialization of untrusted data vulnerability that enables authenticated network code execution. Deserialization flaws in SharePoint have historically been weaponized for lateral movement and credential harvesting within enterprise environments. "Authenticated" does not mean low risk here; threat actors routinely obtain valid credentials through phishing or prior compromises before pivoting to exploitation. Any SharePoint Server instance that has not received the relevant patch should be treated as potentially compromised. Pull authentication logs, review service account activity, and apply CISA's Forensics Triage Requirements before simply patching and moving on.
SimpleHelp (CVE-2026-48558) — deadline July 2, six days overdue — is arguably the most operationally dangerous entry in this batch. When OIDC authentication is configured, the platform accepts identity tokens without verifying their cryptographic signatures, allowing an unauthenticated remote attacker to forge a token, impersonate an arbitrary technician, and obtain a fully authenticated session — potentially bypassing MFA entirely. SimpleHelp is remote support software, meaning successful exploitation grants an attacker keyboard-level access to endpoints that technicians routinely service. Organizations should immediately audit active technician sessions for anomalies, rotate all API keys and service credentials associated with the platform, and verify whether OIDC was enabled in their deployment configuration. If patching is not immediately feasible, disable OIDC authentication and restrict access to trusted IP ranges at the network perimeter.
PTC Windchill and FlexPLM (CVE-2026-12569) and Cisco Unified CM (CVE-2026-20230) both carried a June 28 deadline, now ten days past. PTC's improper input validation flaw allows unauthenticated remote code execution via a malformed network request — a critical severity class that should have prompted emergency patching windows in any defense-industrial or manufacturing environment running Windchill or FlexPLM. These platforms manage product lifecycle and supply chain data; their compromise carries intellectual property and operational security implications beyond typical IT incidents. Cisco Unified CM's SSRF vulnerability (CVE-2026-20230) enables unauthenticated file writes to the underlying OS, creating a reliable staging mechanism for privilege escalation to root. Voice and communications infrastructure is frequently underpatched relative to enterprise IT assets; operations teams should validate patch status against all Unified CM and Unified CM SME nodes, including those in telephony DMZs that may be outside standard vulnerability scan scope.
Unauthenticated File Upload: A Coordinated Attack Surface Across CMS Ecosystems
Three of the July 7 additions — all sharing a July 10 patch deadline — target content management and page builder ecosystems with unauthenticated or minimally authenticated file upload primitives, a class of vulnerability that provides direct, reliable paths to webshell deployment and persistent access.
JoomShaper SP Page Builder (CVE-2026-48908) allows fully unauthenticated users to upload arbitrary files and execute PHP code. Joomlack Page Builder (CVE-2026-56290) reaches the same outcome — unauthenticated arbitrary file upload leading to remote code execution — through an improper access control flaw. The appearance of two distinct Joomla ecosystem page builders in a single KEV batch strongly suggests active scanning and exploitation campaigns targeting this component class. Any internet-facing Joomla installation running either plugin should be treated as high-priority regardless of perceived traffic or sensitivity. Teams should immediately pull web server logs for anomalous POST requests to file upload endpoints, audit the webroot for recently created PHP files in unexpected directories, and apply vendor patches before the July 10 deadline.
Adobe ColdFusion (CVE-2026-48282) rounds out this cluster with a path traversal vulnerability leading to arbitrary code execution. ColdFusion has a well-documented exploitation history; threat actors have maintained working tooling against ColdFusion path traversal and file disclosure primitives across multiple CVE generations. Internet-facing ColdFusion instances are high-confidence targets. BOD 26-04 obligations are explicit: patch by July 10 or discontinue use. If patching cannot be completed before the deadline, isolate the instance from the internet immediately and initiate forensic triage per CISA guidance.
AI Tooling Adds a New Attack Surface to Monitor
Langflow (CVE-2026-55255) — also deadline July 10 — introduces an authorization bypass through user-controlled key that allows an authenticated attacker to execute any flow belonging to another user by supplying a victim's flow ID in the request. This is a significant finding in the context of how Langflow is typically deployed: as a multi-user AI workflow orchestration platform, often with flows that invoke external APIs, execute code, or process sensitive data. The vulnerability enables privilege escalation between tenants without requiring any credential compromise. Organizations that have deployed Langflow in shared or multi-tenant configurations should audit flow ownership and execution logs immediately, apply available patches, and evaluate whether cross-user flow execution has occurred for any high-privilege or externally connected flows.
Summary Deadline Table
| CVE | Product | Deadline | Status | |---|---|---|---| | CVE-2026-20230 | Cisco Unified CM | 2026-06-28 | Overdue — 10 days | | CVE-2026-12569 | PTC Windchill/FlexPLM | 2026-06-28 | Overdue — 10 days | | CVE-2026-48558 | SimpleHelp | 2026-07-02 | Overdue — 6 days | | CVE-2026-45659 | Microsoft SharePoint | 2026-07-04 | Overdue — 4 days | | CVE-2026-48282 | Adobe ColdFusion | 2026-07-10 | 48 hours | | CVE-2026-48908 | JoomShaper SP Page Builder | 2026-07-10 | 48 hours | | CVE-2026-55255 | Langflow | 2026-07-10 | 48 hours | | CVE-2026-56290 | Joomlack Page Builder | 2026-07-10 | 48 hours |
Sources: CISA KEV Catalog · CISA BOD 26-04 · Adobe Security Bulletins · Microsoft Security Response Center · Cisco Security Advisories · PTC Security Advisories · SimpleHelp Security Advisories · CISA Forensics Triage Guidance
Free KEV Alerts
- Real-time notification the moment a KEV drops
- Vendor and product details
- BOD 26-04 remediation deadline included
Pro Alerts Coming Soon
- Real-time notification the moment a KEV drops
- Filtered to your specific vendor watchlist
- Urgency scoring (Critical / Urgent / Standard)
- Direct patch links included
Stay ahead of CISA.
Common Vulnerability and Exposure
CVEs form a database of known security vulnerabilities that are actively tracked and managed by a group of organizations, such as the U.S. National Cyber Security Alliance. CVEs are an important tool for network security management because they not only provide an inventory of existing vulnerabilities, but also provide information about how the vulnerability can be exploited and instructions on how to protect against it.
Search the KEV Catalog by Vendor or Product
Search for CVEs by vendor or product to identify known exploited vulnerabilities in your environment
Upcoming Patch Due Dates
via Binding Operational Directive 26-04
BOD 26-04 is CISA's current vulnerability remediation directive for Federal Civilian Executive Branch (FCEB) agencies, updating the KEV-driven framework introduced under BOD 22-01 with a more risk-based approach to prioritization. While binding only on FCEB agencies, its framework increasingly influences contractor expectations through procurement requirements, FedRAMP programs, and agency security clauses.
Loading...
Cyber Security News
You may have missed...
*
Inside a cyberattack: How hackers steal data
The truth about cybersecurity is that it's almost impossible to keep hackers outside of an organization, particularly as the cybercrime industry ...
Suspected China-Aligned Hackers Exploit Roundcube Flaws Against Universities
... Hacker News, adding the use of generic lures indicates a "larger ... The development marks the first time a Chinese hacking group has been ...
What Happens if China Hacks the US Water Supply? I Went to a Secret War Game to Find Out
Evacuated hospitals. In a closed-door simulation, insurers played out their response to a mass disruption by China's Volt Typhoon hackers—and found a ...
Accenture Confirms Breach After Hackers Claim Source Code Theft | Security Magazine
The company confirmed a data breach after a hacker claimed to have taken 35GB of data, including source code. “The claimed theft of source code ...
American Hackers-for-Hire Proposal Sparks Heavy Criticism
The United States could get its own hack-for-hire network of contractors deputized by the federal government to penetrate foreign adversaries ...
New Ghost Phishing Wave Is Breaking Traditional Email Security - The Hacker News
Cybersecurity Webinars. Control Rogue AI. How to Secure AI Agents Before They Go Rogue. Learn how to secure AI agents with practical controls for ...
Mexico's New Cyber Plan Faces Its First Real Test - Dark Reading
The Latin American nation's cybersecurity plan — still in the expansion phase — has to survive its own knockout round during the FIFA World Cup.
Hacked, leaked, and held for ransom: The worst breaches of 2026 so far | TechCrunch
From a massive DOGE data breach and the hacking of critical energy and water systems to the hack of an FBI surveillance system, here are the most ...
A Hacker's Arrest Reveals Microsoft Can Track Users Via a Windows Device ID | PCMag
The FBI used a Microsoft device identifier, dubbed GDID, to link a teenager to a hack attributed to Scattered Spider, raising privacy red flags ...
Updated daily
