Vulnerability Intelligence Report — July 10, 2026

Vulnerability Intelligence Report — July 10, 2026

Vulnerability Intelligence Report — July 10, 2026
KEV DEADLINES TODAY: ColdFusion, 2x Joomla, Langflow | XRING: Unpatched XQUIC flaw crashes HTTP/3 servers globally | Zimbra critical XSS in Classic Web Client | WP-SHELLSTORM: 1.4M WordPress sites targeted via Breeze/JCE exploits | GigaWiper: Iranian-linked destructive Windows backdoor | Helix vishing group targets SharePoint | Microsoft expects more AI-discovered security bugs
Previous reports: July 9, 2026 | July 8, 2026

Friday, July 10, 2026 — today is the KEV remediation deadline for four actively exploited vulnerabilities: Adobe ColdFusion CVE-2026-48282 (CVSS 10.0), two Joomla page builder CVEs (both CVSS 10.0), and Langflow CVE-2026-55255 (CVSS 8.4). Federal agencies must patch today under BOD 26-04. The day’s biggest technical story is XRING: an unpatched vulnerability in Alibaba’s XQUIC library (used for QUIC and HTTP/3) that lets any remote client crash servers with a short burst of ordinary traffic. There is no fix available, no CVE assigned — operators must disable HTTP/3 or QPACK dynamic tables. Zimbra urged customers to patch a critical XSS vulnerability in its Classic Web Client. A WP-SHELLSTORM investigation exposed a webshell access brokerage that targeted 1.4 million WordPress sites, primarily exploiting the Breeze caching plugin and Joomla’s JCE editor. GigaWiper (aka BLUERABBIT) is a destructive Windows backdoor linked to Iranian threat actors, bundling disk wiping, fake ransomware, and spyware. And a new Helix vishing group is using phone-based social engineering to steal SharePoint data.


Quick Reference — Most Important Items Today

KEV DEADLINE TODAY: Adobe ColdFusion CVE-2026-48282 (CVSS 10.0) | Joomla SP Page Builder + Page Builder CK (both CVSS 10.0) | Langflow CVE-2026-55255 — PATCH TODAY

XRING XQUIC: Unpatched flaw crashes HTTP/3 servers via 260 bytes of normal traffic — no fix, no CVE — affects Alibaba Tengine, Taobao, Alipay

Zimbra XSS: Critical cross-site scripting in Classic Web Client — Zimbra urges immediate patching

WP-SHELLSTORM: Webshell brokerage targeted 1.4M WordPress sites — exploited Breeze caching plugin + Joomla JCE editor

GigaWiper / BLUERABBIT: Destructive Windows backdoor — disk wiping, fake ransomware, spyware — linked to Iranian threat actors

Helix Vishing Group: New voice phishing campaign targeting SharePoint data theft — Microsoft 365 account compromise

Ill Bloom Crypto Theft: Weak randomness in wallet recovery phrases — $5M+ drained from 431 wallets

Injective SDK on npm: Cryptocurrency wallet stealer disguised as legitimate SDK — check npm dependencies

Forg365 AI Phishing: AI-powered Microsoft 365 phishing platform — auto-generates convincing login pages

Overdue KEV: SharePoint +6 | SimpleHelp +8 | Cisco Unified CM +12 | Ubiquiti (old) +14 | Oracle PeopleSoft +25 | Ivanti Sentry +26 | Check Point +29 (ransomware)


KEV Deadline — Today (July 10): ColdFusion, Joomla Page Builders, Langflow

Software affected: Adobe ColdFusion 2025.9/2023.20 and earlier; JoomShaper SP Page Builder; Joomlack Page Builder CK; Langflow prior to 1.9.1.

CVE: CVE-2026-48282 (ColdFusion, CVSS 10.0, path traversal); CVE-2026-48908 (SP Page Builder, CVSS 10.0, unauthenticated file upload); CVE-2026-56290 (Page Builder CK, CVSS 10.0, unauthenticated file upload); CVE-2026-55255 (Langflow, CVSS 8.4, IDOR).

Status: Today is the CISA KEV remediation deadline. Federal agencies under BOD 26-04 must patch today. The Australia Cyber Security Centre has reported large-scale coordinated attacks against WordPress, Joomla, and other CMS platforms. The Joomla page builder vulnerabilities are being actively exploited in these campaigns. ColdFusion CVE-2026-48282 was confirmed as actively exploited by KEVIntel before CISA added it. Organisations that do not patch today face CISA enforcement action. After today, the KEV calendar will have no active deadlines again.

Recommended action: Patch all four today. Prioritise ColdFusion (active exploitation confirmed, CVSS 10.0). For Joomla: update SP Page Builder and Page Builder CK. For Langflow: update to 1.9.1.

Official source: BleepingComputer: CISA ColdFusion deadline | CISA KEV Catalog | ColdFusion advisory | Joomla advisory | Langflow advisory


XRING — Unpatched XQUIC Flaw Crashes HTTP/3 Servers (No Fix Available)

Software affected: XQUIC — Alibaba’s open-source QUIC and HTTP/3 library. Affects all releases through v1.9.4 (latest). Used in Alibaba’s Tengine (Nginx-based web server), which fronts Alibaba Cloud, CDN, Taobao, and Alipay. Any server embedding XQUIC with default QPACK settings is exposed.

CVE: No CVE assigned as of July 10. Dubbed “XRING” by FoxIO researcher Sebastien Fery. The flaw requires no authentication and no malformed packets — approximately 260 bytes of ordinary QPACK traffic takes the server process down via a single wrong variable in the QPACK dynamic table handling.

Status: There is no fixed release and no CVE as of publication. Every XQUIC release through v1.9.4 is affected. The vulnerability allows any remote client to crash an HTTP/3 server with a short burst of completely legal traffic. This is a denial-of-service vulnerability affecting any service using XQUIC for HTTP/3 — including Alibaba’s extensive cloud and e-commerce infrastructure. Until a patch ships, operators must either disable HTTP/3 entirely or set SETTINGS_QPACK_MAX_TABLE_CAPACITY to 0, which disables QPACK’s dynamic table compression. This is a significant concern for any organisation deploying HTTP/3 via XQUIC.

Recommended action: No patch available. Either disable HTTP/3 support on XQUIC-based servers, or set SETTINGS_QPACK_MAX_TABLE_CAPACITY to 0. Monitor for patch releases from the XQUIC project.

Official source: The Hacker News: XRING XQUIC | FoxIO Research


Zimbra — Critical XSS in Classic Web Client (Patch Urged)

Software affected: Zimbra Collaboration Suite — Classic Web Client.

CVE: CVE pending. A critical cross-site scripting (XSS) vulnerability affecting the Classic Web Client used to access the Zimbra Collaboration suite. Zimbra’s security team has urged all customers to patch immediately.

Status: Zimbra has urged customers to patch this critical XSS vulnerability as soon as possible. Zimbra is a widely deployed open-source email and collaboration platform used by enterprises, universities, and government organisations globally. XSS in the webmail client is a common attack vector for credential theft and email interception. Given the recent China-linked Roundcube exploitation campaigns targeting academic institutions, Zimbra users should treat this as urgent.

Recommended action: Apply the Zimbra security patch for the Classic Web Client XSS vulnerability immediately. Review webmail access logs for signs of XSS exploitation.

Official source: BleepingComputer: Zimbra XSS | Zimbra Security Advisory


WP-SHELLSTORM — Webshell Brokerage Targeting 1.4 Million WordPress Sites

Software affected: WordPress sites running out-of-date plugins — primarily the Breeze caching plugin and Joomla’s JCE editor.

CVE: No single CVE — this is a large-scale webshell access brokerage operation tracked as WP-SHELLSTORM by SOCRadar. The crew breaks into sites at scale, plants hidden backdoor webshells, and packages that access for resale. An exposed server revealed the inner workings: hacking tools, activity logs, and target lists naming more than 1.4 million websites.

Status: SOCRadar discovered an exposed server on June 11, 2026, left open for three weeks. The exposed data revealed a mass site-hacking operation targeting WordPress and Joomla sites. The two flaws most exploited were in the Breeze caching plugin (WordPress) and the JCE editor (Joomla). Far fewer than 1.4 million were actually broken into, but the scale of targeting is significant. Australia has separately reported large-scale coordinated attacks against CMS platforms, suggesting this may be part of a broader campaign ecosystem. Organisations running WordPress or Joomla should ensure the Breeze caching plugin and JCE editor are updated.

Recommended action: Update the Breeze caching plugin (WordPress) and JCE editor (Joomla) to latest versions. Audit WordPress/Joomla installations for unauthorised files or webshells. Review file integrity against known-good baselines.

Official source: The Hacker News: WP-SHELLSTORM | SOCRadar Research


GigaWiper / BLUERABBIT — Iranian-Linked Destructive Windows Backdoor

Software affected: Windows systems — this is malware, not a software vulnerability. GigaWiper (also tracked as BLUERABBIT by Binary Defense) is a destructive backdoor that bundles three destructive capabilities into one tool: full disk wiping, Windows drive overwriting, and fake ransomware that scrambles files with a key it never saves.

CVE: No CVE — this is a malware analysis report from Microsoft. The backdoor is offered as a command-and-control platform where operators can choose which destructive capability to deploy. Binary Defense, citing Google Threat Intelligence Group, ties the malware to likely Iranian threat actors.

Status: Microsoft has published an analysis of GigaWiper, describing it as a destructive Windows backdoor that combines disk wiping, fake ransomware, and spyware capabilities. The same malware files appear in a separate Binary Defense report under the name BLUERABBIT, and both analyses share matching command servers. The Iranian attribution aligns with ongoing destructive cyber operations targeting critical infrastructure and corporate networks. There is no patch to chase — this is what an attacker runs after they are already inside, making early detection and offline backups the primary defense.

Recommended action: Ensure endpoint detection and response (EDR) solutions can detect GigaWiper/BLUERABBIT indicators of compromise. Maintain offline, immutable backups. Monitor for disk wiping or fake ransomware activity as signs of post-compromise destructive operations.

Official source: The Hacker News: GigaWiper | Microsoft Security | Binary Defense BLUERABBIT Report


KEV Deadline Watch

TODAY (July 10) — LAST CHANCE: Adobe ColdFusion CVE-2026-48282 (CVSS 10.0, path traversal, actively exploited). JoomShaper SP Page Builder CVE-2026-48908 (CVSS 10.0). Joomlack Page Builder CK CVE-2026-56290 (CVSS 10.0). Langflow CVE-2026-55255 (CVSS 8.4).

AFTER TODAY: KEV calendar fully clears. No active deadlines for the foreseeable future.

Overdue — July 4 (+6 days): Microsoft SharePoint CVE-2026-45659 — actively attacked. Dedicated advisory.

Overdue — July 2 (+8 days): SimpleHelp CVE-2026-48558 — stealer malware. Dedicated advisory.

Overdue — June 28 (+12 days): Cisco Unified CM CVE-2026-20230. PTC Windchill CVE-2026-12569.

Overdue — June 26 (+14 days): Ubiquiti UniFi OS CVE-2026-34908/909/910 — now 14 new UniFi CVEs.

Overdue — June 15 (+25 days): Oracle PeopleSoft CVE-2026-35273 — ShinyHunters.

Overdue — June 14 (+26 days): Ivanti Sentry CVE-2026-10520.

Overdue — June 11 (+29 days): Check Point CVE-2026-50751 — known ransomware use.


Updates on Items from Previous Reports

XRING XQUIC: NEW — Unpatched flaw crashes HTTP/3 servers. No CVE, no fix. Disable HTTP/3 or QPACK.

Zimbra XSS: NEW — Critical XSS in Classic Web Client. Zimbra urges immediate patching.

WP-SHELLSTORM: NEW — 1.4M WordPress sites targeted. Breeze caching plugin + Joomla JCE editor exploited.

GigaWiper / BLUERABBIT: NEW — Iranian-linked destructive Windows backdoor.

KEV Deadlines TODAY: ColdFusion, Joomla x2, Langflow — patch today. ColdFusion advisory | Joomla advisory | Langflow advisory.

GhostLock CVE-2026-43499: Linux kernel root/container escape. Dedicated advisory.

Microsoft RoguePlanet CVE-2026-50656: Defender privesc — patched. Dedicated advisory.

Ubiquiti UniFi: 14 new CVEs across OS, Connect, Talk, Access. OS advisory | Connect/Talk/Access advisory.

GhostApproval: Symlink flaw in 6 AI coding assistants. Dedicated advisory.

Friendly Fire + HalluSquatting: AI agent attack vectors. Dedicated advisory.

FortiBleed: INC and Lynx ransomware. Dedicated advisory.

FortiSandbox CVE-2026-25089 + 26083: Both CVSS 9.8. Dedicated advisory.

Oracle EBS CVE-2026-46817: CVSS 9.8. Dedicated advisory.

Cisco Unified CM + SD-WAN: Both overdue. Unified CM | SD-WAN.

Januscape CVE-2026-53359: KVM VM escape. Dedicated advisory.

BeyondTrust CVE-2026-40138 + 40139: CVSS 9.2. Dedicated advisory.

Gitea Docker CVE-2026-20896: CVSS 9.8. Dedicated advisory.

Writer AI WriteOut: Cross-tenant session leak. Dedicated advisory.

Oracle PeopleSoft CVE-2026-35273: 25 days overdue. ShinyHunters.

Accenture Breach: 35 GB source code stolen — confirmed.

WinRAR: Code execution — patch to 7.23. Dedicated advisory.

Exchange Online + 365 Copilot: Cloud-side patched.

FBI TeamPCP: Developer tool supply chain attacks — ongoing.

AI Agent Poisoning: SEO + hidden HTML prompt injection.

FatFs: 7 CVEs — IoT devices. No upstream fix.

Microsoft Defender: BlueHammer + RoguePlanet patched.

Medtronic/ShinyHunters: 3.8 million patients affected.


This report is compiled from official vendor advisories, the CISA KEV catalog, the NVD, and primary security research sources including BleepingComputer, The Hacker News, Security.nl, CybersecurityNews.com, Cybersecurity Dive, and Tenable CVE feeds.

Connect with me

Enter your Email address if you want to connect and receive threat modeling updates (I won’t spam you or share your contact details).

AND / OR

Try my threat modeling tool, it's completely free to use.

Thanks for signing up!