This brief covers the trailing ~48 hours (June 30 – July 2, 2026). Every item below was confirmed against its primary source — a CISA advisory or KEV entry, a vendor PSIRT bulletin, or the original researcher’s finding — with the disclosure date verified on the primary page.
SharePoint Server RCE (CVE-2026-45659) added to CISA KEV after confirmed exploitation
CISA · July 1, 2026
CISA added Microsoft SharePoint Server flaw CVE-2026-45659 (CVSS 8.8) to its Known Exploited Vulnerabilities catalog on July 1, citing evidence of active exploitation. The bug is a deserialization of untrusted data (CWE-502) that lets an authenticated attacker with only Site Member permissions execute code remotely; Microsoft patched it in May 2026 for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, having originally rated it “Exploitation Less Likely.” Federal Civilian Executive Branch agencies must remediate by July 4, 2026.
“Microsoft SharePoint Server contains a deserialization of untrusted data vulnerability which allows an authorized attacker to execute code over a network.” — CISA
Source: CISA alert · CISA KEV catalog · The Hacker News
Adobe patches seven CVSS 10.0 flaws in ColdFusion and Campaign Classic
Adobe PSIRT · June 30, 2026
Adobe issued Priority 1 bulletins for ColdFusion (APSB26-68) and Campaign Classic (APSB26-69) resolving multiple maximum-severity vulnerabilities. Seven carry a CVSS score of 10.0: ColdFusion unrestricted file-upload flaws CVE-2026-48276 and CVE-2026-48283, improper input-validation flaws CVE-2026-48277, CVE-2026-48281 and CVE-2026-48316, and path-traversal flaw CVE-2026-48282, all leading to arbitrary code execution, plus Campaign Classic incorrect-authorization RCE CVE-2026-48286. Fixes ship in ColdFusion 2023 Update 21, ColdFusion 2025 Update 10, and Campaign Classic ACC v7 build 9397. Adobe says it is aware of no exploitation in the wild.
“The frontier AI capabilities we are using are also available to attackers, and the window between public vulnerability disclosure and active exploitation is compressing from days to hours.” — Aanchal Gupta, Chief Security Officer, Adobe
Source: Adobe APSB26-68 (ColdFusion) · Adobe APSB26-69 (Campaign Classic) · The Hacker News
Oracle E-Business Suite Payments flaw (CVE-2026-46817) exploited in the wild; ~950 instances exposed
Defused / Shadowserver · July 1, 2026
Threat-intelligence firm Defused reported active exploitation of CVE-2026-46817 (CVSS 9.8), an unauthenticated HTTP takeover in the File Transmission component of Oracle Payments within E-Business Suite, with the first honeypot hits observed June 27 — before any public proof-of-concept existed. Oracle patched the flaw (affecting EBS 12.2.3 through 12.2.15) in its May 2026 Critical Patch Update. Shadowserver reports roughly 950 EBS instances reachable from the internet. The flaw is not yet listed in CISA’s KEV catalog.
“CVE-2026-46817 (CVSS 9.8 unauth HTTP takeover in Oracle E-Business) is being exploited. Over the weekend, we observed an actor exploiting the vulnerability on our Oracle E-Business honeypots. This vulnerability has no known previous exploitation and no public POC code exists.” — Defused
Source: Oracle May 2026 Critical Patch Update · NVD · BleepingComputer