This brief covers the trailing ~48 hours (July 12–14, 2026). Every item below was verified against its primary source — vendor advisories, CISA, and the original researchers — before inclusion.
Microsoft’s record July Patch Tuesday fixes 570 flaws, including two actively exploited zero-days
Microsoft MSRC · July 14, 2026
Microsoft’s July 2026 Patch Tuesday is its largest ever, addressing roughly 570 vulnerabilities (59 rated Critical), including two zero-days exploited in the wild: CVE-2026-56155, an Active Directory Federation Services elevation-of-privilege flaw (CVSSv3 7.8) credited to Microsoft’s DART incident-response team, and CVE-2026-56164, a SharePoint Server elevation-of-privilege flaw (CVSSv3 5.3) affecting SharePoint 2016, 2019, and Subscription Edition, credited in part to Mandiant and Google Cloud researchers. A third zero-day, the publicly disclosed BitLocker bypass CVE-2026-50661, was also patched. All are fixed as of today; none appeared in CISA’s KEV catalog at publication time. Microsoft notes that enabling AMSI with Full request-body scanning mitigates the SharePoint flaw.
“Insufficient granularity of access control in Active Directory Federation Services (AD FS) allows an authorized attacker to elevate privileges locally.” — Microsoft advisory for CVE-2026-56155
Source: MSRC CVE-2026-56155, MSRC CVE-2026-56164 · BleepingComputer, Tenable
SAP patches CVSS 9.9 NetWeaver ABAP memory corruption on July Patch Day
SAP · July 14, 2026
SAP’s July 2026 Security Patch Day delivers 20 new and updated security notes, led by CVE-2026-44747 (CVSS 9.9), a memory corruption bug in NetWeaver Application Server ABAP that can expose data and cause system unavailability; disabling affected ICF nodes in transaction SICF is a temporary workaround. Also fixed are CVE-2026-27690 (CVSS 9.1), an unauthenticated HTTP request-smuggling flaw in Approuter in non–Cloud Foundry deployments, and CVE-2026-44761 (CVSS 9.1), hardcoded sample OAuth2 credentials in Commerce Cloud that allow unauthenticated data access if sample scripts were retained in production. Patches are available; no exploitation has been reported.
“The vulnerability affects SAP Approuter deployments in non-Cloud Foundry environments and allows an unauthenticated attacker to send a specially crafted HTTP request that leads to request-response desynchronization.” — Onapsis
Source: SAP Security Patch Day – July 2026, Onapsis · SecurityWeek
Jscrambler npm packages backdoored with cross-platform credential stealer
Jscrambler / Socket · July 13–14, 2026
A threat actor used a compromised npm publishing credential to push malicious versions (8.16–8.20) of Jscrambler’s npm package starting July 11; the first clean version is 8.22. The poisoned versions — downloaded 1,479 times before removal — used a preinstall hook to drop Rust-based infostealer binaries for Linux, macOS, and Windows that harvest developer credentials, cloud secrets, cryptocurrency wallets, AI coding-assistant and MCP server configurations, and browser data, exfiltrating over TLS. Dependent packages including jscrambler-webpack-plugin, gulp-jscrambler, grunt-jscrambler, and jscrambler-metro-plugin were also affected. Users should remove affected versions, scan for malware, and rotate all credentials and API keys.
“Our investigation indicates that the attacker was able to publish the package using an NPM publishing credential. We have revoked and rotated all relevant credentials, passwords, and secrets, and have implemented additional security controls around our publishing process while the investigation continues.” — Jscrambler security advisory
Source: Jscrambler advisory, Socket · SecurityWeek
CISA adds 18-year-old Cisco IOS CSRF flaw to KEV catalog
CISA · July 13, 2026
CISA added CVE-2008-4128 to the Known Exploited Vulnerabilities catalog based on evidence of active exploitation. The 2008-era flaw comprises cross-site request forgery weaknesses in the HTTP administration interface of Cisco IOS 12.4 on Cisco 871 Integrated Services Routers, letting attackers trick authenticated admins into executing arbitrary commands. Under BOD 26-04, federal civilian agencies must remediate by July 16, 2026 — a reminder that long-lived admin interfaces on aging network gear remain an active attack surface.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.” — CISA alert, July 13, 2026
Source: CISA alert, KEV catalog · SC Media
Still developing
Adobe / CISA · July 7–8, 2026 — Maximum-severity ColdFusion flaw CVE-2026-48282 (ColdFusion 2025.9, 2023.20 and earlier; unauthenticated remote code execution) was exploited within hours of Adobe’s patch release and added to CISA’s KEV catalog on July 7 with a three-day federal remediation deadline. Shadowserver tracks nearly 800 ColdFusion instances still exposed online. Source: CISA alert · BleepingComputer
AssuranceAmerica · July 9, 2026 — The U.S. auto insurer disclosed a breach affecting 6,998,886 people after attackers compromised an employee’s credentials in March and copied files containing names, contact details, policy and claims data, and driver’s license numbers — the largest U.S. driver’s-license breach disclosed this year. Source: BleepingComputer
This brief covers the trailing ~48 hours (July 12–14, 2026).
Primary sources: Microsoft MSRC (CVE-2026-56155) · Microsoft MSRC (CVE-2026-56164) · SAP Security Patch Day July 2026 · Jscrambler security advisory · Socket research · CISA KEV alert (July 13) · CISA KEV catalog