This brief covers the trailing ~48 hours (July 16–18, 2026). Every item below was verified against its primary source — vendor advisory, researcher writeup, or CISA KEV entry — before inclusion.
wp2shell: pre-authentication RCE in WordPress core, emergency releases 6.9.5 and 7.0.2 pushed as forced updates
Searchlight Cyber / WordPress.org · July 17, 2026
Searchlight Cyber’s Assetnote research team (Adam Kues) disclosed wp2shell, a pre-authentication remote code execution flaw in WordPress core that chains a REST API batch-route confusion with SQL injection — a default install with zero plugins is exploitable by an anonymous HTTP request. Affected versions are 6.9.0–6.9.4 and 7.0.0–7.0.1; WordPress shipped 6.9.5 and 7.0.2 on July 17 and enabled forced automatic updates, while 6.8.6 backports a fix for the SQL injection component on the 6.8 branch. No CVE ID or CVSS score had been assigned at publication, technical details are being withheld, and no in-the-wild exploitation had been reported as of July 18. If you cannot update immediately, block both /wp-json/batch/v1 and ?rest_route=/batch/v1 at the WAF or disable anonymous REST access.
“The attack has no preconditions and can be exploited by an anonymous user in a stock install of WordPress with no plugins.” — Searchlight Cyber security advisory
Source: Searchlight Cyber advisory · WordPress 7.0.2 release post · The Hacker News
CISA adds two actively exploited Fortinet FortiSandbox command injection flaws to KEV
CISA · July 16, 2026
CISA added CVE-2026-25089 (CVSS 9.8) and CVE-2026-39808, both OS command injection vulnerabilities in Fortinet FortiSandbox, to the Known Exploited Vulnerabilities catalog on evidence of active exploitation. CVE-2026-25089 allows a remote, unauthenticated attacker to execute arbitrary commands via specially crafted HTTP requests. Fortinet published fixes in its June advisories, so patches are available; federal agencies are on a short remediation clock under BOD 22-01.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” — CISA, KEV catalog alert
Source: CISA alert · SecurityWeek
SharePoint deserialization RCE CVE-2026-58644 lands in KEV two days after Patch Tuesday
CISA / Microsoft · July 16, 2026
CVE-2026-58644 (CVSS 9.8), a critical deserialization-of-untrusted-data vulnerability in Microsoft SharePoint Server that allows an unauthorized attacker to execute arbitrary code, was added to the KEV catalog in the same July 16 update. Microsoft patched it in the July 14 Patch Tuesday release and had initially flagged it only as an attractive target with no known exploitation — the KEV addition confirms exploitation evidence emerged within roughly 48 hours of the patch. Federal agencies have until July 19 to remediate. This lands on top of an already rough month for on-prem SharePoint: CISA is separately tracking active exploitation of CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164, with Shadowserver counting roughly 10,000 internet-exposed SharePoint servers.
Source: CISA alert · BleepingComputer
Still developing
SonicWall SMA1000 zero-days under active exploitation — SonicWall / Rapid7 · July 14, 2026. SonicWall confirmed two zero-days in SMA1000-series secure remote-access appliances: CVE-2026-15409 (CVSS 10.0), an SSRF in the Work Place interface, and CVE-2026-15410 (CVSS 7.2), a post-authentication code injection in the Appliance Management Console. Rapid7 has observed targeted zero-day exploitation of internet-facing appliances since at least late June. Patches are available. Source: BleepingComputer · The Hacker News
Microsoft’s record July Patch Tuesday: 570+ fixes, two exploited zero-days — Microsoft · July 14, 2026. The July update fixed CVE-2026-56155, an actively exploited AD FS elevation-of-privilege flaw, and CVE-2026-56164, an actively exploited SharePoint Server elevation-of-privilege flaw that CISA added to KEV the same day with a July 17 federal deadline. Source: BleepingComputer · CISA alert
LegacyHive Windows zero-day PoC published, no patch available — July 15, 2026. A researcher going by “Nightmare Eclipse” released a proof-of-concept exploit abusing the Windows User Profile Service for local privilege escalation to admin-level access, hours after Patch Tuesday. It affects supported Windows desktop and Server versions including fully patched systems, and has no CVE ID yet. Source: BleepingComputer
This brief covers the trailing ~48 hours (July 16–18, 2026).
Primary sources: Searchlight Cyber — wp2shell advisory · WordPress.org — 7.0.2 release · CISA — July 16 KEV additions · CISA — July 14 KEV additions · CISA KEV catalog