This brief covers notable cyber security developments from the trailing ~48 hours (July 10–12, 2026). Every item below was verified against its primary source — vendor advisory, CISA alert, or the original research — before inclusion.
CISA adds two actively exploited Joomla extension flaws to the KEV catalog
CISA · July 10, 2026
CISA added CVE-2026-48939 (iCagenda) and CVE-2026-56291 (Balbooa Forms) to the Known Exploited Vulnerabilities catalog based on evidence of active exploitation. Both are unrestricted upload of file with dangerous type vulnerabilities in popular Joomla extensions — a bug class that typically leads to webshell deployment and full site takeover. CISA did not publish CVSS scores in the alert; under BOD 26-04, federal civilian agencies must prioritize rapid remediation of KEV-listed flaws on publicly exposed assets.
“These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risks to the federal enterprise.” — CISA
Source: CISA alert · KEV catalog
Progress tells ShareFile customers to shut down Storage Zone Controllers over “credible external security threat”
Progress Software · July 10, 2026
Progress Software ordered every organization running an on-premises ShareFile Storage Zone Controller to immediately shut down the Windows server hosting it, citing a “credible external security threat.” There is no patch to apply instead; Progress has also temporarily disabled access to affected accounts and listed Storage Zone Controller customers as “not operational” on its status page. The company says it has no indication of unauthorized access to any ShareFile accounts or data, but has not disclosed the nature of the threat or a restart timeline. Cloud-only ShareFile accounts are not affected. The same component was exploited in the wild in 2023 (CVE-2023-24489) while the product belonged to Citrix.
Source: ShareFile status page · The Hacker News · BleepingComputer
Coinspect discloses “Ill Bloom” weak-randomness wallet flaw; more than $5M already drained
Coinspect · July 10, 2026
Security firm Coinspect disclosed Ill Bloom, a weak-randomness flaw in the recovery-phrase generation of certain software wallets — mostly older or lesser-known mobile apps, some dating to 2018 — that lets attackers derive private keys and is being actively exploited. Coinspect confirmed a coordinated sweep on May 27 that drained about $3.1 million from 431 wallets, with total outflows from exposed wallets now past $5 million across Bitcoin, Ethereum, Rootstock, Tron, and Polygon. Hardware wallets and most mainstream software wallets are not affected; Coinspect published a free address checker at illbloom.org and warns that matched wallets should be treated as compromised.
“If funds recently moved without your permission, this vulnerability may be why.” — Coinspect
Source: The Hacker News · Cointelegraph
PraisonAI RCE via unsandboxed LLM-generated code scores a perfect CVSS 10.0
CVE Program (VulnCheck) · July 11, 2026
CVE-2026-61447 (CVSS 4.0: 10.0) is a critical remote code execution flaw in the PraisonAI agent framework before version 1.6.78. The CodeAgent._execute_python() method runs Python code generated by the LLM with no AST validation, import restrictions, or sandboxing, so an unauthenticated attacker who can submit prompts can steer the model into producing arbitrary code that executes on the host and exfiltrates environment secrets. No in-the-wild exploitation has been confirmed and the fix is to upgrade to 1.6.78 or later. It is not in the KEV catalog.
PraisonAI “executes LLM-generated Python code without AST validation, import restrictions, or sandbox enforcement.” — CVE-2026-61447 record
Source: GitHub security advisory · NVD · VulnCheck advisory
Still developing
Microsoft Defender “RoguePlanet” patched, then researcher reports new Defender bugs
Microsoft MSRC · July 9, 2026 (updated July 11)
Microsoft remediated CVE-2026-50656 (CVSS 7.8), the RoguePlanet privilege-escalation race condition in the Malware Protection Engine that could spawn a SYSTEM shell, in engine version 1.1.26060.3008 — no customer action required. The researcher who disclosed it (Chaotic Eclipse) has since reported that the accompanying hardening can leak 8 bytes of data and that Defender’s caching of oversized Zone.Identifier streams can be abused via a malicious SMB server to exhaust disk space on Windows 11 25H2 and Server 2025; Microsoft told The Hacker News it is “aware of this report and are investigating.”
Source: Microsoft MSRC · The Hacker News
Zimbra patches critical stored XSS in Classic Web Client reported by Google TAG
Zimbra · July 7, 2026
Zimbra released ZCS 10.1.19 to fix a critical stored cross-site scripting flaw in the Classic Web Client that lets specially crafted emails execute malicious scripts in a user’s session on open, exposing session data, account settings, and mailbox contents. No CVE ID or CVSS score has been published yet. The reporter — Google’s Threat Analysis Group — typically surfaces bugs used by state-backed actors, though exploitation has not been confirmed.
Source: Zimbra security advisories · BleepingComputer
This brief covers the trailing ~48 hours (July 10–12, 2026).
Primary sources: CISA KEV alert · ShareFile status · PraisonAI GHSA · NVD CVE-2026-61447 · MSRC CVE-2026-50656 · Zimbra advisories