{
  "source": "https://genztech.blog/cve-watchlist/",
  "license": "Free to cite with attribution + link",
  "updated": "2026-07-06",
  "items": [
    {
      "id": "CVE-2026-8037",
      "product": "Progress Kemp LoadMaster",
      "type": "Command injection → RCE",
      "cvss": 9.6,
      "status": "actively exploited",
      "kev": false,
      "action": "Patch now; take management interfaces off the internet",
      "date": "2026-07-06",
      "note": "Attacks on internet-facing load balancers observed from June 29.",
      "post": "/p/kemp-loadmaster-cve-2026-8037-exploited/"
    },
    {
      "id": "CVE-2026-45659",
      "product": "Microsoft SharePoint Server (on-prem)",
      "type": "Unsafe deserialization → RCE",
      "cvss": 8.8,
      "status": "actively exploited",
      "kev": true,
      "action": "Apply the May 2026 patch — every unpatched on-prem server is a target",
      "date": "2026-07-05",
      "note": "Added to CISA's Known Exploited Vulnerabilities catalog July 2 after confirmed exploitation.",
      "post": "/p/sharepoint-cve-2026-45659-actively-exploited/"
    },
    {
      "id": "CVE-2026-35273",
      "product": "Oracle PeopleSoft",
      "type": "Unauthenticated SSRF → RCE",
      "cvss": 9.8,
      "status": "exploited, patched",
      "kev": true,
      "action": "Apply Oracle's June 10 emergency patch; assume compromise if exposed pre-patch",
      "date": "2026-07-04",
      "note": "Exploited as a zero-day by ShinyHunters — 300+ servers at 100+ orgs, exposed SSNs and banking data at Nissan.",
      "post": "/p/oracle-peoplesoft-cve-2026-35273-shinyhunters-breach/"
    },
    {
      "id": "CVE-2026-46242",
      "product": "Linux kernel (epoll)",
      "type": "Local privilege escalation → root",
      "cvss": 7.8,
      "status": "disclosed",
      "kev": false,
      "action": "Patch — affects desktops, servers and Android; patching is the only real mitigation",
      "date": "2026-07-06",
      "note": "\"Bad Epoll\" — any unprivileged local user can escalate to root; a working PoC exploit is public (NVD: CVSS 7.8). Fix is upstream; check your distro's backport.",
      "post": "/p/linux-kernel-bad-epoll-local-root-cve-2026-46242/"
    },
    {
      "id": "CVE-2026-43503",
      "product": "Linux kernel (DirtyClone)",
      "type": "Local privilege escalation → root",
      "cvss": 8.8,
      "status": "disclosed",
      "kev": false,
      "action": "Update to a kernel with the full DirtyFrag patch chain (v7.1-rc5+) — partial patching leaves you exposed",
      "date": "2026-07-04",
      "note": "Escalates via network-packet cloning on default Debian/Ubuntu/Fedora; silent, no disk traces (JFrog: CVSS 8.8). Fixed upstream May 24.",
      "post": "/p/dirtyclone-cve-2026-43503-linux-kernel-local-root/"
    },
    {
      "id": "CVE-2026-33825",
      "product": "Microsoft Defender (BlueHammer)",
      "type": "Race condition → SYSTEM privilege escalation",
      "cvss": 7.8,
      "status": "exploited, patched",
      "kev": true,
      "action": "Apply the April 14 Patch Tuesday fix; audit for rollback-engine abuse",
      "date": "2026-07-01",
      "note": "Exploited in the wild by racing Defender's own rollback engine; KEV-listed April 22, later tied to ransomware.",
      "post": "/p/bluehammer-defender-zero-day-cve-2026-33825/"
    },
    {
      "id": "CVE-2026-6682…6688 (7)",
      "product": "FatFs filesystem library (IoT firmware)",
      "type": "Memory corruption → code execution via rigged USB/SD",
      "cvss": 7.6,
      "status": "disclosed",
      "kev": false,
      "action": "Audit your vendored FatFs copy + wrapper code — affects cameras, drones, ICS, hardware wallets",
      "date": "2026-07-06",
      "note": "Disclosed by runZero with public PoC images; 7.6 is the highest of the seven (three at 7.6, no criticals). Only CVE-2026-6684 is fixed upstream (R0.16) — the maintainer is unresponsive.",
      "post": "/p/fatfs-flaws-rigged-usb-code-execution/"
    }
  ]
}