(TLP CLEAR) Weekly Vulnerabilities to Prioritize – July 16, 2026
Created: Thursday, July 16, 2026 - 14:40
Categories: Cybersecurity, Security Preparedness
The below vulnerabilities have been identified by WaterISAC analysts as important for water and wastewater utilities to prioritize in their vulnerability management efforts. WaterISAC shares critical vulnerabilities that affect widely used products and may be under active exploitation. WaterISAC draws additional awareness in alerts and advisories when vulnerabilities are confirmed to be impacting, or have a high likelihood of impacting, water and wastewater utilities. Members are encouraged to regularly review these vulnerabilities, many of which are often included in CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
Fortinet FortiSandbox OS Command Injection Vulnerabilities
CVSS 3.1: 9.1, 9.1
CVEs: CVE-2026-25089, CVE-2026-39808
Description: Command Injection vulnerabilities in Fortinet Sandbox OS may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests, and execute unauthorized code or commands. CISA added these vulnerabilities to its Known Exploited Vulnerability Catalog.
Sources:
- https://fortiguard.fortinet.com/psirt/FG-IR-26-141
- https://fortiguard.fortinet.com/psirt/FG-IR-26-100
SonicWall SMA1000 Zero-Day Vulnerabilities
Description: See WaterISAC’s notification regarding these vulnerabilities.
Microsoft SharePoint Server Vulnerabilities
Description: See WaterISAC’s notification and CISA’s alert regarding these vulnerabilities.
Oracle E-Business Suite Improper Privilege Management Vulnerability
CVSS 3.1: 9.8
CVEs: CVE-2026-46817
Description: Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Payments. Successful attacks of this vulnerability can result in takeover of Oracle Payments. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CISA added this vulnerabilities to its Known Exploited Vulnerability Catalog.
Source: https://www.oracle.com/security-alerts/cspumay2026.html
Microsoft Active Directory Federation Services Insufficient Granularity of Access Control Vulnerability
CVSS v3.1: 7.8
CVE: CVE-2026-56155
Description: Insufficient granularity of access control in Active Directory Federation Services (AD FS) allows an authorized attacker to elevate privileges locally. CISA added this vulnerabilities to its Known Exploited Vulnerability Catalog.
Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56155
Sandbox Escape in ServiceNow AI Platform
CVSS v4.0: 9.5
CVE: CVE-2026-6875
Description: ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability could enable an unauthenticated user, in certain circumstances, to execute code within the ServiceNow platform. ServiceNow addressed this vulnerability by deploying a security update to hosted instances. Relevant security updates have also been provided to ServiceNow self-hosted customers and partners. Further, the vulnerability is addressed in the listed patches and family releases, which have been made available to hosted and self-hosted customers, as well as partners. We are not currently aware of exploitation against ServiceNow instances. We recommend customers promptly apply appropriate updates or upgrade to a patched release if they have not already done so.
Source: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB3137947
Ivanti Xtraction Path Traversal Vulnerability
CVSS v3.1: 7.7
CVEs: CVE-2026-14903
Description: Path traversal in Ivanti Xtraction before version 2026.2.1 allows a remote authenticated attacker to read arbitrary files outside the web root.
Original Source: https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Xtraction-CVE-2026-14902-CVE-2026-14903?language=en_US
Gitea Docker image Vulnerability
CVSS 3.1: 9.8
CVEs: CVE-2026-20896
Description: Gitea Docker image versions up to and including 1.26.2 use REVERSE_PROXY_TRUSTED_PROXIES=* by default, allowing any source IP to impersonate a user when reverse-proxy authentication headers such as X-WEBAUTH-USER are enabled.
Original Source: https://github.com/go-gitea/gitea/security/advisories/GHSA-f75j-4cw6-rmx4
Roundcube Webmail XSS Vulnerability
CVSS: N/A
CVEs: CVE-2024-42009
Description: A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
Original Source: https://github.com/roundcube/roundcubemail/releases
KNX Association KNX Protocol Connection Authorization Option 1 Overly Restrictive Account Lockout Mechanism Vulnerability
CVSS 3.1: 7.5
CVEs: CVE-2023-4346
Description: KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable to being locked and users being unable to reset them to gain access to the device. The BCU key feature on the devices can be used to create a password for the device, but this password can often not be reset without entering the current password. If the device is configured to interface with a network, an attacker with access to that network could interface with the KNX installation, purge all devices without additional security options enabled, and set a BCU key, locking the device. Even if a device is not connected to a network, an attacker with physical access to the device could also exploit this vulnerability in the same way. CISA added this vulnerabilities to its Known Exploited Vulnerability Catalog.
Original Source: https://www.cve.org/CVERecord?id=CVE-2023-4346
Cisco IOS Cross-Site Request Forgery Vulnerability
CVSS: N/A
CVEs: CVE-2008-09-18
Description: Multiple cross-site request forgery (CSRF) vulnerabilities in the HTTP Administration component in Cisco IOS 12.4 on the 871 Integrated Services Router allow remote attackers to execute arbitrary commands via (1) a certain “show privilege” command to the /level/15/exec/- URI, and (2) a certain “alias exec” command to the /level/15/exec/-/configure/http URI. NOTE: some of these details are obtained from third party information. CISA added this vulnerabilities to its Known Exploited Vulnerability Catalog.
Original Source: https://www.cve.org/CVERecord?id=CVE-2008-4128
