Wednesday 15 July

Good morning,
Brisbane.

Queensland alert: 15/03:00 EST Marine Wind Warning Summary for Queensland

Updated 1m ago
Brisbane now10°Clear
Active alerts1warning
Top moverARM-5.09%
Critical CVEs20tracked

The morning wire — news & briefings

LocalBrisbane & Queensland
8
Local · Lead story

Launceston General Hospital experiencing 'impacted' capacity due to high demand

Tasmania's top health official says the Launceston General Hospital is experiencing "impacted" capacity and is urging patients to only attend if it is a medical emergency.

ABC News·
View 4 more local stories
WorldInternational desk
8
World · Lead story

Israeli strike on police post in north Gaza kills seven, officials say

A senior officer in the Hamas-run police force was among those killed in the strike, which Israel's military says targeted "terrorists".

BBC World·
View 4 more world stories
CyberThreat reporting
8
Cyber · Lead story

Progress confirms ShareFile zero-day flaw behind Storage Zone shutdown

Progress Software has confirmed that a high-severity zero-day vulnerability is behind the emergency shutdown of ShareFile Storage Zone Controllers last week and has released security updates to patch the flaw. [...]

BleepingComputer·
View 4 more cyber stories
TechnologyTechnology & AI
8
Technology · Lead story

The Download: Claude’s inner workings, and the future of world models

This is today’s edition of The Download, our weekday newsletter that provides a daily dose of what’s going on in the world of technology. What Anthropic’s latest AI discovery does—and doesn’t—show —James O’Donnell When Anthropic announced last week that it had

MIT Technology Review·
View 4 more technology stories

Security desk — threats & advisories

Vulnerability intelligence

Priority CVEs

Known exploitation, severity and likelihood — ranked for action.

CVE-2026-56290Joomlack Page Builder Ck
KEV10.0 critical

The Joomla extension Page Builder CK is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE.

EPSS 2.9%
Recommended action
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
CVE-2026-48908Ollyo Sp Page Builder
KEV10.0 critical

A vulnerability in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, ultimately resulting in the upload and execution of PHP code.

EPSS 1.6%
Recommended action
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
CVE-2026-48939Joomlic Icagenda
KEV10.0 critical

A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.

EPSS 1.5%
Recommended action
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
CVE-2026-12569Ptc Flexplm
KEV9.3 critical

A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data.  * This advisory also applies to all CPS versions * The identified vulnerability also impacts Windchill and FlexPLM releases prior to 11.0 M030

EPSS 1.2%
Recommended action
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
View 16 more priority CVEs
CVE-2025-71338Flowiseai Flowise
10.0 critical

Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauthenticated attackers to write arbitrary files to the filesystem. Attackers can exploit unsanitized fileName parameters with ../ sequences to overwrite critical files like package.json and achieve remote code execution when the application restarts.

EPSS 0.6%
10.0 critical

Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of the backing MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body collection and, where the builder has published a PUBLIC write query, modifies every document of that collection with one HTTP request. enrichContext at packages/server/src/sdk/workspace/queries/queries.ts:121-138 substitutes parameter values into the raw JSON body of a query, then JSON.parses the result. The validator validateQueryInputs at packages/server/src/api/controllers/query/index.ts:61-71 rejects only Handlebars markers ({{, }}) in user input and does not escape JSON metacharacters (", \, }). A parameter value containing a closing quote and additional keys lifts attacker-controlled fields into the parsed filter object. For Mongo find, the parsed filter passes directly to collection.find() (packages/server/src/integrations/mongodb.ts:506-510). Duplicate-key JSON parsing overrides the builder's {name: "..."} with {name: {$exists: true}} and returns every document. The same primitive against an updateMany query (mongodb.ts:577-585) widens the filter scope to the full collection while the builder-controlled $set body runs against every matched document. The authorized middleware at packages/server/src/middleware/authorized.ts:141-148 short-circuits when the query's role is PUBLIC. CSRF is not enforced on this path. POST /api/v2/queries/:queryId (packages/server/src/api/routes/query.ts:63) accepts the call with no session, only an x-budibase-app-id header that is public from the published-app URL. This vulnerability is fixed in 3.39.12.

EPSS 0.5%
CVE-2026-53753Kidocode Crawl4ai
9.8 critical

Crawl4AI is an open-source LLM friendly web crawler & scraper. Prior to 0.8.7, the _safe_eval_expression() function in the computed fields feature uses an AST validator that only blocks attributes starting with underscore. Python generator and frame object attributes (gi_frame, f_back, f_builtins) do NOT start with underscore, enabling a complete sandbox escape to achieve arbitrary code execution. The attack requires no authentication (JWT disabled by default) and is triggered via POST /crawl with a crafted extraction schema. This vulnerability is fixed in 0.8.7.

EPSS 0.4%
CVE-2026-48930Nodejs Node.Js
9.8 critical

A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

EPSS 0.4%
CVE-2026-14241Mozilla Firefox
9.8 critical

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152.0.4.

EPSS 0.2%
9.3 critical

Feast before 0.63.0 contains an unsafe deserialization vulnerability that allows unauthenticated or unauthorized attackers to achieve remote code execution by sending a crafted gRPC request to the registry server. The user_defined_function.body field of an OnDemandFeatureView spec is decoded from base64 and passed to dill.loads() before any authorization check is performed, enabling attackers to embed a malicious serialized Python object with an arbitrary __reduce__ method to execute OS commands as the feast service account.

EPSS 0.9%
CVE-2026-50549Anysphere Cursor
9.3 critical

Cursor is a code editor built for programming with AI. Prior to 3.0, Cursor runs agent terminal commands in a sandbox by default. Before a Write, the agent canonicalizes the target path to confirm it stays inside the workspace, but when canonicalization fails it falls back to the original path and writes without approval. A malicious agent can create an in-workspace symlink that points outside the workspace and force canonicalization to fail — either because the target does not exist or because read permission is removed from the path — so the agent writes through the symlink to an arbitrary location without approval. A malicious agent could write arbitrary files outside the workspace under the user's privileges. This enables non-sandboxed Remote Code Execution — for example by overwriting the cursorsandbox helper so later commands run unsandboxed — with no user interaction beyond a benign prompt. This vulnerability is fixed in 3.0.

EPSS 0.6%
CVE-2026-50548Anysphere Cursor
9.3 critical

Cursor is a code editor built for programming with AI. Prior to 3.0, Cursor runs agent terminal commands in a sandbox by default, and the sandbox grants write access to the command's working directory. A flaw was identified in how the agent could modify the working_directory parameter, which could cause the sandbox to include writable paths outside the intended workspace. A malicious agent could set working_directory to a sensitive location and write arbitrary files outside the workspace under the user's privileges. This enables non-sandboxed Remote Code Execution — for example by overwriting the cursorsandbox helper so later commands run unsandboxed — with no user interaction beyond a benign prompt. This vulnerability is fixed in 3.0.

EPSS 0.6%
CVE-2025-71333Flowiseai Flowise
9.3 critical

Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to local. Attackers can exploit path traversal in the chatId and chatflowId parameters to upload malicious files to arbitrary directories, potentially enabling remote code execution and server compromise.

EPSS 0.6%
CVE-2026-31928Daktronics Dmp 5000 Firmware
9.3 critical

The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration or operation. Using these accounts provides full system access.

EPSS 0.6%
9.3 critical

Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request parameter is retrieved via the raw accessor grv() (rather than gfrv() with FILTER_VALIDATE_IS_REGEX validation) and concatenated directly into RLIKE SQL clauses in lib/html_graph.php and lib/html_tree.php, which are reachable pre-authentication through graph_view.php on installations with guest graph viewing enabled. Because the unbalanced-quote payload bypasses the regex validation that would otherwise reject it, an unauthenticated attacker can inject arbitrary SQL to compromise the confidentiality, integrity, and availability of the database. This advisory is similar to GHSA-69gg-mjfm-jjpc. This issue has been fixed in version 1.2.31.

EPSS 0.5%
9.3 critical

RTKLIB through 2.4.3 contains an out-of-bounds write vulnerability in decode_type1033 function that fails to clamp length counters to destination buffer size, allowing up to 191-byte overflow into fixed 64-byte descriptor fields. An attacker controlling an NTRIP or serial RTCM3 correction stream can craft a valid CRC-bearing type-1033 message to corrupt adjacent rtcm_t object members, potentially achieving arbitrary code execution or denial of service.

EPSS 0.4%
CVE-2026-11720Google Mcp Toolbox For Databases
9.3 critical

A path traversal vulnerability exists in the HTTP tool URL builder of googleapis/mcp-toolbox. When constructing downstream API requests, the URL builder substitutes user-controlled pathParams into the configured tool path and parses the resulting string as a relative URL. While it checks that the input does not alter the scheme, host, or user info, it relies on ResolveReference for the final URL resolution. Because dot segments (../) are normalized during this resolution step, an attacker can supply path parameters containing directory traversal sequences to escape the operator-configured path scope. This allows the client to coerce the toolbox into making requests to unintended endpoints on the same target host while forwarding the toolbox's configured credentials (e.g., bypassing a restricted path like /api/v1/users/{{.id}} to reach /admin/secrets).

EPSS 0.4%
CVE-2026-56123Dest Unreach Socat
9.2 critical

socat versions 1.8.0.0 through 1.8.1.1 contain a heap-based buffer overflow vulnerability that allows a malicious SOCKS5 proxy server to overwrite adjacent heap memory by exploiting a sign-extension flaw in the DOMAINNAME reply parser. During connection setup, the domain name length byte is read through a signed char field causing a negative bytes_to_read value that is implicitly converted to size_t, resulting in an unbounded heap write into the 262-byte reply buffer with attacker-controlled size and content.

EPSS 0.3%
9.1 critical

IBM Langflow OSS 1.0.0 through 1.9.6 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.

EPSS 0.3%
9.0 critical

Dokku is a docker-powered PaaS. Prior to 0.38.7, the cron plugin utilizes commands in the app.json file to manage system cron running as the Dokku user. An app.json cron command utilizing special shell characters - including, but not limited to, > or ; - can break out of the Docker container and execute commands on the host as the Dokku user. This vulnerability is fixed in 0.38.7.

EPSS 0.3%
Uses NVD data but is not endorsed or certified by the NVD. KEV: CISA · EPSS: FIRST.org
Windows watch

Microsoft Windows CVEs

Windows CVEs from the current patch cycle, plus recent actively exploited entries from CISA.

CVE-2008-4250Microsoft Windows
KEVunknown

Microsoft Windows contains a buffer overflow vulnerability in the Windows Server Service that allows remote attackers to execute arbitrary code via a crafted RPC request that triggers an overflow during path canonicalization.

EPSS 98.8%
Recommended action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CVE-2026-47291Microsoft Windows HTTP.sys
9.8 critical

Integer overflow or wraparound in Windows HTTP.sys allows an unauthorized attacker to execute code over a network.

EPSS 21.5%
CVE-2026-45657Microsoft Windows Kernel
9.8 critical

Use after free in Windows Kernel allows an unauthorized attacker to execute code over a network.

EPSS 15.5%
CVE-2026-44815Microsoft Windows DHCP Client
9.8 critical

Stack-based buffer overflow in Windows DHCP Client allows an unauthorized attacker to execute code over a network.

EPSS 1.1%
View 8 more Windows CVEs
CVE-2026-49172Microsoft Windows FTP Service
9.8 critical

Heap-based buffer overflow in Windows FTP Service allows an unauthorized attacker to execute code over a network.

EPSS
CVE-2026-42904Microsoft Windows TCP/IP
9.6 critical

Heap-based buffer overflow in Windows TCP/IP allows an unauthorized attacker to elevate privileges over an adjacent network.

EPSS 0.4%
CVE-2026-49798Microsoft Windows Kernel
9.3 critical

Use after free in Windows Kernel allows an unauthorized attacker to elevate privileges locally.

EPSS
CVE-2026-45602Microsoft Windows DHCP Server
9.1 critical

No cwe for this issue in Windows DHCP Server allows an unauthorized attacker to perform tampering over a network.

EPSS 0.4%
CVE-2026-58608Microsoft Windows Print Spooler Components
8.8 high

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Print Spooler Components allows an authorized attacker to execute code over a network.

EPSS
CVE-2026-54999Microsoft Windows TCP/IP
8.8 high

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an unauthorized attacker to execute code over an adjacent network.

EPSS
CVE-2026-54107Microsoft Windows Win32K
8.8 high

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K allows an authorized attacker to elevate privileges locally.

EPSS
CVE-2026-50342Microsoft Windows MIDI Service Module
8.8 high

Improper access control in Windows MIDI Service Module allows an authorized attacker to elevate privileges locally.

EPSS
Uses NVD data but is not endorsed or certified by the NVD. KEV: CISA · EPSS: FIRST.org
Queensland

Warnings & disruptions

Market motion — indexes & movers

^GSPCS&P 500
7,547.44+0.43%
7.6k7.5k7.4k
6 July7 days14 July
^IXICNasdaq Composite
26,140.87+1.03%
26.3k25.9k25.5k
6 July7 days14 July
^AXJOS&P/ASX 200
A$8,809+0.03%
8,8578,7678,677
6 July7 days13 July
US movers · 7 days
NVDANVIDIA
203.53-3.52%
211201191
2 July7 days13 July
TSLATesla
395.01+0.06%
420405391
6 July7 days14 July
AAPLApple
314.96-0.74%
323315307
6 July7 days14 July
MSFTMicrosoft
390.99+1.53%
396384373
2 July7 days13 July
GOOGLAlphabet
358.94+1.82%
373362351
6 July7 days14 July
AMZNAmazon
246.79-0.21%
251245238
6 July7 days14 July
METAMeta Platforms
663.29+1.00%
678627577
6 July7 days14 July
AMDAdvanced Micro Devices
554.87+3.83%
574536498
6 July7 days14 July
TSMTaiwan Semiconductor
421.58-2.89%
461441420
2 July7 days13 July
ARMARM Holdings
283.76-5.09%
339308276
6 July7 days14 July
ASX ETFs · 7 days
VASVanguard Australian Shares Index ETF
A$109-0.03%
110109107
6 July7 days14 July
VDHGVanguard Diversified High Growth Index ETF
A$76+0.03%
76.5976.0275.46
6 July7 days14 July
WBCWestpac Banking
A$37-0.70%
36.9036.0835.25
6 July7 days14 July
XROXero
A$71+0.80%
75.7172.0968.47
6 July7 days14 July
WTCWiseTech Global
A$35+4.29%
39.3936.0132.64
6 July7 days14 July
NXTNEXTDC
A$13-3.19%
14.1613.5012.84
6 July7 days14 July
Delayed indicators for context only · Not financial advice · US data: Alpha Vantage (Yahoo Finance fallback) · ASX data: Yahoo Finance

Conditions — daily signals

Brisbane now

Clear

10°
Feels 7°H 19° · L 9°
24% rainUV 512 km/h
4 am10°0%
5 am9°0%
6 am9°0%
7 am9°0%
8 am11°0%
Air qualityUnavailable
Weather: Open-Meteo · Air quality: CAMS/Open-Meteo
Today in context

Daily signals

Australian dollarUS$0.694Latest reference rate
BitcoinA$92,387Up 3.0% in 24h
Public holidayNoRegular Queensland business day
Daylight6:37 am–5:10 pmSunrise to sunset
System

Source status

19 sources updated successfully.

View all source timestamps
Krebs on Security BBC World Bureau of Meteorology BleepingComputer BBC Technology ABC News Yahoo Finance Open-Meteo Brisbane News MIT Technology Review CISA The Hacker News Alpha Vantage CoinGecko Frankfurter NVD CISA KEV FIRST EPSS Nager.Date

End of brief. Context shifts — original sources remain the authority.