Last week brought a heavy load for defenders. This weekly CVE report from CVE WATCHTOWER counts 1,571 new vulnerabilities between July 6 and July 12, 2026. Among them, 125 rated critical and 510 rated high. More importantly, CISA added six actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
The week in numbers
The volume alone tells a story. Of the 1,571 new CVEs, 123 carried a CVSS score of 9.0 or higher. Ten hit the maximum score of 10.0. Meanwhile, only a handful showed confirmed exploitation. Therefore, the KEV list stays the sharpest signal for triage.
Six flaws under active attack
Every new KEV addition this week enables remote code execution. That makes them urgent for any exposed system.
A wave of Joomla file-upload bugs
Four of the six KEV entries target Joomla extensions. SP Page Builder, iCagenda, Page Builder CK, and Balbooa Forms all share the same weakness. Each one lets an unauthenticated attacker upload a file and run PHP code. Three of them score a perfect 10.0. So if you run these extensions, patch or remove them today.
ColdFusion and Langflow round out the list
Adobe ColdFusion also made the catalog. CVE-2026-48282 is a path traversal flaw rated 10.0, and it leads to code execution without user interaction. The sixth entry, CVE-2026-55255, is an IDOR bug in the Langflow AI platform, rated 8.4.
AI agent frameworks draw fire
This weekly CVE report also flags a clear trend. Several critical bugs hit AI and LLM tooling this week. PraisonAI, Langroid, Ruflo, and Crawl4AI each disclosed remote code execution issues rated 10.0. In most cases, the frameworks ran model-generated or request-supplied code without proper checks. As agent tools spread, expect attackers to probe them harder.
What to do now
Start with the six KEV entries, since attackers already use them. Next, review your exposure to the critical ColdFusion and Joomla flaws. Then work down the 123 high-scoring CVEs by asset value.
Patching everything at once is not realistic. Therefore, prioritize internet-facing systems and known-exploited bugs first. Beyond that, treat this weekly CVE report as a filter, not a to-do list. A steady weekly rhythm beats a frantic scramble.
Note on exploitation status: only the six KEV entries are confirmed as actively exploited. For the remaining new CVEs, no public exploitation has been confirmed at the time of writing.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.