Weekly CVE triage for IT teams
CVE triage for sysadmins in five minutes.
What to patch now. What can wait. What you can ignore.
New subscribers get the CVE triage cheat sheet, a one-page printable, in the welcome email. The weekly digest lands every Wednesday. Free, unsubscribe anytime.
Source-linked. Human-reviewed. Wednesday mornings.
A sample of the latest issue
JUN 17 · Nº040
An attacker can escalate privileges through the WebRender graphics component in Firefox and Thunderbird.
The call: Update Firefox to 152 (or ESR 140.12 / ESR 115.37) and Thunderbird to 152 (or ESR 140.12) through your package manager or Mozilla's update channel.
Plus 4 more calls in the latest issue. See the whole thing
Source-linked
Every verdict links to a primary source.
NVD, CISA KEV, MSRC, GHSA, or a vendor PSIRT. Skeptical readers can click through to verify in place.
Human-reviewed
A working sysadmin edits before it ships.
Issues are reviewed and edited before they go out, not auto-published from a feed. CVEs that aren’t actionable before standup don’t make the cut.
Editorial verdicts
One call per CVE. Four minutes total.
Patch now, patch this week, track, or doesn’t apply. These reviews are editorial and unpaid.
Today's digest, in full
The other 4 calls for Wednesday, June 17.
The four-verdict model
Every CVE gets one of these four calls.
No CVSS-jargon dump, no “threat actor postulated to leverage” sentences. You read the verdict, then the one-line action, then move on.
- Patch now
Exploited in the wild, or exposed and trivially exploitable. Today’s change window.
- Patch this week
Real risk, no active exploitation yet. Slot it into your next maintenance window.
- Track
Worth knowing about. No action needed today; check back if the advisory changes.
- Doesn't apply
Affected versions you don’t run, or a vendor branch you’ll never see. Skip with confidence.
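A small, added illustration of the four-verdict model (example code, not the newsletter's own tooling): an advisory record is checked against the versions you actually run first, then routed to one of the four calls. The field names, the version-range encoding and the sample advisory flags are assumptions; the Firefox fixed versions are taken from the sample call above, and the line between "Patch this week" and "Track" is one reading of the rubric.

```python
# Added example: the four-verdict triage model as a function.
# Field names and the {branch: fixed_version} encoding are assumptions.
from dataclasses import dataclass, field


def parse_version(v: str) -> tuple:
    """'140.12' -> (140, 12), so dotted versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Advisory:
    cve: str
    product: str
    exploited_in_wild: bool          # e.g. listed in CISA KEV
    exposed: bool                    # reachable by untrusted input/network
    trivially_exploitable: bool      # public PoC, no auth, low complexity
    # per branch, the first fixed version; anything below it is affected
    affected: dict = field(default_factory=dict)


def is_affected(adv: Advisory, branch: str, installed: str) -> bool:
    fixed = adv.affected.get(branch)
    return fixed is not None and parse_version(installed) < parse_version(fixed)


def verdict(adv: Advisory, inventory: dict) -> str:
    """inventory maps (product, branch) -> installed version for your fleet."""
    runs_affected = any(
        is_affected(adv, br, ver)
        for (prod, br), ver in inventory.items() if prod == adv.product
    )
    if not runs_affected:
        return "Doesn't apply"          # affected versions you don't run
    if adv.exploited_in_wild or (adv.exposed and adv.trivially_exploitable):
        return "Patch now"              # exploited, or exposed and trivial
    if adv.exposed or adv.trivially_exploitable:
        return "Patch this week"        # real risk, no active exploitation (assumed cut-off)
    return "Track"                      # worth knowing; no action today


# Constructed sample: fixed versions from the sample call (152 / ESR 140.12 /
# ESR 115.37); the three boolean flags are illustrative, not the digest's data.
SAMPLE_ADVISORY = Advisory(
    cve="CVE-2026-12289", product="firefox",
    exploited_in_wild=False, exposed=True, trivially_exploitable=False,
    affected={"release": "152", "esr140": "140.12", "esr115": "115.37"},
)
SAMPLE_INVENTORY = {("firefox", "esr140"): "140.11", ("thunderbird", "release"): "152"}

if __name__ == "__main__":
    print(SAMPLE_ADVISORY.cve, "->", verdict(SAMPLE_ADVISORY, SAMPLE_INVENTORY))
```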
Who reads this
Built for IT teams who do their own patching.
For sysadmins
The lone admin running fifty servers.
You don’t have time to read three feeds and a Discord. One email, one verdict per CVE, before standup.
For MSPs
Twenty clients, twenty stacks.
Each CVE is tagged by vendor and product, so a quick scan picks out what matters to your fleet. Forward the digest to whoever’s on rotation.
For IT managers
Brief leadership in one paragraph.
The intro summarizes what shipped, what’s on fire, and what to ignore. Forwardable in one click to whoever signs off on the change window.
For lean IT teams
No Tenable, no Qualys, no full-time analyst.
The digest is the triage layer you don’t have to staff.
The archive
Recent digests.
Firefox sandbox escape, a Dell RCE, and a Pacemaker crasher walk into your queue
CVE-2026-12289 lets attackers break out of Firefox/Thunderbird's WebRender sandbox (CVSS 8.8). Dell OpenManage and Pacemaker CIB also carry 8.6+ bugs, plus a command injection in Galaxy NG and a TLS bypass between Harvester and Rancher.
WordPress RCE at 9.8 unauthed, Defender privesc unpatched, OpenSSL nonce fail
A PHP Object Injection in a Salesforce/CF7 WordPress plugin needs no login and scores CVSS 9.8. Microsoft Defender's Malware Protection Engine has a local-to-SYSTEM escalation (CVSS 7.8) with no fix shipped yet. OpenSSL silently ignores IVs in AES-OCB mode, breaking encryption guarantees.
PeopleSoft takeover exploited in the wild, plus a 9.1 CMS forgery bug in OpenSSL
An unauthenticated PeopleSoft PeopleTools compromise (CVE-2026-35273) is already being exploited. Also: a CVSS 9.1 CMS AuthEnvelopedData forgery affecting OpenSSL, Node.js, and QEMU (CVE-2026-34182), a Zoom mobile privilege escalation, a public exploit for a Revo Uninstaller kernel driver, and a SQLite FTS5 heap overflow.
MariaDB Galera hits CVSS 10.0: unauthenticated RCE through a clustering feature
A shell injection in wsrep_notify_cmd gives attackers full code execution on MariaDB Galera clusters with no auth required. Also: a Chrome macOS use-after-free (8.8), a 389 Directory Server heap smash reachable by any domain user (7.6), and a MongoDB server-side JS memory leak (8.8).
From the blog
Playbooks the digest can't fit.
Two Struts CVEs, one incomplete fix, and the enterprise Java visibility problem
CVE-2023-50164 and CVE-2024-53677 hit the same file upload component in Apache Struts, a year apart. The second arrived because the fix for the first didn't go far enough. The real exposure is organizations that don't know where Struts lives in their stack.
Patching Ivanti Sentry Closes the Door. It Doesn't Evict the Guest.
Shadowserver found backdoored Ivanti Sentry instances within 48 hours of the PoC and said the rest are most likely compromised. The patch is step one, not the answer.
regreSSHion proved 'hard to exploit' is not a patch window
CVE-2024-6387 got filed under 'low priority' because it's slow on 64-bit. The CVSS score measured exploit difficulty, not what a root RCE in sshd actually puts at risk.
Start here
The ones worth reading first.
- The same handful of mechanisms account for most of the catalog
- 900 old bugs, one answer: patch what's supported, retire what isn't
- Five critical Fortinet CVEs in 28 months is not a streak of bad luck
- The year on-premise Exchange became the most-attacked software on earth
- CitrixBleed: the patch closed the leak but left the stolen keys working
- BlueKeep: the wormable RDP bug Microsoft patched Windows XP for
- A new critical Confluence RCE stopped being news. That's the problem.
- Does this CVE actually apply to you? Three filters before you patch
- A defensible software inventory you can build with the tools you already have
- When breaking the maintenance window is cheaper than waiting
Get the cheat sheet and the digest
CVE triage for sysadmins in five minutes.
What to patch now. What can wait. What you can ignore.
- 01 The CVE triage cheat sheet, a one-page printable decision tree, in the welcome email.
- 02 The weekly digest, one email every Wednesday, around four minutes to read.
Free. Unsubscribe anytime.