Analyst decision point
This daily CVE digest is an intake queue, not a list of confirmed incidents.
- Evidence
- Generated from NVD, CISA KEV, and EPSS across 55 CVEs.
- Mapping
- ATT&CK mapping is intentionally absent at digest level. Map behavior only from reviewed exploitation evidence.
- Next action
- Sort by exploit signal, product exposure, business criticality, and telemetry availability.
Attack understanding
Turn vulnerability volume into defender priorities
The digest is designed to help a defender decide what to inspect first without converting CVSS or EPSS into unsupported attack claims.
Total intake
NVD records inside the source window.
High / critical
Severity triage candidates, not incident evidence.
CISA KEV
Known exploited entries require faster exposure review.
Exploit signals
Records with exploitation context in the generated intake.
This digest separates vulnerability prioritization from threat behavior. Do not infer malware, vendor compromise, actor identity, or ATT&CK techniques from a CVE list alone.
Automation Boundary
This digest is automated CVE intake, not a reviewed threat-activity claim. It ranks public NVD records with EPSS enrichment and CISA KEV context so defenders have a daily review queue. Items without an exploitation signal should be treated as vulnerability-prioritization leads, not evidence of active intrusion.
Daily Counts
- NVD CVEs published in the source window: 55
- High or critical CVEs considered for ranking: 27
- CISA KEV additions on 2026-07-12: 0
- Ranked items published here: 10
Top 10 CVE Intake
| Rank | CVE | CVSS | EPSS percentile | CVE summary |
|---|---|---|---|---|
| 1 | CVE-2026-15481 | HIGH 8.8 | 71.5% | A security flaw has been discovered in Trendnet TEW-635BRM up to 1.00.03. This vulnerability affects the function ipoa_test of the file /sbin/rc of t... |
| 2 | CVE-2026-59260 | HIGH 8.8 | 49.4% | OpenWrt luci-app-samba4 read ACL grants file.exec permission on /usr/sbin/smbd, allowing authenticated delegated users to execute the Samba daemon wi... |
| 3 | CVE-2026-58281 | HIGH 8.3 | 49.0% | Deserialization of untrusted data in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. |
| 4 | CVE-2026-15491 | HIGH 7.3 | 45.9% | A weakness has been identified in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99. This affects an unknown part. This manipul... |
| 5 | CVE-2026-15484 | HIGH 8.8 | 37.0% | A vulnerability was detected in TRENDnet TEW-821DAP 1.12B01. The affected element is the function sub_41EC14 of the file /goform/tools_nslookup of th... |
| 6 | CVE-2026-15483 | HIGH 8.8 | 37.0% | A security vulnerability has been detected in TRENDnet TEW-821DAP 1.12B01. Impacted is the function sub_41EC14 of the file /goform/tools_nslookup of... |
| 7 | CVE-2026-15480 | HIGH 8.8 | 37.0% | A vulnerability was identified in Trendnet TEW-635BRM up to 1.00.03. This affects the function start_httpd of the file /sbin/rc of the component Web... |
| 8 | CVE-2026-58596 | HIGH 8.3 | 36.9% | Untrusted pointer dereference in Microsoft Edge (Chromium-based) allows an unauthorized attacker to elevate privileges over a network. |
| 9 | CVE-2026-56260 | CRITICAL 9.1 | 34.0% | Crawl4AI before 0.8.7 contains an arbitrary file write vulnerability in the Docker API server's /screenshot and /pdf endpoints. The output_path param... |
| 10 | CVE-2026-56271 | CRITICAL 9.8 | 31.7% | Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses weak hardcoded default JWT secrets ('auth_token', 'refresh_token') and default audie... |
Source Notes
The source window is 2026-07-11T18:30:00.000Z to 2026-07-12T18:29:59.999Z. AttackTrace uses NVD publication timestamps, CISA KEV date-added values, and FIRST EPSS enrichment. Reviewed threat-activity briefs remain separate and require source-backed exploitation or campaign evidence.
Ranked CVEs
A security flaw has been discovered in Trendnet TEW-635BRM up to 1.00.03. This vulnerability affects the function ipoa_test of the file /sbin/rc of the component IPoA WAN Connection Setup. Performing a manipulation of t...
Open NVD recordOpenWrt luci-app-samba4 read ACL grants file.exec permission on /usr/sbin/smbd, allowing authenticated delegated users to execute the Samba daemon with caller-controlled command-line arguments. Attackers can pass arbitr...
Open NVD recordDeserialization of untrusted data in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.
Open NVD recordA weakness has been identified in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99. This affects an unknown part. This manipulation causes missing authentication. The attack is possible to be carr...
Open NVD recordA vulnerability was detected in TRENDnet TEW-821DAP 1.12B01. The affected element is the function sub_41EC14 of the file /goform/tools_nslookup of the component ssi. The manipulation results in buffer overflow. It is po...
Open NVD recordA security vulnerability has been detected in TRENDnet TEW-821DAP 1.12B01. Impacted is the function sub_41EC14 of the file /goform/tools_nslookup of the component ssi. The manipulation of the argument nslookup_target le...
Open NVD recordA vulnerability was identified in Trendnet TEW-635BRM up to 1.00.03. This affects the function start_httpd of the file /sbin/rc of the component Web Service. Such manipulation of the argument device_name leads to stack-...
Open NVD recordUntrusted pointer dereference in Microsoft Edge (Chromium-based) allows an unauthorized attacker to elevate privileges over a network.
Open NVD recordCrawl4AI before 0.8.7 contains an arbitrary file write vulnerability in the Docker API server's /screenshot and /pdf endpoints. The output_path parameter accepts arbitrary filesystem paths without validation, allowing a...
Open NVD recordFlowise before 3.1.0 (affected versions 3.0.13 and earlier) uses weak hardcoded default JWT secrets ('auth_token', 'refresh_token') and default audience and issuer values ('AUDIENCE', 'ISSUER') in the enterprise passpor...
Open NVD recordDefender review
How to use this digest
This digest is an intake queue. Treat it as a prioritization input, then verify product presence, exposure, patch state, and detection coverage in your own environment.
Investigate
- 01Identify which ranked CVEs affect products present in your environment.
- 02Separate externally exposed systems from internal-only assets.
- 03Compare KEV, EPSS, vendor, and NVD source status before assigning urgency.
Detect
- 01Check whether affected products produce logs useful for exploitation attempts.
- 02Avoid creating ATT&CK detections until sources describe observed behavior.
- 03Record missing telemetry as a coverage gap for product owners.
Respond
- 01Patch or mitigate based on exposure and exploit signal.
- 02Promote only source-backed exploitation cases into reviewed threat activity.
- 03Archive non-applicable products so the queue stays usable tomorrow.
Separate KEV-backed exploitation from high CVSS records with no exploit signal.
Confirm affected products and versions before assigning remediation urgency.
Record evidence gaps instead of converting unknowns into exposure claims.
Escalate reviewed threat-activity candidates only when exploitation or campaign evidence exists.
Evidence presentation
Source window and ranking boundary
Ranking is derived from public vulnerability feeds. It should guide review order, not replace asset inventory or incident evidence.
Source window starts 2026-07-11T18:30:00.000Z.
Source window ends 2026-07-12T18:29:59.999Z.
NVD provides vulnerability details and CVSS context.
CISA KEV and EPSS provide exploitation and probability context.
Record history
Update history
Update history
- Published
- 2026-07-12
- Generated
- 2026-07-13T16:19:57.205Z
- CVEs included
- 55