CVE WatchlistTop 10 CVEs for July 16, 2026
CVE watchlist

Automated CVE intake

Top 10 CVEs for July 16, 2026

Automated daily CVE intake for July 16, 2026: 247 NVD CVEs, 134 high or critical entries, and 3 CISA KEV additions in the source window.

247 NVD CVEs134 high/critical3 KEV

Analyst decision point

This daily CVE digest is an intake queue, not a list of confirmed incidents.

Evidence
Generated from NVD, CISA KEV, and EPSS across 247 CVEs.
Mapping
ATT&CK mapping is intentionally absent at digest level. Map behavior only from reviewed exploitation evidence.
Next action
Sort by exploit signal, product exposure, business criticality, and telemetry availability.

Attack understanding

Turn vulnerability volume into defender priorities

The digest is designed to help a defender decide what to inspect first without converting CVSS or EPSS into unsupported attack claims.

Total intake

247

NVD records inside the source window.

High / critical

134

Severity triage candidates, not incident evidence.

CISA KEV

3

Known exploited entries require faster exposure review.

Exploit signals

0

Records with exploitation context in the generated intake.

This digest separates vulnerability prioritization from threat behavior. Do not infer malware, vendor compromise, actor identity, or ATT&CK techniques from a CVE list alone.

Automation Boundary

This digest is automated CVE intake, not a reviewed threat-activity claim. It ranks public NVD records with EPSS enrichment and CISA KEV context so defenders have a daily review queue. Items without an exploitation signal should be treated as vulnerability-prioritization leads, not evidence of active intrusion.

Daily Counts

  • NVD CVEs published in the source window: 247
  • High or critical CVEs considered for ranking: 134
  • CISA KEV additions on 2026-07-16: 3
  • Ranked items published here: 10

Top 10 CVE Intake

RankCVECVSSEPSS percentileCVE summary
1CVE-2021-27137HIGH 8.191.8%An issue was discovered in router/upnp/src/ssdp.c in DD-WRT before 45724. An unsafe strcpy in the UPnP handling functionality allows an unauthenticat...
2CVE-2026-46339CRITICAL 10.090.6%9Router is an AI router & token saver. From 0.4.30 until 0.4.37, 9Router's src/proxy.js middleware did not protect /api/cli-tools/* and /api/mcp/*, a...
3CVE-2026-59865CRITICAL 9.386.7%Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, kiota info read x-ms-kiota-info.languagesInformation.<language>.dependencyIn...
4CVE-2026-59867HIGH 7.177.6%Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, Kiota resolved OpenAPI $ref values by fetching remote http(s) URLs and reading...
5CVE-2026-30618CRITICAL 9.874.2%xszyou Fay 4.3.1 contains a remote code execution vulnerability in its MCP STDIO server management and command execution handling. A remote attacker...
6CVE-2026-59861HIGH 7.570.9%Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.0, Kiota's Ruby generator embedded OpenAPI default fields, property names, and ot...
7CVE-2026-44596CRITICAL 9.869.2%Yamcs is a mission control framework. Prior to 5.12.7, the authentication endpoint POST /auth/token in yamcs-core, handled by yamcs-core/src/main/jav...
8CVE-2026-63305CRITICAL 9.269.1%AVideo through 29.0 contains an OS command injection vulnerability in the ffmpeg.json.php endpoint where notifyCode and callback parameters are conca...
9CVE-2026-63304CRITICAL 9.268.5%AVideo through 29.0 contains an OS command injection vulnerability in plugin/API/standAlone/functions.php where the listFFmpegProcesses() function in...
10CVE-2026-59866CRITICAL 9.368.5%Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, Kiota emitted x-ms-kiota-info clientClassName and clientNamespaceName values w...

Source Notes

The source window is 2026-07-15T18:30:00.000Z to 2026-07-16T18:29:59.999Z. AttackTrace uses NVD publication timestamps, CISA KEV date-added values, and FIRST EPSS enrichment. Reviewed threat-activity briefs remain separate and require source-backed exploitation or campaign evidence.

Ranked CVEs

01CVE-2021-27137HIGH 8.1EPSS 91.8%No exploit signal

An issue was discovered in router/upnp/src/ssdp.c in DD-WRT before 45724. An unsafe strcpy in the UPnP handling functionality allows an unauthenticated remote attacker to send a request that would overflow an internal f...

Open NVD record
02CVE-2026-46339CRITICAL 10.0EPSS 90.6%No exploit signal

9Router is an AI router & token saver. From 0.4.30 until 0.4.37, 9Router's src/proxy.js middleware did not protect /api/cli-tools/* and /api/mcp/*, allowing unauthenticated registration of customPlugins through src/app/...

Open NVD record
03CVE-2026-59865CRITICAL 9.3EPSS 86.7%No exploit signal

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, `kiota info` read x-ms-kiota-info.languagesInformation.<language>.dependencyInstallCommand plus dependency name and version values from an OpenAPI d...

Open NVD record
04CVE-2026-59867HIGH 7.1EPSS 77.6%No exploit signal

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, Kiota resolved OpenAPI $ref values by fetching remote http(s) URLs and reading local absolute or out-of-tree file paths, allowing `kiota generate` o...

Open NVD record
05CVE-2026-30618CRITICAL 9.8EPSS 74.2%No exploit signal

xszyou Fay 4.3.1 contains a remote code execution vulnerability in its MCP STDIO server management and command execution handling. A remote attacker can access the publicly exposed MCP management interface and configure...

Open NVD record
06CVE-2026-59861HIGH 7.5EPSS 70.9%No exploit signal

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.0, Kiota's Ruby generator embedded OpenAPI default fields, property names, and other schema-derived strings through CodeMethodWriter.cs and SanitizeFor...

Open NVD record
07CVE-2026-44596CRITICAL 9.8EPSS 69.2%No exploit signal

Yamcs is a mission control framework. Prior to 5.12.7, the authentication endpoint POST /auth/token in yamcs-core, handled by yamcs-core/src/main/java/org/yamcs/http/auth/AuthHandler.java, lacked any rate limiting, acco...

Open NVD record
08CVE-2026-63305CRITICAL 9.2EPSS 69.1%No exploit signal

AVideo through 29.0 contains an OS command injection vulnerability in the ffmpeg.json.php endpoint where notifyCode and callback parameters are concatenated into a shell command without escaping. Attackers who can craft...

Open NVD record
09CVE-2026-63304CRITICAL 9.2EPSS 68.5%No exploit signal

AVideo through 29.0 contains an OS command injection vulnerability in plugin/API/standAlone/functions.php where the listFFmpegProcesses() function interpolates unsanitized keyword parameters inside single quotes without...

Open NVD record
10CVE-2026-59866CRITICAL 9.3EPSS 68.5%No exploit signal

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, Kiota emitted x-ms-kiota-info clientClassName and clientNamespaceName values without identifier or path sanitization as both generated client class...

Open NVD record

Defender review

How to use this digest

This digest is an intake queue. Treat it as a prioritization input, then verify product presence, exposure, patch state, and detection coverage in your own environment.

Investigate

  1. 01Identify which ranked CVEs affect products present in your environment.
  2. 02Separate externally exposed systems from internal-only assets.
  3. 03Compare KEV, EPSS, vendor, and NVD source status before assigning urgency.

Detect

  1. 01Check whether affected products produce logs useful for exploitation attempts.
  2. 02Avoid creating ATT&CK detections until sources describe observed behavior.
  3. 03Record missing telemetry as a coverage gap for product owners.

Respond

  1. 01Patch or mitigate based on exposure and exploit signal.
  2. 02Promote only source-backed exploitation cases into reviewed threat activity.
  3. 03Archive non-applicable products so the queue stays usable tomorrow.
CVE

Separate KEV-backed exploitation from high CVSS records with no exploit signal.

CVE

Confirm affected products and versions before assigning remediation urgency.

CVE

Record evidence gaps instead of converting unknowns into exposure claims.

CVE

Escalate reviewed threat-activity candidates only when exploitation or campaign evidence exists.

Evidence presentation

Source window and ranking boundary

Ranking is derived from public vulnerability feeds. It should guide review order, not replace asset inventory or incident evidence.

SRC

Source window starts 2026-07-15T18:30:00.000Z.

SRC

Source window ends 2026-07-16T18:29:59.999Z.

SRC

NVD provides vulnerability details and CVSS context.

SRC

CISA KEV and EPSS provide exploitation and probability context.

Record history

Update history

Update history

Published
2026-07-16
Generated
2026-07-17T19:00:10.631Z
CVEs included
247