██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

SharePoint Flaw Exploited: CISA Flags Critical Code Execution Bug

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. July 02, 2026

Share

cybr.cx Daily Digest — July 02, 2026


Critical Vulnerabilities

⚠️ Actively exploited — CVE-2026-45659 | Microsoft SharePoint Server | CVSS: N/A (KEV)
A deserialization of untrusted data vulnerability in Microsoft SharePoint Server allows an authenticated attacker to execute arbitrary code over the network. CISA added this to the Known Exploited Vulnerabilities catalogue on July 1st with a remediation deadline of July 4th — patch immediately and treat that holiday-weekend deadline as a hard stop, not a suggestion. If you have internet-facing SharePoint instances, assume targeting is active.

⚠️ Actively exploited — CVE-2026-48558 | SimpleHelp | CVSS: N/A (KEV)
SimpleHelp's OIDC authentication flow accepts identity tokens without verifying their cryptographic signatures, allowing a completely unauthenticated remote attacker to bypass authentication entirely. The remediation deadline passed today (July 2nd). If you're running SimpleHelp with OIDC enabled and haven't patched, treat it as compromised and investigate accordingly.

⚠️ Actively exploited — CVE-2026-12569 | PTC Windchill and FlexPLM | CVSS: N/A (KEV)
An improper input validation flaw in PTC's Windchill and FlexPLM platforms allows unauthenticated remote attackers to execute arbitrary code via a malicious network request. These are enterprise PLM systems common in manufacturing and defence supply chains — a high-value target. Remediation deadline has already passed; if you haven't patched, you're overdue.

⚠️ Actively exploited — CVE-2026-20230 | Cisco Unified Communications Manager | CVSS: N/A (KEV)
An SSRF vulnerability in Cisco Unified CM and Unified CM SME allows unauthenticated remote attackers to write arbitrary files to the underlying operating system. File write via SSRF on a communications platform is a reliable stepping stone to full system compromise. Remediation deadline also lapsed; prioritise immediately.

CVE-2026-13777 / CVE-2026-13783 / CVE-2026-13784 | Google Chrome < 150.0.7871.47 | CVSS: 8.8
Three separate heap corruption vulnerabilities patched in the latest Chrome release — one in iOSWeb (iOS-specific heap corruption via crafted HTML) and two use-after-free bugs in the Views component requiring minimal UI interaction to trigger. All three are rated Critical by Chromium's own severity scale. Push the 150.0.7871.47 update enterprise-wide; the iOSWeb bug is particularly worth watching given the reduced sandboxing on iOS WebKit configurations.

CVE-2026-13774 | Google Chrome Extensions < 150.0.7871.47 | CVSS: 8.1
A use-after-free in Chrome's Extensions subsystem allows arbitrary code execution if a user installs a malicious extension — a realistic social-engineering vector. Same patch batch as above; also a good prompt to audit your browser extension allow-lists.

CVE-2026-49119 | Gradio < 6.16.0 | CVSS: 7.5
A path traversal flaw in Gradio's FileExplorer component allows unauthenticated attackers to escape the configured root directory by supplying crafted path segments that cause os.path.join to discard the root prefix entirely. Gradio is extremely common in ML/AI demo deployments — many of which are casually internet-exposed. Update to 6.16.0 and audit any instance where file access is enabled.

CVE-2026-58593 | NodeBB (ActivityPub federation) | CVSS: 7.5
NodeBB's ActivityPub inbound middleware verifies the HTTP-signature actor and checks object ID origin, but never validates that attributedTo matches the authenticated sender. An attacker can spoof content as any user on a federated instance. Relevant to anyone running federated community platforms; check your NodeBB version and monitor for upstream patches.


Headline News

Apple's "Hide My Email" Feature Was Leaking the Real Addresses It Was Designed to Hide

Apple's Hide My Email privacy feature — sold as a core part of iCloud+ — has been found to leak users' real email addresses under certain conditions, directly undermining the anonymisation guarantee users were paying for. The flaw means that senders or services receiving emails routed through Apple's relay could, in some scenarios, recover the underlying Apple ID address rather than the randomised alias. For privacy-conscious users who specifically adopted the feature to prevent data brokers, advertisers, or threat actors from correlating their identity across services, this is a significant trust failure. Security practitioners running enterprise Apple device programmes should note that staff using Hide My Email for operational security purposes may have inadvertently exposed their actual corporate or personal identities. Apple has not yet made a formal public statement at time of publishing.

Tata Data Breach Exposes Apple iPhone 18 Designs — and a Recurring Supply Chain Problem

A data breach at Tata — one of Apple's key manufacturing and supply chain partners — has leaked internal documents related to the unreleased iPhone 18, along with materials belonging to several other Tata clients. This is not an isolated incident; Tata has now suffered multiple breaches that have resulted in client IP spilling into the public domain, raising serious questions about third-party supply chain security controls at one of the world's largest contract manufacturers. For security teams, the more pressing concern isn't the leaked product specs — it's what else was in those document stores: engineering schematics, component sourcing, and potentially security-relevant hardware details. Organisations that rely on large contract manufacturers or outsourcing partners should treat this as a prompt to re-evaluate data segregation requirements and contractual security obligations with their own supply chain partners.


Schrödinger's Feed

The NSA's Laboratory for Physical Sciences, in coordination with the Army Research Office, has launched the QuantumEAGLe initiative — a joint programme explicitly focused on securing sovereign quantum hardware supply chains. The name stands for Quantum Ecosystem Advancement, Growth & Leadership, but the operational substance is more interesting: it signals that the U.S. intelligence community is now treating quantum hardware provenance as a national security problem, not just a research one. As post-quantum cryptography standards roll out at the software layer, the integrity of the physical quantum systems underpinning future infrastructure is becoming a parallel concern. Practitioners managing long-horizon cryptographic roadmaps should watch QuantumEAGLe — supply chain security for quantum hardware is going to become a procurement and compliance question faster than most teams expect.


/dev/random

Sony has remotely deleted 551 StudioCanal films from PlayStation users' libraries — movies those users had purchased outright, not rented. The mechanism is the standard "you bought a licence, not a file" clause buried in platform terms of service, but seeing it applied at scale to over half a thousand titles makes the abstract legal language suddenly very concrete. It's a useful real-world demonstration of why "ownership" in DRM-encumbered ecosystems is a threat model, not just a philosophical debate — your purchased content has an availability dependency on the continued goodwill of a corporate relationship you were never party to. Air-gap your movie collection accordingly.