One unauthenticated request was enough to own three different edge products this week.

CVEasy Weekly

This Week in Exposure

Week 29 · July 7 to July 13, 2026

This week the boxes at the edge of the network stopped asking for credentials. A ColdFusion server took a single POST and handed back SYSTEM. A NetScaler appliance leaked live session tokens that walk straight past a password and an MFA prompt. And a Gitea container read one HTTP header, believed whatever name it carried, and opened every private repository to a stranger. Three different products, one theme: the front door was answering to anyone who knocked, no login required.

Here is what mattered, ranked by real risk, not just CVSS.

Top Exposures This Week

1. Adobe ColdFusion: one POST, unauthenticated, running as SYSTEM

CVE-2026-48282 · Adobe ColdFusion (RDS FILEIO handler)

A forgotten RDS developer toggle exposes a small RPC bridge that lets the request pick its own destination. A single POST to /CFIDE/main/ide.cfm walks a path-traversal payload, lays a CFML webshell in the webroot, and runs it. Adobe shipped the fix on June 30 in APSB26-68, and NVD scored it CVSS 10.0.

Risk read: This is the rare finding where the max CVSS is not an exaggeration. It needs no credentials, and on Windows the webshell runs as NT AUTHORITY\SYSTEM. watchTowr published a reproducible write-up on July 2, honeypots recorded exploitation attempts within two hours, and CISA added the CVE to KEV on July 7 with a federal deadline of July 10 that has now passed. The catch TRIS surfaces: exposure hinges on whether the specific box has RDS on with a blank or known password, the exact state promoted forward from dev on a lot of production servers. Where that is true, the blast radius is every credential the SYSTEM account can reach.

Read the TRIS walk →

2. CitrixBleed 2: a NetScaler that leaks live session tokens

CVE-2026-8451 · Citrix NetScaler ADC and Gateway (SAML IdP role)

A bug in NetScaler's custom SAML XML parser turns into a pre-auth memory overread that spills live session tokens through the NSC_TASS cookie. Replaying one of those cookies bypasses the SAML flow, the password, and the MFA challenge in a single step. Citrix covered it in bulletin CTX696604 on June 30.

Risk read: The base CVSS lands in the high-8 range and gets a normal queue slot, which is the wrong signal. watchTowr shipped a full write-up inside 24 hours, Lupovis honeypots caught probes on July 1, and CrowdSec confirmed broader scanning on July 2, which lifts this to the top exploitation tier. The exposure is that a leaked token is a working session no MFA can revoke on its own, so any secret that passed through the appliance since its last restart is potentially in the memory an attacker can pull. Patch to the fixed 14.1 or 13.1 build, then hunt and rotate. If you cannot patch inside the day, disable the SAML IdP role.

Read the full breakdown →

3. Gitea Docker: one header hands over full admin

CVE-2026-20896 · Gitea (official Docker image)

The official Gitea Docker image ships with a wildcard REVERSE_PROXY_TRUSTED_PROXIES default that declares the entire internet a trusted proxy. So any source IP can attach an X-WEBAUTH-USER header, name any account, and be believed. A single curl with the header set to admin reads every private repository. NVD scores it CVSS 9.8.

Risk read: The header-parsing code is doing what it was told; the vulnerability is a deployment default that trusts everyone. Sysdig caught the first live probe from a ProtonVPN exit on July 7, testing the header and logging responses, consistent with an operator still building a target list. Roughly 6,200 instances are exposed. The exposure that raises this above a normal auth bypass is what admin on a source-hosting box buys next: admin on Gitea is the first link in a supply-chain chain when the target ships software. Pin 1.26.4, not 1.26.3, which shipped with a regression, then review the admin audit log for user and token creations no one owns.

Read the TRIS layer walk →

Threat Actor Spotlight

The activity on all three of this week's CVEs is, so far, opportunistic mass scanning documented by researchers, not a named crew, and I am not going to hang attribution on a probe from a ProtonVPN exit. The instructive precedent is the original CitrixBleed. CISA and Mandiant publicly reported that CVE-2023-4966, the NetScaler session-token bleed, was weaponized by ransomware affiliates, including LockBit, who replayed hijacked sessions to skip authentication entirely. That is the well-established lesson worth carrying into this week: a token-bleed on an internet-facing appliance rarely stays a research curiosity, and the access brokers who feed ransomware move fast on anything that bypasses a login. Hardening takeaway: for a session-token bleed, patching is not the end of the incident. Assume tokens minted before the patch are still valid, terminate active sessions, and rotate the secrets that transited the box, rather than trusting that the update alone closed the door.

Patch This First

Adobe ColdFusion CVE-2026-48282. It is CVSS 10.0, it needs no credentials, honeypots saw exploitation within two hours of the public write-up, and it is on KEV with a federal deadline that already passed on July 10. Confirm your ColdFusion servers are on the APSB26-68 build, and while you are there, turn RDS off on anything that does not need it. Then move to the NetScaler and Gitea items.

Signed CVEasy threat-intel IOC bundle current as of 2026-07-13. The desktop app verifies the ED25519 signature before import.

Every item this week was reachable with one request and no password. The reason the queue matters is that raw CVSS cannot tell you which of your boxes actually has RDS enabled, still exposes the SAML endpoint, or ships that wildcard proxy default. Two servers with the same CVE belong in different queues, and the one that decides itself on real exposure is the one worth your Monday. That is the gap TRIS exists to close, and the gap I want this letter to close for you every week.

Patch well,
Chris Boker
Founder, CVEasy AI

You are receiving CVEasy Weekly because you subscribed at cveasyai.com.
CVEasy AI · This Week in Exposure · Unsubscribe