Critical CVEs — July 04, 2026

havana trap, japanese americana, dancehall · 3:29

Lyrics

[Verse 1]
Fourth of July, but the fireworks ain't the threat
Two CVEs dropped, and the patches aren't set
SharePoint Server's sitting cracked at the seam
Deserialization — uglier than it seems
An authorized user, already got access
Sends untrusted data through the network express
The server unwraps it, no question, no check
Executes whatever code — remote wreck

[Chorus]
CVE-2026-45659
SharePoint's got a hole in the server design
CVE-2026-48558
SimpleHelp's OIDC is opening the gate
Two vulns, Fourth of July, patch 'em today
Unauthorized code and auth bypass on the way
Critical severity, no time to debate
Lock it down before it's already too late

[Verse 2]
Now SimpleHelp's running authentication flow
OIDC configured, tokens coming in slow
But here's the twist — the system never verifies
The identity token, just accepts the lies
You submit your login, skip the proof entirely
The server waves you through, acting completely blindly
No attacker needs credentials, no password to crack
Just a crafted token and you're in through the back

[Chorus]
CVE-2026-45659
SharePoint's got a hole in the server design
CVE-2026-48558
SimpleHelp's OIDC is opening the gate
Two vulns, Fourth of July, patch 'em today
Unauthorized code and auth bypass on the way
Critical severity, no time to debate
Lock it down before it's already too late

[Bridge]
Microsoft and SimpleHelp, both shipping fixes
Check your vendor bulletins, skip the remixes
Deserialization means trusting the wrong input
Authentication bypass means the lock has no pivot
One lets code run from across the wire cold
One lets strangers past the bouncer, dressed in bold
Your network is the neighborhood, these are open doors
Patch cycle running — go and settle the scores

[Verse 3]
Security team's pulling double on the holiday
Two critical vulns ain't gonna patch and walk away
SharePoint deployments scattered enterprise-wide
SimpleHelp remote support — attackers could ride
Verify your OIDC config, disable if needed
Apply the Microsoft bulletin, don't leave it unheeded
Untrusted data in, malicious code out
That's the story of both — no room for doubt

[Verse 4]
Think about the SOC analyst staring at the screen
Holiday skeleton crew, quietest it's been
Threat actors know the timing, they love a long weekend
Reduced response capacity, defenses start bending
Don't let the calendar be the reason you're breached
Patch windows don't care if the cookout's in reach
Firewalls and updates, that's your celebration
Critical severity demands your full attention

[Outro]
July fourth, twenty twenty-six, mark the date
CVE-45659 and 48558 won't wait
Deserialization, authentication gone wrong
Patch your systems before they don't belong
Two alerts, one holiday, zero excuses
Critical vulns cost more than what a breach produces
