Critical CVEs (3 of 3) — July 12, 2026

fife and drum blues acid breaks, psychedelic dream pop, rock americana, soulful soul · 4:37

Listen on 93

Lyrics

[Verse 1]
BeyondTrust Remote Support, door cracked open wide
CVE-2026-40139, nine point eight inside
Pre-authentication flaw, no password required
Unauthenticated stranger walking right through your firewall

The auth subsystem mangled every request it read
Improper processing let a stranger play the host instead
You don't need credentials when the bouncer can't read IDs
A remote attacker slips the lock and does exactly as they please

[Chorus]
July twelfth, twenty twenty-six, patch the critical list
CVEs stacking up, nothing here should be dismissed
BeyondTrust and Traefik, ArcGIS in the mix
Three vendors, four vulnerabilities — go apply the fix

[Verse 2]
Same vendor, different wound, this one scores a nine point nine
CVE-2026-40141, a web component out of line
Privileged Remote Access, insufficient validation gaps
Certain input parameters let attackers close the traps

They feed the application something ugly, something raw
The system swallows everything without a single flaw-check call
High severity label but the number tells the truth
Another BeyondTrust doorway missing bulletproof

[Chorus]
July twelfth, twenty twenty-six, patch the critical list
CVEs stacking up, nothing here should be dismissed
BeyondTrust and Traefik, ArcGIS in the mix
Three vendors, four vulnerabilities — go apply the fix

[Bridge]
Traefik is the traffic cop directing HTTP
A perfect ten on CVSS — the ceiling, you agree
CVE-2026-54763, BasicAuth and DigestAuth betrayed
Spoofed identity headers, the middleware stripped the wrong ones away
ForwardAuth got fooled by a canonical casing trick
Impersonate whoever you want and pivot quick
Before version two eleven fifty-one, three six twenty-two
Three seven six — those boundaries held nothing true

[Verse 3]
Esri Portal for ArcGIS, versions twelve point one and prior
Forgot your password? Good — that recovery flow's for hire
CVE-2026-13020, eight point one on the scale
A weak recovery mechanism lets a stranger take the mail

Windows, Linux, Kubernetes — the platform doesn't guard
A remote unauthorized attacker assuming ownership hard
They reset credentials they were never meant to own
Account takeover delivered straight — no foothold overthrown

[Chorus]
July twelfth, twenty twenty-six, patch the critical list
CVEs stacking up, nothing here should be dismissed
BeyondTrust and Traefik, ArcGIS in the mix
Three vendors, four vulnerabilities — go apply the fix

[Outro]
NVD confirmed, advisories dropped, the scores don't bluff
Nine point eight, nine point nine, a perfect ten is rough
Eight point one on ArcGIS, every single one demands attention
Update your software, close the gaps — zero room for good intention

← Critical CVEs (2 of 3) — July 12, 2026 | IT Security News — July 12, 2026 →