Critical CVEs (1 of 3) — July 18, 2026

breakstep synthwave, male-female duet, cinematic wall-of-sound, hypnotic and trancey, uptempo, plucky arpeggiated synths · 5:11

Listen on 93

Lyrics

[Verse 1]
Microsoft SharePoint's got a fractured seam
CVE-2026-58644, a deserialization scheme
Your server trusts the data packets rolling in
But the payload's been corrupted from within
Untrusted objects slip through every gate
The runtime unwraps them — already too late
No credentials needed, just a network line
An outsider's executing code that should be mine

[Chorus]
Patch the door before the data bleeds
These CVEs are live and planting seeds
SharePoint's cracking, FortiSandbox too
Unauthenticated strangers running through
Three critical flaws, July eighteen the date
Log the numbers, escalate — don't wait
Deserialization, injection in the shell
Unpatched systems ringing like a broken bell

[Verse 2]
Now Fortinet's got a wound that cuts real deep
CVE-2026-25089, the kind that doesn't sleep
FortiSandbox, the Cloud build, and the PaaS deploy
All carrying an injection flaw an attacker can employ
They craft a packet — malefic, purpose-built
The OS command runs clean without a jilt
No login, no handshake, no stolen keys
Just sculpted HTTP and they do what they please

[Chorus]
Patch the door before the data bleeds
These CVEs are live and planting seeds
SharePoint's cracking, FortiSandbox too
Unauthenticated strangers running through
Three critical flaws, July eighteen the date
Log the numbers, escalate — don't wait
Deserialization, injection in the shell
Unpatched systems ringing like a broken bell

[Bridge]
The word is perfidious — treacherous in quiet disguise
These vulnerabilities don't announce themselves, they temporize
Waiting in the architecture, patient as rust
Until an attacker's crafted request turns your sandbox to dust
CVE-2026-39808, the third name on the wall
FortiSandbox again, different path — same sprawl
HTTP requests, unauthorized code detonates
Unauthenticated entry — zero friction at the gates

[Verse 3]
Three CVEs, one vendor hit back-to-back
Fortinet's appliance bleeding through the cracks
FortiSandbox built to catch the malware loads
But injection flaws rewrite its own source roads
SharePoint on the enterprise, the intranet spine
Deserialized corruption running down the line
Beginner, intermediate — hear the signal clear
When the product name is famous, the blast radius is severe

[Chorus]
Patch the door before the data bleeds
These CVEs are live and planting seeds
SharePoint's cracking, FortiSandbox too
Unauthenticated strangers running through
Three critical flaws, July eighteen the date
Log the numbers, escalate — don't wait
Deserialization, injection in the shell
Unpatched systems ringing like a broken bell

[Outro]
58644 — deserialize with care
25089 — injected from thin air
39808 — HTTP strikes again
Memorize the numbers, know your enemy, then
Vendor alerts, your CISO needs to know
Fortinet, Microsoft — patch before you go

← Canada Gazette — July 18, 2026 | Critical CVEs (2 of 3) — July 18, 2026 →