Critical CVEs (2 of 3) — July 17, 2026

havana techno, country dancehall · 4:09

Listen on 93

Lyrics

[Verse 1]
Oracle E-Business Suite, the payments module's cracked wide open
CVE-2026-46817, no credentials even spoken
An unauthenticated stranger with just HTTP and a network cable
Can waltz through Oracle Payments, flip the system off the table
Improper privilege management means the keys were never guarded
Any ghost across the wire gets the access that was chartered

[Chorus]
Three CVEs on deck today, July seventeen, twenty-twenty-six
Critical vulnerabilities, plug the holes before they mix
Oracle, KNX, Microsoft — three different locks all broken
Patch them fast before the damage and the data gets unspoken
These aren't drills, these aren't theories — attackers read the same reports
Shore up every crumbling doorframe, reinforce the weakest ports

[Verse 2]
CVE-2023-4346, the KNX Protocol's the subject
Connection Authorization Option One — the lockout mechanism's wrecked
It swings so far restrictive that an attacker flips it sideways
Purge every single device across the network in a haze
Smart buildings, automation hubs — imagine nothing's responding
When one crafted sequence wipes the slate without a warning

[Chorus]
Three CVEs on deck today, July seventeen, twenty-twenty-six
Critical vulnerabilities, plug the holes before they mix
Oracle, KNX, Microsoft — three different locks all broken
Patch them fast before the damage and the data gets unspoken
These aren't drills, these aren't theories — attackers read the same reports
Shore up every crumbling doorframe, reinforce the weakest ports

[Bridge]
Then there's Microsoft's federation layer — ADFS in the crosshairs
CVE-2026-56155, insufficient access granularity declared
An authorized account already inside the perimeter
Exploits the fuzzy boundaries and climbs the org's parameter
Privilege elevation locally — sounds small until it isn't
When domain-level control gets handed to whoever's listening
Granularity matters, coarse controls become a skeleton key
One misconfigured boundary is all the attacker needs to see

[Verse 3]
So sketch the picture: payments hacked, smart buildings wiped and silent
A federation server bent, internal access turned compliant
Three separate vendors, three distinct attack paths intersecting
All catalogued and published now, every threat worth cross-referencing
CISA's watching, defenders scrambling, patch cycles accelerating
Because the CVE list waits for nobody — it keeps accumulating

[Chorus]
Three CVEs on deck today, July seventeen, twenty-twenty-six
Critical vulnerabilities, plug the holes before they mix
Oracle, KNX, Microsoft — three different locks all broken
Patch them fast before the damage and the data gets unspoken
These aren't drills, these aren't theories — attackers read the same reports
Shore up every crumbling doorframe, reinforce the weakest ports

← Critical CVEs (1 of 3) — July 17, 2026 | Critical CVEs (3 of 3) — July 17, 2026 →