Critical CVEs (1 of 3) — July 17, 2026

cloud rap, ambient techno hyphy · 4:28

Listen on 93

Lyrics

[Verse 1]
July seventeen, twenty twenty-six, patch your calendars today
Three critical vulnerabilities sliding through the gates
SharePoint's looking shaky when it reads data it don't trust
Deserialization cracks the door — attacker turns it to dust
CVE-2026-58644, Microsoft's the name
Untrusted data hits the server, code execution is the game
No credentials needed, just a packet on the wire
Remote attackers cooking up commands — your network's on the pyre

[Chorus]
Critical, critical, July's CVEs
Fortinet and Microsoft both bending at the knees
Inject the command, deserialize the load
Unauthenticated access — patch before you erode
CVE-2026-58644, 25089, 39808
Three doors wide open, close them before it's too late

[Verse 2]
Now Fortinet FortiSandbox — a sandbox meant to trap
But CVE-2026-25089 flipped the map
OS command injection, no login required
Crafted packets whispering orders the system never hired
FortiSandbox Cloud and PaaS — the whole family's stung
Unauthorized commands just rattle off the attacker's tongue
The product built to analyze is now the analyzed
Every unpatched instance sitting wide open, victimized

[Chorus]
Critical, critical, July's CVEs
Fortinet and Microsoft both bending at the knees
Inject the command, deserialize the load
Unauthenticated access — patch before you erode
CVE-2026-58644, 25089, 39808
Three doors wide open, close them before it's too late

[Bridge]
CVE-2026-39808 is knocking at the wall
Another FortiSandbox flaw — one more HTTP call
Crafted requests carrying hidden code inside
Unauthorized execution with nowhere left to hide
Two separate Fortinet flaws, same family, same pain
Command injection twice — they didn't plug the drain
SharePoint's got a third angle, data it can't verify
Deserialize the wrong packet and watch your server comply

[Verse 3]
So what's the takeaway when three crits drop the same week?
Attack surface multiplies when vendor patches spring a leak
No authentication needed — that's the sharpest blade
These aren't theoretical warnings, these are debts already made
Check your SharePoint versions, check your FortiSandbox fleet
Apply the vendor guidance, don't leave the remediation incomplete
An unauthenticated attacker needs one open crack
Patch the three of these today — don't leave the door ajar for that

[Chorus]
Critical, critical, July's CVEs
Fortinet and Microsoft both bending at the knees
Inject the command, deserialize the load
Unauthenticated access — patch before you erode
CVE-2026-58644, 25089, 39808
Three doors wide open, close them before it's too late

[Outro]
July seventeen — write it on the wall
Three critical CVEs and any one could make you fall
SharePoint, FortiSandbox, command injection, bad data chewed
Patch your systems, run the updates — don't get subdued

← Canada Gazette — July 17, 2026 | Critical CVEs (2 of 3) — July 17, 2026 →