[Verse 1] July seventeen, twenty twenty-six, patch your calendars today Three critical vulnerabilities sliding through the gates SharePoint's looking shaky when it reads data it don't trust Deserialization cracks the door — attacker turns it to dust CVE-2026-58644, Microsoft's the name Untrusted data hits the server, code execution is the game No credentials needed, just a packet on the wire Remote attackers cooking up commands — your network's on the pyre [Chorus] Critical, critical, July's CVEs Fortinet and Microsoft both bending at the knees Inject the command, deserialize the load Unauthenticated access — patch before you erode CVE-2026-58644, 25089, 39808 Three doors wide open, close them before it's too late [Verse 2] Now Fortinet FortiSandbox — a sandbox meant to trap But CVE-2026-25089 flipped the map OS command injection, no login required Crafted packets whispering orders the system never hired FortiSandbox Cloud and PaaS — the whole family's stung Unauthorized commands just rattle off the attacker's tongue The product built to analyze is now the analyzed Every unpatched instance sitting wide open, victimized [Chorus] Critical, critical, July's CVEs Fortinet and Microsoft both bending at the knees Inject the command, deserialize the load Unauthenticated access — patch before you erode CVE-2026-58644, 25089, 39808 Three doors wide open, close them before it's too late [Bridge] CVE-2026-39808 is knocking at the wall Another FortiSandbox flaw — one more HTTP call Crafted requests carrying hidden code inside Unauthorized execution with nowhere left to hide Two separate Fortinet flaws, same family, same pain Command injection twice — they didn't plug the drain SharePoint's got a third angle, data it can't verify Deserialize the wrong packet and watch your server comply [Verse 3] So what's the takeaway when three crits drop the same week? Attack surface multiplies when vendor patches spring a leak No authentication needed — that's the sharpest blade These aren't theoretical warnings, these are debts already made Check your SharePoint versions, check your FortiSandbox fleet Apply the vendor guidance, don't leave the remediation incomplete An unauthenticated attacker needs one open crack Patch the three of these today — don't leave the door ajar for that [Chorus] Critical, critical, July's CVEs Fortinet and Microsoft both bending at the knees Inject the command, deserialize the load Unauthenticated access — patch before you erode CVE-2026-58644, 25089, 39808 Three doors wide open, close them before it's too late [Outro] July seventeen — write it on the wall Three critical CVEs and any one could make you fall SharePoint, FortiSandbox, command injection, bad data chewed Patch your systems, run the updates — don't get subdued
← Canada Gazette — July 17, 2026 | Critical CVEs (2 of 3) — July 17, 2026 →