CISA has added three vulnerabilities to its Known Exploited Vulnerabilities catalog as of July 16, 2026. These include two critical vulnerabilities affecting Fortinet FortiSandbox and one affecting Microsoft SharePoint. The federal agencies are required to address these vulnerabilities by July 19, 2026. The vulnerabilities are noted for their high CVSS scores: CVE-2026-58644 for SharePoint scores 9.8, while CVE-2026-25089 and CVE-2026-39808 for FortiSandbox both score 9.1.
The SharePoint vulnerability involves deserialization of untrusted data, allowing attackers to execute unauthorized code, while the FortiSandbox vulnerabilities are related to improper command injection allowing remote command execution. Updates and patches have been issued by both Fortinet and Microsoft. IT professionals are advised to implement these patches immediately.