Microsoft’s July 2026 Patch Tuesday delivered fixes for a record 622 vulnerabilities — including two actively exploited zero-days in Active Directory and SharePoint — while CISA added five flaws to its Known Exploited Vulnerabilities catalog and an unpatched bug in AI code editor Cursor left more than 7 million developers exposed to silent code execution.
Microsoft’s Record 622-Vulnerability Patch Round
Microsoft’s July 2026 Patch Tuesday is the largest single-month patch release on record, resolving 622 vulnerabilities across Windows, Office, Azure, Exchange Server, and other products. Windows alone received fixes for 416 vulnerabilities, while the Office suite accounted for 164 patches, according to Microsoft’s release notes.
Two zero-days confirmed as exploited in the wild anchor the release. The first, CVE-2026-56155, affects Active Directory Federation Services (AD FS) and allows local privilege escalation to administrator. The second, CVE-2026-56164, is a SharePoint Server privilege escalation flaw exploitable over the network without authentication — a particularly dangerous combination, as SecurityWeek reported.
A third flaw drawing attention is CVE-2026-50661, a BitLocker security feature bypass requiring physical access that was publicly disclosed before Patch Tuesday. Satnam Narang, senior staff research engineer at Tenable, told SecurityWeek that the disclosure “could be related to a flurry of zero-day vulnerabilities disclosed by the researcher known as Nightmare-Eclipse or Chaotic-Eclipse, though no official confirmation was made.”
Other high-severity entries flagged by the Zero Day Initiative include:
- CVE-2026-57092 — Windows VMSwitch flaw, CVSS 9.9
- CVE-2026-50522 — SharePoint RCE, CVSS 9.8
- CVE-2026-56190 — Remote Desktop Protocol RCE
- CVE-2026-50518 — Windows DHCP Server RCE
- CVE-2026-55008 — Exchange Server XSS
- CVE-2026-55010 — Minecraft Bedrock Dedicated Server RCE
SharePoint Under Active Exploitation
SharePoint is the most urgent patching priority this month. CISA added CVE-2026-56164 to its Known Exploited Vulnerabilities (KEV) catalog on Tuesday, requiring federal agencies to patch within three days under Binding Operational Directive 26-04, according to CISA’s advisory.
A second SharePoint flaw, CVE-2026-58644 (CVSS 9.8), was not initially marked as exploited but Microsoft has since updated its advisory after detecting exploitation in the wild. CISA added it to the KEV catalog two days later, again with a three-day remediation deadline. Microsoft describes it as a deserialization of untrusted data issue: “In a network-based attack, an attacker authenticated as at least a Site Owner could write arbitrary code to inject and execute code remotely on the SharePoint Server,
Related news
- CISA Adds Exploited SharePoint RCE Zero-Day CVE-2026-58644 to KEV – The Hacker News
Sources
- Fresh SharePoint Vulnerability Exploited Soon After Disclosure – SecurityWeek
- Progress Confirms Zero-Day Vulnerability Behind ShareFile Disruption – SecurityWeek
- Microsoft Patches Record 622 Vulnerabilities, Including Two Exploited Zero-Days – SecurityWeek
- Unpatched Cursor Vulnerability Exposes Users to Code Execution – SecurityWeek
- CISA Urges Immediate Patching of Exploited SharePoint Vulnerabilities – SecurityWeek






