2026-07-11T1210Z-intel
One pipeline fire, in full · intel run of 2026-07-11 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-07-11/2026-07-11T1210Z-intel.md.
Run telemetry
- Items returned
- 2
- Duration
- 12m 05s
- Tool calls
- 12 WebFetch8 WebSearch28 bridge
- Cited sources
- 2 of 18 in slice
- Items returned
- 1
- Duration
- 14m 40s
- Tool calls
- 24 WebFetch15 WebSearch6 bridge
- Cited sources
- 1 of 16 in slice
- Items returned
- 0
- Duration
- 9m 37s
- Tool calls
- 14 WebFetch38 WebSearch9 bridge
- Cited sources
- 0 of 12 in slice
- Items returned
- 1
- Duration
- 11m 46s
- Tool calls
- 20 WebFetch22 WebSearch5 bridge
- Cited sources
- 0 of 12 in slice
Verification
Deep dive
—
Entries published (this run)
- Joomla file-upload RCE wave adds RSFiles! (CVE-2026-57827, unauth, CVSS 10.0) and Phoca Download (CVE-2026-57828, CVSS 9.0) vulnerability high
- Progress MOVEit Transfer: pre-auth SFTP DoS (CVE-2026-10699), admin table-scope bypass (CVE-2026-10698) and stored XSS (CVE-2026-11903), patched 2026.0.2 vulnerability notable
Sources changed (this run)
Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.
2 last_successful_fetch.
| Source | Change | From → To | Reason |
|---|---|---|---|
| anssi-fr | last_successful_fetch | 2026-07-10 → 2026-07-11 | primary source for the three MOVEit Transfer CVEs (CERTFR-2026-AVI-0856) |
| mysites-guru | last_successful_fetch | 2026-07-10 → 2026-07-11 | primary source for Joomla RSFiles!/Phoca Download file-upload RCE; candidate, another contributing run recorded |
Coverage gaps (this run)
Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)
No coverage gaps in this run · every source the brief needed returned usable content via its documented recipe.
Bridge invocations (this run)
9 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).
- jina ×8
- url ×1
Verification & coverage notes
The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.
Verification & coverage notesrun record body
2026-07-11T1210Z-intel · Opus 4.8 · window 24 h · 2 entries published
Verification & coverage notes
Intraday fire, ~8 h after the previous run (2026-07-11T0409Z-intel). The 24 h window floor re-scanned a full day; the two published entries are the new, relevant delta the earlier fires today had not surfaced, both with primaries dated 2026-07-10. Quiet-window shape: four research streams surfaced five candidate items, two cleared the gate.
- Published (2): Joomla RSFiles!/Phoca Download file-upload RCE (CVE-2026-57827 unauth CVSS 10.0 / CVE-2026-57828 auth CVSS 9.0;
high) — new members of the tracked Joomla-extension file-upload wave, cleared the gate on the wave's demonstrated rapid disclosure-to-KEV pattern and the pre-auth CVSS 10.0 exposure on widely-deployed municipal Joomla; and Progress MOVEit Transfer three CVEs (CVE-2026-10699 pre-auth SFTP DoS / CVE-2026-10698 admin table-scope bypass / CVE-2026-11903 stored XSS;notable) — a clearly-relevant, national-CERT-surfaced (CERT-FR) patch-prioritisation item for a notorious internet-facing MFT product in the profiled public-sector/finance sectors; severity doubt on a clearly-relevant item resolved toward include at the priority the cited facts support. - borderline-drop: Keycloak 26.7.0 (CVE-2026-9796/9689/9798/11986) — the EU public-sector reference IdP is squarely relevant, but these four are a routine monthly release with no exploitation, no public PoC and no vendor-published CVSS, single-sourced to the vendor release notes (the four CVEs' GitHub issue links 403'd on direct fetch and the reader), and dated 2026-07-09 (~60 h, outside the 24 h floor). Below the bar the vulnerability gate sets (action beyond the regular patch cycle) on sourcing and recency both; recoverable via an update if exploitation emerges.
- out-of-window: CISA's forensic postmortem "Lessons from CISA's Cyber Incident" (the May GovCloud contractor credential leak) — surfaced as a candidate update on the store's existing May incident, but the primary was published 2026-06-09 (per Infosecurity Magazine, 2026-07-10), ~32 days stale. The 2026-07-08/10 trade-coverage wave (Infosecurity, SC Media, CyberScoop, Cybernews) is delayed pickup of a month-old CISA post, not a fresh CISA development, so there is no in-window delta to hang an update on — publishing it now would be the "month-old news as new" trap. The deep-read pinned this: jina metadata showed 2026-06-23 and the S4 stream reported 2026-07-09, but the authoritative date is 2026-06-09. Dropped on recency.
- Dedup: both published items are genuinely new CVEs absent from the 14-day in-context window and the store-wide CVE index; the Joomla item cites the existing
trend:joomla-extension-file-upload-rce-waveentity, whose summary was extended this run to record iCagenda, RSFiles! and Phoca as additional members (an entity-summary update, not a new entity — nothing added to the registry namespace). The research streams correctly excluded, without republishing, a long list of already-covered items today/this week (Zimbra, Gitea CVE-2026-20896, Cisco SD-WAN/ISE, BeyondTrust, Citrix NetScaler, Januscape, Langflow, Siemens SICAM 8, Sygnia AI-AWS, SentinelLabs e-gov watering hole, Talos wolfSSL batch, GigaWiper, GodDamn/PoisonX, ESET H1 report). - Verification / sourcing: Joomla item is multi-source (mySites.guru discoverer + RSJoomla! vendor advisory for RSFiles!; discoverer + vendor 6.1.3 fix + CVE-record assignment for Phoca). Resolved a Phoca CVSS discrepancy at deep-read: the mySites.guru post said the CVE was "pending" and rated it 7.7, but the authoritative CVE record (Joomla CNA) shows CVE-2026-57828 assigned at CVSS 4.0 9.0 — assigned after the blog; frontmatter uses the authoritative 9.0. MOVEit item's primary is the CERT-FR advisory; per-CVE CVSS/CWE/version detail corroborated against the Progress-assigned CVE records (verified on CVE.org, cited via the THREATINT mirror). Progress's own MOVEit community bulletin is a JS-only page that 401'd the reader this run, so it is not cited; a MOVEit version discrepancy (CERT-FR 2026.0.2 vs CVE metadata 2026.0.1 for the 2026.x branch) is flagged in the entry — defenders verify against their build.
- Fake-news / recency guards that fired in research (correctly excluded): a ~40-victim "Deadlock" EU ransomware leak-site mass-listing (incl. a Czech municipality and a Swiss manufacturer), a MedusaLocker claim against a Zurich cantonal Baudirektion (bd.zh.ch) domain, and French/Mayotte commune leak-site claims — all unverified leak-site relays with no victim confirmation or high-reliability journalism; two recycled-news traps (a January-2025 RTS Swiss federal-administration story and a June-2025 Fondation Radix story still indexed as if current); and out-of-window items (Accenture breach 3 days stale, EU NIS2/CJEU referral — flagged for the weekly). The bd.zh.ch cantonal item is flagged for a targeted internal check in a future run given the deployment's own Zurich nexus.
- Priority: no
criticaland nohigh-for-notification beyond the Joomla item'shigh(pre-auth CVSS 10.0 RCE within an actively-exploited wave, on infrastructure widely deployed across the constituency's municipal web estate — genuinely TL;DR-worthy patch-now signal). No deep dive: no candidate cleared the bar (deep_dives_todaywas 0; no active in-the-wild exploitation with constituency exposure to justify long-form treatment, and no depth manufactured to fill the slot). - ATT&CK: mapped against the pinned dataset (v19.1) — Joomla T1190/T1505.003; MOVEit T1190/T1499.004/T1059.007; all validated active, each naming a behavior the body describes.
- Coverage gaps: cert-eu (feed stale, freshest advisory 2026-06-10); ncsc-uk (freshest ~2026-04-07, index returned only a JS shell); cert-pl (freshest 2026-06-12, quiet); jpcert (in-window items low-severity single-vendor, below the bar); vulncheck, watchtowr, exodus-intelligence, calif-codex, xlab-qianxin, seqrite-labs, sophos-xops, sansec-research, volexity, fox-it-blog, sygnia (all reachable, no in-window content); industrialcyber-co (persistent anti-bot block on article pages via WebFetch AND the reader, feed-only reachable — flagged 7+ runs, classed handled by source_health via its recipe, a 403 never demotes). None are unrecovered transport failures that cost published coverage.
- Essential-coverage: missed=cisa-advisories, cisa-directives (the active-threats stream swept CISA KEV via the bridge fetcher but did not confirm a fetch of the CISA advisories/directives feeds this run; both were quiet on the previous fire ~8 h ago and cisa-advisories last returned 200 with no in-window addition — no evidence of an emergency advisory missed, but recorded as an essential miss for the next run's rotation).
- Watchlist: no products/suppliers configured — sweep is a no-op (S1 products 0/0, S4 suppliers 0/0); parseable line omitted per policy.
- source_health.py: 157/157 probed in 50 s (95 ok, 62 bridge-ok), zero UNSOLVED — no repair orders this run.
← Operations dashboard · day page 2026-07-11 · run-record contract: docs/pipeline.md