Clinical Cyber Dispatch · Free Edition · Issue date: 26 May 2026
Healthcare cyber intelligence — decision brief
Critical-Now CVEs: 4 (4 require an exposure decision)
Action Queue: 3 with full remediation cards; 1 Critical-Now item in the Decision Board for exposure review
Exploit signal: 8 CISA KEV items, all 8 also corroborated by VulnCheck; no VulnCheck-only additions this window
Last verified: 27 May 2026 17:13 UTC
Retained unresolved risk remains critical; see Retained CVE Watch for closure tracking.
CISO Quick Read
Critical-Now CVEs: 4 (4 require an exposure decision)
Action Queue: 3 with full remediation cards
Exposure review: 1 Critical-Now item in the Decision Board
Policy monitors: 2 (AI/CIRCIA monitoring only)
This week's decision: Validate whether these 4 Critical-Now KEV items are locally exposed, and whether legacy Microsoft dependencies are true production use or residue: CVE-2026-48172 — LiteSpeed cPanel Plugin, CVE-2026-9082 — Drupal, CVE-2010-0249 — Microsoft Internet Explorer, and CVE-2010-0806 — Microsoft Internet Explorer. Patch with the applicable vendor bulletin/KB, or isolate, decommission, migrate, or formally except. Route AI policy items to monitoring/vendor-diligence, not binding-compliance work.
CISO Action Brief / Today’s Decisions
- Action Queue remediation. Scope: 3 Critical-Now CVEs with full remediation cards. Decision: assign a remediation owner and an exception path. Action: use the Action Queue cards for source-backed bulletin, fixed-version, mitigation, or decommission guidance.
- Critical-Now exposure review. Scope: 1 Critical-Now CVE outside the Action Queue: CVE-2010-0806 — Microsoft Internet Explorer. Decision: confirm local product/vendor presence before emergency work. Action: confirm deployment in the Decision Board, then promote to remediation or document no exposure.
- Policy monitors. Scope: AI/CIRCIA monitoring only. Decision: monitoring/vendor diligence only. Action: route to CIO/CMIO, Privacy/Compliance, Procurement, and AI governance; do not treat as binding compliance until a signed or final official action exists.
- Healthcare Incident Watch. Scope: verified material plus secondary-source awareness. Decision: awareness unless local scope exists. Action: review only when organization, vendor, or patient-data scope exists.
What changed since last issue
- 4 CRITICAL-NOW items this week; 3 have full Action Queue remediation cards; 1 remains in the Decision Board for exposure review. Use the Action Queue for the CVE-specific remediation path.
- Exploit-priority signal: 8 CISA KEV items; 8 also corroborated by VulnCheck. No VulnCheck-only additions this window.
- 7 healthcare incident/disclosure candidates reviewed; no verified-material action items. 3 secondary-source awareness cards are shown; 2 additional secondary-awareness items and 2 historical/context items remain tracked but not displayed.
How to use the Action Queue
Not every CVE in this brief requires the same response. Use this 3-step framework before assigning work:
- Patch / harden — for every CVE listed in the Action Queue. Listing on KEV is not a breach by itself; it means the patch or documented exception should ship within the deadline.
- Open a security investigation — only if you have environmental evidence of exploitation, such as IDS hits, suspicious authentication, or vendor-signature matches.
- Open a HIPAA breach risk assessment — only if evidence shows unauthorized access, acquisition, use, or disclosure of PHI/ePHI in your environment.
Action Queue — validate these 3 now
Free content: includes priority, HRS, deadline, action, evidence, and Source Pack. HRS is the Healthcare Relevance Score: a 0-100 operational score using clinical, data-path, device/OT, vendor, and identity axes. It is not CVSS; use it for validation. HRS rubric.
CVE-2026-9082 — Drupal: security vulnerability
Why healthcare should care. Where it shows up: hospital websites, physician-practice pages, service-line pages, intranets, appointment/referral forms, donation pages, and portal handoff pages. What could happen: attackers can use a vulnerable CMS to change trusted healthcare content, redirect users, capture credentials, tamper with forms, or pivot through the web host. Local check: identify affected Drupal/CMS instances, public exposure, form handling, portal or payment handoffs, admin activity, and vendor ownership before privacy escalation.
Required action
Patch to version 10.5.10 or later. If immediate patching is not possible, document exception, compensating controls, owner, and target remediation date.
Privacy / breach guardrail
Apply universal privacy/breach guardrail; escalate only with local evidence.
Last verified: 2026-05-27 13:13 ET
Source checked: 26 May 2026 19:41 ET (26 May 2026 23:41 UTC)
Freshness: current
Evidence note: Prioritized because the CISA KEV and VulnCheck KEV listings affect a deployed healthcare-relevant technology category.
Fixed releases
- 10.5.10
CVE-2026-48172 — LiteSpeed User-End cPanel Plugin: privilege escalation
Why healthcare should care. Where it shows up: cPanel/WHM hosting (shared, managed, or vendor-run) behind public, patient-facing, marketing, physician-practice, or intranet web properties, most commonly WordPress sites. What could happen: a privilege-escalation flaw in a hosting control-panel plugin can give an attacker root on the hosting server, exposing every site, database, and credential on that host rather than a single page or theme; site integrity, redirects, credentials, and patient-facing trust are therefore all in scope. Local check: confirm the plugin is installed and its version, which sites share the host, WAF coverage, recent admin and cPanel account changes, the fixed release, and whether patient-facing workflows run on that host.
Required action
Patch to version 2.4.7. If immediate patching is not possible, document exception, compensating controls, owner, and target remediation date.
Privacy / breach guardrail
Apply universal privacy/breach guardrail; escalate only with local evidence.
Last verified: 2026-05-27 13:13 ET
Source checked: 26 May 2026 19:41 ET (26 May 2026 23:41 UTC)
Freshness: current
Evidence note: Prioritized because the CISA KEV and VulnCheck KEV listings affect a deployed healthcare-relevant technology category.
Fixed releases
- 2.4.7
CVE-2010-0249 — Microsoft Internet Explorer: Internet Explorer remote code execution
Why healthcare should care. Where it shows up: kiosks, jump hosts, vendor-maintained workstations, old intranet apps, and medical-device or lab-console dependencies that still require legacy Internet Explorer. What could happen: if that browser is still usable, exploitation can become a legacy endpoint foothold toward trusted internal applications or clinical-network segments; it is not an automatic EHR or PHI finding. Local check: confirm the browser version, whether it can reach untrusted content, and whether the host has access to clinical, device, identity, or vendor support workflows.
Required action
Validate whether Internet Explorer 5.01, 6, 7, or 8 exists on affected legacy Windows platforms. Apply MS10-002 / KB978207 where still applicable, or decommission/isolate unsupported browser dependencies and document exception.
Privacy / breach guardrail
Apply universal privacy/breach guardrail; escalate only with local evidence.
View sources and technical details
- NVD record
- CISA KEV catalog entry
- Vendor advisory
- EPSS reference
- Primary source
- Microsoft MS10-002 bulletin
- Microsoft KB978207
Last verified: 2026-05-27 13:13 ET
Source checked: 26 May 2026 19:41 ET (26 May 2026 23:41 UTC)
Freshness: current
Evidence note: Prioritized because the CISA KEV listing and the vendor source affect a deployed healthcare-relevant technology category.
Exposure review: 1 CRITICAL-NOW item remains in the Decision Board: CVE-2010-0806 (Microsoft Internet Explorer).
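A worked host check for the two legacy Internet Explorer items above (CVE-2010-0249 with MS10-002 / KB978207 in the Action Queue, and CVE-2010-0806 with MS10-018 / KB980182 in the Decision Board). This is an added example, not code from the brief or from Microsoft. It assumes PowerShell 3 or later on the host; the registry value names (Version, svcVersion) and Get-HotFix are standard Windows, while the scope rules and decision labels are this example's own reading of the brief.

```powershell
# Added example (not from the brief or Microsoft): inventory legacy IE presence
# on one Windows host and check for the two KBs named in the brief.
# Assumes PowerShell 3+; the value names below are the standard IE registry values.
$ieKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$ie    = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue

# IE 10+ writes 'svcVersion'; IE 9 and earlier only write 'Version'.
$ieVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
$major     = if ($ieVersion) { [int]($ieVersion.Split('.')[0]) } else { $null }

# Scope as stated in the brief:
#   CVE-2010-0249 -> IE 5.01/6/7/8   (MS10-002, KB978207)
#   CVE-2010-0806 -> IE 6/6 SP1/7    (MS10-018, KB980182)
$needed = @()
if ($null -ne $major -and $major -le 8) { $needed += 'KB978207' }
if ($major -eq 6 -or $major -eq 7)      { $needed += 'KB980182' }

# Get-HotFix only sees the KB itself; later IE cumulative updates superseded
# both, so a "missing" KB on an otherwise-updated host needs a second look.
$installed = @{}
foreach ($kb in 'KB978207', 'KB980182') {
    $installed[$kb] = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
}
$missing = @($needed | Where-Object { -not $installed[$_] })

# A present binary that can still browse untrusted content is the exposure.
$iexplore = Test-Path (Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe')

$decision = if ($needed.Count -eq 0) { 'not-in-scope (IE 9+ or no IE)' }
            elseif ($missing.Count -eq 0) { 'KBs present; confirm no untrusted browsing' }
            else { "affected: missing $($missing -join ', '); patch, isolate, or document exception" }

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    IEVersion      = $ieVersion
    IExploreOnDisk = $iexplore
    KB978207       = $installed['KB978207']
    KB980182       = $installed['KB980182']
    Decision       = $decision
}
```

Run it across the legacy inventory with Invoke-Command -ComputerName (Get-Content .\legacy-hosts.txt) -FilePath .\Check-LegacyIE.ps1 and keep the output as the exposure-decision evidence. Two caveats: later cumulative Internet Explorer updates superseded both KBs, so a host that shows them missing but carries a newer IE cumulative update is patched rather than affected; and hosts too old to run PowerShell (the IE 5.01/6-era platforms) need the same check through reg query and wmic qfe.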
Retained CVE Watch — 5 prior open items (5 critical/KEV) retained from prior issues and outside this week's Critical-Now and Action Queue.
Retention policy: CISA KEV, VulnCheck KEV, active-exploitation, and operational CRITICAL-priority items remain for 30 days unless resolved; HIGH items retain for 14 days; MEDIUM watch items retain for 7 days.
CVE-2026-6973 — Ivanti Endpoint Manager Mobile (EPMM)
Why retained: CISA KEV / critical-exploitation retention window (30 days)
Current action: Confirm whether this prior open item is resolved, accepted by exception, or still present.
Patch status: Fixed-release or mitigation path documented in the CISA/vendor source.
Source deadline: 2026-05-10. Age-out date: 2026-06-06 (10 days remaining).
KEV status: CISA KEV — federal mandate, patch by 2026-05-10.
CVE-2026-0300 — Palo Alto PAN-OS
Why retained: CISA KEV / critical-exploitation retention window (30 days)
Current action: Restrict the User-ID Authentication Portal to trusted zones and trusted IPs, monitor Threat ID 510019 where supported, and apply the branch-specific fixed PAN-OS release
Patch status: Fixed releases are available for several PAN-OS branches per Palo Alto Networks advisory (for example 12.1.4-h5, 11.2.7-h13, 11.2.10-h6, 11.1.4-h33, 11.1.6-h32, 11.1.10-h25, 11.1.13-h5, 10.2.10-h36, and 10.2.18-h6); some branch fixes remain ETA-based. Compensating control: restrict User-ID Authentication Portal access immediately.
Source deadline: Immediate. Age-out date: 2026-06-07 (11 days remaining).
KEV status: CISA KEV — federal mandate, patch by 2026-05-09.
CVE-2026-42208 — LiteLLM
Why retained: CISA KEV / critical-exploitation retention window (30 days)
Current action: Upgrade LiteLLM to v1.83.10-stable (deployments still on 1.83.7 are the affected case in the remediation reference), review Postgres exposure, and rotate OpenAI, Anthropic, and Azure OpenAI keys if exposed
Patch status: YES — v1.83.10-stable.
Source deadline: Immediate. Age-out date: 2026-06-07 (11 days remaining).
KEV status: CISA KEV — federal mandate, patch by 2026-05-11.
CVE-2026-6692 — Slider Revolution / WordPress ecosystem
Why retained: VulnCheck KEV retention window (30 days)
Current action: Confirm whether this prior open item is resolved, accepted by exception, or still present.
Patch status: Fixed release available; confirm the exact version from the vendor source before closure.
Source deadline: Immediate. Age-out date: 2026-06-07 (11 days remaining).
KEV status: VulnCheck KEV.
CVE-2026-20182 — Cisco Catalyst SD-WAN
Why retained: CISA KEV / critical-exploitation retention window (30 days)
Current action: Review CISA Emergency Directive 26-03 and Cisco SD-WAN guidance, verify affected controllers/managers, apply the Cisco fixed release for the deployed train (20.9.9.1, 20.12.5.4, 20.12.6.2, 20.12.7.1, 20.15.4.4, 20.15.5.2, 20.15.506, 20.18.2.2), and document mitigation or exception status
Patch status: Fixed-release or mitigation guidance is documented in the CISA/Cisco source; verify the affected train and apply the matching fixed release listed above or the required mitigation.
Source deadline: 2026-05-17. Age-out date: 2026-06-13 (17 days remaining).
KEV status: CISA KEV — federal mandate, patch by 2026-05-17.
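Three items in this issue reduce to the same closure question: is the deployed version at or past the fixed release for its train? The Drupal card gives a single fix ("10.5.10 or later"), the LiteLLM item a single fix (v1.83.10-stable), and the Cisco SD-WAN item one fix per train. The following is an added example, not code from the brief, Drupal, Cisco, or LiteLLM, that does that comparison branch-aware so a 10.6.x Drupal or a 20.12.8.x SD-WAN controller is sent to the advisory instead of being silently called fixed. The fixed-release lists are copied from the brief as printed (including "20.15.506"); the host names and deployed versions are constructed sample input.

```python
"""Branch-aware fixed-release check for items in this brief.

Added example; not code from the brief, Drupal, Cisco or LiteLLM. Fixed
release lists are copied from the brief as printed; hosts and deployed
versions in the sample inventory are constructed.
"""
import re

DRUPAL_FIXED = ["10.5.10"]            # Drupal card: "10.5.10 or later"
LITELLM_FIXED = ["v1.83.10-stable"]   # LiteLLM retained item
SDWAN_FIXED = ["20.9.9.1", "20.12.5.4", "20.12.6.2", "20.12.7.1",
               "20.15.4.4", "20.15.5.2", "20.15.506", "20.18.2.2"]  # Cisco SD-WAN trains

_VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)")


def parse_version(text):
    """'10.5.10' -> (10, 5, 10); 'v1.83.10-stable' -> (1, 83, 10). Suffixes are dropped."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def _common_prefix(a, b):
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def classify(deployed, fixed_releases):
    """Return fixed | affected | newer-than-listed-fix | no-listed-fix-for-train.

    A fix's "train" is every component but the last (10.5.x, 20.12.5.x). Only a
    deployed version on the same train as a listed fix is called fixed or
    affected outright; anything else is routed to the vendor advisory.
    """
    d = parse_version(deployed)
    fixed = [parse_version(f) for f in fixed_releases]
    scored = [(_common_prefix(d, f), f) for f in fixed]
    best = max(n for n, _ in scored)
    # Closest train; if several fixes share it, the latest one is the target.
    target = max(f for n, f in scored if n == best)
    if best >= len(target) - 1:
        return "fixed" if d >= target else "affected"
    if d > target:
        return "newer-than-listed-fix"      # e.g. 10.6.0 against a 10.5.10 fix
    return "no-listed-fix-for-train"        # older or unlisted train: keep open


def review(inventory, fixed_releases):
    """inventory: {host: deployed_version} -> {host: status}."""
    return {host: classify(ver, fixed_releases) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"www-cms-01": "10.5.9", "intranet-cms": "10.5.10", "donate-cms": "10.6.0"}
    for host, status in review(sample, DRUPAL_FIXED).items():
        print(f"{host:14} {sample[host]:10} {status}")
    for ver in ("20.12.5.3", "20.12.6.2", "20.12.8.0", "20.10.1.1"):
        print(f"sd-wan         {ver:10} {classify(ver, SDWAN_FIXED)}")
```

Only "fixed" closes an item; "affected" goes to the Action Queue owner, and the two advisory statuses stay open until the vendor source confirms the train, which is the check the retention policy above expects before age-out.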
Landscape Watch
Sector read
7 healthcare incident/disclosure candidates reviewed; no verified-material action items. 3 secondary-source awareness cards are shown; 2 additional secondary-awareness items and 2 historical/context items remain tracked but not displayed. Vendor advisory watch: no reader action this week.
Named actor and tooling watch
Actor/tooling items are shown here as bounded Landscape Watch context. They become current healthcare alerts only when this window includes an HPH-sector source, healthcare victim, or healthcare-specific campaign evidence.
Background SOC context
These items are retained as low-prominence SOC context. They are not current healthcare alerts unless this window includes healthcare victim, HPH-sector, or campaign-specific evidence.
- Cobalt Strike — background SOC context. Generic IOC activity observed; no current healthcare-specific campaign verified. Evidence sources: AlienVault OTX threat pulses, ThreatFox IOC feed (Abuse.ch).
- Lazarus Group — background SOC context. Historical HPH relevance retained; current generic IOC mentions only. Evidence sources: AlienVault OTX threat pulses, ThreatFox IOC feed (Abuse.ch).
Medical device / OT watch: No material healthcare OT/ICS or medical-device signal crossed the action threshold this week.
Healthcare Incident Watch — no verified material action items
7 healthcare incident/disclosure candidates reviewed; no verified-material action items. 3 secondary-source awareness cards are shown; 2 additional secondary-awareness items and 2 historical/context items remain tracked but not displayed.
Source quality note: official notices, regulator postings, OCR/HHS portal entries, court/settlement documents, and company notices outrank secondary reporting (see Methodology). Visible awareness items are concentrated in HIPAA Journal this week because no verified primary-source incident item cleared the display threshold and other monitored feeds did not return stronger official incident evidence.
New lawsuit
26 May 2026 · HIPAA Journal
Mission Community Hospital Pays $1.55M to Settle Data Breach Lawsuit
Deanco Healthcare, LLC, the operator of Mission Community Hospital, an acute care hospital serving patients in the San Fernando Valley
Source date: 26 May 2026. Current because: new lawsuit.
Source quality: Secondary-source awareness; official notice not verified.
Reader relevance: Useful for litigation, privacy/compliance trend monitoring, and vendor-contract awareness; not evidence of a new breach wave.
Recent incident/disclosure window
21 May 2026 · HIPAA Journal
California & Washington Healthcare Providers Announce Data Breaches
Data breaches have been announced by Family Health Centers of San Diego, Totem Lake Family Dentistry, and Glendora Surgery Center.
Source date: 21 May 2026. Current because: recent incident/disclosure window.
Source quality: Secondary-source awareness; official notice not verified.
Reader relevance: Use as an awareness pointer for named entities and regional/vendor exposure. Local action depends on confirmed organizational, vendor, or patient-data scope.
Recent incident/disclosure window
20 May 2026 · HIPAA Journal
Verizon: Healthcare Sector Facing Sustained, Multi-vector Attacks
Verizon has published its 2026 Data Breach Investigations Report, which shows that the healthcare sector continues to be targeted by
Source date: 20 May 2026. Current because: recent incident/disclosure window.
Source quality: Secondary-source awareness; official notice not verified.
Reader relevance: Awareness item only. Review if your organization, vendor, region, service line, or patient-data relationship is in scope; do not initiate breach response from secondary reporting alone.
2 additional secondary-awareness items and 2 historical/context items remain tracked but not displayed unless local scope is confirmed.
Regulatory & Privacy
What we are watching
1 regulatory/privacy monitoring item elevated this window; no new binding rule was verified.
Standing watch: CIRCIA final rule timing, HIPAA Security Rule modernization, Health Care Cybersecurity and Resiliency Act movement, OCR settlement patterns, FDA medical-device cybersecurity, HHS HC3 sector alerts, CISA KEV healthcare exposure, and federal AI policy that changes healthcare vendor diligence.
This week: Review the monitor item below and route participation/readiness review to security, privacy, legal, and emergency-management owners. Last checked: 26 May 2026 23:37 UTC.
CIRCIA stakeholder update — monitor / consider participation
Status: Monitor / consider participation
What changed: CISA announced a revised CIRCIA stakeholder-engagement schedule. This is not a new binding reporting obligation.
Why healthcare cares: The update affects covered critical infrastructure incident-reporting scope and burden. Healthcare security, privacy, legal, and emergency-management leaders should monitor scope, burden, incident-reporting readiness, and ransomware-payment governance.
Reader action: Monitor the schedule and consider participation where Healthcare and Public Health Sector scope, incident-reporting burden, or reporting-readiness ownership is in scope.
Topic: CIRCIA
Status: Revised stakeholder schedule announced
Why we watch: Mandatory 72-hour cyber incident reporting and 24-hour ransomware payment reporting for covered healthcare...
This week’s action: Review the schedule; consider registering or submitting input if incident-reporting scope, ransomware-payment reporting, reporting burden, or HPH-sector impact affects your organization.
Standing watchlist (remaining reference items) · 10 items
No other standing item changed a deadline, owner, privacy posture, or security action this week.
Collapsed groups: 7 federal actions; 3 state or international items.
Standing-watch methodology and canonical source list: /methodology/.
Federal watch items
- HIPAA Security Rule update (NPRM 2024) — NPRM published Federal Register 2025-01-06. Final rule timeline not yet announced. Adds explicit MFA, encryption, and incident response controls. Why we watch: First substantive HIPAA Security Rule update in over a decade — closes longstanding gaps around MFA, vulnerability management, and incident-response evidence workflows. Forecast: If finalized substantially as proposed, expect heavier documentation, MFA, encryption, segmentation, testing, and incident-response evidence requirements. HHS OCR HIPAA Security Rule NPRM fact sheet: “Require the use of multi-factor authentication, with limited exceptions.” (Monitor; no action this week.) Source
- Health Care Cybersecurity and Resiliency Act of 2025 — Reported / not final. Senate companion under HELP Committee review. Provides authorities for HHS-CISA coordination and minimum cyber standards for healthcare entities. Why we watch: Would codify mandatory minimum cybersecurity standards for healthcare and authorize HHS-CISA cyber incident coordination — the closest thing to a sector-wide cyber baseline currently moving. Forecast: If the bill advances, anticipate procurement and governance pressure around baseline controls rather than an immediate compliance deadline. (Monitor; no action this week.) Source
- OCR HIPAA enforcement and incident-reporting activity — Routine OCR enforcement and reporting updates monitored. Watch for resolution agreements citing security-rule failures (risk analysis, MFA, log retention). Why we watch: OCR settlements reveal which control failures are actively being penalized — direct input into your control-prioritization roadmap. Forecast: Expect OCR enforcement patterns to keep rewarding demonstrable risk analysis, risk management, and evidence of security-rule follow-through. (Monitor; no action this week.) Source
- FDA medical-device cybersecurity guidance & safety communications — FDA pre-market cybersecurity guidance (2023) in effect. Watch for SaMD AI/ML cyber guidance and post-market vulnerability advisories. Why we watch: Vendors must demonstrate cybersecurity in the pre-market submission. Post-market FDA safety communications can drive emergency clinical-engineering action. Forecast: Expect continued vendor-evidence pressure for device cybersecurity, especially patchability, post-market monitoring, and coordinated vulnerability disclosure. (Monitor; no action this week.) Source
- HHS HC3 / sector cyber alerts — Routine sector alerts and threat briefs monitored. Higher-frequency advisories during active campaign periods. Why we watch: HC3 issues healthcare-specific TTP intel (ransomware groups targeting clinics, telehealth-specific threats) often days ahead of industry coverage. Forecast: Expect this to remain a weekly threat-intel input, with higher action value when HC3 names a campaign, sector target, or mitigation. (Monitor; no action this week.) Source
- CISA KEV additions affecting healthcare-deployed software — Tracked daily. Healthcare-relevant additions surface in CVE Decision Board with operational priority Critical. Why we watch: CISA KEV addition = federal mandate (BOD 22-01 timelines) for FCEB agencies and a strong signal for healthcare. Immediate-action trigger. Forecast: Expect KEV additions to remain the strongest public signal for urgent patch governance and exception review in healthcare environments. (Monitor; no action this week.) Source
- White House / OMB / NIST / CAISI AI policy affecting healthcare — Active. Federal AI policy posture is shifting; watch for AI executive orders, NIST AI RMF updates, and CAISI evaluation guidance affecting healthcare AI deployments. Why we watch: Federal AI governance defines what evaluations, evidence, and assurances healthcare AI vendors must produce — direct procurement and validation impact. Forecast: Expect AI governance to translate into vendor-diligence questions before it becomes a single healthcare-specific compliance checklist. (Monitor; no action this week.) Source
State / international watch items
- Washington My Health My Data Act — State health-data privacy law in force. Watch for enforcement activity and vendor-contract implications involving non-HIPAA consumer health data. Why we watch: Healthcare-adjacent apps, digital front doors, marketing pixels, and wellness programs can create state-law privacy exposure even when HIPAA does not apply. Forecast: Expect continued state attention on consumer health data, especially web tracking, apps, and non-HIPAA wellness workflows. (Monitor; no action this week.) Source
- California CPPA / CCPA health-data privacy enforcement — State privacy enforcement monitored for health-data, tracking-technology, and vendor-processing implications. Why we watch: Large health systems with California patients or web properties need a view of privacy notices, tracking tech, and service-provider obligations outside HIPAA. Forecast: Expect California privacy enforcement to keep shaping tracking-technology reviews and service-provider contract evidence. (Monitor; no action this week.) Source
- EU AI Act / NIS2 healthcare supplier exposure — International regulatory posture monitored for multinational health systems and suppliers serving EU-regulated healthcare environments. Why we watch: EU AI and cyber-resilience obligations can affect vendor due diligence, clinical AI assurance, and supplier security evidence for global healthcare organizations. Forecast: Expect multinational suppliers to package EU AI and cyber evidence into healthcare procurement responses over the next planning cycle. (Monitor; no action this week.) Source
Official regulatory source update detected this window.
Last verified: 26 May 2026 23:37 UTC
AI & Clinical Automation Watch
Editorial read
No new AI-infrastructure CVE crossed the action threshold this window. Retained AI-infrastructure watch item: CVE-2026-42208 (LiteLLM).
This week: keep retained AI gateway items visible until closure: verify fixed versions, validate exposure, and rotate provider keys if compromise cannot be ruled out.
Possible federal AI/cybersecurity executive-order activity is elevated this week because of reported federal activity and HHS AI oversight reporting.
1. AI Policy & Model Governance (elevated monitor)
Potential AI/cybersecurity executive order monitor — elevated
Why healthcare cares: No signed binding action verified this week, but current reporting indicates a planned or postponed AI/cybersecurity action. Healthcare relevance: monitor future model-assurance, vendor-diligence, and critical-infrastructure cybersecurity expectations.
Recommended action: Treat as elevated monitoring, not a binding compliance change, unless an official White House, OMB, NIST/CAISI, HHS, FDA, or OCR source creates a binding obligation.
Confidence: Medium — reporting plus official negative checks
Source status: monitoring-level signal; canonical reporting not fully verified. — 2026-05-27
HHS AI oversight monitor
Elevated monitor. Why healthcare cares: HHS is expanding AI review of audits from states and federal grant recipients. Privacy/compliance relevance: monitor governance, accuracy, appeal safeguards, audit documentation, and funding-risk implications.
Recommended action: Route to privacy, compliance, and audit leadership for monitoring; do not initiate HIPAA/OCR notification workflows from this policy signal alone absent local evidence.
Confidence: Medium — agency/reporting source
Source ↗ — 2026-05-27
AI Infrastructure Watch (no change)
CVE-2026-42208 — LiteLLM: retained KEV AI gateway watch
Retained watch. Why healthcare cares: LiteLLM is an AI gateway/proxy pattern that can hold provider keys, prompts, query history, or patient-context workflow data in healthcare deployments. It remains on the retained CVE watch and ages out in 11 days unless resolved.
Recommended action: Keep the item visible until closed: verify patched LiteLLM versions, review Postgres query logs and LiteLLM application logs, and rotate OpenAI, Anthropic, and Azure OpenAI provider keys if exposure cannot be ruled out.
Confidence: High — retained CISA KEV / prior issue state
Source ↗ — 2026-05-27
Trending tactics: attackers continue to favor internet-reachable control planes, API gateways, and automation middleware because those systems often hold tokens, route requests, and bridge multiple clinical or administrative workflows. Treat AI gateways like identity-adjacent infrastructure: log access, narrow network reachability, and review prompt or key exposure before rotating credentials.
AI Action This Week
- Patch any AI gateway / inference component listed in AI Infrastructure Watch, including CVE-2026-42208.
- Forward any items in AI Policy & Model Governance to CIO/CMIO and procurement; refresh AI vendor diligence questions accordingly.
- If AI gateways may handle PHI, confirm BAA review, PHI-redaction, audit logging, and human-in-the-loop controls.
LiteLLM CVE-2026-42208 remediation reference: upgrade from 1.83.7 to 1.83.10-stable; review Postgres database log, query log, query history, and credentials table access; rotate OpenAI, Anthropic, and Azure OpenAI provider keys.
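The remediation reference above, and the retained-watch entry before it, ask for a review of the Postgres query log and credentials-table access before deciding whether provider keys must be rotated. The following is an added example of that review logic, not code from LiteLLM, PostgreSQL, or the brief. It assumes the database logs with log_statement = 'all' and log_line_prefix = '%m [%p] %u@%d %r '; the table names, the application role, and the allowed client network are placeholders to be replaced with the deployment's own schema and hosts, and the log lines in SAMPLE_LOG are constructed for the demonstration.

```python
"""Review Postgres statement logs behind an AI gateway for credential-table access.

Added example for the LiteLLM retained item (CVE-2026-42208); not code from
LiteLLM, PostgreSQL or the brief. Assumes log_statement = 'all' and
log_line_prefix = '%m [%p] %u@%d %r '. Table names, app role and allowed
network are placeholders; SAMPLE_LOG is constructed.
"""
import ipaddress
import re

# Placeholders: substitute the credential-bearing tables, the application DB
# role and the gateway subnets from your own deployment.
SENSITIVE_TABLES = {"LiteLLM_VerificationToken", "LiteLLM_Config"}
APP_ROLE = "litellm"
ALLOWED_CLIENTS = [ipaddress.ip_network("10.20.0.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"(?P<client>\[local\]|[0-9a-fA-F.:]+)(?:\(\d+\))? LOG:\s+statement: (?P<sql>.+)$"
)
# Relation names after the keywords that introduce one, quoted or not.
TABLE_RE = re.compile(
    r'\b(?:FROM|JOIN|UPDATE|INTO|TABLE|COPY)\s+"?([A-Za-z_][A-Za-z0-9_]*)"?', re.I
)

SAMPLE_LOG = [  # constructed lines, not from a real deployment
    '2026-05-26 22:41:07.103 UTC [4112] litellm@litellm 10.20.0.5(51234) LOG:  statement: '
    'SELECT "token","key_name" FROM "LiteLLM_VerificationToken" WHERE "token" = $1',
    '2026-05-26 22:41:07.880 UTC [4112] litellm@litellm 10.20.0.5(51234) LOG:  statement: '
    'SELECT "model_name" FROM "LiteLLM_ModelTable" WHERE "model_id" = $1',
    '2026-05-26 22:41:09.457 UTC [4190] postgres@litellm 198.51.100.23(40111) LOG:  statement: '
    'SELECT "token","key_name","expires" FROM "LiteLLM_VerificationToken"',
    '2026-05-26 22:41:12.002 UTC [4203] litellm@litellm 10.20.0.9(51300) LOG:  statement: '
    'COPY "LiteLLM_Config" TO STDOUT',
    '2026-05-26 22:41:12.900 UTC [4203] litellm@litellm 10.20.0.9(51300) ERROR:  '
    'permission denied for table "LiteLLM_Config"',
]


def parse_line(line):
    """Return the prefix fields and SQL of a statement line, or None for other lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def client_allowed(client):
    if client == "[local]":
        return True
    return any(ipaddress.ip_address(client) in net for net in ALLOWED_CLIENTS)


def review(lines):
    """Flag statements that touch a sensitive table from an unexpected role,
    an unexpected client, or as a bulk read; returns one finding per line."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        touched = set(TABLE_RE.findall(rec["sql"])) & SENSITIVE_TABLES
        if not touched:
            continue
        reasons = []
        if rec["user"] != APP_ROLE:
            reasons.append(f"non-app role {rec['user']}")
        if not client_allowed(rec["client"]):
            reasons.append(f"client {rec['client']} outside allowed networks")
        sql_u = rec["sql"].upper()
        if sql_u.startswith(("SELECT", "COPY")) and " WHERE " not in sql_u:
            reasons.append("bulk read without WHERE")
        if reasons:
            findings.append({"ts": rec["ts"], "user": rec["user"], "client": rec["client"],
                             "tables": sorted(touched), "reasons": reasons, "sql": rec["sql"]})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']}@{f['client']} {f['tables']}: {'; '.join(f['reasons'])}")
```

Any finding with a non-app role or an out-of-network client is the "exposure cannot be ruled out" case the brief describes, and the provider keys get rotated; a bulk read from the app role on an allowed host still deserves a look at the LiteLLM application log for the request that produced it. The allowlist approach is deliberate: the application's normal per-token lookups are frequent, so flagging every sensitive-table access would bury the one that matters.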
CVE Decision Board — compare action items and monitored CVEs
Operational priority, CVE, product, CVSS, EPSS, HRS, exploit intel, and deadline are shown as label/value fields for each row.
CRITICAL-NOW · CVE-2026-48172 · LiteSpeed cPanel Plugin · CVSS 9.8 Critical · EPSS 3% Low · HRS 65 Moderate · Exploit intel: CISA KEV (confidence: high) · Deadline: due 2026-05-29
Why healthcare-relevant. Category: Exploited enterprise platform. Basis: The LiteSpeed User-End cPanel Plugin before version 2.4.5 allows privilege escalation, potentially granting root access to an attacker without proper authentication. Where it shows up: cPanel/WHM hosting (shared, managed, or vendor-run) behind public, patient-facing, marketing, physician-practice, or intranet web properties, most commonly WordPress sites. What could happen: root on the hosting server exposes every site, database, and credential on that host, so site integrity, redirects, credentials, and patient-facing trust are all in scope regardless of which single site is targeted. Local check: confirm the plugin is installed and its version, which sites share the host, WAF coverage, recent admin and cPanel account changes, the fixed release, and whether patient-facing workflows run on that host. Healthcare concern: Healthcare relevance depends on patient services, referrals, billing, marketing pixels, or portal handoff; otherwise treat as web-platform remediation. Local validation: Confirm deployment on public, patient-facing, or vendor-managed properties, then verify the fixed release, WAF coverage, and site-integrity monitoring. Remediation: Patch to version 2.4.7.
CRITICAL-NOW · CVE-2026-9082 · Drupal · CVSS 9.8 Critical · EPSS 0% Low · HRS 65 Moderate · Exploit intel: CISA KEV (confidence: high) · Deadline: due 2026-05-27
Why healthcare-relevant. Category: Patient-facing digital risk. Basis: Drupal is a CMS/web platform that may run patient-facing or public-trust healthcare web properties. Where it shows up: hospital websites, physician-practice pages, service-line pages, intranets, appointment/referral forms, donation pages, and portal handoff pages. What could happen: Attackers can use a vulnerable CMS to change trusted healthcare content, redirect users, capture credentials, tamper with forms, or pivot through the web host. Local check: identify affected Drupal/CMS instances, public exposure, form handling, portal or payment handoffs, admin activity, and vendor ownership before privacy escalation. Healthcare concern: If this instance supports a hospital site, physician-practice page, intranet, appointment request, referral, billing, donation, or portal handoff page, exploitation can alter trusted content, redirect patients or staff, harvest credentials, tamper with forms, or expose submitted form data. Local validation: Inventory public and vendor-managed Drupal/CMS properties, confirm affected version and modules, review WAF and admin-change logs, and determine whether any patient-access, billing, referral, identity, or portal-handoff workflow depends on the site. Remediation: Patch to version 10.5.10 or later.
CRITICAL-NOW · CVE-2010-0249 · Microsoft Internet Explorer · CVSS 8.8 High · EPSS 0% Low · HRS 92 Critical · Exploit intel: CISA KEV (confidence: high) · Deadline: due 2026-06-03
Why healthcare-relevant. Category: Exploited enterprise platform. Basis: This is a legacy Microsoft Internet Explorer 5.01/6/7/8 item with confirmed KEV status. Where it shows up: kiosks, jump hosts, vendor-maintained workstations, old intranet apps, and medical-device or lab-console dependencies that still require legacy Internet Explorer. What could happen: If that browser is still usable, exploitation can become a legacy endpoint foothold toward trusted internal applications or clinical-network segments; it is not an automatic EHR or PHI finding. Local check: confirm the browser version, whether it can reach untrusted content, and whether the host has access to clinical, device, identity, or vendor support workflows. Healthcare concern: The healthcare concern is residual dependency, not generic browser use: retired browser controls can survive on kiosks, jump hosts, vendor-maintained workstations, imaging/lab consoles, or intranet apps that bridge into clinical networks. Local validation: Validate whether Internet Explorer 5.01, 6, 7, or 8 exists on affected legacy Windows platforms and whether those hosts can browse untrusted content, reach vendor portals, or access clinical, device, or identity-adjacent internal applications. Remediation: Apply MS10-002 / KB978207 where still applicable. If the dependency is unsupported, decommission or isolate the browser path, remove default browsing capability, and document the exception owner.
CRITICAL-NOW · CVE-2010-0806 · Microsoft Internet Explorer · CVSS 8.8 High · EPSS 0% Low · HRS 92 Critical · Exploit intel: CISA KEV (confidence: high) · Deadline: due 2026-06-03
Why healthcare-relevant. Category: Exploited enterprise platform. Basis: This is a legacy Microsoft Internet Explorer 6/7 item with confirmed KEV status. Where it shows up: kiosk, jump host, vendor support workstation, retained legacy workstation, and compatibility workstation paths still dependent on Internet Explorer 6 or 7. What could happen: The practical risk is a legacy endpoint foothold on a trusted workstation that may bridge into clinical, device, or administrative networks; emergency treatment depends on confirmed local presence, and this is not an automatic EHR or PHI finding. Local check: validate IE 6/7 presence, browsing exposure, and network reach before escalating beyond endpoint containment and legacy-dependency removal. Healthcare concern: The risk is a conditional legacy endpoint foothold: if locally present and reachable, a vulnerable browser on a kiosk, jump host, vendor support workstation, or retained application workstation can expose a path toward clinical networks. Local validation: Validate whether Internet Explorer 6, Internet Explorer 6 SP1, or Internet Explorer 7 remains on managed endpoints, jump hosts, kiosks, vendor support systems, or retained legacy application workstations, then check whether those assets can reach care-delivery systems. Remediation: Apply MS10-018 / KB980182 where applicable. Where no supported mitigation exists, discontinue or isolate the unsupported browser dependency and record the compensating-control exception.
| Priority: HIGH | CVE: CVE-2026-6555 | Product: ProSolution WP Client (WordPress) | CVSS: 9.8 Critical | EPSS: 58% High | HRS: 56 Moderate | Exploit Intel: Public PoC Confidence: Medium | Deadline: Due 2026-06-10 |
Why healthcare-relevant
- Category: Patient-facing digital risk
- Basis: ProSolution WP Client (WordPress) has a file-upload validation exposure on WordPress sites where the vulnerable component is active.
- Where it shows up: WordPress sites with upload features tied to contact, referral, appointment, billing, or portal-support workflows.
- What could happen: File-upload flaws can lead to web-shell placement, malicious file hosting, form tampering, or redirects on a trusted healthcare domain.
- Local check: confirm whether uploads are enabled, whether files are executable or public, and whether the site connects to patient-facing workflows.
- Healthcare concern: File-upload flaws can lead to web-shell placement or malicious content hosting if the site supports patient, referral, billing, or portal-handoff workflows.
- Local validation: Confirm whether uploads are enabled, files are executable or public, and the site connects to patient-facing workflows.
- Remediation: Verify affected version against vendor source before closure.
More monitored CVEs (3)
| Priority: HIGH | CVE: CVE-2026-4883 | Product: Piotnet Forms (WordPress) | CVSS: 9.8 Critical | EPSS: 41% Moderate | HRS: 72 High | Exploit Intel: Public PoC Confidence: Medium | Deadline: Due 2026-06-10 |
Why healthcare-relevant
- Category: Patient-facing digital risk
- Basis: Piotnet Forms (WordPress) has a file-upload validation exposure on WordPress sites where the vulnerable component is active.
- Where it shows up: patient intake, appointment, referral, billing, contact, and physician-practice WordPress forms.
- What could happen: An upload flaw can place web shells or malicious files where attackers can tamper with forms, redirect users, or capture submissions.
- Local check: confirm the plugin version, active forms, upload storage, executable paths, portal or payment handoffs, and vendor-managed ownership.
- Healthcare concern: If used for appointment, intake, referral, billing, or contact forms, unrestricted upload can enable web-shell placement, form tampering, redirects, or credential capture.
- Local validation: Check public and vendor-managed WordPress properties for this plugin/version; verify upload forms, storage location, and portal or payment handoffs.
- Remediation: Verify affected version against vendor source before closure.
| Priority: HIGH | CVE: CVE-2026-6960 | Product: BookingPress Pro (WordPress) | CVSS: 9.8 Critical | EPSS: 35% Moderate | HRS: 56 Moderate | Exploit Intel: Public PoC Confidence: Medium | Deadline: Due 2026-06-10 |
Why healthcare-relevant
- Category: Patient-facing digital risk
- Basis: BookingPress Pro (WordPress) has a file-upload validation exposure on WordPress sites where the vulnerable component is active.
- Where it shows up: patient intake, appointment, referral, billing, contact, and physician-practice WordPress forms.
- What could happen: An upload flaw can place web shells or malicious files where attackers can tamper with forms, redirect users, or capture submissions.
- Local check: confirm the plugin version, active forms, upload storage, executable paths, portal or payment handoffs, and vendor-managed ownership.
- Healthcare concern: If used for appointment, intake, referral, billing, or contact forms, unrestricted upload can enable web-shell placement, form tampering, redirects, or credential capture.
- Local validation: Check public and vendor-managed WordPress properties for this plugin/version; verify upload forms, storage location, and portal or payment handoffs.
- Remediation: Verify affected version against vendor source before closure.
| Priority: MONITOR | CVE: CVE-2026-6279 | Product: Avada Builder (fusion-builder) (WordPress) | CVSS: 9.8 Critical | EPSS: 28% Moderate | HRS: 72 High | Exploit Intel: Public PoC Confidence: Medium | Deadline: Due 2026-06-26 |
Why healthcare-relevant
- Category: Patient-facing digital risk
- Basis: Avada Builder (fusion-builder) (WordPress) has code-execution risk on WordPress sites where the vulnerable plugin or theme is active.
- Where it shows up: marketing, service-line, physician-practice, intranet, and vendor-managed WordPress sites built with the affected theme or builder.
- What could happen: Server-side execution can enable persistence, redirect patients or staff, harvest credentials, or alter trusted health-system content.
- Local check: check builder/theme version, new admins, modified templates, PHP execution, WAF events, and whether the site connects to patient-access workflows.
- Healthcare concern: A compromised builder/theme can give server-side code execution on a public site, enabling persistence, redirects, credential harvesting, or content tampering.
- Local validation: Check marketing, service-line, physician-practice, and vendor-managed sites for the builder/theme version; review logs, new admins, modified templates, and PHP execution.
- Remediation: Verify affected version against vendor source before closure.
Sort order favors KEV, confirmed exploitation, healthcare signal, EPSS, then CVSS. Priority is the operational decision; CVSS and EPSS are inputs.
Why these CVEs are Critical/High despite low EPSS
EPSS is short-term likelihood, not an operational priority label.
CVE-2026-48172 — LiteSpeed cPanel Plugin: privilege escalation. Low EPSS (3%), but CRITICAL-NOW because CISA KEV confirms exploitation.
CVE-2026-9082 — Drupal: SQL injection. Low EPSS (0%), but CRITICAL-NOW because CISA KEV confirms exploitation.
CVE-2010-0249 — Microsoft Internet Explorer: Internet Explorer remote code execution. Low EPSS (0%), but CRITICAL-NOW because CISA KEV confirms exploitation.
CVE-2010-0806 — Microsoft Internet Explorer: Internet Explorer remote code execution. Low EPSS (0%), but CRITICAL-NOW because CISA KEV confirms exploitation.
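An added example, not the Dispatch's own ranking code, that parses this issue's priority rows and applies the stated sort order (KEV, confirmed exploitation, healthcare signal, EPSS, then CVSS), showing why the 0% EPSS KEV item lands above the 58% EPSS item. Treating a KEV listing as confirmed exploitation above a public PoC, and using the HRS column as the healthcare signal, are assumptions.

```python
import re

# Constructed sample: this issue's priority rows, copied as printed in the table.
ROWS = [
    "| Priority: HIGH | CVE: CVE-2026-6555 | Product: ProSolution WP Client (WordPress) | CVSS: 9.8 Critical | EPSS: 58% High | HRS: 56 Moderate | Exploit Intel: Public PoC Confidence: Medium | Deadline: Due 2026-06-10 |",
    "| Priority: CRITICAL-NOW | CVE: CVE-2010-0806 | Product: Microsoft Internet Explorer | CVSS: 8.8 High | EPSS: 0% Low | HRS: 92 Critical | Exploit Intel: CISA KEV Confidence: High | Deadline: Due 2026-06-03 |",
    "| Priority: HIGH | CVE: CVE-2026-4883 | Product: Piotnet Forms (WordPress) | CVSS: 9.8 Critical | EPSS: 41% Moderate | HRS: 72 High | Exploit Intel: Public PoC Confidence: Medium | Deadline: Due 2026-06-10 |",
    "| Priority: HIGH | CVE: CVE-2026-6960 | Product: BookingPress Pro (WordPress) | CVSS: 9.8 Critical | EPSS: 35% Moderate | HRS: 56 Moderate | Exploit Intel: Public PoC Confidence: Medium | Deadline: Due 2026-06-10 |",
    "| Priority: MONITOR | CVE: CVE-2026-6279 | Product: Avada Builder (fusion-builder) (WordPress) | CVSS: 9.8 Critical | EPSS: 28% Moderate | HRS: 72 High | Exploit Intel: Public PoC Confidence: Medium | Deadline: Due 2026-06-26 |",
]

# Assumed exploit-evidence tiers: a KEV listing is confirmed exploitation,
# a public PoC is a weaker signal, anything else ranks below both.
EXPLOIT_RANK = {"CISA KEV": 2, "Public PoC": 1}

def _number(text):
    """Leading numeric token of a cell such as '58% High' or '8.8 High'."""
    return float(re.match(r"[\d.]+", text).group())

def parse_row(row):
    """Split one pipe-delimited row into typed fields."""
    fields = {}
    for cell in row.strip().strip("|").split("|"):
        key, _, value = cell.strip().partition(":")
        fields[key.strip()] = value.strip()
    # The Exploit Intel cell carries two labels: "CISA KEV Confidence: High".
    intel, _, confidence = fields["Exploit Intel"].partition("Confidence:")
    return {
        "cve": fields["CVE"],
        "priority": fields["Priority"],
        "cvss": _number(fields["CVSS"]),
        "epss": _number(fields["EPSS"]),  # percent, as printed
        "hrs": _number(fields["HRS"]),    # healthcare signal score (assumed)
        "kev": intel.strip() == "CISA KEV",
        "exploit_rank": EXPLOIT_RANK.get(intel.strip(), 0),
        "confidence": confidence.strip(),
    }

def rank(rows):
    """Apply the stated sort: KEV, confirmed exploitation, HRS, EPSS, CVSS."""
    entries = [parse_row(r) for r in rows]
    entries.sort(key=lambda e: (e["kev"], e["exploit_rank"], e["hrs"],
                                e["epss"], e["cvss"]), reverse=True)
    return entries

if __name__ == "__main__":
    for e in rank(ROWS):
        print(f'{e["cve"]:14} {e["priority"]:13} KEV={e["kev"]!s:5} '
              f'HRS={e["hrs"]:.0f} EPSS={e["epss"]:.0f}% CVSS={e["cvss"]}')
```

Within the non-KEV tier the ordering here follows HRS before EPSS, which is a reading of the stated sort order rather than a reproduction of the issue's printed sequence.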
Methodology
8 CVEs analyzed · 8 CISA KEV items; 8 also corroborated by VulnCheck. No VulnCheck-only additions this window. Methodology and limitations are collapsed; standing methodology is available at /methodology/.
Public issue methodology is summary-only to preserve the decision-brief reading path.
Sources used this window include NVD, CISA KEV, VulnCheck KEV, EPSS, healthcare incident sources, and regulatory watch data.
Breach Notification Trigger Framework: CVE presence alone is not a breach assessment; escalate only with local evidence of exploitation, unauthorized access, or PHI/ePHI exposure.
Full standing methodology: /methodology/.