Clinical Cyber Dispatch · Issue 010 · Free Edition · Issue date: 22 June 2026

Healthcare cyber intelligence — decision brief

Critical-Now Items

3

Confirm local deployment; apply required actions

Vendor actions

3

One action table: required action, due date, sources per row

Exploit signal

3 CISA KEV

2 also corroborated by VulnCheck; No VulnCheck-only additions this window.

Last verified

22 June 2026

23:46 UTC

Retained unresolved risk remains critical; see Retained CVE Watch for closure tracking.

CISO Quick Read

Critical-Now: 3 items requiring local deployment confirmation and remediation by source due date.

CISA KEV: 3 items.

Policy / guidance updates: 2 material AI governance updates.

Retained watch: 13 items remain open.

Incident actions: 0 immediate breach-response actions from verified primary sources.

Decision: Validate deployment for all 3 Critical-Now products, apply the listed vendor action by the due date, and document exceptions. Escalate privacy only with local evidence of unauthorized PHI/ePHI access, use, acquisition, or disclosure. 3 items are past due.

HRS = Healthcare Relevance Score (1–100). It reflects healthcare operational relevance using clinical exposure, exploit/KEV signal, EPSS, and source-pack confidence. Full rubric: HRS rubric.

CISO Decision Brief

  1. Critical-Now remediationAll 3 Critical-Now items render in the Critical-Now Action Table with the required action, due date, and sources. Confirm local deployment and prioritize remediation by internet exposure, exploit evidence, business dependency, and HRS.
  2. Policy / guidance updates2 material policy/guidance updates verified from official sources this window — see the AI & Clinical Automation Watch. Route to AI governance, privacy/legal, procurement, and vendor risk for review.
  3. Healthcare Incident WatchNo incident in this issue requires immediate breach-response action based on verified primary sources. Three secondary-source awareness items are shown for vendor-risk, disclosure, litigation, or settlement monitoring. Review only if a named organization, vendor, geography, service line, or patient-data relationship is in scope.

What changed since last issue

CVE scope this issue: Decision Board shows all 8 tracked CVE rows — 3 Critical-Now (0 retained from prior issues, 3 newly elevated) and 5 additional monitored rows.

  • New Critical-Now items: 3
  • Retained Critical-Now items: 0
  • Retained watch items still open: 13
  • New policy / guidance updates: 2
  • Incident actions: 0 immediate action items from verified primary sources
  • 3 newly elevated Critical-Now items; 0 retained/open from the prior issue. Confirm local deployment for all 3; each card lists the required action, due date, and sources.
  • Exploit-priority signal: 3 CISA KEV items; 2 also corroborated by VulnCheck; No VulnCheck-only additions this window.
  • Incident Watch renders 3 visible items; 0 verified-material items require local scope review before action.

How to use Critical-Now Items

Use this sequence before assigning escalation work:

  1. Confirm local deployment, then remediate each Critical-Now item by its due date.
  2. Investigate only if local telemetry indicates exploitation.
  3. Start HIPAA breach risk assessment only with evidence of unauthorized PHI/ePHI access, use, or disclosure.

Critical-Now Actions

3 Critical-Now items this week. Every item renders in the Critical-Now Action Table below with the required action, local validation, due date, owner routing, and sources.

Free content: priority, HRS, deadline, action, and source references. HRS uses the Healthcare Relevance Score rubric. HRS rubric.

All 3 Critical-Now items render in the action table below. Each row lists the required action, local validation, due date, owner route, and sources.

Critical-Now Action Table
CVEProduct / vendorDue dateRequired actionLocal validationOwner routeSource Pack
CVE-2026-54420
64
LiteSpeed WHM Plugin; LiteSpeed cPanel PluginPast due 4 days (deadline 2026-06-18)Update LiteSpeed deployments to cPanel user-end plugin 2.4.8 or later; WHM Plugin 5.3.2.0 or later. The exploited issue is in the LiteSpeed user-end cPanel plugin; the WHM plugin update bundles the fixed cPanel plugin. Review cPanel logs for redisAble cPanel JSON API indicators, validate IPs, examine system logs, and remove the user-end plugin if immediate update is not possible. If immediate patching is not possible, document exception, compensating controls, owner, and target remediation date.confirm whether LiteSpeed User-End cPanel Plugin before 2.4.8 is installed in cPanel/WHM hosting environments.Start with CMDB/service owner. Pull in web platform owner, marketing/digital team, application owner, vulnerability management, and change owner.
Source Pack — View sources and technical details

Last verified: 2026-06-22 19:46 ET

Source checked: 22 June 2026 19:52 ET (22 June 2026 23:52 UTC)

Freshness: current

Evidence note: Prioritized because CISA KEV, VulnCheck KEV, vendor source identified LiteSpeed WHM Plugin; LiteSpeed cPanel Plugin as a deployed healthcare-relevant technology.

Fixed releases

  • cPanel user-end plugin 2.4.8 or later
  • WHM Plugin 5.3.2.0 or later
CVE-2026-48907
65
Widget Factory Joomla Content Editor / Limited JCEPast due 3 days (deadline 2026-06-19)Patch to JCE Editor version 2.6.44. If immediate patching is not possible, document exception, compensating controls, owner, and target remediation date.confirm whether Widget Factory Joomla Content Editor / Limited JCE before 2.9.99.5 is deployed, exposed, and owned locally.Start with CMDB/service owner. Pull in platform owner, vulnerability management, and change owner.
Source Pack — View sources and technical details

Last verified: 2026-06-22 19:46 ET

Source checked: 22 June 2026 19:52 ET (22 June 2026 23:52 UTC)

Freshness: current

Evidence note: Prioritized because CISA KEV, VulnCheck KEV, vendor source identified Widget Factory Joomla Content Editor / Limited JCE as a deployed healthcare-relevant technology.

Fixed releases

  • 2.9.99.5, 2.9.99.6, 3.10
CVE-2026-20253
39
Splunk EnterprisePast due 1 day (deadline 2026-06-21)Upgrade to Splunk Enterprise version 10.2.4 or later. If immediate patching is not possible, document exception, compensating controls, owner, and target remediation date.confirm whether Splunk Enterprise from 10.0.0 before 10.0.7, from 10.2.0 before 10.2.4 is deployed, exposed, and owned locally.Start with CMDB/service owner. Pull in platform owner, vulnerability management, and change owner.
Source Pack — View sources and technical details

Last verified: 2026-06-22 19:46 ET

Source checked: 22 June 2026 19:52 ET (22 June 2026 23:52 UTC)

Freshness: current

Evidence note: Prioritized because CISA KEV, vendor source identified Splunk Enterprise as a deployed healthcare-relevant technology.

Fixed releases

  • 10.0.7, 10.2.4
Download structured data:
Retained CVE Watch — 13 unique retained items remain open: 10 are Critical or KEV, 5 are High priority, 2 appear in both Critical/KEV and High categories. Items are retained from prior issues and outside this week's Critical-Now Items.

Retention policy: CISA KEV, VulnCheck KEV, active-exploitation, and operational CRITICAL-priority items remain for 30 days unless resolved; HIGH items retain for 14 days; MEDIUM watch items retain for 7 days.

CVE-2024-58348 — WordPress Background Image Cropper

Prior status: retained-watch. Current status: retained-watch.

Why retained: High-priority monitored CVE retention window

Material change: none.

Current action: Confirm whether this prior open item is resolved, accepted by exception, or still present.

Action this week: Confirm local deployment, then apply the vendor remediation or document an exception.

Patch status: No retained verified fixed version is available; keep exposure-decision review open and confirm current vendor guidance before closure.

Source deadline: not stated. Age-out date: 2026-06-25 (3 days remaining).

KEV status: Not listed in CISA/VulnCheck KEV catalogs (CVE is still tracked via NVD).

CVE-2026-10580 — Hippoo Mobile App for WooCommerce (WordPress)

Prior status: retained-watch. Current status: retained-watch.

Why retained: High-priority monitored CVE retention window

Material change: none.

Current action: Confirm whether this prior open item is resolved, accepted by exception, or still present.

Action this week: Confirm local deployment, then apply the vendor remediation or document an exception.

Patch status: No retained verified fixed version is available; keep exposure-decision review open and confirm current vendor guidance before closure.

Source deadline: not stated. Age-out date: 2026-06-25 (3 days remaining).

KEV status: Not listed in CISA/VulnCheck KEV catalogs (CVE is still tracked via NVD).

CVE-2026-46518 — Open-Emr Openemr

Prior status: retained-decision-board. Current status: retained-watch.

Why retained: High-priority monitored CVE retention window

Material change: none.

Current action: Last verified 2026-06-15: Upgrade Open-Emr Openemr to fixed release(s): 8.0.0.1. Document a formal exception with compensating controls if remediation is delayed

Action this week: Confirm local deployment, then apply the vendor remediation or document an exception.

Patch status: Last verified 2026-06-15: Fixed releases are available per the vendor advisory: 8.0.0.1.

Source deadline: not stated. Age-out date: 2026-06-29 (7 days remaining).

KEV status: Not listed in CISA/VulnCheck KEV catalogs (CVE is still tracked via NVD).

CVE-2026-11645 — Google Chrome / Chromium V8

Prior status: retained-watch. Current status: retained-watch.

Why retained: CISA/KEV/active-exploitation/Critical-Now retention window

Material change: none.

Current action: Last verified 2026-06-11: Upgrade Google Chrome / Chromium V8 to fixed release(s): 149.0.7827.103. CISA KEV required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable by 2026-06-23. Document a formal exception with compensating controls if remediation is delayed

Action this week: Confirm local deployment, then apply the vendor remediation or document an exception.

Patch status: Last verified 2026-06-11: Fixed releases are available per the vendor advisory: 149.0.7827.103.

Source deadline: not stated. Age-out date: 2026-07-11 (19 days remaining).

KEV status: CISA KEV.

CVE-2026-20245 — Cisco SD-WAN vsmart controller; Cisco catalyst SD-WAN manager

Prior status: still-critical-now. Current status: retained-watch.

Why retained: CISA/KEV/active-exploitation/Critical-Now retention window

Material change: none.

Current action: Review CISA Emergency Directive 26-03 and Cisco SD-WAN guidance, verify affected controllers/managers, apply the Cisco fixed release for the deployed train (20.9.9.1, 20.12.5.4, 20.12.6.2, 20.12.7.1, 20.15.4.4, 20.15.5.2, 20.15.506, 20.18.2.2), and document mitigation or exception status

Action this week: Confirm local deployment, then apply the vendor remediation or document an exception.

Patch status: Fixed-release or mitigation guidance is documented in the CISA/Cisco source; verify the affected train and apply the Cisco fixed release for the deployed train (20.9.9.1, 20.12.5.4, 20.12.6.2, 20.12.7.1, 20.15.4.4, 20.15.5.2, 20.15.506, 20.18.2.2) or the required mitigation.

Source deadline: not stated. Age-out date: 2026-07-11 (19 days remaining).

KEV status: CISA KEV.

CVE-2026-42271 — LiteLLM

Prior status: still-critical-now. Current status: retained-ai-watch.

Why retained: CISA/KEV/active-exploitation/Critical-Now retention window

Material change: none.

Current action: Last verified 2026-06-15: Upgrade LiteLLM to fixed release(s): 1.83.7. CISA KEV required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable by 2026-06-22. Review Postgres query logs, database query history, and application logs for unauthorized access before closure. Document a formal exception with compensating controls if remediation is delayed

Action this week: Confirm local deployment, then apply the vendor remediation or document an exception.

Patch status: Last verified 2026-06-15: Fixed releases are available per the vendor advisory: 1.83.7.

Source deadline: not stated. Age-out date: 2026-07-11 (19 days remaining).

KEV status: CISA KEV.

CVE-2026-45247 — Mirasvit Full Page Cache Warmer

Prior status: retained-watch. Current status: retained-watch.

Why retained: CISA/KEV/active-exploitation/Critical-Now retention window

Material change: none.

Current action: Last verified 2026-06-11: Patch to Mirasvit Full Page Cache Warmer version 1.11.12 or later. WAF/network security. Deadline: CRITICAL-NOW

Action this week: Confirm local deployment, then apply the vendor remediation or document an exception.

Patch status: Last verified 2026-06-11: Fixed releases are available per the vendor advisory: 1.11.12.

Source deadline: not stated. Age-out date: 2026-07-11 (19 days remaining).

KEV status: CISA KEV.

CVE-2026-50751 — Check Point Security Gateway / Remote Access VPN / Mobile Access / Quantum Spark where applicable

Prior status: still-critical-now. Current status: retained-watch.

Why retained: CISA/KEV/active-exploitation/Critical-Now retention window

Material change: none.

Current action: Last verified 2026-06-15: Upgrade Check Point Security Gateway / Remote Access VPN / Mobile Access / Quantum Spark where applicable to fixed release(s): r81.20, r81.10.17, r82.00.10. CISA KEV required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable by 2026-06-11. Document a formal exception with compensating controls if remediation is delayed

Action this week: Confirm local deployment, then apply the vendor remediation or document an exception.

Patch status: Last verified 2026-06-15: Fixed releases are available per the vendor advisory: r81.20; r81.10.17; r82.00.10.

Source deadline: not stated. Age-out date: 2026-07-11 (19 days remaining).

KEV status: CISA KEV.

CVE-2026-7654 — Admin Columns (WordPress)

Prior status: retained-watch. Current status: retained-watch.

Why retained: CISA/KEV/active-exploitation/Critical-Now retention window

Material change: none.

Current action: Confirm whether this prior open item is resolved, accepted by exception, or still present.

Action this week: Confirm local deployment, then apply the vendor remediation or document an exception.

Patch status: No retained verified fixed version is available; keep exposure-decision review open and confirm current vendor guidance before closure.

Source deadline: not stated. Age-out date: 2026-07-11 (19 days remaining).

KEV status: CISA KEV.

CVE-2026-10520 — Ivanti Sentry

Prior status: still-critical-now. Current status: retained-watch.

Why retained: CISA/KEV/active-exploitation/Critical-Now retention window

Material change: none.

Current action: Last verified 2026-06-15: Patch Ivanti Sentry to version R10.7.2 or later. Third-party/vendor management. Deadline: CRITICAL-NOW

Action this week: Confirm local deployment, then apply the vendor remediation or document an exception.

Patch status: Last verified 2026-06-15: Fixed releases are available per the vendor advisory: 10.5.2; 10.6.2.

Source deadline: not stated. Age-out date: 2026-07-15 (23 days remaining).

KEV status: CISA KEV.

CVE-2026-3018 — Newsletters (WordPress)

Prior status: still-critical-now. Current status: retained-watch.

Why retained: CISA/KEV/active-exploitation/Critical-Now retention window

Material change: none.

Current action: Confirm whether this prior open item is resolved, accepted by exception, or still present.

Action this week: Confirm local deployment, then apply the vendor remediation or document an exception.

Patch status: No retained verified fixed version is available; keep exposure-decision review open and confirm current vendor guidance before closure.

Source deadline: not stated. Age-out date: 2026-07-15 (23 days remaining).

KEV status: CISA KEV.

CVE-2026-35273 — Oracle PeopleSoft Enterprise PeopleTools

Prior status: still-critical-now. Current status: retained-watch.

Why retained: CISA/KEV/active-exploitation/Critical-Now retention window

Material change: none.

Current action: Last verified 2026-06-15: Patch Oracle PeopleSoft Enterprise PeopleTools to version 8.63 or later. Third-party/vendor management. Deadline: CRITICAL-NOW

Action this week: Confirm local deployment, then apply the vendor remediation or document an exception.

Patch status: Last verified 2026-06-15: Patch Oracle PeopleSoft Enterprise PeopleTools to version 8.63 or later. Third-party/vendor management. Deadline: CRITICAL-NOW.

Source deadline: not stated. Age-out date: 2026-07-15 (23 days remaining).

KEV status: CISA KEV.

CVE-2026-41699 — VMware spring for graphql

Prior status: retained-decision-board. Current status: retained-watch.

Why retained: CISA/KEV/active-exploitation/Critical-Now retention window

Material change: none.

Current action: Last verified 2026-06-15: Upgrade VMware spring for graphql to fixed release(s): 1.3.9, 1.4.6, 2.0.4. Document a formal exception with compensating controls if remediation is delayed

Action this week: Confirm local deployment, then apply the vendor remediation or document an exception.

Patch status: Last verified 2026-06-15: Fixed releases are available per the vendor advisory: 1.3.9; 1.4.6; 2.0.4.

Source deadline: not stated. Age-out date: 2026-07-15 (23 days remaining).

KEV status: CISA KEV.


Landscape Watch

Sector read

Incident Watch includes 4 healthcare incident/disclosure candidates; 0 verified-material items and 4 secondary-awareness items remain evidence-bounded. Vendor advisory watch: no reader action this week.

Named actor and tooling watch

Actor/tooling items are shown here as bounded Landscape Watch context. They become current healthcare alerts only when this window includes an HPH-sector source, healthcare victim, or healthcare-specific campaign evidence.

Background SOC context

These items are retained as low-prominence SOC context. They are not current healthcare alerts unless this window includes healthcare victim, HPH-sector, or campaign-specific evidence.

  • Cobalt Strike — background SOC context. Generic IOC activity observed; no current healthcare-specific campaign verified. Evidence sources: AlienVault OTX threat pulses, ThreatFox IOC feed (Abuse.ch).
  • LockBit — background SOC context. Generic activity observed; no current healthcare-specific campaign verified. Evidence sources: AlienVault OTX threat pulses, ThreatFox IOC feed (Abuse.ch).
  • QakBot — background SOC context. Generic activity observed; no current healthcare-specific campaign verified. Evidence sources: AlienVault OTX threat pulses, Feodo Tracker (Abuse.ch C2 blocklist).

Medical device / OT watch: No material healthcare OT/ICS or medical-device signal crossed the action threshold this week.

Healthcare Incident Watch — no verified material action items

4 healthcare incident/disclosure candidates reviewed; no verified-material action items. 3 secondary-source awareness cards are shown; 1 additional secondary-awareness item remain tracked but not displayed.

Source quality: official/regulator notices outrank secondary reporting. Methodology. Visible awareness items are concentrated in HIPAA Journal this week because no verified primary-source incident item cleared the display threshold. And other monitored feeds did not return stronger official incident evidence.

Recent incident/disclosure window

18 Jun 2026 · HIPAA Journal

HIPAA Violation Cases: Types & Consequences

Editorial summary: secondary-source awareness item selected for disclosure-pattern monitoring; do not treat it as a verified material action item without local scope or primary-source confirmation.

Currentness: source 18 Jun 2026; recent incident/disclosure window.

Source quality: Secondary-source awareness; official notice not verified.

Why selected: Current healthcare-sector cyber awareness reported for HIPAA Violation Cases: privacy, vendor-risk, settlement, disclosure, or social-engineering relevance.

Reader relevance: Awareness item: review whether your organization, vendor, region, service line, or patient-data relationship connects to HIPAA Violation Cases before acting; do not initiate breach response from secondary reporting alone.

New disclosure

18 Jun 2026 · HIPAA Journal

Heart Monitoring Device Manufacturer Discloses Cyberattack; Data Breach

Editorial summary: secondary-source awareness item selected for disclosure-pattern monitoring; do not treat it as a verified material action item without local scope or primary-source confirmation.

Currentness: source 18 Jun 2026; new disclosure.

Source quality: Secondary-source awareness; official notice not verified.

Why selected: Current healthcare-sector cyber awareness reported for Heart Monitoring Device Manufacturer Discloses Cyberattack: privacy, vendor-risk, settlement, disclosure, or social-engineering relevance.

Reader relevance: Awareness item: review whether your organization, vendor, region, service line, or patient-data relationship connects to Heart Monitoring Device Manufacturer before acting; do not initiate breach response from secondary reporting alone.

Recent incident/disclosure window

22 Jun 2026 · HIPAA Journal

ShinyHunters Data Extortion Group Threatens to Leak 8.8 TB of Stolen One Medical Data

Editorial summary: secondary-source awareness item selected for disclosure-pattern monitoring; do not treat it as a verified material action item without local scope or primary-source confirmation.

Currentness: source 22 Jun 2026; recent incident/disclosure window.

Source quality: Secondary-source awareness; official notice not verified.

Why selected: Current healthcare-sector cyber awareness reported for ShinyHunters Data Extortion Group Threatens to Leak 8.8 TB of Stolen O: privacy, vendor-risk, settlement, disclosure, or social-engineering relevance.

Reader relevance: Awareness item: review whether your organization, vendor, region, service line, or patient-data relationship connects to ShinyHunters Data Extortion Group Threatens to Leak 8.8 TB before acting; do not initiate breach response from secondary reporting alone.

1 additional secondary-awareness item remain tracked but not displayed unless local scope is confirmed.

Sector Readiness / Industry Guidance Watch

Non-binding healthcare-sector guidance and readiness events are shown here when current or future-dated source material changes planning, participation, or sector-awareness decisions.

Operation Vital Signs

Organizer: HSCC

Event date(s): July 21-22, 2026

Status: Consider participation / readiness planning

Reader action: Route to security, incident response, emergency management, privacy/legal, and clinical operations leaders if tabletop participation or lessons learned apply.

Official source


Regulatory & Privacy

What we are watching

No new binding rule, OCR enforcement action, FDA cybersecurity notice, or federal cyber-reporting deadline crossed the action threshold this window.

Standing watch: CIRCIA final rule timing, HIPAA Security Rule modernization, Health Care Cybersecurity and Resiliency Act movement, OCR settlement patterns, FDA medical-device cybersecurity, HHS HC3 sector alerts, CISA KEV healthcare exposure, and federal AI policy that changes healthcare vendor diligence.

This week: No binding healthcare privacy or cyber-reporting rule crossed the action threshold, but federal AI policy monitoring is elevated this week. Review the AI & Clinical Automation Watch for White House/HHS signals that may affect vendor diligence, model assurance, audit governance, and procurement questions. Last checked: 22 June 2026 23:50 UTC.

Regulatory action this week: None. No material movement this window; standing watch items remain available below for reference.

No standing item changed a deadline, owner, privacy posture, or security action this week.

Collapsed groups: 8 federal actions; 3 state or international items.

Standing-watch methodology and canonical source list: /methodology/.

Federal watch items

  • CIRCIA — Cyber Incident Reporting for Critical Infrastructure Act — Final rule pending; CISA NPRM published 2024-04; comment period closed 2024-07. Healthcare designated as covered critical infrastructure sector. Why we watch: Mandatory 72-hour cyber incident reporting and 24-hour ransomware payment reporting for covered healthcare entities once the final rule takes effect. Forecast: Expect a final-rule implementation runway; the operational burden will be evidence preservation, reporting clock ownership, and ransomware-payment governance. CISA CIRCIA overview: “report to CISA any covered cyber incidents no later than 72 hours.” (Monitor; no action this week.) Source
  • HIPAA Security Rule update (NPRM 2024) — NPRM published Federal Register 2025-01-06. Final rule timeline not yet announced. Adds explicit MFA, encryption, and incident response controls. Why we watch: First substantive HIPAA Security Rule update in over a decade — closes longstanding gaps around MFA, vulnerability management, and incident-response evidence workflows. Forecast: If finalized substantially as proposed, expect heavier documentation, MFA, encryption, segmentation, testing, and incident-response evidence requirements. HHS OCR HIPAA Security Rule NPRM fact sheet: “Require the use of multi-factor authentication, with limited exceptions.” (Monitor; no action this week.) Source
  • Health Care Cybersecurity and Resiliency Act of 2025 — Reported / not final. Senate companion under HELP Committee review. Provides authorities for HHS-CISA coordination and minimum cyber standards for healthcare entities. Why we watch: Would codify mandatory minimum cybersecurity standards for healthcare and authorize HHS-CISA cyber incident coordination — the closest thing to a sector-wide cyber baseline currently moving. Forecast: If the bill advances, anticipate procurement and governance pressure around baseline controls rather than an immediate compliance deadline. (Monitor; no action this week.) Source
  • OCR HIPAA enforcement and incident-reporting activity — Routine OCR enforcement and reporting updates monitored. Watch for resolution agreements citing security-rule failures (risk analysis, MFA, log retention). Why we watch: OCR settlements reveal which control failures are actively being penalized — direct input into your control-prioritization roadmap. Forecast: Expect OCR enforcement patterns to keep rewarding demonstrable risk analysis, risk management, and evidence of security-rule follow-through. (Monitor; no action this week.) Source
  • FDA medical-device cybersecurity guidance & safety communications — FDA pre-market cybersecurity guidance (2023) in effect. Watch for SaMD AI/ML cyber guidance and post-market vulnerability advisories. Why we watch: Vendor must demonstrate cybersecurity in pre-market submission. Post-market FDA safety communications can drive emergency clinical-engineering action. Forecast: Expect continued vendor-evidence pressure for device cybersecurity, especially patchability, post-market monitoring, and coordinated vulnerability disclosure. (Monitor; no action this week.) Source
  • HHS HC3 / sector cyber alerts — Routine sector alerts and threat briefs monitored. Higher-frequency advisories during active campaign periods. Why we watch: HC3 issues healthcare-specific TTP intel (ransomware groups targeting clinics, telehealth-specific threats) often days ahead of industry coverage. Forecast: Expect this to remain a weekly threat-intel input, with higher action value when HC3 names a campaign, sector target, or mitigation. (Monitor; no action this week.) Source
  • CISA KEV additions affecting healthcare-deployed software — Tracked daily. Healthcare-relevant additions surface in CVE Decision Board with operational priority Critical. Why we watch: CISA KEV addition = federal mandate (BOD 22-01 timelines) for FCEB agencies and a strong signal for healthcare. Immediate-action trigger. Forecast: Expect KEV additions to remain the strongest public signal for urgent patch governance and exception review in healthcare environments. (Monitor; no action this week.) Source
  • White House / OMB / NIST / CAISI AI policy affecting healthcare — Active. Federal AI policy posture is shifting; watch for AI executive orders, NIST AI RMF updates, and CAISI evaluation guidance affecting healthcare AI deployments. Why we watch: Federal AI governance defines what evaluations, evidence, and assurances healthcare AI vendors must produce — direct procurement and validation impact. Forecast: Expect AI governance to translate into vendor-diligence questions before it becomes a single healthcare-specific compliance checklist. (Monitor; no action this week.) Source

State / international watch items

  • Washington My Health My Data Act — State health-data privacy law in force. Watch for enforcement activity and vendor-contract implications involving non-HIPAA consumer health data. Why we watch: Healthcare-adjacent apps, digital front doors, marketing pixels, and wellness programs can create state-law privacy exposure even when HIPAA does not apply. Forecast: Expect continued state attention on consumer health data, especially web tracking, apps, and non-HIPAA wellness workflows. (Monitor; no action this week.) Source
  • California CPPA / CCPA health-data privacy enforcement — State privacy enforcement monitored for health-data, tracking-technology, and vendor-processing implications. Why we watch: Large health systems with California patients or web properties need a view of privacy notices, tracking tech, and service-provider obligations outside HIPAA. Forecast: Expect California privacy enforcement to keep shaping tracking-technology reviews and service-provider contract evidence. (Monitor; no action this week.) Source
  • EU AI Act / NIS2 healthcare supplier exposure — International regulatory posture monitored for multinational health systems and suppliers serving EU-regulated healthcare environments. Why we watch: EU AI and cyber-resilience obligations can affect vendor due diligence, clinical AI assurance, and supplier security evidence for global healthcare organizations. Forecast: Expect multinational suppliers to package EU AI and cyber evidence into healthcare procurement responses over the next planning cycle. (Monitor; no action this week.) Source

Last verified: 22 June 2026 23:50 UTC


AI & Clinical Automation Watch

Editorial read

No new AI-infrastructure CVE crossed the action threshold this window. Retained AI-infrastructure watch item: CVE-2026-42271 (LiteLLM).

This week: Keep retained AI gateway items visible until closure: verify fixed versions, validate exposure, and rotate provider keys if compromise cannot be ruled out.

AI Watch shows elevated decision-relevant items only. Additional AI policy, acquisition, and governance signals remain under internal monitoring unless they cross the public-action threshold.

Agentic-ai and healthcare ai-vendor watch areas stayed below the public-action threshold this week based on the official-source sweep.

1. AI Policy & Model Governance Material change

Health Industry AI Cybersecurity Governance Framework Implementation Guide

Material change

Why healthcare cares: Sector-specific implementation guidance for AI cybersecurity governance in healthcare: it sets the benchmark vendors, assessors, and customer security questionnaires will reference for AI governance, inventory, vendor diligence, model monitoring, and incident response.

Binding status: nonbinding sector guidance

Recommended action: Use the guide to update the AI governance charter, AI inventory, AI vendor diligence, procurement control language, model monitoring, incident response, and the AI risk acceptance process.

Owner route: CISO, CIO, CMIO, AI governance, privacy, compliance, clinical engineering, procurement, vendor risk

Retention timing: Review due: 2026-06-22. Age-out: 2026-07-11.

Confidence: High — official HSCC source

Source ↗ — 2026-06-22

Retained signed executive order — Advancing Artificial Intelligence Education for American Youth | 4/23/2025

Retained watch

Why healthcare cares: This signed executive order is a material AI policy/governance update. It shapes AI vendor assurance, model-assurance expectations, critical-infrastructure cybersecurity tooling, and the federal evaluation programs healthcare AI vendors may rely on. It does not by itself create healthcare-specific compliance duties.

Binding status: official executive order

Recommended action: Update AI vendor diligence and model-assurance questions, track cybersecurity evaluation requirements, maintain critical-infrastructure cyber tooling awareness, and schedule an AI governance review.

Owner route: CIO, CISO, CMIO, AI governance, privacy/legal, procurement, vendor risk

Prior status: retained-ai-watch. Current status: retained-ai-watch.

Material change: none.

Retention timing: Review due: 2026-06-22. Age-out: 2026-07-11.

Confidence: High — official White House source

Source ↗ — 2026-06-22

HHS AI oversight monitor

Elevated monitor

Why healthcare cares: HHS is expanding AI review of audits from states and federal grant recipients. Privacy/compliance relevance: monitor governance, accuracy, appeal safeguards, audit documentation, and funding-risk implications.

Recommended action: Route to privacy, compliance, and audit leadership for monitoring; do not initiate HIPAA/OCR notification workflows from this policy signal alone absent local evidence.

Confidence: Medium — agency/reporting source

Source ↗ — 2026-06-22

CVE-2026-42271 — LiteLLM: retained KEV AI gateway watch

Retained watch

Why healthcare cares: LiteLLM is an AI gateway/proxy-class component that can hold provider keys, prompts, query history, or patient-context workflow data in healthcare deployments. It remains on the retained CVE watch and ages out in 19 days unless resolved.

Recommended action: Keep the item visible until closed: verify patched LiteLLM versions, review application logs and database query logs, and rotate AI provider keys if exposure cannot be ruled out.

Prior status: unknown. Current status: retained-watch.

Material change: none.

Confidence: High — retained CISA KEV / prior issue state

Source ↗ — 2026-06-22

CVE-2026-42271 — LiteLLM

Retained watch

Why healthcare cares: Prior AI infrastructure risk remains open and tracked with explicit retention metadata. It remains on the retained CVE watch and ages out in 19 days unless resolved.

Recommended action: Confirm local deployment, verify the fixed-version mapping, and document closure or a formal exception.

Prior status: still-critical-now. Current status: retained-ai-watch.

Material change: none.

Retention timing: Age-out: 2026-07-11. 19 days remaining.

Confidence: High — retained ledger state

Source ↗ — 2026-06-22

HHS Cracks Down on Years of Unchecked Audit Findings | HHS.gov

Retained watch

Why healthcare cares: Retained from a prior issue pending source-confirmed change or age-out.

Recommended action: Re-check the source for changes affecting AI governance, vendor diligence, or security posture; close or carry forward with documented rationale.

Prior status: unknown. Current status: retained-ai-watch.

Material change: status change under review — reverify against the official source.

Retention timing: Review due: 2026-06-22. Age-out: 2026-07-22. 30 days remaining.

Confidence: Medium — HHS AI oversight official source

Source ↗ — 2026-06-22

Promoting Advanced Artificial Intelligence Innovation and Security

Retained watch

Why healthcare cares: Retained from a prior issue pending source-confirmed change or age-out.

Recommended action: Re-check the source for changes affecting AI governance, vendor diligence, or security posture; close or carry forward with documented rationale.

Prior status: retained-ai-watch. Current status: retained-ai-watch.

Material change: material change confirmed from official source.

Retention timing: Review due: 2026-06-11. Age-out: 2026-07-11. 19 days remaining.

Confidence: Medium — White House Presidential Actions government source

Source ↗ — 2026-06-22

AI Action This Week

  1. Patch any AI gateway / inference component listed in AI Infrastructure Watch, using the CVE-specific remediation and source evidence shown there.
  2. Forward any items in AI Policy & Model Governance to CIO/CMIO and procurement; refresh AI vendor diligence questions accordingly.
  3. If AI gateways may handle PHI, confirm BAA review, PHI-redaction, audit logging, and human-in-the-loop controls.

CVE Decision Board — compare action items and monitored CVEs

Operational priority, CVE, product, severity, likelihood, and deadline are shown.

Priority: CRITICAL-NOWCVE: CVE-2026-20253Product: Splunk Enterprise CVSS: 9.8
Critical
EPSS: 0%
Low
HRS: 39
Low
Exploit Intel: CISA KEV
Confidence: High
Deadline: Past due 1 day (deadline 2026-06-21)

Retention: Critical-Now / action listed. New this issue. First elevated: 2026-06-22. First seen: 2026-06-22. Age-out: 2026-07-22 (30 days remaining) unless resolved or source status changes. Retention reason: CISA KEV source status retained for 30 days or until resolved. Source deadline: 2026-06-21. Material change: none.

Why healthcare-relevant

Category: Exploited enterprise platform

Basis: Splunk Enterprise is retained because confirmed exploitation changes remediation priority even when healthcare-specific targeting is not proven.

Where it shows up: wherever Splunk Enterprise is deployed locally — that may be ordinary IT, patient-facing web, vendor-managed, identity, or care-supporting paths.

What could happen: Confirmed exploitation drives urgency, but healthcare impact depends on whether Splunk Enterprise is exposed, privileged, or connected to patient-access or clinical workflows.

Local check: validate Splunk Enterprise presence, affected version, internet reachability, privilege level, and business owner before escalating to privacy or clinical operations.

Healthcare concern: The healthcare question is where Splunk Enterprise sits: identity path, patient-facing web path, vendor-managed service, clinical support system, or ordinary back-office asset. The answer changes urgency and escalation.

Local validation: confirm whether Splunk Enterprise from 10.0.0 before 10.0.7, from 10.2.0 before 10.2.4 is deployed, exposed, and owned locally. Validate internet reachability, the business owner for Splunk Enterprise, compensating controls, and whether local evidence shows it supports patient-facing, operational, administrative, or PHI/ePHI-bearing workflows.

Remediation: Upgrade affected Splunk Enterprise to the source-listed fixed release for the matching branch: 10.0.7; 10.2.4. Document exception and compensating controls if remediation is delayed.

Priority: CRITICAL-NOWCVE: CVE-2026-48907Product: Widget Factory Joomla Content Editor / Limited JCE CVSS: 9.8
Critical
EPSS: 0%
Low
HRS: 65
Moderate
Exploit Intel: CISA KEV
Confidence: High
Deadline: Past due 3 days (deadline 2026-06-19)

Retention: Critical-Now / action listed. New this issue. First elevated: 2026-06-22. First seen: 2026-06-22. Age-out: 2026-07-22 (30 days remaining) unless resolved or source status changes. Retention reason: CISA KEV source status retained for 30 days or until resolved. Source deadline: 2026-06-19. Material change: none.

Why healthcare-relevant

Category: Exploited enterprise platform

Basis: Widget Factory Joomla Content Editor / Limited JCE is retained because confirmed exploitation changes remediation priority even when healthcare-specific targeting is not proven.

Where it shows up: wherever Widget Factory Joomla Content Editor / Limited JCE is deployed locally — that may be ordinary IT, patient-facing web, vendor-managed, identity, or care-supporting paths.

What could happen: Confirmed exploitation drives urgency, but healthcare impact depends on whether Widget Factory Joomla Content Editor / Limited JCE is exposed, privileged, or connected to patient-access or clinical workflows.

Local check: validate Widget Factory Joomla Content Editor / Limited JCE presence, affected version, internet reachability, privilege level, and business owner before escalating to privacy or clinical operations.

Healthcare concern: The healthcare question is where Widget Factory Joomla Content Editor / Limited JCE sits: identity path, patient-facing web path, vendor-managed service, clinical support system, or ordinary back-office asset. The answer changes urgency and escalation.

Local validation: confirm whether Widget Factory Joomla Content Editor / Limited JCE before 2.9.99.5 is deployed, exposed, and owned locally. Validate internet reachability, the business owner for Widget Factory Joomla Content Editor / Limited JCE, compensating controls, and whether local evidence shows it supports patient-facing, operational, administrative, or PHI/ePHI-bearing workflows.

Remediation: Upgrade affected Widget Factory Joomla Content Editor / Limited JCE to the source-listed fixed release for the matching branch: 2.9.99.5; 2.9.99.6; 3.10. Document exception and compensating controls if remediation is delayed.

Priority: CRITICAL-NOWCVE: CVE-2026-54420Product: LiteSpeed WHM Plugin; LiteSpeed cPanel Plugin CVSS: 8.5
High
EPSS: 0%
Low
HRS: 64
Moderate
Exploit Intel: CISA KEV
Confidence: High
Deadline: Past due 4 days (deadline 2026-06-18)

Retention: Critical-Now / action listed. New this issue. First elevated: 2026-06-22. First seen: 2026-06-22. Age-out: 2026-07-22 (30 days remaining) unless resolved or source status changes. Retention reason: CISA KEV source status retained for 30 days or until resolved. Source deadline: 2026-06-18. Material change: none.

Why healthcare-relevant

Category: Hosting control-plane risk

Basis: LiteSpeed WHM Plugin; LiteSpeed cPanel Plugin is a hosting control-plane dependency; the exploited issue is in the LiteSpeed user-end cPanel plugin.

Where it shows up: shared hosting, cPanel/WHM administration, public web properties, physician-practice sites, campaign pages, and vendor-managed healthcare web estates.

What could happen: A compromised cPanel user-end plugin can enable privilege escalation on the hosting server; healthcare impact depends on which hosted sites, forms, and workflows are actually present.

Local check: check LiteSpeed cPanel/WHM plugin versions, review redisAble cPanel JSON API indicators, validate detected IPs, and map hosted workflows before privacy escalation.

Healthcare concern: Healthcare relevance depends on whether cPanel/WHM hosting supports hospital, physician-practice, campaign, appointment, billing, referral, portal-handoff, or vendor-managed sites.

Local validation: confirm whether LiteSpeed User-End cPanel Plugin before 2.4.8 is installed in cPanel/WHM hosting environments. Verify update target: cPanel user-end plugin 2.4.8 or later; WHM Plugin 5.3.2.0 or later. Review cPanel logs for redisAble cPanel JSON API indicators, validate detected IPs, examine system logs, and map whether hosted sites support patient-facing, physician-practice, portal-handoff, or vendor-managed workflows.

Remediation: Update LiteSpeed deployments to cPanel user-end plugin 2.4.8 or later; WHM Plugin 5.3.2.0 or later. The exploited issue is in the LiteSpeed user-end cPanel plugin; the WHM plugin update bundles the fixed cPanel plugin. Review cPanel logs for redisAble cPanel JSON API indicators, validate IPs, examine system logs, and remove the user-end plugin if immediate update is not possible. If immediate patching is not possible, document exception, compensating controls, owner, and target remediation date.

Priority: HIGHCVE: CVE-2026-32966Product: Apache dolphinscheduler CVSS: 9.8
Critical
EPSS: 48%
Moderate
HRS: 64
Moderate
Exploit Intel: Public PoC
Confidence: Medium
Deadline: Due 2026-07-06

Retention: retained. New this issue. First elevated: 2026-06-22. First seen: 2026-06-22. Age-out: 2026-07-06 (14 days remaining) unless resolved or source status changes. Retention reason: HIGH-priority watch for Apache dolphinscheduler retained while exploit, healthcare, or source signal remains relevant. Source deadline: 2026-07-06. Material change: none.

Why healthcare-relevant

Category: Monitor only

Basis: If apache dolphinscheduler protects perimeter or remote access, prioritize externally reachable admin/login surfaces, VPN concentrators, and identity trust boundaries that gate clinical and business systems. Primary risk is control-plane compromise and downstream access expansion; treat PHI/ePHI impact as conditional on local evidence.

Where it shows up: local Apache dolphinscheduler deployments that support scheduled jobs, integrations, administrative operations, patient-facing services, vendor-managed workflows, or other care-supporting dependencies.

What could happen: If Apache dolphinscheduler is present and exposed, exploitation could disrupt or alter the local workflow it supports; treat PHI/ePHI or clinical impact as conditional on asset ownership, access path, and workflow evidence.

Local check: map Apache dolphinscheduler deployments to owners, affected versions, exposed interfaces, workflow dependency, and compensating controls before escalating beyond remediation tracking.

Healthcare concern: Healthcare concern for Apache dolphinscheduler depends on confirmed local deployment and which workflows depend on it — assess it as monitor only in your environment.

Local validation: confirm whether Apache dolphinscheduler before 3.4.2 is deployed, exposed, and owned locally. Validate internet reachability, the business owner for Apache dolphinscheduler, compensating controls, and whether local evidence shows it supports patient-facing, operational, administrative, or PHI/ePHI-bearing workflows.

Remediation: Upgrade affected Apache dolphinscheduler to the source-listed fixed release for the matching branch: 3.4.2. Document exception and compensating controls if remediation is delayed.

Priority: HIGHCVE: CVE-2026-32967Product: Apache dolphinscheduler CVSS: 9.1
Critical
EPSS: 43%
Moderate
HRS: 64
Moderate
Exploit Intel: Public PoC
Confidence: Medium
Deadline: Due 2026-07-06

Retention: retained. New this issue. First elevated: 2026-06-22. First seen: 2026-06-22. Age-out: 2026-07-06 (14 days remaining) unless resolved or source status changes. Retention reason: HIGH-priority watch for Apache dolphinscheduler retained while exploit, healthcare, or source signal remains relevant. Source deadline: 2026-07-06. Material change: none.

Why healthcare-relevant

Category: Monitor only

Basis: If apache dolphinscheduler protects perimeter or remote access, prioritize externally reachable admin/login surfaces, VPN concentrators, and identity trust boundaries that gate clinical and business systems. Primary risk is control-plane compromise and downstream access expansion; treat PHI/ePHI impact as conditional on local evidence.

Where it shows up: local Apache dolphinscheduler deployments that support scheduled jobs, integrations, administrative operations, patient-facing services, vendor-managed workflows, or other care-supporting dependencies.

What could happen: If Apache dolphinscheduler is present and exposed, exploitation could disrupt or alter the local workflow it supports; treat PHI/ePHI or clinical impact as conditional on asset ownership, access path, and workflow evidence.

Local check: map Apache dolphinscheduler deployments to owners, affected versions, exposed interfaces, workflow dependency, and compensating controls before escalating beyond remediation tracking.

Healthcare concern: Healthcare concern for Apache dolphinscheduler depends on confirmed local deployment and which workflows depend on it — assess it as monitor only in your environment.

Local validation: confirm whether Apache dolphinscheduler before 3.4.2 is deployed, exposed, and owned locally. Validate internet reachability, the business owner for Apache dolphinscheduler, compensating controls, and whether local evidence shows it supports patient-facing, operational, administrative, or PHI/ePHI-bearing workflows.

Remediation: Upgrade affected Apache dolphinscheduler to the source-listed fixed release for the matching branch: 3.4.2. Document exception and compensating controls if remediation is delayed.

More monitored CVEs (3)
Priority: HIGHCVE: CVE-2026-49268Product: Apache shiro CVSS: 9.1
Critical
EPSS: 38%
Moderate
HRS: 80
High
Exploit Intel: Public PoC
Confidence: Medium
Deadline: Due 2026-07-06

Retention: retained. New this issue. First elevated: 2026-06-22. First seen: 2026-06-22. Age-out: 2026-07-06 (14 days remaining) unless resolved or source status changes. Retention reason: HIGH-priority watch for Apache shiro retained while exploit, healthcare, or source signal remains relevant. Source deadline: 2026-07-06. Material change: none.

Why healthcare-relevant

Category: Monitor only

Basis: If apache shiro is deployed, map internet-facing and privileged admin surfaces first, then confirm whether the affected workflow touches patient portals, scheduling, billing, clinical messaging, or other ePHI-adjacent paths. Escalate to privacy review only when local telemetry indicates unauthorized access.

Where it shows up: local Apache shiro deployments that support scheduled jobs, integrations, administrative operations, patient-facing services, vendor-managed workflows, or other care-supporting dependencies.

What could happen: If Apache shiro is present and exposed, exploitation could disrupt or alter the local workflow it supports; treat PHI/ePHI or clinical impact as conditional on asset ownership, access path, and workflow evidence.

Local check: map Apache shiro deployments to owners, affected versions, exposed interfaces, workflow dependency, and compensating controls before escalating beyond remediation tracking.

Healthcare concern: Healthcare concern for Apache shiro depends on confirmed local deployment and which workflows depend on it — assess it as monitor only in your environment.

Local validation: confirm whether Apache shiro before 2.2.0, before 2.2.1, before 3.0.0-alpha-1 is deployed, exposed, and owned locally. Validate internet reachability, the business owner for Apache shiro, compensating controls, and whether local evidence shows it supports patient-facing, operational, administrative, or PHI/ePHI-bearing workflows.

Remediation: Upgrade affected Apache shiro to the source-listed fixed release for the matching branch: 3.0.0-alpha-2; 2.2.1. Document exception and compensating controls if remediation is delayed.

Priority: HIGHCVE: CVE-2026-12293Product: Mozilla Firefox; Mozilla Thunderbird CVSS: 9.8
Critical
EPSS: 28%
Moderate
HRS: 72
High
Exploit Intel: Public PoC
Confidence: Medium
Deadline: Due 2026-07-06

Retention: retained. New this issue. First elevated: 2026-06-22. First seen: 2026-06-22. Age-out: 2026-07-06 (14 days remaining) unless resolved or source status changes. Retention reason: HIGH-priority watch for Mozilla Firefox; Mozilla Thunderbird retained while exploit, healthcare, or source signal remains relevant. Source deadline: 2026-07-06. Material change: none.

Why healthcare-relevant

Category: Monitor only

Basis: If mozilla firefox, mozilla thunderbird is deployed, map internet-facing and privileged admin surfaces first, then confirm whether the affected workflow touches patient portals, scheduling, billing, clinical messaging, or other ePHI-adjacent paths. Escalate to privacy review only when local telemetry indicates unauthorized access.

Where it shows up: local Mozilla Firefox; Mozilla Thunderbird deployments that support scheduled jobs, integrations, administrative operations, patient-facing services, vendor-managed workflows, or other care-supporting dependencies.

What could happen: If Mozilla Firefox; Mozilla Thunderbird is present and exposed, exploitation could disrupt or alter the local workflow it supports; treat PHI/ePHI or clinical impact as conditional on asset ownership, access path, and workflow evidence.

Local check: map Mozilla Firefox; Mozilla Thunderbird deployments to owners, affected versions, exposed interfaces, workflow dependency, and compensating controls before escalating beyond remediation tracking.

Healthcare concern: Healthcare concern for Mozilla Firefox; Mozilla Thunderbird depends on confirmed local deployment and which workflows depend on it — assess it as monitor only in your environment.

Local validation: confirm whether Mozilla Firefox; Mozilla Thunderbird before 152.0.0 is deployed, exposed, and owned locally. Validate internet reachability, the business owner for Mozilla Firefox; Mozilla Thunderbird, compensating controls, and whether local evidence shows it supports patient-facing, operational, administrative, or PHI/ePHI-bearing workflows.

Remediation: Upgrade affected Mozilla Firefox; Mozilla Thunderbird to the source-listed fixed release for the matching branch: 152.0.0. Document exception and compensating controls if remediation is delayed.

Priority: MONITORCVE: CVE-2026-11551Product: Branda (WordPress) CVSS: 9.8
Critical
EPSS: 0%
Low
HRS: 56
Moderate
Exploit Intel: Public PoC
Confidence: Medium
Deadline: Due 2026-07-22

Retention: monitored. New this issue. First elevated: 2026-06-22. First seen: 2026-06-22. Age-out: 2026-06-29 (7 days remaining) unless resolved or source status changes. Retention reason: Branda (WordPress) retained for comparison unless exploit or source signal changes. Source deadline: 2026-07-22. Material change: none.

Why healthcare-relevant

Category: Patient-facing digital risk

Basis: The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29.

Where it shows up: public, patient-facing, marketing, physician-practice, intranet, or vendor-managed WordPress properties.

What could happen: A plugin or theme flaw can affect site integrity, redirects, credentials, or patient-facing trust depending on how the component is deployed.

Local check: confirm deployment, affected version, WAF coverage, admin changes, fixed release, and whether patient-facing workflows are in scope.

Healthcare concern: Healthcare relevance depends on patient services, referrals, billing, marketing pixels, or portal handoff; otherwise treat as web-platform remediation.

Local validation: confirm whether Branda (WordPress) version 3.4.29 or earlier is installed. Prioritize public-facing, patient-facing, marketing, appointment, location-directory, portal-handoff, or form-bearing sites that could run Branda (WordPress). Review administrator accounts, temporary-access activity, recent plugin/theme changes, unexpected files, and web logs before closure.

Remediation: Validate whether Branda (WordPress) is installed in the affected version range identified by the source. If present, confirm the vendor-supported fixed release before closure; apply compensating controls or disable affected functionality until remediation is verified.

Download structured data:

Sort order prioritizes exploitation signals and deadlines.

Why low-EPSS items can still be Critical-Now

Low EPSS does not mean low operational risk.

EPSS estimates short-term exploit probability; operational priority also weighs confirmed exploitation and source deadlines.

Examples this week: 3 low-EPSS items remain prioritized because exploitation/source signals override low EPSS.

Methodology

Public issue methodology is summary-only to preserve the decision-brief reading path.

Sources used this window include NVD, CISA KEV, VulnCheck KEV, EPSS, healthcare incident sources, and regulatory watch data.

Breach Notification Trigger Framework: CVE presence alone is not a breach assessment; escalate only with local evidence of exploitation, unauthorized access, or PHI/ePHI exposure.

Full standing methodology: /methodology/.