Update for July 10, 2026 at 20:00 UTC: this radar pass did not find a new CISA Known Exploited Vulnerabilities catalog addition after the Joomla extension update published earlier today. It did find fresh NVD entries that matter to hosting, server, and Kubernetes operators: CVE-2025-30007 for HestiaCP and CVE-2026-61459 for mcp-server-kubernetes.
There is also a live Progress ShareFile Storage Zone Controller incident. Public sources available during this pass did not tie that incident to a new CVE, so treat it as an operations and incident-response watch item rather than a confirmed new CVE.
What Changed Since The Last Pass
- CISA KEV: no new entries after the July 10 Joomla extension additions.
- HestiaCP: NVD published CVE-2025-30007, rated high, affecting HestiaCP before version 1.9.5.
- mcp-server-kubernetes: NVD published CVE-2026-61459, rated critical, affecting versions before v3.9.0.
- ShareFile: the vendor status page lists Storage Zone Controller customers as not operational while the issue is under investigation.
HestiaCP CVE-2025-30007
HestiaCP is directly in the hosting-control-panel lane, so this one should get same-day review on any server where customers, resellers, contractors, or low-trust staff can access the panel. NVD describes the issue as a high-severity authenticated command-injection class vulnerability. The practical administrator takeaway is simple: HestiaCP systems older than 1.9.5 need an update window.
The HestiaCP GitHub release history confirms 1.9.5 shipped on May 28, 2026, with security and input-handling improvements, and 1.9.6 is available as the latest service release from May 29, 2026. If you manage HestiaCP, update to the current supported release rather than stopping at the first fixed version unless you have a compatibility reason.
Admin Checklist
- Take a VM snapshot or full system backup before changing the control panel.
- Update HestiaCP to the current release, or at minimum to 1.9.5.
- Confirm panel access is limited to trusted users and known IP ranges where possible.
- Review recent panel users, DNS changes, scheduled jobs, and service restarts for anything unexpected.
- After the update, verify websites, DNS zones, email services, backups, and certificate renewals.
mcp-server-kubernetes CVE-2026-61459
NVD published CVE-2026-61459 as a critical issue in mcp-server-kubernetes before v3.9.0. This is especially relevant for teams experimenting with AI agents and Kubernetes administration because MCP servers can sit between an AI client and sensitive cluster operations.
The project has a v3.9.0 release and, as of this pass, a newer v4.0.1 release. Operators should move forward to a current release, keep the service off the public internet, require authentication, and run it with a Kubernetes service account that has only the permissions the workflow actually needs.
Kubernetes Checklist
- Inventory where mcp-server-kubernetes is running, including developer workstations, internal labs, and CI environments.
- Upgrade vulnerable deployments to a fixed or newer release.
- Remove broad cluster-admin style access unless it is strictly required.
- Keep the MCP endpoint behind trusted network controls and authenticated clients.
- Review cluster audit logs for unusual tool-driven changes before and after the update.
Progress ShareFile Watch Item
The Hacker News reported that Progress told ShareFile customers with Storage Zone Controllers to shut down those Windows servers while it responds to a credible external security threat. The ShareFile status page confirms that Storage Zone Controller customers are not operational and that the incident is under investigation as of July 10, 2026 at 12:12 p.m. EDT.
Because the public sources available during this pass do not identify a new CVE for the current ShareFile incident, FixItPhill is not treating it as a confirmed CVE item yet. If you run customer-managed ShareFile Storage Zone Controllers, follow Progress customer communications first, keep affected controllers offline until the vendor clears them, preserve logs, and prepare for a vendor-guided recovery path.
Bottom Line
For hosting admins, the highest-confidence CVE action in this pass is HestiaCP: patch panels before 1.9.5 and verify access controls. For Kubernetes and AI-tooling teams, update mcp-server-kubernetes and reduce the permissions behind the service. For ShareFile, follow the vendor shutdown and status guidance until Progress publishes a clearer technical advisory.


