Self-Hosted Weekly: Week 29, 2026. SharePoint Zero-Day, Nextcloud Migration, KVM Escape

Self-Hosted Weekly: Week 29, 2026. SharePoint Zero-Day, Nextcloud Migration, KVM Escape

Some weeks the theme picks itself. This week it was trust: who you hand your infrastructure to, and what happens when that trust turns out to be misplaced. Microsoft shipped a SharePoint zero-day that was already being exploited, a German state walked away from SharePoint entirely in the same news cycle, and a 16-year-old bug reminded everyone that an "isolated" VM is only as isolated as the kernel underneath it. Here are the eight stories worth your attention, with an honest take on each.

1. Microsoft's Patch Tuesday ships an actively exploited SharePoint zero-day

July's Patch Tuesday landed on the 14th with a record pile of CVEs, and two were already being exploited in the wild: CVE-2026-56164, an unauthenticated privilege-escalation bug in SharePoint Server, and CVE-2026-56155 in Active Directory Federation Services. CISA added both to its Known Exploited Vulnerabilities catalog and set the SharePoint fix deadline to July 17, which is today.

Hot take: An unauthenticated, no-interaction privilege escalation on an internet-facing SharePoint box is about as bad as it gets, and "already exploited" means the window to patch quietly is gone. If you run SharePoint on-prem, this is your afternoon. It's also a reminder that self-hosting proprietary software gives you all the operational burden of running it yourself and none of the freedom to walk away when the vendor's security record wears thin.

2. A German state drops SharePoint for self-hosted Nextcloud

Right on cue, Mecklenburg-Vorpommern confirmed it's replacing Microsoft SharePoint with a self-hosted Nextcloud deployment. Around 5,000 public-sector workers are already on it, with a stated target of 50,000 across ministries and municipal offices, coordinated with neighboring Schleswig-Holstein. The state's CIO says the first migration wave went through with no disruption or data loss, starting with file sharing and adding chat, video, and groupware next.

Hot take: The timing next to the SharePoint zero-day is almost too perfect. This is digital sovereignty stopping being a conference buzzword and turning into a procurement decision at real scale. The interesting detail is the phased rollout: file sharing first, collaboration later. That's the correct way to migrate 50,000 people, and it's exactly the boring competence that makes these projects actually stick. If you want to try the same platform without running the Postgres yourself, you can deploy Nextcloud on Elestio.

3. Januscape: a 16-year-old KVM bug lets a guest escape to the host

Researchers disclosed Januscape (CVE-2026-53359), a use-after-free in the Linux kernel's KVM shadow MMU that sat unnoticed for roughly 16 years. A malicious guest with root and nested virtualization exposed can drive KVM into freeing and reusing the wrong shadow page, and the public proof-of-concept panics the host within minutes. It's the first guest-to-host escape shown to trigger on both Intel and AMD. The catch: the first upstream fix isn't enough on its own, and a second CVE (CVE-2026-46113) is needed to fully close it.

Hot take: This is the one to take seriously if you run your own hypervisor or rent from a smaller cloud. "Root in the guest" is the default state on most rented VMs, so the bar is lower than it sounds. Patch, but actually verify you picked up both fixes, because patching the first flaw alone leaves the door open. This is also the quiet argument for single-tenant hardware: shared virtualization is only as strong as the last kernel bug nobody found for 16 years.

4. Debian 13.6 point release lands

The Debian team shipped 13.6, the newest point release of Debian Trixie, on July 11. As usual for a point release, it's not a new distro so much as the accumulated security fixes and stability corrections rolled into fresh install media. If you're already on Trixie, a normal apt update && apt full-upgrade gets you there.

Hot take: Point releases are the least exciting and most important thing in the self-hosted world. "The base OS under everything, quietly patched" is the foundation the rest of this newsletter sits on. Refresh your images so new VMs start from the patched baseline instead of downloading three months of fixes on first boot.

5. Immich 3.0 is now stable

The self-hosted photo manager's big v3.0 line has settled down, with 3.0.3 landing on July 16. The headline additions are Workflows, a preview feature for automating library actions built on a new plugin system, plus experimental HLS real-time video transcoding, a rebuilt mobile photo editor that matches the web, a Recently Added view, and integrity reports that scan your storage against the database to flag missing or corrupted files. Note that 3.0 includes breaking API changes and drops pgvecto.rs.

Hot take: Immich keeps doing the thing that matters: closing the gap with Google Photos one boring feature at a time. Integrity reports are the underrated one here. When you're the backup, "did any of my files silently rot" is a real question, and having the app answer it is exactly what a self-hosted photo library should do. Read the breaking changes before you upgrade, then run Immich on Elestio if you'd rather not babysit the stack.

6. Forgejo v16.0 ships

Forgejo, the community-run fork of Gitea, released v16.0 on July 16. It's a non-LTS release supported through late October, and it includes security improvements plus configuration fixes around Git mirroring access controls.

Hot take: Coming off a rough month of Gitea Docker auth-bypass headlines, a Forgejo release that specifically tightens mirroring access controls is well timed. The Gitea-versus-Forgejo split keeps looking like a healthy one for users: two projects, real competition, and security fixes landing on both sides. If you self-host your Git, being on a fork with an active security cadence is a feature, not a risk.

7. Minecraft's Bedrock server gets a critical unauthenticated RCE

Buried in the same Patch Tuesday pile was CVE-2026-55010, a heap-based buffer overflow in the Minecraft Bedrock Dedicated Server rated CVSS 9.8, with unauthenticated remote code execution.

Hot take: Easy to laugh off until you remember how many people expose a Bedrock server straight to the internet for friends and family. An unauthenticated RCE means anyone who can reach the port can potentially own the box, and that box is usually sitting on the same home network as everything else. Patch it, or at least put it behind a tunnel instead of a raw port forward. Self-hosted doesn't stop at the serious tools.

8. Open Source for Science Fund opens with up to $1M

On the funding side, the Open Source for Science Fund is accepting proposals through July 21, offering up to $1 million for the foundational libraries that scientific software quietly depends on. It's aimed squarely at the maintainers of the unglamorous dependencies everyone builds on and nobody pays for.

Hot take: This is the good kind of open-source money, the kind that props up load-bearing libraries instead of chasing the next AI wrapper. The deadline is Tuesday, so if you maintain something in that category, it's worth the afternoon to apply.

What we're watching next week

Thing Why it matters
Kubernetes v1.37 code freeze Feature set locks next week ahead of the Aug 26 release; it requires containerd 2.0, so start checking your nodes
AD FS CVE-2026-56155 deadline CISA sets July 28 for the federation flaw; if you run federated login, it's next on the list after SharePoint
Januscape second fix in distros Watch for CVE-2026-46113 landing in your distro's kernel; the first patch alone doesn't close it

The bottom line

This week was a clean split-screen: a proprietary collaboration platform exploited in the wild, and a government walking away from that exact platform toward something it can host and control itself. Add a 16-year-old hypervisor bug that punches through VM isolation on both major CPU vendors, and the theme writes itself. "Someone else runs it" and "it's isolated" are both promises, and this week each came with an asterisk. Patch what you own, know what your isolation actually depends on, and the self-hosted route starts looking less like extra work and more like the option where you at least hold the keys.

Thanks for reading ❤️ See you next week 👋