Oracle PeopleSoft CVE-2026-35273 - Stability Brief for Exposure Owners
Finding 1: Oracle PeopleSoft CVE-2026-35273 Remains The Lead Watchpoint
Confidence: High
Oracle states that CVE-2026-35273 is remotely exploitable without authentication, and Google Cloud threat intelligence attributes education-sector exploitation to ShinyHunters and UNC6240. Current reporting also names the University of Nottingham as a UK victim, giving this item confirmed UK impact without relying on wider exposure-scale claims.
The practical action remains unchanged: inventory internet-reachable PeopleSoft PeopleTools 8.61 and 8.62, check PSEMHUB exposure, apply Oracle mitigation, and review logs from 27 May 2026 onward. Sources: https://www.oracle.com/security-alerts/alert-cve-2026-35273.html ; https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit/ ; https://thehackernews.com/2026/06/shinyhunters-exploits-oracle-peoplesoft.html ; https://cyberscoop.com/oracle-peoplesoft-zero-day-vulnerability-shinyhunters-extortion/.
Finding 2: UPDATE: Ivanti Sentry CVE-2026-10520 Has Active-Exploitation Patch Pressure
Confidence: Medium
Ivanti Sentry remains a high-priority exposure check because current reporting says CISA ordered federal agencies to patch an actively exploited issue within three days. The affected deployments are Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1.
Teams should verify external exposure and fixed-version status before treating any appliance as complete. Sources: https://www.bleepingcomputer.com/news/security/cisa-gives-feds-3-days-to-patch-ivanti-flaw-exploited-in-attacks/ ; https://www.theregister.com/patches/2026/06/10/ivanti-urges-sentry-users-to-patch-two-critical-bugs/5253428 ; https://thehackernews.com/2026/06/ivanti-fortinet-and-sap-release-patches.html.
Finding 3: Langflow CVE-2026-5027 And LangGraph Keep AI Workflows In Scope
Confidence: Medium
The intelligence reports exploited unauthenticated RCE in Langflow before 1.9.0, with /api/v2/files exposure and suspicious file writes as the first checks. LangGraph is also back in the queue because patched versions are now identified across SQLite and Redis checkpointer packages.
Self-hosted AI workflow owners should patch Langflow to 1.9.0 or later, update affected LangGraph packages, and restrict user-controlled filter input to state-history endpoints. Sources: https://thehackernews.com/2026/06/unpatched-langflow-flaw-cve-2026-5027.html ; https://thehackernews.com/2026/06/langgraph-flaw-chain-exposes-self.html.
Finding 4: ServiceNow And File Browser Need Narrow Owner Checks
Confidence: Low / Unverified
ServiceNow reported a hosted update and customer trust notification for an issue that allowed successful table queries against a subset of customer instances. File Browser has several GitHub Advisory Database entries covering public-share bypass, symlink scope escape, archive traversal, and command-execution allowlist bypass.
For ServiceNow, confirm the 5 June hosted update and review relevant table-query activity from 2 June 2026 onward. For File Browser, check v1 and v2 version exposure against the published GHSA entries and prioritise deployments that expose sharing or command-execution features. Sources: https://thehackernews.com/2026/06/servicenow-flaw-exploited-to-gain.html ; https://github.com/advisories/GHSA-j9jx-hp4c-ghhh ; https://github.com/advisories/GHSA-239w-m3h6-ch8v ; https://github.com/advisories/GHSA-gxjx-7m74-hcq8 ; https://github.com/advisories/GHSA-8c9q-7855-wfxq.
Why This Matters
The operational signal is real, and the evidential wording has been tightened to keep the public brief aligned with sourced facts. PeopleSoft and Ivanti remain the top owner-assignment priorities, with AI workflow and SaaS exposure checks close behind.
Recommended Actions
- Keep PeopleSoft wording tied to sourced facts: active exploitation, Oracle mitigation guidance, and the named University of Nottingham impact.
- Run PeopleSoft and Ivanti exposure checks first, because both connect to exploitation or urgent remediation pressure.
- Route Langflow, LangGraph, File Browser, ServiceNow, MongoDB, Spring, IBM i, Chrome, FortiPortal, Keycloak, Snappy, Budibase, and GeoServer items to product owners with confidence labels intact.
- Treat Low / Unverified items as owner-mapping work unless local exposure changes the risk.
All findings are grounded in source collection through 04:55 UTC on 13 June 2026.
Update: Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows
Confidence: Medium
The anonymous security researcher going by the name Chaotic Eclipse (aka Nightmare-Eclipse) has released a proof-of-concept (PoC) exploit for yet another Microsoft Defender zero-day named RoguePlanet. "The exploit is a race condition, so it's a hit or miss," the researcher, who published the exploit
Sources: https://thehackernews.com/2026/06/microsoft-defender-rogueplanet-zero-day.html
Update: CVE-2026-11986 / WID-SEC-2026-1894 - Keycloak admin-ui-ext file manipulation
Confidence: Medium
Confidence: LOW / UNVERIFIED. Classification: NEW. Why promoted: new CERT-Bund Keycloak admin-ui-ext advisory absent from the published-intel exclusion ledger.
Sources: https://access.redhat.com/security/cve/CVE-2026-11986
Update: Budibase CVE-2026-48150 lets workspace builders become global admins
Confidence: Medium
Confidence: LOW / UNVERIFIED. Classification: NEW. Why promoted: new GHSA Budibase advisory absent from the published-intel exclusion ledger. GitHub Advisory Databas
Sources: https://github.com/Budibase/budibase/security/advisories/GHSA-6xp4-cf37-ppjh
Update: UPDATE(patchreleased): LangGraph self-hosted AI-agent flaw chain can reach RCE CVE-2025-67644
Confidence: Medium
Confidence: MEDIUM. Classification: UPDATED(patchreleased). Why promoted: poll sidecar marks materialeventtype=patchreleased; the sweep gives patched package versions.
Update: LangGraph Flaw Chain Exposes Self-Hosted AI Agents to Remote Code Execution CVE-2026-28277
Confidence: Medium
Cybersecurity researchers have disclosed details of three now-patched security flaws impacting LangGraph, including a critical vulnerability chain that could result in remote code execution. LangGraph is an open-source framework created by LangChain to build complex, stateful, and multi-agent artifi
Sources: https://thehackernews.com/2026/06/langgraph-flaw-chain-exposes-self.html
Update: CVE-2026-46643 - Snappy binary path escaping issue
Confidence: Medium
Confidence: LOW / UNVERIFIED. Classification: NEW. Why promoted: new MSRC Snappy advisory absent from the published-intel exclusion ledger. MSRC published a Snappy binary path issue w
Sources: https://github.com/KnpLabs/snappy/releases/tag/v1.7.1
Update: MongoDB CVE-2026-11933 gets BSI and CERT-FR patch routing
Confidence: Medium
Confidence: MEDIUM. Classification: NEW. Why promoted: new BSI/CERT-FR MongoDB advisory pair absent from the published-intel exclusion ledger. BSI CERT-Bund and CERT-FR publish
Sources: https://jira.mongodb.org/browse/SERVER-128125
Update: IBM i CVE-2026-7870 high advisory enters EU owner routing
Confidence: Medium
Confidence: LOW / UNVERIFIED. Classification: NEW. Why promoted: new BSI IBM i advisory absent from the published-intel exclusion ledger. BSI CERT-Bund lists IBM i as high seve
Sources: https://www.ibm.com/support/pages/node/7275756
Update: CVE-2026-46683 - Snappy SSRF and local file read
Confidence: Medium
Confidence: LOW / UNVERIFIED. Classification: NEW. Why promoted: new MSRC Snappy advisory absent from the published-intel exclusion ledger. MSRC published a Snappy issue involving SSRF
Sources: https://github.com/KnpLabs/snappy/releases/tag/v1.7.0
Update: ServiceNow Flaw Exploited to Gain Unauthorized Access to Customer Instances
Confidence: Medium
ServiceNow has warned about a security incident in which unknown threat actors exploited a flaw to obtain deeper unauthorized access to susceptible instances. "On June 5, 2026, ServiceNow applied a security update to hosted customer instances," the company revealed in an advisory that requires custo
Sources: https://thehackernews.com/2026/06/servicenow-flaw-exploited-to-gain.html
Update: CVE-2026-12007 / WID-SEC-2026-1893 - Google Chrome high multi-CVE update
Confidence: Medium
Confidence: LOW / UNVERIFIED. Classification: NEW. Why promoted: new CERT-Bund Chrome advisory absent from the published-intel exclusion ledger. CERT-Bund publis
Sources: https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_01962725236.html
Broad Advisory Owner Queue Leads 12 June Cyber Checks
Finding 1: CVE-2026-10087 - GitLab WID-SEC-2026-1886 / CERTFR-2026-AVI-0733 vulnerability batch
Confidence: Medium
GitLab owners should review the BSI and CERT-FR advisory scope and match affected versions against managed instances. Treat this as a patch-routing item unless local exposure or exploitation evidence changes the priority.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1886 ; https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0733/.
Finding 2: CVE-2026-20251 - Splunk Enterprise WID-SEC-2026-1877 / CERTFR-2026-AVI-0736 patch batch
Confidence: Medium
Splunk Enterprise and SOAR owners should compare affected versions with the BSI, CERT-FR, and SecurityWeek references. Prioritise environments where Splunk has broad log access or automation privileges.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1877 ; https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0736/ ; https://www.securityweek.com/splunk-palo-alto-networks-patch-severe-vulnerabilities/.
Finding 3: CVE-2026-47342 / CVE-2026-50223 - Apache OFBiz template/code injection cluster
Confidence: Low / Unverified
Confirm product presence, exposure, and fixed-version status before wider escalation. The evidence supports advisory review and asset validation, not an active-exploitation claim.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1888.
Finding 4: CVE-2026-53435 - Jenkins WID-SEC-2026-1884 vulnerability batch
Confidence: Low / Unverified
Confirm product presence, exposure, and fixed-version status before wider escalation. The evidence supports advisory review and asset validation, not an active-exploitation claim.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1884.
Finding 5: CVE-2026-48020 - Traefik StripPrefix route-level auth bypass
Confidence: Medium
Traefik routes using StripPrefix and route-level authentication need a configuration review. The immediate check is whether authentication assumptions change after path rewriting.
Sources: https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0738/ ; https://github.com/advisories/GHSA-xf64-8mw2-4gr2.
Finding 6: CVE-2026-50245 - CISA ICS Brickcom Cameras ICSA-26-162-03
Confidence: Low / Unverified
Asset owners should confirm whether the product is present and whether management paths are exposed. Keep the language in validation mode because the daily intelligence does not establish active exploitation.
Sources: https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-03.
Finding 7: CVE-2026-42947 - CISA ICS Naxclow IoT Platform ICSA-26-162-02
Confidence: Low / Unverified
Asset owners should confirm whether the product is present and whether management paths are exposed. Keep the language in validation mode because the daily intelligence does not establish active exploitation.
Sources: https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-02.
Finding 8: CVE-2026-10557 - CISA ICS Yarbo mobile application/cloud infrastructure ICSA-26-162-01
Confidence: Low / Unverified
Asset owners should confirm whether the product is present and whether management paths are exposed. Keep the language in validation mode because the daily intelligence does not establish active exploitation.
Sources: https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-01.
Finding 9: CVE-2026-21837 - HCL Digital Experience OS command injection
Confidence: Low / Unverified
Confirm product presence, exposure, and fixed-version status before wider escalation. The evidence supports advisory review and asset validation, not an active-exploitation claim.
Sources: https://nvd.nist.gov/vuln/detail/CVE-2026-21837.
Finding 10: CVE-2026-46444 - Flowise vector-store CRUD authorization bypass
Confidence: Medium
Flowise deployments should move to 3.1.2 or later and review workspace boundaries. Pay special attention to vector-store APIs and evaluator create or update permissions.
Sources: https://nvd.nist.gov/vuln/detail/CVE-2026-46444 ; https://github.com/advisories/GHSA-hmg2-jjjx-jcp2 ; https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.1.2.
Finding 11: CVE-2026-46480 - Flowise evaluator cross-workspace mass assignment
Confidence: Medium
Flowise deployments should move to 3.1.2 or later and review workspace boundaries. Pay special attention to vector-store APIs and evaluator create or update permissions.
Sources: https://nvd.nist.gov/vuln/detail/CVE-2026-46480 ; https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-wxrr-jp8m-qq7f ; https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.1.2.
Finding 12: CVE-2026-11401 - AWS Advanced Go Wrapper privilege escalation in Aurora PostgreSQL
Confidence: Low / Unverified
Confirm product presence, exposure, and fixed-version status before wider escalation. The evidence supports advisory review and asset validation, not an active-exploitation claim.
Sources: https://github.com/advisories/GHSA-r236-5pc3-3qcp.
Finding 13: CVE-2026-25559 - OpenBullet2 path traversal to file write/delete and possible RCE
Confidence: Medium
OpenBullet2 exposure should be treated cautiously because the items touch file operations, command execution, and job configuration. Start by finding instances through 0.3.2 and removing exposed access.
Sources: https://nvd.nist.gov/vuln/detail/CVE-2026-25559 ; https://www.vulncheck.com/advisories/openbullet2-path-traversal-via-wordlist-endpoint.
Finding 14: CVE-2026-25855 - OpenBullet2 FileProxySource authenticated command execution
Confidence: Low / Unverified
OpenBullet2 exposure should be treated cautiously because the items touch file operations, command execution, and job configuration. Start by finding instances through 0.3.2 and removing exposed access.
Sources: https://nvd.nist.gov/vuln/detail/CVE-2026-25855.
Finding 15: CVE-2026-25856 - OpenBullet2 plain C# job configuration RCE
Confidence: Low / Unverified
OpenBullet2 exposure should be treated cautiously because the items touch file operations, command execution, and job configuration. Start by finding instances through 0.3.2 and removing exposed access.
Sources: https://nvd.nist.gov/vuln/detail/CVE-2026-25856.
Finding 16: CVE-2026-48053 - Kolibri unauthenticated SSRF in RemoteFacilityUserViewset
Confidence: Low / Unverified
Confirm product presence, exposure, and fixed-version status before wider escalation. The evidence supports advisory review and asset validation, not an active-exploitation claim.
Sources: https://github.com/advisories/GHSA-4mj9-pf4r-cqrc.
Finding 17: CVE-2026-21032 - Samsung Assistant SmartHomeWidgetReceiver exported component script execution
Confidence: Low / Unverified
Confirm product presence, exposure, and fixed-version status before wider escalation. The evidence supports advisory review and asset validation, not an active-exploitation claim.
Sources: https://nvd.nist.gov/vuln/detail/CVE-2026-21032.
Finding 18: CVE-2026-48059 - Netty HAProxy TLV parsing memory exhaustion
Confidence: Low / Unverified
Confirm product presence, exposure, and fixed-version status before wider escalation. The evidence supports advisory review and asset validation, not an active-exploitation claim.
Sources: https://github.com/advisories/GHSA-h2qv-fj59-j46j.
Finding 19: CVE-2026-48096 - OpenFGA iterator cache-key delimiter injection
Confidence: Low / Unverified
Confirm product presence, exposure, and fixed-version status before wider escalation. The evidence supports advisory review and asset validation, not an active-exploitation claim.
Sources: https://github.com/advisories/GHSA-8396-jffm-qx4w.
Finding 20: CVE-2026-46490 - samlify XML injection in signed SAML assertions
Confidence: Medium
Teams using samlify should upgrade to 2.13.0 or later and review SAML attribute-to-role mapping. The concern is signed assertion handling, so identity impact depends on deployment context.
Sources: https://nvd.nist.gov/vuln/detail/CVE-2026-46490 ; https://github.com/advisories/GHSA-34r5-q4jw-r36m.
Finding 21: CVE-2026-49233 - Routinator rsync cache path traversal
Confidence: Medium
Routinator operators should upgrade to 0.15.2 and check rsync, RRDP, and API exposure. These items matter because RPKI tooling sits close to routing trust decisions even when the immediate impact is cache traversal or crashes.
Sources: https://www.nlnetlabs.nl/news/2026/Jun/08/routinator-0.15.2-released/ ; https://nvd.nist.gov/vuln/detail/CVE-2026-49233.
Finding 22: CVE-2026-40519 - Nginx Proxy Manager authenticated command injection in setupCertbotPlugins()
Confidence: Medium
Nginx Proxy Manager administrators should inventory versions 2.9.14 through 2.15.1 and restrict certificate-management permissions. Authenticated command injection belongs in the admin-plane queue.
Sources: https://nvd.nist.gov/vuln/detail/CVE-2026-40519 ; https://github.com/advisories/GHSA-4pgp-q8h4-9wxm ; https://github.com/NginxProxyManager/nginx-proxy-manager/commit/a5db5ed156355e3088e7d1ceb0533d4bae922def.
Finding 23: CVE-2026-49234 - Routinator API crash on crafted select-asn string
Confidence: Medium
Routinator operators should upgrade to 0.15.2 and check rsync, RRDP, and API exposure. These items matter because RPKI tooling sits close to routing trust decisions even when the immediate impact is cache traversal or crashes.
Sources: https://www.nlnetlabs.nl/news/2026/Jun/08/routinator-0.15.2-released/ ; https://nvd.nist.gov/vuln/detail/CVE-2026-49234.
Finding 24: CVE-2026-49235 - Routinator RRDP DTD crash
Confidence: Medium
Routinator operators should upgrade to 0.15.2 and check rsync, RRDP, and API exposure. These items matter because RPKI tooling sits close to routing trust decisions even when the immediate impact is cache traversal or crashes.
Sources: https://www.nlnetlabs.nl/news/2026/Jun/08/routinator-0.15.2-released/ ; https://nvd.nist.gov/vuln/detail/CVE-2026-49235.
Finding 25: CVE-2026-48681 / CVE-2026-46447 / CVE-2026-44917 - OpenStack Ironic conductor file overwrite, boot script injection, and PXE template file read
Confidence: Medium
Private-cloud teams should patch Ironic packages under Ubuntu USN-8421-1 and review conductor integrity. The cluster spans file overwrite, boot script injection, and PXE template file read paths.
Sources: https://ubuntu.com/security/notices/USN-8421-1 ; https://nvd.nist.gov/vuln/detail/CVE-2026-48681.
Finding 26: CVE-2026-11555 - D-Link DGS-1100-08PD web interface least-privilege violation
Confidence: Low / Unverified
Asset owners should confirm whether the product is present and whether management paths are exposed. Keep the language in validation mode because the daily intelligence does not establish active exploitation.
Sources: https://nvd.nist.gov/vuln/detail/CVE-2026-11555.
Finding 27: CVE-2026-52849 - MATE Desktop Atril EPUB parsing RCE
Confidence: Low / Unverified
Endpoint and application owners should track vendor remediation and reduce exposure to untrusted content or authenticated export paths. The evidence is single-source here, so do not overstate operational impact.
Sources: http://www.zerodayinitiative.com/advisories/ZDI-26-360/.
Finding 28: CVE-2026-8916 - Samsung rlottie numeric truncation RCE
Confidence: Low / Unverified
Endpoint and application owners should track vendor remediation and reduce exposure to untrusted content or authenticated export paths. The evidence is single-source here, so do not overstate operational impact.
Sources: http://www.zerodayinitiative.com/advisories/ZDI-26-359/.
Finding 29: CVE-2026-11442 - Allegra exportReport directory traversal information disclosure
Confidence: Low / Unverified
Endpoint and application owners should track vendor remediation and reduce exposure to untrusted content or authenticated export paths. The evidence is single-source here, so do not overstate operational impact.
Sources: http://www.zerodayinitiative.com/advisories/ZDI-26-357/.
Why This Matters
This is a breadth problem. Security teams have to route GitLab, Splunk, Traefik, Flowise, OpenBullet2, samlify, Routinator, Nginx Proxy Manager, and OpenStack Ironic without turning every single-source advisory into an incident claim.
The evidence depth is uneven. Medium-confidence items have stronger advisory support or fixed-version anchors. LOW / UNVERIFIED items still deserve an inventory check, but the public posture should stay measured until more confirmation appears.
Recommended Actions
- Assign owners for GitLab, Splunk, Traefik, Flowise, OpenBullet2, samlify, Routinator, Nginx Proxy Manager, and OpenStack Ironic.
- Confirm exposed management or API paths before escalating LOW / UNVERIFIED items.
- Patch or upgrade where fixed versions are named, including Flowise 3.1.2, samlify 2.13.0, and Routinator 0.15.2.
- Keep CISA ICS, D-Link, endpoint, and ZDI application rows in validation queues unless asset presence and exposure are confirmed.
All findings are grounded in a13e intelligence sweeps through 04:55 UTC on 12 June 2026.
Update: CISA tells govt agencies to patch critical exploited flaws in 3 days
Confidence: Medium
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced a new Binding Operational Directive, 26-04, that prioritizes security updates for Federal Civilian Executive Branch (FCEB) agencies. [...]
Sources: https://www.bleepingcomputer.com/news/security/cisa-tells-govt-agencies-to-patch-critical-exploited-flaws-in-3-days/
Update: Max severity Ivanti Sentry vulnerability now exploited in attacks
Confidence: Medium
Attackers are now targeting a recently patched maximum-severity flaw in Ivanti Sentry, enabling them to execute code with root privileges on Internet-exposed secure mobile gateways. [...]
Sources: https://www.bleepingcomputer.com/news/security/max-severity-ivanti-sentry-vulnerability-now-exploited-in-attacks/
Update: ‘GreatXML’ Zero-Day Exploit Bypasses BitLocker
Confidence: Medium
The PoC exploits Microsoft Defender’s offline scan to spawn a SYSTEM shell when rebooting in Recovery Mode.
Sources: https://www.securityweek.com/greatxml-zero-day-exploit-bypasses-bitlocker/
Update: WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine CVE-2025-8088
Confidence: Medium
Two Russia-aligned cyber attack campaigns have continued to exploit a security flaw in WinRAR to target Ukrainian organisations, almost a year after patches for the vulnerability were released. The activity has been attributed by Trend Micro to Earth Dahu (aka Gamaredon) and SHADOW-EARTH-066 (aka UA Known Exploited (CISA KEV).
Sources: https://thehackernews.com/2026/06/winrar-flaw-exploited-by-russia-aligned.html
Update: June 2026 Patch Tuesday: Microsoft Patches 206 Vulnerabilities Including Three Publicly Disclosed Zero-Days
Confidence: Medium
Route to the relevant asset owner for patch evidence.
Sources: https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-june-2026/
Update: Cisco customers encounter another SD-WAN zero-day under attack
Confidence: Medium
The defect marks the seventh actively exploited zero-day in Cisco SD-WANs this year, and the vendor has yet to release a patch.
Sources: https://cyberscoop.com/cisco-sdwan-zero-day-vulnerability-exploited-cve202620245/
Ivanti Sentry CVE-2026-10520 - Security Appliance Patch Routing Leads 11 June Triage
Finding 1: Ivanti Sentry critical vulnerability cluster - CVE-2026-10520 / WID-SEC-2026-1841
Confidence: Medium
BSI, The Register, and SecurityWeek coverage put Ivanti Sentry at the front of the day. The action is narrow: identify Sentry owners, patch affected systems, and confirm whether any management plane is exposed to networks that should not reach it.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1841 ; https://www.theregister.com/patches/2026/06/10/ivanti-urges-sentry-users-to-patch-two-critical-bugs/5253428 ; https://www.securityweek.com/critical-vulnerabilities-patched-in-fortinet-ivanti-products/.
Finding 2: Fortinet FortiSandbox command execution - CVE-2026-25089 / WID-SEC-2026-1836
Confidence: Low / Unverified
The FortiSandbox item is single-source in this package, so keep the language restrained. Security-processing environments should still check inventory and fixed-version status because sandbox infrastructure often sits close to mail, file, and detonation workflows.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1836.
Finding 3: Adobe ColdFusion and Experience Manager updates - CVE-2026-47928 / CVE-2026-34691
Confidence: Low / Unverified
ColdFusion and Experience Manager should be routed to web-tier owners, especially where the applications are externally reachable. The evidence supports patch and exposure checks, not exploitation claims.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1858 ; https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1857.
Finding 4: Lenovo ThinkPad firmware/platform vulnerabilities - CVE-2026-20452 / WID-SEC-2026-1864
Confidence: Low / Unverified
This is an endpoint-platform compliance task. Map affected ThinkPad models, then confirm firmware and platform updates through the endpoint-management tool rather than relying on OS patch status.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1864.
Finding 5: Zoom Workplace privilege escalation - CVE-2026-53407 / WID-SEC-2026-1839
Confidence: Low / Unverified
Zoom Workplace updates belong with managed-client owners. Give priority to administrator endpoints and high-risk user groups where local privilege escalation would have a larger blast radius.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1839.
Finding 6: CERT-EU Windows Netlogon critical advisory - CERT-EU 2026-007
Confidence: Low / Unverified
CERT-EU places Windows Netlogon into the domain-controller queue. Reconcile it against existing Microsoft patch evidence and make sure domain-controller owners can show deployment status.
Sources: https://cert.europa.eu/publications/security-advisories/2026-007/.
Finding 7: FreeBSD WID-SEC-2026-1871 / CVE-2026-10846 cluster
Confidence: Medium
BSI and CERT-FR both surfaced the FreeBSD cluster, raising confidence above single-source items. Route it to appliance, storage, jail-host, and FreeBSD platform owners for version checks.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1871 ; https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0716/.
Finding 8: BSI Kernel WID-SEC-2026-1870 / CVE-2026-46316 cluster
Confidence: Low / Unverified
The kernel item should be handled as server and container-host hygiene. There is no exploitation proof in the daily intelligence, so focus on baseline routing and maintenance windows.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1870.
Finding 9: NCSC-NL Veeam Backup & Replication NCSC-2026-0188
Confidence: Low / Unverified
Backup platforms are resilience-critical even when the evidence is still unverified. Confirm whether NCSC-2026-0188 maps to deployed Veeam Backup and Replication versions, then assign a patch window.
Sources: https://advisories.ncsc.nl/advisory?id=NCSC-2026-0188.
Finding 10: Palo Alto Cortex XSOAR/XSIAM CVE-2026-0274 integration credential validation flaw
Confidence: Low / Unverified
The Palo Alto Cortex XSOAR/XSIAM item concerns CommvaultSecurityIQ integration credential validation. Review whether the integration is deployed, what credentials it holds, and whether scopes are wider than needed.
Sources: https://security.paloaltonetworks.com/CVE-2026-0274.
Finding 11: PAN-OS CVE-2026-0269 tunnel-traffic DoS
Confidence: Low / Unverified
PAN-OS CVE-2026-0269 is a tunnel-traffic denial-of-service item. Firewall owners should check authenticated tunnel exposure and maintenance-mode risk before broad escalation.
Sources: https://security.paloaltonetworks.com/CVE-2026-0269.
Finding 12: PAN-OS CVE-2026-0273 authenticated admin command injection
Confidence: Low / Unverified
PAN-OS CVE-2026-0273 sits on the authenticated administration path. Reduce shared admin-plane access and patch eligible firewalls, especially where administrator access is broad.
Sources: https://security.paloaltonetworks.com/CVE-2026-0273.
Finding 13: Go Restful API Boilerplate CVE-2026-48031 hardcoded JWT secret
Confidence: Low / Unverified
The hardcoded JWT secret risk is mainly a codebase discovery task. Search for deployed boilerplate use and rotate secrets where teams inherited defaults.
Sources: https://github.com/advisories/GHSA-mqq6-462x-jxmm.
Finding 14: @hulumi/policies CVE-2026-48032 IAM-role policy bypass
Confidence: Low / Unverified
This Pulumi policy-bypass item should go to IaC platform owners. Validate assumptions around IAM-role restrictions and do not assume policy packs catch every deployment route.
Sources: https://github.com/advisories/GHSA-g759-4pxw-6692.
Finding 15: @hulumi/policies CVE-2026-48033 forged Pulumi-URN policy bypass
Confidence: Low / Unverified
The forged Pulumi-URN bypass item needs a separate policy review. Checks that trust logical names or URNs should be tested against the advisory conditions.
Sources: https://github.com/advisories/GHSA-rhgj-6g2c-frmm.
Finding 16: Claude Code Action CVE-2026-47751 malicious MCP config RCE path
Confidence: Low / Unverified
CI and agent workflows need a configuration review. The concern is PR-controlled MCP server configuration, so restrict who can influence agent runtime settings and inspect affected pipelines.
Sources: https://github.com/advisories/GHSA-8q5r-mmjf-575q.
Finding 17: vLLM CVE-2026-47155 artifact-pinning weakness
Confidence: Low / Unverified
vLLM deployments should be checked for code, weight, and configuration artifact drift. Treat this as AI platform supply-chain hygiene unless stronger exploitation evidence appears.
Sources: https://github.com/advisories/GHSA-3ww4-5jv9-j5gm.
Finding 18: OpenTelemetry Operator CVE-2026-47701 bearerTokenFile arbitrary reads
Confidence: Low / Unverified
Kubernetes teams should inspect ServiceMonitor resources that use bearerTokenFile. The practical check is whether sensitive paths can be read through monitoring configuration.
Sources: https://github.com/advisories/GHSA-cxh2-4639-vmc5.
Finding 19: Keycloak CVE-2026-9704 identity queue item
Confidence: Low / Unverified
Identity teams should track vendor remediation and assess low-privilege authenticated exposure. Keep the item in validation language until stronger confirmation is available.
Sources: https://nvd.nist.gov/vuln/detail/CVE-2026-9704.
Finding 20: GitHub npm registry security-control changes
Confidence: Low / Unverified
GitHub npm registry control changes are not a vulnerability patch, but they affect maintainer 2FA, tokens, provenance, and CI publishing. Package owners should map the changes to their release process.
Sources: https://www.bleepingcomputer.com/news/security/github-announces-npm-security-changes-to-tackle-supply-chain-attacks/.
Finding 21: CVE-2026-27220 / ZDI-26-355 - Adobe Acrobat Reader DC Annotation use-after-free RCE
Confidence: Low / Unverified
Document-handling endpoints should be prioritised because the ZDI item concerns Acrobat Reader DC Annotation use-after-free RCE. Focus first on users who process untrusted PDFs.
Sources: http://www.zerodayinitiative.com/advisories/ZDI-26-355/.
Finding 22: CVE-2026-49396 / GHSA-8qhj-4f8c-j8qg - Nezha cross-site GET stored cron-command trigger
Confidence: Low / Unverified
Teams running Nezha or exposed monitoring panels should review cron and job controls. The item is unverified in this package, so start with product and exposure confirmation.
Sources: https://github.com/advisories/GHSA-8qhj-4f8c-j8qg.
Finding 23: CVE-2026-47768 / GHSA-9pg3-25fq-p6cc - nebula-mesh operator API key redirect exposure
Confidence: Low / Unverified
The operator API key redirect exposure calls for key rotation where exposure is confirmed. Review logs for Referer leakage before deciding whether incident handling is needed.
Sources: https://github.com/advisories/GHSA-9pg3-25fq-p6cc.
Update: Progress Kemp LoadMaster edge-appliance RCE - CVE-2026-8037
Confidence: Low / Unverified
Previously covered 10 June 2026; today's delta: ZDI visibility and severity-change materiality keep LoadMaster in the edge-appliance queue.
Progress Kemp LoadMaster remains an update, not a fresh lead. Edge teams should verify inventory, management-plane exposure, and vendor fix status before treating this as an incident claim.
Sources: Zero Day Initiative ZDI-26-342.
Why This Matters
This is an owner-assignment day. The risk is not only one critical edge appliance; it is the chance that security appliances, backup systems, identity services, developer agents, document handlers, and package controls all wait for someone else to route the work.
The evidence depth is uneven. Ivanti Sentry and FreeBSD have multi-source support, while many GHSA, NVD, ZDI, BSI, NCSC-NL, Palo Alto, and CERT-EU rows remain LOW / UNVERIFIED. That means the right response is disciplined triage: product match, exposure check, fixed-version evidence, then escalation only where the asset is present and reachable.
Recommended Actions
- Validate exposed edge and security platforms first: Ivanti Sentry, FortiSandbox, PAN-OS, Cortex integrations, and Progress Kemp LoadMaster.
- Reconcile identity and resilience items: CERT-EU Netlogon, Keycloak, Veeam, and OpenTelemetry bearerTokenFile exposure.
- Patch managed endpoint and document-handler surfaces: Adobe Acrobat, ColdFusion, Experience Manager, Lenovo firmware, and Zoom Workplace.
- Audit developer and AI supply-chain controls: Claude Code Action MCP configuration, vLLM artifact pinning, npm publishing changes, Go JWT boilerplate, and Pulumi policy bypasses.
- Keep LOW / UNVERIFIED items in validation language. Do not turn single-source advisories into exploitation claims.
All findings grounded in a13e intelligence sweeps through 04:55 UTC 11 June 2026.
Update: Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows
Confidence: Medium
The anonymous security researcher going by the name Chaotic Eclipse (aka Nightmare-Eclipse) has released a proof-of-concept (PoC) exploit for yet another Microsoft Defender zero-day named RoguePlanet. "The exploit is a race condition, so it's a hit or miss," the researcher, who published the exploit
Sources: https://thehackernews.com/2026/06/microsoft-defender-rogueplanet-zero-day.html
Update: Microsoft ships largest Patch Tuesday on record, with one bug under active attack
Confidence: Medium
The release comes after Microsoft’s security leadership acknowledged last month that AI tools are driving a surge in vulnerability discovery across the industry.
Sources: https://therecord.media/microsoft-ships-largest-patch-tuesday-on-record
Update: Microsoft patches Exchange Server zero-day exploited in attacks
Confidence: Medium
Microsoft has patched an actively exploited Exchange Server vulnerability that allows threat actors to execute arbitrary JavaScript code in cross-site scripting (XSS) attacks targeting Outlook Web Access users. [...]
Sources: https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-exchange-server-zero-day-exploited-in-attacks/
Update: Microsoft Defender 'RoguePlanet' zero-day grants SYSTEM privileges
Confidence: Medium
A security researcher has released a new Microsoft Defender zero-day exploit named "RoguePlanet" just hours after Microsoft fixed two previously disclosed flaws during June 2026 Patch Tuesday. [...]
Sources: https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-rogueplanet-zero-day-grants-system-privileges/
Update: Microsoft patches YellowKey, GreenPlasma, MiniPlasma zero-days
Confidence: Medium
On Tuesday, Microsoft patched two zero-day vulnerabilities that let attackers gain SYSTEM privileges on fully patched Windows systems, and a third one that grants access to BitLocker-protected drives. [...]
Sources: https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-yellowkey-greenplasma-miniplasma-zero-days/
Update: WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine CVE-2025-8088
Confidence: Medium
Two Russia-aligned cyber attack campaigns have continued to exploit a security flaw in WinRAR to target Ukrainian organisations, almost a year after patches for the vulnerability were released. The activity has been attributed by Trend Micro to Earth Dahu (aka Gamaredon) and SHADOW-EARTH-066 (aka UA
Known Exploited (CISA KEV).
Sources: https://thehackernews.com/2026/06/winrar-flaw-exploited-by-russia-aligned.html
Update: ServiceNow Patches Vulnerability Exploited Against Some Customers
Confidence: Medium
The company updated hosted customer instances to patch a security issue it reportedly had known about since April 7.
Sources: https://www.securityweek.com/servicenow-patches-vulnerability-exploited-against-some-customers/
Update: June 2026 Patch Tuesday: Microsoft Patches 206 Vulnerabilities Including Three Publicly Disclosed Zero-Days
Confidence: Medium
Route to the relevant asset owner for patch evidence.
Sources: https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-june-2026/
Update: Critical Vulnerabilities Patched in Fortinet, Ivanti Products
Confidence: Medium
Two OS command injection flaws can be exploited remotely, without authentication, for arbitrary code execution.
Sources: https://www.securityweek.com/critical-vulnerabilities-patched-in-fortinet-ivanti-products/
Update: ServiceNow Flaw Exploited to Gain Unauthorized Access to Customer Instances
Confidence: Medium
ServiceNow has warned about a security incident in which unknown threat actors exploited a flaw to obtain deeper unauthorized access to susceptible instances. "On June 5, 2026, ServiceNow applied a security update to hosted customer instances," the company revealed in an advisory that requires custo
Sources: https://thehackernews.com/2026/06/servicenow-flaw-exploited-to-gain.html
Update: Cisco customers encounter another SD-WAN zero-day under attack
Confidence: Medium
The defect marks the seventh actively exploited zero-day in Cisco SD-WANs this year, and the vendor has yet to release a patch.
Sources: https://cyberscoop.com/cisco-sdwan-zero-day-vulnerability-exploited-cve202620245/
Microsoft Kerberos KDC CVE-2026-47288 - Patch Tuesday Identity Queue Leads 10 June Triage
Finding 1: Microsoft Kerberos KDC RCE / Windows identity cluster - CVE-2026-47288
Confidence: Medium
MSRC and NCSC-NL place this item in the identity maintenance queue. Prioritise domain controllers and authentication infrastructure, then capture owner, maintenance window, and patch evidence.
Sources: Microsoft Security Response Centre CVE-2026-47288 and NCSC-NL NCSC-2026-0181.
Finding 2: Microsoft Windows patch batch - CVE-2026-42904 / NCSC-2026-0181
Confidence: Medium
NCSC-NL and MSRC coverage make this a broad Windows evidence task, not a generic Patch Tuesday note. Server, endpoint, and domain-controller owners should show patch status rather than relying on calendar-based assumptions.
Sources: NCSC-NL NCSC-2026-0181 and Microsoft Security Response Centre CVE-2026-42904.
Finding 3: Microsoft SharePoint Server RCE - CVE-2026-47298
Confidence: Medium
On-prem SharePoint farms need a named patch owner. Confirm externally reachable sites first, then internal collaboration farms where delayed maintenance is common.
Sources: Microsoft Security Response Centre CVE-2026-47298.
Finding 4: Microsoft Office patch batch - CVE-2026-45467 / NCSC-2026-0182
Confidence: Medium
Office updates should be checked for higher-risk user groups such as finance, legal, executives, and heavy document-exchange roles. The useful control is rollout evidence, not broad user messaging.
Sources: NCSC-NL NCSC-2026-0182 and Microsoft Security Response Centre CVE-2026-45467.
Finding 5: Microsoft Developer Tools patch batch - CVE-2026-47287 / NCSC-2026-0184
Confidence: Medium
Developer tooling sits outside many endpoint patch dashboards. Engineering workstations, build images, and shared toolchain hosts should be checked separately.
Sources: NCSC-NL NCSC-2026-0184 and Microsoft Security Response Centre CVE-2026-47287.
Finding 6: strongSwan CVE-2026-47895 code execution
Confidence: Medium
BSI and CERT-FR both surfaced this VPN/IPsec advisory. Route it to VPN owners for fixed-version validation and prioritise gateways with wider network reach.
Sources: BSI CERT-Bund WID-SEC-2026-1832 and CERT-FR CERTFR-2026-AVI-0709.
Finding 7: Apache HTTP Server WID-SEC-2026-1824 / CVE-2026-29167 cluster
Confidence: Medium
Internet-facing Apache servers need patch-state validation and change-window planning. Use the BSI and CERT-FR references to map the issue to platform teams rather than opening one undifferentiated web ticket.
Sources: BSI CERT-Bund WID-SEC-2026-1824 and CERT-FR CERTFR-2026-AVI-0710.
Finding 8: Fortinet FG-IR-26-141 command-injection advisory
Confidence: Medium
Fortinet PSIRT published FG-IR-26-141 for command injection via start VNC JSON input. Check Fortinet asset ownership, management-plane exposure, and fixed-version guidance.
Sources: Fortinet PSIRT FG-IR-26-141.
Finding 9: Siemens KACO Blueplanet / Siemens products cluster - CVE-2025-40946
Confidence: Medium
NCSC-NL and CISA ICS coverage make this an OT product matching task. Ask plant, facilities, or energy-system owners whether Siemens KACO Blueplanet assets are deployed and remotely managed.
Sources: NCSC-NL NCSC-2026-0187 and CISA ICSA-26-160-02.
Finding 10: SAP NetWeaver and Commerce Cloud June critical fixes
Confidence: Low / Unverified
BleepingComputer reports critical SAP June fixes affecting NetWeaver and Commerce Cloud. Route this to ERP and e-commerce owners for patch confirmation, but avoid exploitation language unless SAP or another primary source confirms it.
Sources: BleepingComputer.
Finding 11: Progress Kemp LoadMaster RCE - CVE-2026-8037
Confidence: Low / Unverified
ZDI published a LoadMaster advisory for CVE-2026-8037. Edge-appliance teams should check inventory, management-plane exposure, and vendor fix status.
Sources: Zero Day Initiative ZDI-26-342.
Finding 12: Keycloak CVE-2026-11577 / WID-SEC-2026-1821 administrator-rights advisory
Confidence: Low / Unverified
BSI marked the Keycloak advisory as unpatched in today's intelligence. Inventory Keycloak instances now, especially admin-facing deployments, and watch vendor remediation before wider escalation.
Sources: BSI CERT-Bund WID-SEC-2026-1821.
Finding 13: Checkmk CVE-2026-7186 / WID-SEC-2026-1817 XSS advisory
Confidence: Low / Unverified
Monitoring platforms can hold privileged operational views. Assign the item to the monitoring-platform owner and validate fixed version and administrator exposure.
Sources: BSI CERT-Bund WID-SEC-2026-1817.
Finding 14: shell-quote CVE-2026-9277 newline escaping issue
Confidence: Low
The useful test is whether shell-quote output reaches shell command construction. Escalate those paths first and leave non-executable display-only uses for normal dependency hygiene.
Sources: GitHub Security Advisory GHSA-w7jw-789q-3m8p and Ubuntu USN-8410-1.
Finding 15: FortiOS CVE-2025-57740 heap-based buffer overflow
Confidence: Low / Unverified
NVD has the FortiOS 7.6.2 record, but today's evidence is single-source. Confirm applicability with Fortinet owners before treating it as a broad edge emergency.
Sources: NVD CVE-2025-57740.
Finding 16: File Browser CVE-2026-32759/CVE-2026-35585 exposure
Confidence: Low / Unverified
Find exposed File Browser deployments before escalating severity. File-management tools are risky when internet-facing or admin-facing, but this item needs product and exposure confirmation first.
Sources: NVD CVE-2026-32759 and CVE-2026-35585.
Finding 17: Schneider Electric EcoStruxure Panel Server - CVE-2026-6866 / ICSA-26-160-03
Confidence: Low / Unverified
CISA ICS published the advisory, so OT teams should check product and version match. Prioritise management-plane exposure over generic OT concern.
Sources: CISA ICSA-26-160-03.
Finding 18: Schneider Electric Modicon managed switches - CVE-2024-3596 / ICSA-26-160-01
Confidence: Low / Unverified
Network diagrams and OT switch inventories should be checked for affected Modicon managed switches. Keep the request narrow: product, version, and management access.
Sources: CISA ICSA-26-160-01.
Finding 19: UK-facing Microsoft Patch Tuesday owner-mapping context
Confidence: Low / Unverified
UK coverage adds useful context, but the action is to join that coverage to MSRC product records. Do that before sending customer-specific statements.
Sources: The Register.
Finding 20: Microsoft Defender RoguePlanet zero-day grants SYSTEM privileges
Confidence: Medium
A Microsoft Defender zero-day tracked as RoguePlanet is reported as actively exploited and grants SYSTEM privileges on affected hosts. Treat this as a priority endpoint-security item: confirm Defender platform and engine versions, prioritise unmanaged and high-value hosts, and capture update evidence rather than assuming managed rollout reached every device.
Sources: BleepingComputer.
Finding 21: Adobe Acrobat Reader DC information-disclosure advisories - CVE-2026-47924 / CVE-2026-47923
Confidence: Low / Unverified
ZDI published two Adobe Acrobat Reader DC information-disclosure advisories, ZDI-26-346 (CVE-2026-47924) and ZDI-26-344 (CVE-2026-47923), both rated CVSS 3.3. Each needs a user to open a malicious file or visit a malicious page, and no exploitation is reported. Fold these into normal Acrobat patch hygiene for document-handling user groups.
Sources: Zero Day Initiative ZDI-26-346 and ZDI-26-344.
Finding 22: X.Org Server CheckSetGeom information disclosure - CVE-2026-34000
Confidence: Low / Unverified
ZDI published an X.Org Server information-disclosure advisory, ZDI-26-334 (CVE-2026-34000), rated CVSS 6.1, requiring local low-privileged code execution first. Route it to Linux and workstation owners running X.Org: confirm affected versions on shared and multi-user hosts and fold it into normal patching.
Sources: Zero Day Initiative ZDI-26-334.
Update: Google Chrome zero-day CVE-2026-11645 exploited in the wild
Confidence: Medium
Today's delta: CVE-2026-11645 is Known Exploited, added to the CISA KEV catalogue on 9 June 2026 as a Chromium V8 out-of-bounds read and write flaw. CVE-2026-11628 is the companion fix in the same Chrome update and is not in KEV. Validate browser update compliance and prioritise unmanaged endpoints.
Sources: CISA KEV catalogue, BSI CERT-Bund WID-SEC-2026-1819, SecurityWeek, and BleepingComputer.
Update: Cisco Catalyst SD-WAN zero-day CVE-2026-20245 under attack
Confidence: Medium
Today's delta: CVE-2026-20245 is Known Exploited, added to the CISA KEV catalogue on 9 June 2026 with a 23 June federal remediation deadline. It is a Cisco Catalyst SD-WAN Manager output-encoding flaw and the seventh actively exploited SD-WAN zero-day this year, with no vendor patch yet. Route to network and edge owners: confirm SD-WAN Manager exposure, restrict management-plane access, and apply Cisco mitigations as they ship.
Sources: CISA KEV catalogue and CyberScoop.
Update: Veeam Backup & Replication CVE-2026-44963 RCE
Confidence: Medium
Today's delta: patch-released status moves backup servers into fixed-version validation; check management exposure and backup-administrator access.
Sources: BSI CERT-Bund WID-SEC-2026-1834, CERT-FR CERTFR-2026-AVI-0712, and BleepingComputer.
Update: Check Point Security Gateway VPN CVE-2026-50751 / Qilin reporting
Confidence: Medium
Today's delta: CVE-2026-50751 is Known Exploited, added to the CISA KEV catalogue on 8 June 2026 with a three-day federal remediation deadline. It is an IKEv1 improper-authentication flaw that lets an unauthenticated remote attacker establish a VPN connection without valid credentials. Patch-released status and ransomware-linked reporting justify a separate VPN edge ticket; keep it separate from other Check Point CVE queues.
Sources: CISA KEV catalogue, SecurityWeek, and BleepingComputer.
Update: WinRAR CVE-2025-8088 exploitation by Russia-aligned groups
Confidence: Medium
Today's delta: CVE-2025-8088 is Known Exploited, in the CISA KEV catalogue since 12 August 2025, a WinRAR path-traversal flaw now tied to Russia-aligned exploitation. Endpoint teams should look for stale installs and archive-handling exposure.
Sources: CISA KEV catalogue, The Hacker News, and NVD CVE-2025-8088.
Update: Shai-Hulud PyPI package trojanisation
Confidence: Low / Unverified
Today's delta: reported reach widened to 19 science-focused packages; research, science, and ML teams should compare package locks and CI installs with the published list.
Sources: BleepingComputer.
Update: Hades PyPI campaign
Confidence: Low / Unverified
Today's delta: 19 poisoned packages were reported; check package locks, developer endpoints, and CI logs where those package names appear.
Sources: The Hacker News.
Update: TeamPCP supply-chain campaign
Confidence: Low / Unverified
Today's delta: activity remains relevant through 07 June 2026; keep it in developer and package telemetry review.
Sources: SANS ISC.
Update: Proofpoint UNKDeadDrop developer phishing campaign
Confidence: Low / Unverified
Today's delta: developer-focused phishing detail adds repository-lure and cryptocurrency-theft relevance; extract Proofpoint indicators for email and developer telemetry.
Sources: Proofpoint.
Update: Linux kernel CVE-2026-23111 local-root item
Confidence: Low / Unverified
Today's delta: public exploit and patch-routing pressure make shared Linux hosts, CI runners, developer workstations, and bastions the first review targets.
Sources: NVD CVE-2026-23111.
Update: PHPSpreadsheet CVE-2026-45034 patch bypass
Confidence: Low / Unverified
Today's delta: applications parsing untrusted spreadsheets should confirm package remediation and prioritise file-ingestion paths.
Sources: GitHub Security Advisory GHSA-5pgg-2g8v-p4x9.
Update: SymfonyRuntime CVE-2026-47767 patch bypass
Confidence: Low / Unverified
Today's delta: SymfonyRuntime users should validate patched versions where web requests can influence runtime environment handling.
Sources: GitHub Security Advisory GHSA-fqc7-9xjw-jrh3.
Why This Matters
This is a routing day, not a single-vendor panic. Microsoft identity and Windows patch evidence sit at the front, but the same 24-hour window also creates work for ERP, backup, VPN/browser, Apache, strongSwan, Fortinet, Kemp, OT, and developer dependency owners.
The practical risk is missed ownership. A single patch calendar will not cover domain controllers, on-prem SharePoint, SAP, Veeam, OT panels, edge appliances, Python and PHP packages, and developer phishing telemetry. Each needs a named owner and a narrow exposure question.
Recommended Actions
- Treat the actively exploited zero-days as immediate: Cisco Catalyst SD-WAN CVE-2026-20245 (KEV), Microsoft Defender RoguePlanet, Google Chrome CVE-2026-11645 (KEV), Check Point CVE-2026-50751 (KEV), and WinRAR CVE-2025-8088 (KEV).
- Treat Microsoft Kerberos KDC CVE-2026-47288, Windows, SharePoint, Office, and developer-tool updates as a coordinated Patch Tuesday evidence request.
- Confirm SAP, Veeam, Chrome, Check Point VPN, and WinRAR patch state before broadening incident language.
- Route strongSwan, Apache, Fortinet, Kemp, Siemens, and Schneider Electric items to asset owners for product, version, and exposure checks.
- Keep LOW / UNVERIFIED findings in validation language. Do not turn single-source advisories into exploitation claims.
- Review developer and package surfaces for Shai-Hulud, Hades, TeamPCP, UNKDeadDrop, PHPSpreadsheet, SymfonyRuntime, shell-quote, and Linux CVE-2026-23111 indicators.
All findings grounded in a13e intelligence sweeps through 05:15 UTC 10 June 2026.
BerriAI LiteLLM CVE-2026-42271 KEV Listing Leads AI Gateway Triage
Finding 1: BerriAI LiteLLM CVE-2026-42271 is now KEV-listed
Confidence: Medium
CISA KEV confirms exploitation of CVE-2026-42271 in BerriAI LiteLLM. Treat LiteLLM and AI gateway or proxy deployments as P1: identify exposed instances, prioritise internet-facing or multi-tenant deployments, and track fixed versions or compensating controls.
Sources: CISA KEV.
Finding 2: Kemp LoadMaster CVE-2026-33691 enters edge patch routing
Confidence: Low
BSI CERT-Bund published WID-SEC-2026-1812 for Kemp/Progress LoadMaster. Edge and network teams should confirm exposed ADC or load-balancer deployments and validate fixed-version guidance.
Sources: BSI CERT-Bund WID-SEC-2026-1812.
Finding 3: Netty CVE-2026-44250 opens Java dependency review
Confidence: Low
BSI published WID-SEC-2026-1814 for Netty. Java owners should query SBOMs and package manifests first, because Netty exposure usually appears through application dependencies rather than a single server product.
Sources: BSI CERT-Bund WID-SEC-2026-1814.
Finding 4: VMware Cloud Foundation Operations CVE-2026-41722 needs management-plane review
Confidence: Low
BSI published a high-severity advisory for VMware Cloud Foundation Operations. Virtualisation and operations owners should confirm whether management consoles are exposed to broad admin populations.
Sources: BSI CERT-Bund WID-SEC-2026-1813.
Finding 5: rclone CVE-2026-49980 reaches backup and sync queues
Confidence: Low
BSI added rclone CVE-2026-49980. Inventory endpoints, CI runners, backup jobs, and admin workstations where rclone may sit outside central server CMDBs.
Sources: BSI CERT-Bund WID-SEC-2026-1811.
Finding 6: Check Point Remote/Mobile Access VPN CVE-2026-50751 has fixed-build advisory coverage
Confidence: Low
NCSC-NL published NCSC-2026-0179 for fixed Check Point Remote and Mobile Access VPN vulnerabilities. VPN and edge teams should validate fixed builds and keep this ticket separate from the older Qilin-linked Check Point thread.
Sources: NCSC-NL NCSC-2026-0179.
Finding 7: Laravel CVE-2026-48041 has BSI and CERT-FR corroboration
Confidence: Medium
BSI and CERT-FR both surfaced the Laravel security-bypass advisory. Application owners using Laravel should validate dependency update guidance rather than waiting for estate-wide exploit reporting.
Sources: BSI CERT-Bund WID-SEC-2026-1815 and CERT-FR CERTFR-2026-AVI-0703.
Finding 8: Red Hat Quay CVE-2026-11569 is listed by BSI as unpatched
Confidence: Low
BSI marks the Red Hat Quay XSS item as unpatched. Quay owners should inventory instances, reduce admin and UI exposure where possible, and watch vendor channels for remediation.
Sources: BSI CERT-Bund WID-SEC-2026-1816.
Finding 9: Bitdefender Napoca CVE-2026-10046/CVE-2026-10047 lands in NVD
Confidence: Low
NVD published two bare-metal hypervisor out-of-bounds write records for Bitdefender Napoca. Route only to endpoint or security-product owners where Napoca is actually deployed.
Sources: NVD CVE-2026-10046 and CVE-2026-10047.
Finding 10: OpenShift Router/Route CVE-2026-46579/CVE-2026-1784 needs platform-owner review
Confidence: Low
OpenShift platform owners should review route termination and pod-reachability assumptions. Keep severity language restrained until Red Hat details are confirmed.
Sources: NVD and Red Hat CVE pages for CVE-2026-46579 and CVE-2026-1784.
Finding 11: X.Org/Xwayland CVE-2026-50257/CVE-2026-50258/CVE-2026-50259 affects Linux GUI baselines
Confidence: Low
Queue distro and package checks for Linux desktop, VDI, kiosk, and server GUI packages. No exploitation claim is supported by today’s intelligence.
Sources: NVD CVE-2026-50257, CVE-2026-50258, and CVE-2026-50259.
Finding 12: 7-Zip CVE-2026-48103/CVE-2026-48111 needs endpoint baseline checks
Confidence: Low
Validate managed 7-Zip versions and look for stale portable copies in golden images, admin toolkits, and bundled application directories. This is a hygiene and exposure-reduction task, not an incident claim.
Sources: NVD CVE-2026-48103 and CVE-2026-48111.
Finding 13: Microsoft Edge mobile CVE-2026-35429 needs MDM compliance validation
Confidence: Low
MSRC published a mobile Edge spoofing issue. Confirm managed mobile fleets and BYOD guidance are moving Edge to fixed builds.
Sources: Microsoft Security Response Centre CVE-2026-35429.
Finding 14: Netty GHSA cluster affects filtering and DoS surfaces
Confidence: Low
Run dependency graph queries for Netty in internet-facing Java services, especially RedisDecoder, HAProxy protocol, subnet-filtering, and default-configuration use cases. Treat this as SBOM-led triage.
Sources: GitHub Security Advisories GHSA-3qp7-7mw8-wx86, GHSA-6ghj-frrj-jjj3, GHSA-c2rx-5r8w-8xr2, and GHSA-cc37-9q2j-3hfv.
Finding 15: Authlib CVE-2026-41479 affects Python OAuth redirect handling
Confidence: Low
Identify Authlib usage in Python identity flows and schedule version validation. OAuth redirect handling bugs can be high-leverage even when initial severity appears moderate.
Sources: GitHub Security Advisory GHSA-w8p2-r796-3vmq.
Update: Shai-Hulud PyPI trojanisation widens to 19 science-focused packages
Confidence: Low
Previously covered as a supply-chain watch item; today’s delta is expanded reported reach to 19 science-focused PyPI packages. Research, science, and ML owners should compare package locks and CI installs with the published package list.
Sources: BleepingComputer.
Finding 16: FUXA CVE-2026-47719/CVE-2026-47720/CVE-2026-47721 affects web-managed OT dashboards
Confidence: Medium
FUXA has a GHSA burst covering unauthenticated SSRF, SQL injection, and privilege escalation paths. Identify web-managed OT or industrial dashboard deployments and route upgrade or compensating-control review.
Sources: GitHub Security Advisories GHSA-w86f-rf9w-h3x6, GHSA-h9fj-c2qr-76g2, and GHSA-8ghr-w65f-j3qr.
Finding 17: Later Netty GHSA batch expands Java dependency patch routing
Confidence: Medium
A distinct Netty batch includes CVE-2026-44894, CVE-2026-45416, CVE-2026-45673, CVE-2026-45674, CVE-2026-47244, and CVE-2026-47691. Prioritise internet-facing HTTP/2, DNS, and QUIC use cases.
Sources: GitHub Security Advisories GHSA-cmm3-54f8-px4j, GHSA-xmv7-r254-6q78, GHSA-676x-f7gg-47vc, and GHSA-5x3r-wrvg-rp6q.
Finding 18: Puma CVE-2026-47736/CVE-2026-47737 adds Ruby web-tier DoS checks
Confidence: Low
Ruby web-tier owners should check Puma deployments behind load balancers or proxies that pass PROXY Protocol v1 traffic. Prioritise internet-facing services and shared hosting patterns.
Sources: GitHub Security Advisories GHSA-qpgp-93vx-g8v8 and GHSA-2vqw-3mp8-cgmx.
Finding 19: PHPSpreadsheet CVE-2026-45034 reopens spreadsheet parsing review
Confidence: Low
Applications ingesting untrusted spreadsheets should identify PHPSpreadsheet versions and confirm the bypass fix is pulled once package metadata is available. Treat file-ingestion paths as the first priority.
Sources: GitHub Security Advisory GHSA-87m4-826x-3crx.
Update: Proofpoint UNK_DeadDrop targets developers for cryptocurrency theft
Confidence: Low
Today’s delta is developer-focused phishing detail from Proofpoint, including repository-lure and wallet-theft relevance. Extract Proofpoint IOCs and check developer email, repository, and wallet-theft telemetry.
Sources: Proofpoint.
Update: TeamPCP supply-chain campaign remains active through 07 June 2026
Confidence: Low
Today’s delta is continued campaign activity through 07 June 2026. Keep this as developer and supply-chain watch, with package and repository telemetry reviewed where TeamPCP indicators are relevant.
Sources: SANS ISC.
Update: Everest Forms Pro CVE-2026-3300 exploitation raises WordPress takeover risk
Confidence: Medium
Today’s delta is active exploitation reporting for Everest Forms Pro CVE-2026-3300. Confirm whether the plugin is installed, apply fixed versions, and prioritise sites with public forms or elevated WordPress roles.
Sources: SecurityWeek and BleepingComputer.
Update: SolarWinds Serv-U CVE-2026-28318 exploitation remains managed-file-transfer P1
Confidence: Medium
Serv-U remains a P1 managed-file-transfer exposure because exploitation is linked through CISA and SolarWinds reporting in the current corpus. Verify fixed versions, restrict internet exposure, and review crash, restart, and authentication events.
Sources: SecurityWeek, CISA, and SolarWinds.
Update: Gogs patches critical zero-day enabling remote code execution
Confidence: Low
Today’s delta is patch-availability reporting for a Gogs remote-code-execution issue without a CVE in this corpus. Inventory self-hosted Gogs, validate fixed builds, and restrict internet-exposed admin paths.
Sources: BleepingComputer.
Update: Check Point VPN zero-day/Qilin thread needs ransomware-linked edge validation
Confidence: Low
Today’s delta is patch-released status and ransomware-linked reporting. Validate Check Point VPN exposure, patch state, and telemetry, and keep this separate from CVE-2026-50751.
Sources: BleepingComputer.
Update: Linux one-character local-root flaw has public exploit and patch routing
Confidence: Low
Today’s delta is public exploit and patch-routing pressure for the Linux local-root flaw. Watch distro advisories and prioritise multi-user hosts, CI runners, developer workstations, and shared bastion systems.
Sources: The Hacker News.
Update: VS Code extension auto-update delay changes extension-governance posture
Confidence: Low
Today’s delta is supply-chain governance impact from the two-hour auto-update delay. Review developer endpoint policy for approved extensions, rapid malicious-extension revocation, and visibility into delayed updates.
Sources: The Hacker News.
Update: Miasma/IronWorm npm and GitHub cluster continues to widen
Confidence: Medium
Today’s delta is expanded npm and GitHub reach. Keep duplicate rows consolidated, then scan lockfiles, npm caches, developer endpoints, and CI logs. Rotate GitHub or npm tokens where malicious package installation is confirmed.
Sources: The Hacker News and Microsoft Security Blog.
Why This Matters
The day is not defined by one patch queue. It is a routing problem across AI gateways, edge and VPN infrastructure, Java and Python dependencies, endpoint packages, WordPress, developer supply chain, and managed file transfer. The LiteLLM KEV entry deserves the fastest response because it is the newly promoted KEV item in today’s intelligence.
- Recommended Actions
- Treat LiteLLM and exposed AI gateway or proxy deployments as P1 until inventory and compensating controls are confirmed.
- Split the remaining work into named owner queues: edge/VPN, Java and application dependencies, endpoint packages, CMS, developer supply chain, and managed file transfer.
- Keep LOW / UNVERIFIED items in owner-assignment language. Do not turn feed-derived advisories into exploitation claims.
- For updated active-exploitation items, confirm fixed versions and review exposure before broadening incident scope.
All findings grounded in a13e intelligence sweeps through 04:55 UTC 09 June 2026.
SolarWinds Serv-U CVE-2026-28318 KEV Exploitation Leads a Broad Multi-Owner Day
Update: SolarWinds Serv-U CVE-2026-28318 is CISA KEV-listed and needs patch verification
Confidence: High for CISA and SolarWinds linkage
Previously covered 07 June 2026; today's delta: a patch is now the key control, and CISA, SolarWinds, and BleepingComputer reporting keeps Serv-U CVE-2026-28318 in the exploited managed-file-transfer queue.
Serv-U exposure is operationally sensitive because managed file transfer systems often sit at trust boundaries. The action is not to widen the claim. It is to confirm fixed Serv-U versions, reduce unnecessary internet exposure, and look for crash or restart events around the advisory window.
Action: Route to managed file transfer owners and ask for version proof, exposure status, and crash or restart event review.
Sources: CISA Known Exploited Vulnerability alert, SolarWinds advisory, and BleepingComputer reporting.
Update: Everest Forms Pro CVE-2026-3300 stays a WordPress estate check
Confidence: Medium
Previously covered 07 June 2026; today's delta: reporting raises the severity emphasis for Everest Forms Pro CVE-2026-3300, and exploitation coverage continues.
This belongs in the same CMS risk conversation as Gutenberg Essential Blocks, but it is not the same exposure. Everest Forms Pro should be checked on WordPress-heavy estates, especially sites with public forms, elevated WordPress roles, or frequent plugin exceptions.
Action: Confirm whether Everest Forms Pro is installed, validate fixed-version status, and prioritise public-facing sites with privileged WordPress users.
Sources: BleepingComputer and The Hacker News reporting.
Update: Cisco SD-WAN Manager CVE-2026-20245 management-plane exposure needs patch verification
Confidence: High for exploitation and advisory linkage; Medium for UK impact
Previously covered 07 June 2026; today's delta: a fixed version is now available, so this moves to patch verification for Cisco SD-WAN Manager.
Treat this as a management-plane exposure review. Cisco's advisory and current reporting keep the focus on SD-WAN Manager, so the work is specific: identify affected managers, restrict management access, review authentication and RBAC logs, and follow Cisco fixed-version guidance.
Action: Give this to network and SD-WAN platform owners, not a generic endpoint queue. Prioritise internet-reachable or broadly accessible management interfaces.
Sources: Cisco security advisory and The Register reporting.
Finding 1: authentik CVE-2026-41577 identity-provider upgrade needs owner routing
Confidence: High
authentik enters today's queue through CVE-2026-41577, with a vendor GHSA advisory and an NVD entry. Identity providers are high-value because a weakness there can affect authentication and administrative access across many downstream services, so this deserves owner-specific routing rather than a generic patch queue.
Action: Confirm authentik versions, schedule the upgrade to fixed releases, and review identity-provider logs for anomalous authentication or administrative events.
Sources: authentik GHSA-4v4x-x5pr-8gp2 and NVD CVE-2026-41577.
Finding 2: IBM WebSphere Application Server CVE-2026-9330 needs enterprise patch routing
Confidence: High
IBM WebSphere Application Server enters the queue through CVE-2026-9330, with an IBM support advisory and an NVD entry. WebSphere often supports finance and government workloads, so exposure and change-window constraints matter as much as the patch itself.
Action: Route to WebSphere administrators, validate 8.5 and 9.0 exposure, apply IBM fixed-version guidance, and capture the business owner and maintenance-window constraints.
Sources: IBM WebSphere advisory (support node 7274733) and NVD CVE-2026-9330.
Finding 3: Hola Browser for Windows compromise expands endpoint supply-chain review
Confidence: Medium / Unverified
Sophos and BleepingComputer report a compromise of Hola Browser for Windows that delivers an unexpected executable and a cryptominer. Treat installed copies as endpoint supply-chain risk, not ordinary browser drift.
Action: Inventory endpoints for Hola Browser, remove unapproved installs, and hunt for the unexpected executable and cryptominer indicators described in the Sophos write-up.
Sources: Sophos research and BleepingComputer reporting.
Update: UNC3753 law-firm campaign should feed legal-sector detections
Confidence: High for Mandiant reporting; Medium for direct client applicability
Previously covered 07 June 2026; today's delta: Mandiant's legal-sector reporting remains material and should now be converted into detection and process checks.
Legal-sector environments should review helpdesk callback verification, RMM allowlisting, removable-media controls, and WinSCP or Rclone exfiltration monitoring. Keep the scope tied to the cited Mandiant report and do not imply wider victim counts beyond the evidence.
Action: Build a short legal-sector watch pack from the Mandiant TTPs and indicators, then map it to helpdesk, endpoint, identity, and data-egress controls.
Sources: Google Cloud and Mandiant reporting, with a VirusTotal collection reference.
Update: IronWorm/Miasma npm and GitHub cluster keeps widening
Confidence: Medium
Previously covered 07 June 2026; today's delta: the supply-chain reach has widened, and current Microsoft and The Hacker News reporting keeps the IronWorm/Miasma cluster active across npm and GitHub.
This is still one consolidated supply-chain story. The action should be evidence led: search lockfiles, npm caches, developer endpoints, CI logs, and repository interactions. Rotate GitHub or npm tokens where malicious package installation or token exposure is confirmed, not as a blanket response.
Action: Keep duplicate rows merged, run focused package and token-exposure checks, and document which repositories or developers have real exposure evidence.
Sources: Microsoft security research and The Hacker News reporting.
Finding 4: Securly Chrome Extension CVE-2026-8888/CVE-2026-8889 needs managed-extension inventory
Confidence: Low / Unverified
NVD reports that Securly Chrome Extension 3.0.7 transports its configuration over HTTP and relies on deprecated SHA-1 for integrity checking, tracked as CVE-2026-8888 and CVE-2026-8889. This is most relevant to education and child-safety environments that deploy managed extensions.
Action: Locate managed Chrome extension deployments, confirm the installed version, and ask the administrator or vendor owner for remediation status.
Sources: NVD CVE-2026-8888 and NVD CVE-2026-8889.
Finding 5: Google Chrome 149.0.7827.53 CVE cluster needs endpoint update validation
Confidence: Low / Unverified
A cluster of Chrome CVEs (CVE-2026-10988, CVE-2026-10995, CVE-2026-10968, CVE-2026-11102) maps to Chrome 149.0.7827.53. The work is fleet version validation rather than an emergency.
Action: Validate that managed endpoints are on Chrome 149.0.7827.53 or later, prioritise unmanaged or delayed-update endpoints across Windows and macOS fleets, and record exceptions by operating system and channel.
Sources: NVD entries for the Chrome 149 CVE cluster.
Finding 6: Gutenberg Essential Blocks CVE-2026-10586 SSRF enters the CMS-plugin queue
Confidence: Low / Unverified
NVD describes server-side request forgery in the Essential Blocks page-builder plugin up to and including version 6.1.3, through the saveaigenerated_image() function, with Wordfence cited as a supporting reference. The collected NVD text describes the issue as reachable by authenticated attackers with Author-level access and above, which makes it a CMS-permission and plugin-inventory problem rather than a broad unauthenticated emergency.
Action: Inventory WordPress sites using the essential-blocks plugin at or below 6.1.3, reduce Author-level access where it is not needed, and watch Wordfence or vendor channels for fixed-version confirmation.
Sources: NVD CVE-2026-10586, Wordfence reference, and the WordPress plugin Trac reference.
Finding 7: Developer and runtime dependency CVEs need owner mapping
Confidence: Low / Unverified
Five developer and runtime dependency CVEs need SBOM-driven owner mapping rather than emergency patching: Cilium eBPF LoadCollectionSpec integer overflow (CVE-2026-10722), rrdtool stack buffer overflow (CVE-2026-43958), ansible-core ansible-galaxy argument injection (CVE-2026-11332), libexpat use-after-free before 2.8.2 (CVE-2026-50219), and pip script extraction outside the installation directory (CVE-2026-8643). Route Cilium to Kubernetes and platform owners; ansible-core and pip to automation and CI owners running installs with elevated permissions; rrdtool to monitoring-appliance owners; and libexpat to teams that own XML-parsing dependencies in base images and runtimes.
Action: Inventory these packages across base images, CI runners, and runtimes, pin sources, and apply fixed versions as upstream and distribution advisories confirm them.
Sources: MSRC entries for CVE-2026-10722, CVE-2026-43958, CVE-2026-11332, CVE-2026-50219, and CVE-2026-8643.
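Findings 5, 6 and 7 all reduce to the same check: compare an installed version against a threshold and hand the misses to the right owner queue. The script below is an added example, not code from the brief or from any vendor. The thresholds are the ones the brief states (Chrome 149.0.7827.53 or later, Essential Blocks up to and including 6.1.3 with no fixed version yet confirmed, libexpat before 2.8.2); the inventory records, asset names and owner queue names are constructed for illustration. It compares versions numerically rather than as strings, which is the mistake that makes 6.10.0 look older than 6.1.3, and sorts pre-release builds below the release they precede.

```python
"""Fleet version-drift check with owner routing (added example, not the brief's tooling)."""
import re
from dataclasses import dataclass

_VER = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '149.0.7827.53' into a comparable tuple.

    Numeric parts are padded to four fields so '2.8' == '2.8.0.0'; a trailing
    flag of -1 marks any suffix ('2.8.2-rc1') so it sorts below the release.
    """
    m = _VER.match(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    nums.append(-1 if m.group(2) else 0)
    return tuple(nums)


@dataclass(frozen=True)
class Rule:
    component: str
    op: str           # "<": affected below a fixed version; "<=": affected up to and including
    version: str
    owner_queue: str  # assumed queue names; map to your own ticket routing
    ref: str


# Thresholds from the brief; queue names are assumptions for this example.
RULES = [
    Rule("chrome", "<", "149.0.7827.53", "endpoint", "Chrome 149.0.7827.53 CVE cluster"),
    Rule("essential-blocks", "<=", "6.1.3", "cms", "CVE-2026-10586 (no fixed version confirmed yet)"),
    Rule("libexpat", "<", "2.8.2", "base-images", "CVE-2026-50219"),
]


def is_affected(rule: Rule, version: str) -> bool:
    installed, threshold = parse_version(version), parse_version(rule.version)
    return installed < threshold if rule.op == "<" else installed <= threshold


# Constructed inventory: (asset, component, version, os, channel). Not real hosts.
INVENTORY = [
    ("wks-001", "chrome", "149.0.7827.53", "windows", "stable"),   # exactly the fixed build
    ("wks-002", "chrome", "149.0.7812.10", "macos", "stable"),     # older build within 149
    ("wks-003", "chrome", "148.0.7800.99", "windows", "beta"),
    ("web-01", "essential-blocks", "6.1.3", "linux", "prod"),
    ("web-02", "essential-blocks", "6.10.0", "linux", "prod"),     # string compare would misrank this
    ("img-base", "libexpat", "2.8.2-rc1", "linux", "ci"),          # pre-release of the fix
    ("img-app", "libexpat", "2.8.2", "linux", "ci"),
]


def drift_report(inventory=INVENTORY, rules=RULES) -> dict[str, list[dict]]:
    """Group affected assets by owner queue, keeping OS and channel for the exceptions record."""
    by_component = {r.component: r for r in rules}
    report: dict[str, list[dict]] = {}
    for asset, component, version, os_name, channel in inventory:
        rule = by_component.get(component)
        if rule is not None and is_affected(rule, version):
            report.setdefault(rule.owner_queue, []).append({
                "asset": asset, "component": component, "version": version,
                "os": os_name, "channel": channel, "ref": rule.ref,
            })
    return report


if __name__ == "__main__":
    for queue, rows in drift_report().items():
        print(f"== {queue} ==")
        for row in rows:
            print(f"  {row['asset']:10} {row['component']:16} {row['version']:16} "
                  f"{row['os']}/{row['channel']}  {row['ref']}")
```

Feed it your real inventory export in place of `INVENTORY` and replace the queue names with the owner groups named in the Recommended Actions; the rule list is the only thing that needs editing when a fixed version is confirmed for Essential Blocks.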
Update: Chinese APT persistence tooling is a detection review, not a victim-scope claim
Confidence: Low / Unverified
Previously covered 07 June 2026; today's delta: attribution reporting has firmed up for the Chinese APT persistence-malware story.
The sensible use of this item is detection work. The current intelligence supports review of Microsoft 365 persistence, backdoor activity, and lateral-access telemetry. It does not support expanding victim-scope claims beyond the cited reporting.
Action: Convert the report into detection hypotheses and telemetry checks, and keep confidence language restrained.
Source: BleepingComputer reporting.
Why This Matters
Today is a queue discipline problem, not a single catastrophic headline. Managed file transfer, WordPress, SD-WAN, identity and application servers, endpoint supply chain, browser governance, and developer dependencies all need different owners and different proof.
The highest risk is misrouting. A CISA KEV-listed managed file transfer exposure should not wait behind routine endpoint patching. New high-confidence identity and application-server findings should reach their owners directly rather than sitting in a generic queue. A developer-dependency cluster should be mapped through SBOM inventory, not ignored because no single item is an emergency.
- Recommended Actions
- P1: Verify SolarWinds Serv-U (CVE-2026-28318) fixed versions, reduce internet exposure, and review crash or restart evidence. It is CISA KEV-listed.
- P1: Verify Cisco SD-WAN Manager (CVE-2026-20245) fixed version, management-plane exposure, and authentication or RBAC logs.
- P1: Route authentik (CVE-2026-41577) and IBM WebSphere (CVE-2026-9330) to identity and application-server owners for upgrade and exposure validation.
- P1: Inventory the developer and runtime dependency cluster (Cilium, ansible-core, libexpat, pip, rrdtool) and the IronWorm/Miasma supply-chain story, and triage the Hola Browser endpoint compromise.
- P2: Check WordPress estates for Everest Forms Pro (CVE-2026-3300) and Gutenberg Essential Blocks (CVE-2026-10586), validate Chrome fleet version drift, and inventory the Securly extension.
- P2: Convert UNC3753 reporting into legal-sector detections and review Chinese APT persistence telemetry, with restrained attribution and scope language.
All findings grounded in a13e intelligence sweeps through 04:55 UTC 08 June 2026.
Oracle Payments CVE-2026-46818 - ERP Owner Routing Moves to the Front
Finding 1: Oracle Payments CVE-2026-46818 enters the ERP owner assignment queue
Confidence: Medium
Oracle Payments in Oracle E-Business Suite 12.2.3 through 12.2.15 is the lead item in today's intelligence. NVD describes CVE-2026-46818 as an unauthenticated network-access issue over HTTPS affecting the File Transmission component, with confidentiality and integrity impacts in Oracle Payments.
The practical risk is ownership delay. Finance and ERP applications are often patched by application teams, not infrastructure teams, so this item needs a named Oracle E-Business Suite owner rather than a generic vulnerability ticket.
Action: Confirm whether Oracle Payments is deployed, whether it is internet-adjacent, and whether the April 2026 Oracle CPU guidance has been applied.
Sources: NVD CVE-2026-46818 and Oracle Critical Patch Update, April 2026.
Finding 2: IBM Aspera, RabbitMQ, and go-git need owner mapping before severity escalation
Confidence: Low
IBM Aspera HSTE/HSTS 3.7.4 through 4.4.7 Fix Pack 1 is in scope for CVE-2026-8179 and CVE-2026-8180. The immediate task is to find Aspera services, especially internet-reachable asperahttpd exposure, and patch according to IBM's PSIRT notice.
RabbitMQ CVE-2026-44838 affects MQTT-enabled deployments in versions 4.2.0 through 4.2.3, with RabbitMQ 4.2.4 listed as the fixed line in the collected advisory. go-git CVE-2026-45022 belongs with developer-platform and release-engineering owners because the affected library can sit inside tooling that makes trust, policy, or signature-verification decisions.
Action: Split the queue. Send Aspera to managed file transfer owners, RabbitMQ MQTT to broker owners, and go-git to application security, platform engineering, and release tooling owners.
Sources: NVD CVE-2026-8179, NVD CVE-2026-8180, IBM PSIRT, NVD CVE-2026-44838, RabbitMQ GHSA-x866-xp2g-cx8v, NVD CVE-2026-45022, and go-git GHSA-389r-gv7p-r3rp.
Finding 3: radare2-mcp, SmarterMail, and Zabbix add local tooling, mail, and monitoring checks
Confidence: Low
radare2-mcp CVE-2026-6942 affects radare2-mcp 1.6.0 and earlier. The reason it matters is workflow placement: MCP tooling can run on analyst, developer, reversing, or CI systems where command injection may cross from a tooling issue into local compromise.
SmarterMail CVE-2026-7807 affects SmarterTools SmarterMail builds before 9560, according to NVD. Zabbix CVE-2026-23925 needs a permission review for roles with template or host write access, because monitoring platforms often have broad visibility across production environments.
Action: Inventory radare2-mcp use, confirm SmarterMail build levels, and audit Zabbix roles with template or host write permissions before patching is treated as routine maintenance.
Sources: NVD CVE-2026-6942, NVD CVE-2026-7807, and NVD CVE-2026-23925.
Update: Cisco SD-WAN, SolarWinds Serv-U, Everest Forms Pro, and ASUS Business Manager stay in exposure-review mode
Confidence: Low
Previously covered 06 June 2026; today's delta: these items remain active owner checks, but the current intelligence still keeps the claims narrow and low-confidence where vendor or government mapping is incomplete.
Cisco SD-WAN remains a no-CVE exposure-review item in the collected reporting. SolarWinds Serv-U reporting points to exploitation of a recently patched flaw to crash servers, but the right next step is patch-channel verification. Everest Forms Pro CVE-2026-3300 remains a WordPress estate check, and ASUS Business Manager Service CVE-2026-7480 / ZDI-26-328 belongs with endpoint owners.
Action: Check exposed SD-WAN management/control-plane assets, verify SolarWinds Serv-U patch status through official channels, identify Everest Forms Pro installations, and inventory ASUS Business Manager Service on managed endpoints.
Sources: The Register, BleepingComputer, The Hacker News, and Zero Day Initiative ZDI-26-328.
Update: Mandiant law-firm targeting and Chinese APT reporting need detection work, not overstatement
Confidence: Low
Previously covered 06 June 2026; today's delta: the legal-sector and Chinese APT items remain material, but both need careful wording and detection preparation before wider amplification.
Mandiant's law-firm targeting report should feed a legal-sector watch pack built from its indicators and TTPs. The Chinese APT persistence-malware report should feed identity-persistence and lateral-access telemetry reviews. The collected intelligence does not support adding new victim-scope claims beyond the cited reports.
Action: Extract indicators, TTPs, and detection hypotheses into sector-specific watch packs. Keep attribution and scope language tied to the named sources.
Sources: Google Cloud/Mandiant and BleepingComputer.
Finding 6: IronWorm/Miasma and Hola Browser keep supply-chain and endpoint hygiene in scope
Confidence: Medium
IronWorm/Miasma remains one consolidated supply-chain cluster. The current intelligence ties together npm poisoned-package reporting, a Miasma variant, and Microsoft GitHub repository reporting, but the action still depends on local evidence of package installation, cache hits, repository interaction, or token exposure.
Hola Browser for Windows is a separate endpoint supply-chain hygiene item. BleepingComputer reports a compromised distribution or update path delivering a cryptominer, so teams should inventory endpoints, remove unapproved installs, and validate any exceptions by source and hash.
Action: Scan lockfiles, npm caches, developer endpoints, and CI logs for IronWorm/Miasma indicators as package lists are validated. Rotate tokens only where installation or exposure evidence exists, and remove unapproved Hola Browser installs.
Sources: BleepingComputer and The Hacker News.
Why This Matters
Today's intelligence is about getting the right ticket to the right owner. ERP, managed file transfer, brokers, developer libraries, MCP tooling, mail, monitoring, endpoint software, and npm/GitHub supply-chain exposure do not share the same remediation path.
The safest posture is to avoid severity inflation. Treat Oracle Payments as the lead because it has a clear enterprise-owner gap. Treat the lower-confidence items as fast exposure checks, and turn the supply-chain items into evidence-led searches before declaring incident scope.
- Recommended Actions
- P1: Route Oracle Payments CVE-2026-46818 to Oracle E-Business Suite owners with April 2026 CPU context.
- P1: Assign IBM Aspera, RabbitMQ MQTT, and go-git checks to managed file transfer, broker, and developer-platform owners.
- P1: Inventory radare2-mcp, SmarterMail, and Zabbix exposure or permission scope, then patch affected versions.
- P1: Continue IronWorm/Miasma searches across lockfiles, caches, developer endpoints, CI logs, and repository interactions.
- P2: Keep Cisco SD-WAN, SolarWinds Serv-U, Everest Forms Pro, and ASUS Business Manager Service in exposure-review mode until official mapping or fixed-version evidence is confirmed.
- P2: Build legal-sector and Chinese APT detection watch packs from the cited reports without expanding victim-scope claims.
All findings grounded in a13e intelligence sweeps through 04:55 UTC 07 June 2026.
Arista EOS CVE-2025-5088 - EU Advisory Burst Widens the Owner Assignment Queue
Finding 1: Arista EOS CVE-2025-5088 and CVE-2024-27889 clusters need network-owner assignment
Confidence: Low
Two Arista EOS advisory clusters entered today's intelligence from BSI/CERT-Bund. WID-SEC-2025-2639 covers CVE-2025-5088, CVE-2025-5089, CVE-2025-5090, and CVE-2025-8873. A separate advisory, WID-SEC-2024-0489, covers CVE-2024-27889 and CVE-2024-27892, and the current brief describes code-execution impact for that second cluster.
Keep the two queues separate. They point to the same product family, but the advisory IDs and CVE sets differ. Network teams should map EOS exposure, confirm versions, and record vendor-supported update or mitigation status before any severity language is raised.
Action: Ask network owners for EOS inventory, exposed management or routing-plane paths, affected version status, and planned update or mitigation evidence.
Sources: BSI/CERT-Bund advisories WID-SEC-2025-2639 and WID-SEC-2024-0489.
Finding 2: Keycloak, BigBlueButton, FRRouting, HTTP/2, and MISP expand the EU patch-routing queue
Confidence: Low
The BSI/CERT-Bund feed also added Keycloak CVE-2026-7500, BigBlueButton CVE-2026-46355, FRRouting CVE-2026-37460, HTTP/2 CVE-2026-49975, and MISP CVE-2026-10854. The common action is not a generic patch blast. Each item belongs to a different operational owner: IAM, collaboration, network availability, edge services, and security operations.
Keycloak deserves an IAM-first route, especially for internet-facing or administrator realms. BigBlueButton should go to collaboration and education-platform owners. FRRouting belongs with network availability teams. HTTP/2 needs edge-service mapping across reverse proxies and application platforms. MISP should not lag just because it is defensive infrastructure.
Action: Split the queue by owner and ask each team for asset match, affected version, patch availability, and exposure status.
Sources: BSI/CERT-Bund advisories WID-SEC-2026-1330, WID-SEC-2026-1804, WID-SEC-2026-1795, WID-SEC-2026-1791, and WID-SEC-2026-1800.
Finding 3: DbGate, Twig, TinyMCE, and Bugsink create a developer-platform patch queue
Confidence: Low
GitHub Security Advisories added several application and dependency items. DbGate includes CVE-2026-47668, CVE-2026-47669, CVE-2026-47670, and CVE-2026-48017. Twig includes CVE-2026-47732, CVE-2026-24425, and CVE-2026-47730. TinyMCE includes CVE-2026-47759, CVE-2026-47760, CVE-2026-47761, and CVE-2026-47762. Bugsink includes CVE-2026-47715, CVE-2026-47716, and CVE-2026-47728.
The useful cut is by exposure path. DbGate matters most where self-hosted database-admin tooling is reachable or where JSON Script Runner and archive paths are enabled. Twig should be checked where tenant-controlled templates, CMS plugins, or admin/developer consoles use Symfony or Twig. TinyMCE belongs in rich-text editor workflows that process customer or tenant content. Bugsink needs attention where self-hosted error tracking is used by multiple teams or projects.
Action: Match each advisory cluster against SBOMs, repos, containers, and self-hosted admin tools. Disable risky DbGate script or archive paths until fixed where exposure is confirmed.
Sources: GitHub Security Advisories GHSA-8v3q-9vmx-36vc, GHSA-h535-j5hr-mv56, GHSA-pr2w-4gpj-cpq4, GHSA-2q52-x2ff-qgfr, GHSA-q742-qvgc-gc2f, GHSA-mh5m-5hw4-5c69, GHSA-vx2f-6m6h-9frf, and GHSA-g5vc-q7qc-v939.
Finding 4: Cisco SD-WAN, Everest Forms Pro, and SolarWinds Serv-U are exposure-review triggers, not confirmed escalation items
Confidence: Low
Three exploitation-oriented reports are visible but remain low-confidence in this intelligence. The Register reports a Cisco SD-WAN no-CVE zero-day under attack with no patch in the current report. The Hacker News reports active exploitation of Everest Forms Pro CVE-2026-3300. BleepingComputer reports CISA warning that attackers are exploiting a recently patched SolarWinds Serv-U flaw to crash servers.
All three should be handled carefully. Cisco SD-WAN should trigger a management and control-plane exposure review whilst teams wait for Cisco or CISA advisory mapping. Everest Forms Pro should trigger a WordPress estate check, but P0 escalation should wait for stronger vendor, CISA, or Wordfence corroboration. SolarWinds Serv-U should trigger an exposure and patch-status review for internet-facing file-transfer services, without broadening the claim beyond reported crash exploitation.
Action: Identify internet-facing Cisco SD-WAN management or control-plane assets, check WordPress estates for Everest Forms Pro, and confirm whether SolarWinds Serv-U instances are exposed and patched. Keep all three in watch status until higher-authority corroboration appears.
Sources: The Register Cisco SD-WAN report, The Hacker News Everest Forms Pro CVE-2026-3300 report, and BleepingComputer SolarWinds Serv-U/CISA warning report.
Finding 5: Mandiant law-firm campaign and Hola Browser compromise need targeted monitoring and endpoint hygiene
Confidence: Low
Mandiant reports a targeted campaign against US law firms; the current intelligence attaches the names UNC3753, Luna Moth, Chatty Spider, and Silent Ransom Group to it. The brief keeps this LOW / UNVERIFIED for this corpus, so the immediate value is to extract indicators and TTPs into a legal-sector watch pack before proposing detection engineering.
BleepingComputer also reports Hola Browser for Windows was compromised to deliver a cryptominer. That is an endpoint-hygiene item. Teams should inventory managed endpoints for Hola Browser for Windows, remove unapproved installs, and validate hashes or install source where an exception exists.
Action: Build a legal-sector watch pack from the Mandiant report and run an endpoint inventory query for Hola Browser for Windows.
Sources: Google Cloud Mandiant law-firm campaign report and BleepingComputer Hola Browser for Windows compromise report.
Finding 6: UPDATE: IronWorm/Miasma npm cluster expands to 50+ poisoned packages
Confidence: Medium
Previously covered 05 June 2026; today's delta: the scope expanded from the prior 36-package IronWorm item to a broader 50+ package IronWorm/Miasma npm cluster.
This is the one material update in today's intelligence. BleepingComputer and The Hacker News reporting now put the cluster above 50 poisoned npm packages and add the Miasma variant to the same supply-chain queue.
Treat this as package exposure work, not a blanket compromise claim. Search lockfiles, npm caches, developer endpoints, and CI build logs as package lists become available. Rotate tokens where malicious package installation is confirmed. Avoid unnecessary token churn where there is no install evidence.
Action: Send the updated IronWorm/Miasma package list to application security, developer platform, and CI owners. Ask for evidence of matching installs, cache hits, and token exposure before declaring incident scope.
Sources: BleepingComputer IronWorm npm report and The Hacker News IronWorm/Miasma report.
Why This Matters
Today's brief is a routing problem. The signal is spread across network infrastructure, IAM, collaboration platforms, developer dependencies, edge services, legal-sector monitoring, and endpoint hygiene. Most items are single-source or feed-level, so accuracy depends on exposure proof.
The safest order is simple: send Arista EOS and the wider BSI/CERT-Bund queue to the correct owners, run SBOM and dependency checks for the GitHub advisory clusters, keep low-corroboration exploitation reports in watch status, and treat IronWorm/Miasma as a scope expansion that needs package-level evidence.
- Recommended Actions
- P1: Route Arista EOS WID-SEC-2025-2639 and WID-SEC-2024-0489 to network owners for asset, version, exposure, and patch-status checks.
- P1: Assign Keycloak, BigBlueButton, FRRouting, HTTP/2, and MISP advisories to IAM, collaboration, network, edge-service, and security-ops owners.
- P1: Search lockfiles, npm caches, developer endpoints, and CI logs for IronWorm/Miasma package indicators as validated lists become available.
- P2: Match DbGate, Twig, TinyMCE, and Bugsink advisories against SBOMs, repositories, containers, and self-hosted services.
- P2: Treat Cisco SD-WAN and Everest Forms Pro as exposure-review items until stronger vendor or government corroboration appears.
- P2: Build a law-firm campaign watch pack and remove unapproved Hola Browser for Windows installs from managed endpoints.
All findings grounded in a13e intelligence sweeps through 04:55 UTC 06 June 2026.
Cisco Unified CM CVE-2026-20230 - WebDialer Exposure Leads Today's Patch Queue
Finding 1: Cisco Unified CM / CM SME CVE-2026-20230 - WebDialer SSRF can become root
Confidence: High
NCSC-NL and CERT-FR both reference Cisco Unified CM / CM SME CVE-2026-20230. Today's intelligence treats it as the lead because the affected environment is clear: Unified CM/CM SME 14 and 15, with WebDialer enablement and patch or COP status needing confirmation.
This is not a generic collaboration-platform reminder. If WebDialer is enabled, the exposure check matters first. Teams should confirm whether the feature is in use, whether the relevant Cisco fix has been applied, and whether externally reachable or high-trust voice-management paths need additional review.
Action: Ask collaboration and voice-platform owners for a same-day answer on Unified CM/CM SME version, WebDialer status, patch/COP state, and exposure.
Sources: NCSC-NL advisory NCSC-2026-0174 and CERT-FR advisory CERTFR-2026-AVI-0689.
Finding 2: Microsoft cloud advisories need named tenant and service owners
Confidence: Low
MSRC lists new advisories for Microsoft M365 Copilot CVE-2026-45497, Azure HorizonDB CVE-2026-48567, and Exchange Online CVE-2026-48579. The evidence in today's intelligence is Tier-0 single-source, so the right action is owner routing and applicability confirmation, not incident language.
The common failure mode is assuming Microsoft-owned services need no internal tracking. That misses the real work: finding the tenant owner, confirming whether the service is enabled or in scope, and recording remediation or mitigation evidence from the relevant Microsoft channel.
Action: Route each CVE to the right Microsoft 365, Azure data-platform, or Exchange Online owner. Track applicability, remediation state, and any change in MSRC detail.
Sources: Microsoft MSRC entries for CVE-2026-45497, CVE-2026-48567, and CVE-2026-48579.
Finding 3: Axios, Matrix, @cap-js/openapi, and IronWorm create a package-integrity queue
Confidence: Medium
The software supply-chain queue is broad. Axios has Proxy-Authorization credential-leakage advisories for CVE-2026-44486 and CVE-2026-44487. Matrix Rust SDK has sender-binding concerns under CVE-2026-45056 and GHSA-wfq4-36m3-9g42. GitHub Advisories also list a malicious @cap-js/openapi package compromise under GHSA-jpvj-wpmj-h7rv.
IronWorm is the most visible package-compromise item in the set. BleepingComputer reports IronWorm malware affecting 36 npm packages, with Unit 42 providing wider npm supply-chain context. Exact package matching still matters before broad escalation, so this should start with lockfiles, SBOMs, package registries, CI artefacts, and developer endpoint telemetry.
Action: Search lockfiles, SBOMs, npm caches, CI artefacts, and registry telemetry for Axios, Matrix Rust SDK, @cap-js/openapi, and IronWorm indicators. Rotate proxy credentials if Axios exposure evidence exists.
Sources: GitHub Advisories for Axios, Matrix Rust SDK, and @cap-js/openapi; BleepingComputer IronWorm reporting; Unit 42 npm supply-chain research.
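Every IronWorm/Miasma update in these briefs, and the Axios and @cap-js/openapi items above, ends in the same instruction: search lockfiles for matching installs before declaring scope or rotating tokens. The scanner below is an added example, not code from the brief, from npm or from any of the cited researchers. It handles both npm lockfile layouts (the flat `packages` map keyed by install path in lockfileVersion 2 and 3, and the nested `dependencies` tree in lockfileVersion 1) so nested installs under another package's `node_modules` are not missed. The watchlist entries and the two sample lockfiles are constructed placeholders; the real package names and versions must come from the cited reporting, and a compromised release is matched on exact name and version, with an optional name-only match for packages where every release is untrusted.

```python
"""Scan npm lockfiles for compromised package releases (added example, constructed watchlist)."""
import json
import sys
from typing import Iterable, Iterator, Optional

# Constructed watchlist: (name, version) for a specific poisoned release, or
# (name, None) to flag every release of that name. Placeholders, not real IoCs.
WATCHLIST: set[tuple[str, Optional[str]]] = {
    ("example-poisoned-pkg", "1.4.2"),
    ("example-poisoned-pkg", "1.4.3"),
    ("another-bad-pkg", None),
}


def _name_from_path(path: str) -> str:
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b' (lockfile v2/v3 keys)."""
    marker = "node_modules/"
    idx = path.rfind(marker)
    return path[idx + len(marker):] if idx != -1 else path


def iter_installed(lock: dict) -> Iterator[tuple[str, str, str]]:
    """Yield (name, version, install location) for every package in a lockfile.

    lockfileVersion 2/3 carry a flat "packages" map keyed by path; version 1
    carries a nested "dependencies" tree. v2 files have both, so "packages" is
    preferred to avoid double counting.
    """
    packages = lock.get("packages")
    if packages:
        for path, meta in packages.items():
            if path == "":          # the root project entry, not a dependency
                continue
            yield _name_from_path(path), meta.get("version", ""), path
        return

    def walk(deps: dict, parent: str) -> Iterator[tuple[str, str, str]]:
        for name, meta in deps.items():
            loc = f"{parent}/node_modules/{name}" if parent else f"node_modules/{name}"
            yield name, meta.get("version", ""), loc
            yield from walk(meta.get("dependencies", {}), loc)

    yield from walk(lock.get("dependencies", {}), "")


def scan_lockfile(lock: dict, watchlist: Iterable[tuple[str, Optional[str]]] = WATCHLIST) -> list[dict]:
    """Return every installed package that matches the watchlist, with its install path."""
    wl = set(watchlist)
    return [
        {"name": name, "version": version, "location": loc}
        for name, version, loc in iter_installed(lock)
        if (name, version) in wl or (name, None) in wl
    ]


def scan_path(path: str) -> list[dict]:
    with open(path, encoding="utf-8") as fh:
        return scan_lockfile(json.load(fh))


# Constructed sample lockfiles in both layouts.
SAMPLE_LOCK_V3 = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/example-poisoned-pkg": {"version": "1.4.2"},
        "node_modules/left-pad/node_modules/another-bad-pkg": {"version": "0.0.9"},
    },
}
SAMPLE_LOCK_V1 = {
    "name": "legacy-app", "lockfileVersion": 1,
    "dependencies": {
        "example-poisoned-pkg": {"version": "1.4.1"},   # not a flagged release
        "some-lib": {"version": "2.0.0",
                     "dependencies": {"another-bad-pkg": {"version": "3.1.0"}}},
    },
}


if __name__ == "__main__":
    # Usage: python scan_lockfile.py path/to/package-lock.json [...]
    targets = sys.argv[1:]
    results = [(p, scan_path(p)) for p in targets] if targets else [
        ("sample-v3", scan_lockfile(SAMPLE_LOCK_V3)),
        ("sample-v1", scan_lockfile(SAMPLE_LOCK_V1)),
    ]
    for label, hits in results:
        for hit in hits:
            print(f"{label}: {hit['name']}@{hit['version']} at {hit['location']}")
```

Run it against every `package-lock.json` and `npm-shrinkwrap.json` in your repositories and CI workspaces; a hit is the install evidence the brief asks for before token rotation, and the install path tells you whether the package arrived as a direct dependency or was pulled in transitively.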
Finding 4: OT owners should assess B&R, NAVTOR, and Hitachi Energy without assuming exploitation
Confidence: Low
CISA ICS advisories list three operational-technology items: B&R PPT30 Operating System CVE-2025-11482, NAVTOR NavBox CVE-2026-21404, and Hitachi Energy MACH HiDraw CVE-2026-7310. Today's intelligence does not state confirmed exploitation for these items.
That distinction matters. OT teams still need to act, but the first step is applicability: whether the product exists, whether the affected feature or version is present, and whether patching can be scheduled safely inside operational constraints. For B&R, OPC-UA enablement is part of the decision. For NAVTOR, SOAP exposure and auto-update status matter. For Hitachi Energy, engineering-workstation access controls are part of the review.
Action: Send B&R, NAVTOR, and Hitachi Energy checks to OT and maritime or engineering-system owners. Ask for version, feature exposure, network isolation, and patch plan.
Sources: CISA ICS advisories ICSA-26-155-03, ICSA-26-155-01, and ICSA-26-155-05.
Finding 5: Synology, NetApp, Shopware, OpenMeter, and MCP-for-Stata need exposure-led triage
Confidence: Low
Several new advisories are actionable only after product matching. CERT-FR lists Synology Chat Server CVEs CVE-2026-9491, CVE-2026-40541, and CVE-2026-9548, plus NetApp Active IQ Config Advisor / OneCollect CVE-2026-22055 and CVE-2026-22054. GitHub Advisories add OpenMeter CVE-2026-8462, MCP-for-Stata CVE-2026-47708, Shopware CVE-2026-48009, and Shopware CVE-2026-48013.
Treat this as an exposure queue. Collaboration-heavy Synology deployments, storage-administration tooling, tenant-facing OpenMeter paths, research analytics environments, and Shopware admin or media endpoints all need different owners. One generic patch ticket will lose the detail.
Action: Split the queue by owner. Prioritise externally reachable Synology or Shopware systems, production storage-admin tooling, and environments where untrusted tenant, user, or filename input reaches the affected component.
Sources: CERT-FR advisories CERTFR-2026-AVI-0687 and CERTFR-2026-AVI-0686; GitHub Advisories for OpenMeter, MCP-for-Stata, and Shopware.
Finding 6: ASUS Business Manager Service and Microsoft Edge require endpoint-owner routing
Confidence: Low
Zero Day Initiative published advisories for ASUS Business Manager Service CVE-2026-7480 and Microsoft Edge CVE-2026-45492. The current evidence is single-source in today's intelligence, but both are close enough to endpoint management to justify owner checks.
The practical question is population. ASUS Business Manager Service is relevant only where it is installed on managed endpoints. Microsoft Edge is broader, but remediation still depends on browser update channels and the users most exposed to risky browsing or untrusted web content.
Action: Inventory ASUS Business Manager Service, route vendor remediation to endpoint owners, and confirm Edge update-channel coverage for high-risk browsing populations.
Sources: Zero Day Initiative advisories ZDI-26-328 and ZDI-26-329.
- Updates to ongoing stories
- Confidence: Medium
- Android CVE-2025-48595: Today's intelligence records active exploitation as a material update. Managed Android fleets should keep June patch tracking open and prioritise devices with elevated user risk.
- WinRAR CVE-2025-8088: The update is attribution to Gamaredon activity, not a new vulnerability. Keep WinRAR remediation and archive-lure detections active for Ukraine-facing or government-adjacent teams.
- Kirki WordPress CVE-2026-8206: The update is a severity change. WordPress owners should verify Kirki usage and review privileged-account changes.
Why This Matters
Today's brief is less about one confirmed compromise pattern and more about clean routing. Cisco leads because the evidence is stronger and the affected condition is specific. Most other items require asset, feature, tenant, package, or endpoint confirmation before severity can be raised.
The order is clear: check Cisco Unified CM/CM SME first, route Microsoft cloud advisories to named owners, run package-integrity searches, and ask OT teams for applicability without implying confirmed exploitation.
- Recommended Actions
- P1: Confirm Cisco Unified CM/CM SME 14/15 exposure, WebDialer status, and patch/COP state for CVE-2026-20230.
- P1: Assign Microsoft M365 Copilot, Azure HorizonDB, and Exchange Online CVEs to tenant and service owners.
- P2: Search SBOMs, lockfiles, npm caches, CI artefacts, and registry telemetry for Axios, Matrix Rust SDK, @cap-js/openapi, and IronWorm indicators.
- P2: Ask OT owners to assess B&R PPT30, NAVTOR NavBox, and Hitachi Energy MACH HiDraw applicability and patch plans.
- P2: Split Synology, NetApp, Shopware, OpenMeter, and MCP-for-Stata checks by product owner and exposure path.
- P2: Inventory ASUS Business Manager Service and confirm Microsoft Edge update-channel coverage.
All findings grounded in a13e intelligence sweeps through 04:55 UTC 05 June 2026.
Mirasvit CVE-2026-45247 Enters CISA KEV as PAN-OS and TA4922 Pressure Builds
Finding 1: Mirasvit Full Page Cache Warmer CVE-2026-45247 enters CISA KEV
Confidence: High
CISA's Known Exploited Vulnerabilities catalogue lists CVE-2026-45247 in Mirasvit Full Page Cache Warmer. Today's intelligence treats this as the lead because the exploitation signal is government-confirmed, not merely feed-level reporting.
The practical question is exposure. Teams running Magento or related e-commerce estates should confirm whether the Mirasvit Full Page Cache Warmer extension is present, check patch or removal options, and review logs for suspicious activity where the extension is deployed.
Action: Make this a P0 applicability check for Magento and e-commerce owners. If the extension is present, move from asset confirmation to remediation and exploitation review the same day.
Source: CISA Known Exploited Vulnerabilities catalogue, CVE-2026-45247.
Finding 2: PAN-OS GlobalProtect CVE-2026-0257 is CISA KEV-listed and back in incident-routing scope
Confidence: High
PAN-OS GlobalProtect CVE-2026-0257 is a Palo Alto Networks authentication bypass listed in CISA's Known Exploited Vulnerabilities catalogue since 29 May 2026, so exploitation is government-confirmed rather than feed-level. Today's intelligence records it as an update with active-exploitation materiality, and The Register reports that exposed Palo Alto VPN environments have moved from advisory tracking into active-exploitation concern.
This should not be treated as generic perimeter patching. Exposed GlobalProtect gateways deserve a separate owner check, with patch or mitigation state tied to incident-response visibility. If a gateway remains exposed and unpatched, the question is no longer only “when is the maintenance window?” It is also “what evidence would show compromise?”
Action: Re-check exposed GlobalProtect gateways, confirm patch or mitigation status, and route unpatched exposure into incident-response review.
Sources: CISA Known Exploited Vulnerabilities catalogue, CVE-2026-0257 (added 29 May 2026); The Register, PAN-OS GlobalProtect active-exploitation reporting.
Finding 3: TA4922 Atlas RAT targeting reaches Britain and Germany
Confidence: Medium
Proofpoint reports that TA4922, a suspected Chinese-speaking cybercrime group, has expanded activity into Europe, including the United Kingdom and Germany. The reporting names Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT, with lures using business, HR, tax, payroll, and invoice themes.
The most useful action is hunting, not general awareness. Today's intelligence includes hashes and infrastructure from the reporting, including a648db354820ea4d02940cb1702b35974513b7aae83f6dffaacaac4ba31f9295, 584a9448dda46bd590d7a2f86228100d2ae6e0d6d990c1a4459ed5ee28e07ae8, 206.238.115.58, 154.211.86.110, 43.156.77.97, and 103.214.172.33.
Action: Hunt those indicators across mail, EDR, proxy, DNS, and firewall telemetry. Pay particular attention to GoFile ZIP lures, DLL sideloading, HR-themed emails, and Germany or UK tax-themed social engineering.
Sources: Proofpoint TA4922 research and BleepingComputer European Atlas RAT reporting.
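The hunt the action above calls for, as an added worked example (not code from the brief, from Proofpoint, or from BleepingComputer): the indicator set is exactly the hashes and addresses listed in the finding, and the telemetry lines the matcher runs over are constructed sample data, not real proxy, EDR, firewall or DNS records. Matching is done on whole tokens so that a near-miss address such as 143.156.77.97 is not reported as 43.156.77.97, and hashes are compared case-insensitively because EDR exports vary in casing.

```python
"""Indicator hunt over exported telemetry lines.

Added example; not from the original brief or from the vendors it cites.
The indicators are the ones listed in the finding; the log lines below are
constructed sample data, not real telemetry.
"""
import re
from collections import defaultdict

# SHA-256 hashes and IPv4 addresses quoted in the finding.
HASHES = {
    "a648db354820ea4d02940cb1702b35974513b7aae83f6dffaacaac4ba31f9295",
    "584a9448dda46bd590d7a2f86228100d2ae6e0d6d990c1a4459ed5ee28e07ae8",
}
IPS = {
    "206.238.115.58",
    "154.211.86.110",
    "43.156.77.97",
    "103.214.172.33",
}

# Token-level patterns so that 43.156.77.97 does not match inside 143.156.77.97
# and a 64-hex-character hash is not matched inside a longer hex run.
_HASH_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{64}(?![0-9a-fA-F])")
_IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def find_indicators(line):
    """Return the set of watchlist indicators present in one log line.

    Hashes are compared case-insensitively; IPs must match as whole tokens.
    """
    hits = set()
    for h in _HASH_RE.findall(line):
        if h.lower() in HASHES:
            hits.add(h.lower())
    for ip in _IP_RE.findall(line):
        if ip in IPS:
            hits.add(ip)
    return hits


def hunt(lines, sources):
    """Run the matcher over parallel lists of lines and their telemetry source.

    Returns {indicator: [(source, line), ...]} so an analyst can see which
    telemetry (proxy, DNS, EDR, firewall) saw which indicator.
    """
    seen = defaultdict(list)
    for source, line in zip(sources, lines):
        for indicator in find_indicators(line):
            seen[indicator].append((source, line))
    return dict(seen)


# Constructed sample telemetry (not real data): one hit each in proxy, EDR and
# firewall, an upper-case hash, and two near-miss lines that must not match.
SAMPLE = [
    ("proxy", "2026-06-04T07:12:03Z user=jdoe dst=206.238.115.58:443 url=https://gofile.io/d/abc123 action=allow"),
    ("edr", "2026-06-04T07:12:40Z host=LAPTOP-17 event=file_write path=C:\\Users\\jdoe\\Downloads\\payroll.dll sha256=A648DB354820EA4D02940CB1702B35974513B7AAE83F6DFFAACAAC4BA31F9295"),
    ("firewall", "2026-06-04T07:13:11Z src=10.20.30.40 dst=43.156.77.97 dport=8080 action=deny"),
    ("dns", "2026-06-04T07:13:12Z client=10.20.30.40 query=updates.example.net answer=143.156.77.97"),
    ("edr", "2026-06-04T07:14:00Z host=LAPTOP-17 event=file_write path=C:\\Temp\\a.txt sha256=0000000000000000000000000000000000000000000000000000000000000000"),
]


def run_sample():
    """Hunt the constructed sample and return hits grouped by indicator."""
    sources = [s for s, _ in SAMPLE]
    lines = [l for _, l in SAMPLE]
    return hunt(lines, sources)


if __name__ == "__main__":
    for indicator, hits in sorted(run_sample().items()):
        print(indicator)
        for source, line in hits:
            print(f"  [{source}] {line}")
```

Feed `hunt()` the exported lines from each telemetry source with a matching source label; grouping by indicator rather than by line makes it obvious when the same address shows up in both proxy and firewall data, which is the pairing worth escalating first.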
Finding 4: BSI advisories create a QEMU, automation, security-ops, CMS, and delivery-tool queue
Confidence: Low/Unverified
BSI published or surfaced multiple advisories relevant to QEMU/qemu-kvm, Red Hat Ansible Automation Platform, MISP, Progress Sitefinity, Go, Devolutions Server, Froxlor, and Octopus Deploy. The QEMU items include CVE-2026-3195, CVE-2026-3196, CVE-2025-14876, CVE-2026-2243, and CVE-2026-3842.
The risk is not that every item deserves the same urgency. The risk is that virtualisation, automation, threat-intelligence, CMS, privileged-access, hosting-control-panel, and CI/CD owners all assume someone else has the ticket. This is a routing problem first.
Action: Build a same-day owner table. Send QEMU to virtualisation and appliance owners, Ansible to automation owners, MISP to security operations, Sitefinity and Froxlor to web teams, Devolutions to privileged-access owners, and Octopus Deploy to CI/CD owners.
Sources: BSI WID-SEC advisories WID-SEC-2026-0566, WID-SEC-2025-2884, WID-SEC-2026-0464, WID-SEC-2026-1083, WID-SEC-2025-2432, WID-SEC-2026-1778, WID-SEC-2026-1783, WID-SEC-2026-1776, WID-SEC-2026-1781, WID-SEC-2026-1782, and WID-SEC-2026-1784.
Finding 5: Developer and research-platform dependencies need SBOM matching before escalation
Confidence: Low/Unverified
GitHub Advisories list clusters affecting Jupyter Enterprise Gateway, Docling, browserstack-runner, React Router, AIOHTTP, and quic-go. The most sensitive paths are notebook gateways, Kubernetes-backed research platforms, document and archive parsing, CI runners, public React Router apps, Python services, and Go HTTP/3 endpoints.
This is too broad for manual ticket guessing. The better route is SBOM or dependency matching against production services, CI runners, developer workstations, research platforms, and container images. Escalate only where a vulnerable package is present in a relevant execution path.
Action: Ask platform, application, and developer-experience owners to run dependency matching for the named packages. Prioritise browserstack-runner, Jupyter Enterprise Gateway, and Docling where untrusted input or CI execution is involved.
Sources: GitHub Advisories for Jupyter Enterprise Gateway, Docling, browserstack-runner, React Router, AIOHTTP, and quic-go.
Finding 6: Acer Wave 7 and Gemini notification hijack remain low-confidence but actionable hygiene items
Confidence: Low/Unverified
Acer Wave 7 router zero-day reporting is included as a new item, but the evidence remains incomplete pending fuller vendor and CVE detail. Treat it as an exposure-management item: know whether Wave 7 routers exist, reduce external exposure, and track firmware availability.
The Gemini notification hijack path is also included as a low-confidence hygiene item. The Hacker News reports that Google patched the issue server-side. The residual control question is whether Android fleets grant broad notification access or connected-app permissions to AI assistant workflows without a clear business reason.
Action: Inventory Acer Wave 7 routers and restrict exposure where possible. Review Gemini notification access and Android connected-app permissions, especially on managed devices used by privileged or sensitive users.
Sources: BleepingComputer Acer Wave 7 reporting and The Hacker News Gemini notification hijack reporting.
- Updates to ongoing stories
- Confidence: Low/Unverified
- WinRAR CVE-2025-8088 (CISA KEV): This path-traversal flaw is a known-exploited vulnerability, listed in CISA's Known Exploited Vulnerabilities catalogue since 12 August 2025. Today's update is attribution, not a new vulnerability: The Hacker News reports Gamaredon-linked use against Ukraine. Keep WinRAR remediation and archive-lure detection active for Ukraine-facing, government-adjacent, and Europe-facing teams.
- Android CVE-2025-48595 (CISA KEV): This Android Framework integer-overflow flaw entered CISA's Known Exploited Vulnerabilities catalogue on 2 June 2026 and is known-exploited. Yesterday's bundle already covered managed Android patch compliance, so it is not a fresh lead today, but keep patch tracking open and prioritise managed fleets given the confirmed exploitation.
- Kirki CVE-2026-8206 and WP Maps Pro: WordPress administrator-account abuse remains important. Continue plugin checks and administrator-account review, but today's brief treats those stories as repeated against recent publication state.
- VS Code token theft: Exploit-code reporting remains watchlist-only pending stronger advisory or patch anchoring. Developer teams should still tighten GitHub token hygiene and review unusual authentication activity.
Why This Matters
Today's brief is a triage exercise. Four items carry a government-confirmed exploitation signal through CISA KEV: Mirasvit CVE-2026-45247, PAN-OS CVE-2026-0257, WinRAR CVE-2025-8088, and Android CVE-2025-48595. Mirasvit is the lead because it is the newest KEV addition; the others are already-tracked exploited items. Several non-KEV findings need fast owner confirmation because they sit on exposed gateways, developer tooling, e-commerce sites, or security operations systems.
The right response is not to panic-patch everything. It is to rank by confidence, exposure, and owner. Start with Mirasvit CVE-2026-45247, re-check PAN-OS GlobalProtect, hunt TA4922 indicators, and then route the lower-confidence BSI, Ubuntu, MSRC, and GHSA items to the right technical teams.
- Recommended Actions
- P0: Check Mirasvit Full Page Cache Warmer CVE-2026-45247 exposure in Magento and e-commerce estates, then remediate and review logs where present.
- P1: Confirm PAN-OS GlobalProtect CVE-2026-0257 (CISA KEV) patch or mitigation status for exposed gateways.
- P1: Hunt TA4922 Atlas RAT indicators across mail, EDR, proxy, DNS, and firewall telemetry.
- P1: Route the BSI advisory queue to named virtualisation, automation, security-ops, CMS, privileged-access, hosting, and CI/CD owners.
- P2: Run SBOM and dependency matching for Jupyter Enterprise Gateway, Docling, browserstack-runner, React Router, AIOHTTP, and quic-go.
- P2: Track Acer Wave 7 firmware detail and review Gemini notification and connected-app permissions on Android fleets.
All findings grounded in a13e intelligence sweeps through 04:55 UTC 04 June 2026.
Android CVE-2025-48595 and CISA KEV CVE-2022-0492 Lead a Patch-Routing Day
Finding 1: Android CVE-2025-48595 (CISA KEV) active-exploitation patch compliance
Confidence: Low/Unverified
The 03 June intelligence sweep flags Android CVE-2025-48595 as a managed-mobile patch-compliance item. SecurityWeek reports that Google's Android update patches CVE-2025-48595 and 123 other vulnerabilities, with CVE-2025-48595 described as exploited in limited, targeted attacks. CVE-2025-48595 is also listed on CISA's Known Exploited Vulnerabilities catalogue (2026-06-02 release), which corroborates the exploitation signal beyond the single SecurityWeek source.
The call is simple. This is not a broad mobile panic item. It is a patch-status question for managed Android fleets. Teams should confirm whether exposed or sensitive-user devices have received the June Android security update, then record exceptions by device owner and business function.
Action: Treat managed Android patch state as P1 for the next seven days. Prioritise devices used by administrators, executives, incident responders, and users in higher-risk roles. Where patching depends on OEM or carrier release timing, document the blocked population and keep Samsung/Android remediation mapping current through NCSC-NL NCSC-2026-0173.
Source: SecurityWeek, plus NCSC-NL NCSC-2026-0173.
Finding 2: CISA KEV adds Linux kernel/container CVE-2022-0492
Confidence: Low/Unverified
The intelligence sweep surfaces the CISA Known Exploited Vulnerabilities entry CVE-2022-0492 into today's brief. It is an existing KEV listing rather than a new addition, so treat it as standing exposure to confirm. The brief routes this to legacy kernels, Kubernetes nodes, privileged containers, and cgroup exposure checks.
The age of the CVE matters less than the KEV signal. If a legacy Linux estate, old container host, or privileged workload still carries exposure, this becomes an asset-discovery and exception-management problem. The highest-risk systems are those where container isolation assumptions are part of the control model.
Action: Check kernel versions and container runtime exposure on Kubernetes nodes, CI workers, shared Linux hosts, and any environment using privileged containers. Confirm whether remediation is already covered by current distribution baselines. Escalate exceptions where internet-facing services, shared tenancy, or administrative workloads are present.
Source: CISA KEV catalogue.
Finding 3: EU Tier-0 advisories create an owner assignment queue
Confidence: Low/Unverified
The largest change is volume. The 03 June intelligence sweep contains new Tier-0 or national-advisory items for IBM WebSphere, Microsoft SharePoint, Mozilla Firefox for iOS, Google Android and Samsung Mobile remediation, Apache Kafka, Ivanti Neurons for ITSM, OpenSC, Nextcloud, and Red Hat OpenShift. These items do not all deserve the same urgency, but each needs an accountable owner.
The risk is queue failure. Middleware, collaboration, ITSM, smart-card, OpenShift, Kafka, and mobile-browser owners may sit in different teams. A daily advisory spike can turn into missed routing if everything lands in one generic patch inbox.
Action: Build a same-day routing table. Assign WebSphere to Java middleware owners, SharePoint and Nextcloud to collaboration owners, Kafka to platform/data-stream owners, Ivanti to ITSM owners, OpenSC to endpoint and privileged-admin endpoint owners, and OpenShift to platform owners. Ask each owner for exposure, patch availability, and planned remediation date.
Sources: BSI WID-SEC-2026-1762, WID-SEC-2026-1764, WID-SEC-2026-1763, WID-SEC-2026-1765, WID-SEC-2026-1767, WID-SEC-2026-1769, WID-SEC-2026-1773, WID-SEC-2026-1768, and NCSC-NL NCSC-2026-0173.
Finding 4: Linux, desktop, and package baseline items need hygiene without over-escalation
Confidence: Low/Unverified
The intelligence sweep lists new package and platform items for libsoup CVE-2026-6324, X.Org/Xwayland CVE-2025-26597, glib-networking CVE-2026-10028, Ubuntu Tomcat Connectors USN-8369-1 / CVE-2024-46544, Ubuntu age USN-8372-1 / CVE-2024-56327, Ubuntu libeconf USN-8368-1 / CVE-2023-22652, Ubuntu EditorConfig USN-8238-2 / CVE-2026-40489, and an OpenSSH rowhammer-related NVD entry, CVE-2023-51767.
This set is best handled through baseline engineering, not incident response. The practical question is where these packages appear in base images, developer workstations, VDI, kiosk builds, CI images, Linux clients, appliances, and Java web front ends.
Action: Fold these into normal package and image rebuild workflows. Prioritise exposed services and shared desktop contexts ahead of low-actionability items. Keep OpenSSH CVE-2023-51767 on watch until distribution or vendor clarification gives a clearer remediation path.
Sources: MSRC, NVD, and Ubuntu notices.
Finding 5: Kirki WordPress CVE-2026-8206 adds a second admin-account risk
Confidence: Low/Unverified
The intelligence sweep promotes a new BleepingComputer report on CVE-2026-8206, a Kirki WordPress flaw reported as exploited to hijack administrator accounts. This is separate from yesterday's WP Maps Pro CVE-2026-8732 story, which was already published and is not repeated as today's lead.
The common risk is administrator-account abuse in WordPress estates. Even where a site is patched, unexpected administrator creation is a high-value detection point because it can persist after the vulnerable component is removed.
Action: Check Kirki usage, plugin versions, and recent administrator-account changes. Keep the WP Maps Pro remediation from 02 June open until admin-account review is complete across affected WordPress sites.
Source: BleepingComputer.
- Updates to ongoing stories
- Confidence: Low/Unverified
- Oracle WebLogic exploited-patch reporting: The intelligence sweep marks this as an update with patch-released materiality. Verify against CISA KEV and Oracle alerts before raising customer-facing urgency.
- Gamaredon and WinRAR CVE-2025-8088: The intelligence sweep records attribution change, with GammaWorm and GammaSteel delivery against Ukraine. CVE-2025-8088 is on CISA's KEV catalogue, so treat WinRAR archive-handling exposure as actively exploited. Keep Europe-facing phishing and archive-handling controls in scope.
- praisonai-platform CVE-2026-47411 / GHSA-rcmc-q9rj-4wmq: route as low-priority dependency hygiene.
- Palo Alto VPN / PAN-OS CVE-2026-0257 context: CVE-2026-0257 is on CISA's KEV catalogue, and active-exploitation coverage was re-promoted by the sweep's sidecar. This remains a short update because Palo Alto exploitation was previously covered.
- Red Hat npm / Miasma and WP Maps Pro CVE-2026-8732: both remain relevant from yesterday's bundle. Today's evidence changes their status, not the core recommended actions.
Why This Matters
The day is less about one headline exploit and more about avoiding routing failure. Today's brief shows a wide set of eligible findings that would be easy to mishandle if they were all treated as the same patch ticket.
The right response is owner-driven: confirm mobile patch state, verify Linux/container exposure, route EU advisory items to named service owners, and keep WordPress administrator-account checks active. Most findings are still Low/Unverified. Move owners, but do not imply confirmed compromise across the estate.
- Recommended Actions
- P1: Confirm Android CVE-2025-48595 patch status for managed devices and record OEM/carrier blockers.
- P1: Check Linux and Kubernetes exposure for CVE-2022-0492, especially legacy kernels, privileged containers, cgroups, CI workers, and shared hosts.
- P1: Route the EU advisory cluster to named middleware, collaboration, ITSM, OpenShift, Kafka, smart-card, and mobile owners.
- P2: Fold libsoup, X.Org/Xwayland, glib-networking, Ubuntu package notices, and OpenSSH CVE-2023-51767 into package/image baselines.
- P2: Check Kirki and WP Maps Pro exposure, then audit WordPress administrator-account changes.
All findings grounded in a13e intelligence sweeps through 04:55 UTC 03 June 2026.
Actively Exploited WordPress Admin-Takeover Flaw Leads a Supply-Chain-Heavy Day
Finding 1: WP Maps Pro flaw actively exploited to create WordPress admin accounts (CVE-2026-8732)
Confidence: Medium-High
The WP Maps Pro plugin for WordPress contains a privilege-escalation flaw, tracked as CVE-2026-8732, in all versions up to and including 6.1.0. The wpgmptempaccessajax AJAX action is registered without an adequate capability check, which lets an attacker create a new administrator account and take over the site. The vulnerability is recorded in the NVD (published 2026-05-29), and The Hacker News reports it is being actively exploited.
This is the clearest action item today. Administrator-account creation gives an attacker full control of the affected site, including content, user data, and any connected systems.
Action: Update WP Maps Pro past 6.1.0 immediately on any WordPress estate that uses it. Audit the WordPress user list for unexpected administrator accounts created recently, and review access logs for calls to the wpgmptempaccessajax action. Where you cannot patch at once, disable the plugin until you can.
Source: https://thehackernews.com/2026/06/critical-wp-maps-pro-flaw-actively.html
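The two checks the action asks for, the administrator-account audit and the access-log review for the wpgmptempaccessajax action, as one added worked example; the same administrator-creation audit covers the Kirki CVE-2026-8206 finding in the 03 June brief above. This is not code from the brief or from the WP Maps Pro project. It assumes the default WordPress table prefix wp_ and the standard layout of wp_users and wp_usermeta (roles stored as a PHP-serialised array under the wp_capabilities meta key); the user rows, the access-log lines and the user name wpgmp_tmp are constructed sample data loaded into an in-memory SQLite database, not a real site.

```python
"""Audit a WordPress site for recently created administrator accounts and for
requests carrying the wpgmptempaccessajax AJAX action.

Added example, not from the original brief or from the WP Maps Pro project.
Assumes the default wp_ table prefix; all rows and log lines below are
constructed sample data, not a real site.
"""
import re
import sqlite3
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# WordPress stores roles as a PHP-serialised array in usermeta.wp_capabilities,
# e.g. a:1:{s:13:"administrator";b:1;}; a LIKE on the quoted role name is enough.
ADMIN_ROLE_SQL = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
  AND u.user_registered >= ?
ORDER BY u.user_registered
"""


def recent_admins(conn, since):
    """Administrator accounts registered on or after `since` (a datetime)."""
    cur = conn.execute(ADMIN_ROLE_SQL, (since.strftime("%Y-%m-%d %H:%M:%S"),))
    keys = ("id", "login", "email", "registered")
    return [dict(zip(keys, row)) for row in cur.fetchall()]


# Combined-format access log: ip ident user [time] "METHOD target HTTP/x" status ...
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
SUSPECT_ACTION = "wpgmptempaccessajax"


def ajax_action_hits(lines):
    """Requests to admin-ajax.php whose query string names the suspect action.

    POST bodies are not written to a standard access log, so only calls that
    pass the action in the URL are caught here; treat the result as a lower
    bound and pair it with the administrator-account audit above.
    """
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        if SUSPECT_ACTION in parse_qs(parts.query).get("action", []):
            hits.append({"ip": ip, "time": ts, "method": method, "status": status})
    return hits


def build_sample_db():
    """Constructed wp_users / wp_usermeta rows (not a real site)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
    CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
    INSERT INTO wp_users VALUES (1, 'siteowner', 'owner@example.org', '2024-03-01 09:00:00');
    INSERT INTO wp_users VALUES (2, 'editor1', 'editor@example.org', '2026-05-30 10:00:00');
    INSERT INTO wp_users VALUES (3, 'wpgmp_tmp', 'tmp@example.net', '2026-06-01 02:17:44');
    INSERT INTO wp_usermeta VALUES (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    INSERT INTO wp_usermeta VALUES (2, 2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');
    INSERT INTO wp_usermeta VALUES (3, 3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn


# Constructed access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.9 - - [01/Jun/2026:02:17:40 +0000] "GET /wp-admin/admin-ajax.php?action=wpgmptempaccessajax HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.4 - - [01/Jun/2026:08:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "https://example.org/wp-admin/" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Jun/2026:08:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
]


def run_sample(now=datetime(2026, 6, 2, 6, 30)):
    """Run both checks over the constructed data with a 14-day look-back."""
    conn = build_sample_db()
    return {
        "new_admins": recent_admins(conn, now - timedelta(days=14)),
        "ajax_hits": ajax_action_hits(SAMPLE_LOG),
    }


if __name__ == "__main__":
    result = run_sample()
    for admin in result["new_admins"]:
        print(f"new administrator: {admin['login']} <{admin['email']}> registered {admin['registered']}")
    for hit in result["ajax_hits"]:
        print(f"suspect AJAX call: {hit['ip']} at {hit['time']} ({hit['method']} {hit['status']})")
```

Against a live site, point `recent_admins()` at the real database connection (MySQL via any DB-API driver; the SQL is plain enough to run unchanged) and `ajax_action_hits()` at the web server's access log. The 14-day window is a starting point; widen it to cover the period before the plugin was updated, since an account created before the patch survives the patch.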
Finding 2: Credential-stealing npm worm compromises Red Hat packages (Miasma)
Confidence: Medium
Two reporting sources describe a supply-chain compromise, named Miasma, in which npm packages associated with Red Hat were altered to steal developer credentials. The reporting frames it as a self-propagating, credential-stealing worm in the npm registry rather than a single tampered package.
The practical risk is to developer workstations and CI runners, where registry tokens, source-code access, and other secrets often sit in the same context. A credential-stealing package that lands on a build runner can reach well beyond the one machine.
Action: Check npm install history, package-lock files, and CI logs for the affected Red Hat-associated packages. Rotate npm and registry credentials that may have been reachable from an affected developer or CI environment, and review recent registry activity for unexpected publishes or token use.
Sources: https://thehackernews.com/2026/06/miasma-supply-chain-attack-compromises.html and https://www.bleepingcomputer.com/news/security/red-hat-npm-packages-compromised-to-steal-developer-credentials/
Finding 3: OpenAI Codex authentication tokens reportedly stolen via codexui-android@0.1.82 [single-source]
Confidence: Low/Unverified
A single source reports that the npm package codexui-android, version 0.1.82, targets OpenAI Codex authentication tokens. The report does not confirm victim count, exploitation telemetry, or registry takedown status, so treat it as a containment-oriented hygiene check rather than a confirmed incident. It fits the same developer-token supply-chain theme as the Miasma reporting above.
Action: Search package-lock files, npm caches, CI logs, and developer workstations for codexui-android, especially version 0.1.82. Rotate OpenAI or Codex tokens where the package appears in a trusted developer or CI environment.
Source: https://thehackernews.com/2026/06/openai-codex-authentication-tokens.html
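The lockfile and SBOM search that this finding, the Miasma finding above it, and the Axios/IronWorm and GitHub Advisory dependency-matching findings in the earlier briefs all ask for, as one added worked example; it is not code from any of those briefs or from npm, GitHub or any vendor. The only watchlist entry taken from the page is codexui-android 0.1.82; the second entry is an obviously labelled placeholder standing in for a package whose affected range you take from its advisory, and the package-lock.json and CycloneDX documents are constructed samples, not real project files. The matcher handles npm lockfile v2/v3 `packages` maps (including nested node_modules paths) and CycloneDX JSON components, which are the two artefacts most CI pipelines already produce.

```python
"""Match a package watchlist against npm lockfiles and CycloneDX SBOMs.

Added example; not from the original briefs or from any vendor. The only
watchlist entry taken from the briefs is codexui-android 0.1.82; the other
entry is an obviously labelled placeholder, and the lockfile and SBOM below
are constructed sample documents, not real project files.
"""
import json

# Watchlist entries: package name, match kind, version.
#   "exact": only that version is of interest (a single malicious publish)
#   "lte":   that version and everything below (typical "fixed in next" advisory)
#   "any":   every version should be reviewed against the advisory
WATCHLIST = [
    {"name": "codexui-android", "kind": "exact", "version": "0.1.82"},
    {"name": "placeholder-affected-package", "kind": "lte", "version": "2.4.0"},
]


def parse_version(v):
    """Turn '1.2.3' (optionally with -prerelease/+build) into a comparable tuple."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def matches(entry, name, version):
    """True when (name, version) falls inside one watchlist entry."""
    if entry["name"] != name:
        return False
    if entry["kind"] == "any":
        return True
    if entry["kind"] == "exact":
        return parse_version(version) == parse_version(entry["version"])
    if entry["kind"] == "lte":
        return parse_version(version) <= parse_version(entry["version"])
    raise ValueError(f"unknown watchlist kind {entry['kind']!r}")


def packages_from_lockfile(lock):
    """Yield (name, version, path) from a package-lock.json v2/v3 'packages' map.

    Keys look like 'node_modules/axios' or 'node_modules/a/node_modules/b';
    the package name is everything after the last 'node_modules/'. The root
    entry (key '') is the project itself and is skipped.
    """
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        yield name, meta.get("version", ""), path


def packages_from_cyclonedx(sbom):
    """Yield (name, version, purl) from a CycloneDX JSON SBOM's components."""
    for comp in sbom.get("components", []):
        yield comp.get("name", ""), comp.get("version", ""), comp.get("purl", "")


def scan(packages, watchlist=WATCHLIST):
    """Return a sorted list of (name, version, location) for every watchlist hit."""
    hits = set()
    for name, version, location in packages:
        for entry in watchlist:
            if matches(entry, name, version):
                hits.add((name, version, location))
    return sorted(hits)


# Constructed sample inputs (not real files).
SAMPLE_LOCK = json.loads("""{
  "name": "example-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/codexui-android": {"version": "0.1.82"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/placeholder-affected-package": {"version": "2.5.0"},
    "node_modules/tool/node_modules/placeholder-affected-package": {"version": "2.3.9"}
  }
}""")

SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"name": "codexui-android", "version": "0.1.81", "purl": "pkg:npm/codexui-android@0.1.81"},
    {"name": "codexui-android", "version": "0.1.82", "purl": "pkg:npm/codexui-android@0.1.82"}
  ]
}""")


def run_sample():
    """Scan both constructed documents against the watchlist."""
    return {
        "lockfile": scan(packages_from_lockfile(SAMPLE_LOCK)),
        "sbom": scan(packages_from_cyclonedx(SAMPLE_SBOM)),
    }


if __name__ == "__main__":
    for source, hits in run_sample().items():
        print(source)
        for name, version, where in hits:
            print(f"  {name}@{version}  ({where})")
```

Note that the nested copy at 2.3.9 is reported while the top-level 2.5.0 is not: transitive duplicates are exactly what a grep of package.json misses, which is why the lockfile or SBOM, not the manifest, is the thing to search. For Python or Go estates the two loaders are the only parts that change; `scan()` and the watchlist format stay the same.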
On Watch (active-exploitation reports awaiting firm identifiers)
Confidence: Medium
- These two carry active-exploitation reporting but lack a confirmed CVE or advisory identifier at the time of writing. They are on watch, not dismissed: verify your own exposure now and treat a confirmed identifier as a trigger to act.
- Windows Netlogon remote code execution, reported exploited in attacks. If confirmed against your domain controllers this would be high-impact. Review domain-controller patch levels and watch for a Microsoft advisory or CVE to anchor remediation. Source: https://www.bleepingcomputer.com/news/microsoft/critical-windows-netlogon-remote-code-execution-flaw-now-exploited-in-attacks/
- A Linux kernel local privilege-escalation flaw described as 19 years old, reported to grant root. Identify the affected subsystem and distribution advisories before scheduling kernel updates. Source: https://www.securityweek.com/19-year-old-linux-kernel-vulnerability-exposes-systems-to-root-access/
Already Covered (no repeat today)
Confidence: High
Palo Alto PAN-OS exploitation under CVE-2026-0257 featured in our 31 May report and carries no materially new development today, so it is not repeated here. Continue any remediation already underway from that advisory.
Why This Matters
Three of today's items sit in the software-supply-chain and developer-tooling layer: a WordPress plugin, npm registry packages, and an AI-tool token. The common thread is that a single compromised component can grant broad access, whether that is administrator control of a website or a credential lifted from a build runner. The defensive moves are the same in each case: know where the component is in use, patch or remove it, and rotate any credential that was reachable from it.
- Recommended Actions
- P1: Update WP Maps Pro past version 6.1.0 and audit WordPress sites for unexpected administrator accounts.
- P1: Hunt for the Miasma-affected Red Hat npm packages and codexui-android@0.1.82 across npm caches, lockfiles, CI logs, and developer endpoints; rotate exposed registry and OpenAI/Codex tokens.
- P2: Verify Windows domain-controller and Linux kernel exposure now; act on the Netlogon and Linux kernel reports as soon as a CVE or vendor advisory anchors them.
- P3: No further action needed on Palo Alto CVE-2026-0257 beyond remediation already in progress from the 31 May advisory.
All findings grounded in a13e intelligence sweeps and verified against primary sources through 06:30 UTC on 02 June 2026.
Gogs No-CVE RCE Report - Exposure Review Whilst PAN-OS CVE-2026-0257 KEV/Exploitation Context Moves to P1
Finding: Gogs no-CVE remote-code-execution report [UNCONFIRMED, single-source]
Confidence: Low/Unverified
Source: SecurityWeek reporting in the 31 May source packet. SecurityWeek reports a Gogs zero-day exposing servers to remote code execution. The source packet records this as the only NEW finding eligible for publication, but it does not include a CVE, maintainer patch URL, IOC set or named-victim evidence.
That matters because the right response is exposure discovery, not incident escalation. Teams should identify internet-facing Gogs instances, restrict access where possible and review repository or administrative logs for unusual activity. Stronger language should wait for maintainer guidance, a CVE, a patch, IOCs or confirmed victim evidence.
Update: Palo Alto Networks CVE-2026-0257 KEV/exploitation context confirmed
Confidence: Medium
Source: NCSC-NL advisory, Palo Alto Networks advisory and Rapid7 exploitation reporting in the 31 May source packet. Previously tracked PAN-OS and Prisma Access exposure is now back in the P1 edge-VPN review queue because CVE-2026-0257 is present in broader Known Exploited/KEV tracking, and NCSC-NL cites Rapid7 observed exploitation plus public proof-of-concept availability. This is not being treated as a new KEV addition in today's KEVNEW list.
This is the clearest operational update in today's evidence. Owners should verify PAN-OS and Prisma Access patch state, review certificate reuse and authentication-override cookie configuration, and check Rapid7 IOC guidance where an affected portal or gateway was exposed.
Update: Admidio CVE-2026-47233 patched in 5.0.10 [UNCONFIRMED, single-source]
Confidence: Low/Unverified
Source: GitHub Advisory Database, GHSA-xw54-c3mx-9pm3. The source packet records a new patched-version anchor for CVE-2026-47233: Admidio 5.0.10. The advisory describes logged-in inventory field deletion through mode=fielddelete, with affected versions at or below 5.0.9.
Treat this as a targeted owner assignment item. Check Admidio deployments, especially internet-facing or multi-admin/community instances, and upgrade to 5.0.10 or later where the software is present.
Update: praisonai-platform CVE-2026-47416 patched in 0.1.4 [UNCONFIRMED, single-source]
Confidence: Low/Unverified
Source: GitHub Advisory Database, GHSA-c2m8-4gcg-v22g. The source packet records a new patched-version anchor for CVE-2026-47416: praisonai-platform 0.1.4. The issue is described as member-to-owner workspace privilege escalation affecting versions up to 0.1.2.
This is a patch-validation task. If PraisonAI or praisonai-platform workspaces are present in labs, demos, customer proof-of-concepts or internal tooling, pin to 0.1.4 or later and review recent workspace-owner membership changes.
Why This Matters
Today's signal is mixed. The only NEW item, Gogs, is not mature enough for exploit claims. The strongest action sits in an UPDATED item: Palo Alto Networks CVE-2026-0257 now has KEV-aligned exploitation context and should outrank lower-confidence software advisory checks.
The two patch updates are still useful. They give owners exact fixed-version targets for praisonai-platform and Admidio, which is the difference between vague awareness and a closeable ticket.
- Recommended Actions
- Treat Palo Alto Networks CVE-2026-0257 as the P1 edge-VPN item: verify patch state, configuration exposure and Rapid7 IOC guidance where exposed; note it is KEV-aligned but not a new KEV_NEW entry today.
- Inventory internet-facing Gogs instances and apply compensating access controls pending maintainer, CVE, patch or IOC detail.
- Upgrade Admidio to 5.0.10 or later where present, prioritising shared or internet-facing deployments.
- Upgrade praisonai-platform to 0.1.4 or later where present, then review workspace-owner membership changes.
- Keep watchlist-only and excluded items out of executive escalation unless future evidence provides a strict material update.
All findings grounded in a13e intelligence sweeps through 04:55 UTC 31 May 2026.
Cyber Threat Watchlist for 2026-06-01
- 🟡 Low-signal day: little new material, but one tracked item is under active exploitation.
- The bullets below are what we are watching; the Marimo item warrants action now.
- nvd.nist.gov, thehackernews.com: Marimo CVE-2026-39987 is on CISA KEV, with reporting of LLM-agent post-exploitation activity. If you run Marimo notebooks anywhere, patch to the fixed release now and keep them off the public internet.
- nvd.nist.gov: Google Chrome use-after-free fixes CVE-2026-10002 (PDFium) and CVE-2026-10012 (Skia), resolved in 148.0.7778.216. Check that managed fleets, VDI pools and unmanaged endpoints are on that build or later.
- github.com: praisonai-platform has patched workspace-boundary and privilege-promotion issues. If it runs in labs or internal tooling, move to the latest release and review who can promote workspace members.
Most likely to escalate: Marimo CVE-2026-39987, already KEV-listed and exploited, so treat unpatched instances as exposed today rather than tomorrow.
Full brief resumes when material change is detected.