#cisa-kev
31 analyses tagged cisa-kev, sorted newest first.
- Splunk Enterprise CVE-2026-20253: KEV Arbitrary File Creation via PostgreSQL Sidecar
CISA added Splunk Enterprise CVE-2026-20253 to KEV on 2026-06-18. The vulnerability allows an unauthenticated user to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint in affected Splunk Enterprise releases.
- Widget Factory Joomla Content Editor CVE-2026-48907: KEV Unauthenticated Profile Upload to PHP RCE
CISA added CVE-2026-48907 to KEV on 2026-06-16. JCE 2.9.99.5 and 2.9.99.6 fix an unauthenticated editor-profile upload flaw that can lead to PHP code execution on Joomla sites.
- Cisco Catalyst SD-WAN Manager CVE-2026-20262: KEV Path Traversal in the Management Plane
CISA added Cisco Catalyst SD-WAN Manager CVE-2026-20262 to KEV on 2026-06-15 with a 2026-06-29 due date. Cisco says authenticated attackers with at least write access can abuse a web-UI file-upload path traversal to create or overwrite files on affected systems across all SD-WAN deployment types.
- LiteSpeed cPanel Plugin CVE-2026-54420: KEV Symlink-Following Exposure in Shared Hosting
CISA added LiteSpeed cPanel Plugin CVE-2026-54420 to KEV on 2026-06-15 with a 2026-06-18 due date. LiteSpeed says v2.4.8, bundled with WHM Plugin v5.3.2.1, fixes a symlink-following flaw that can let a user with FTP or web shell access escalate to root on shared hosting servers running CloudLinux/CageFS.
- Oracle PeopleSoft CVE-2026-35273: KEV SSRF-to-RCE Zero-Day Exploitation
CISA added actively exploited Oracle PeopleSoft PeopleTools CVE-2026-35273 to KEV on 2026-06-12. The flaw affects PSEMHUB in versions 8.61 and 8.62 and allows unauthenticated remote code execution; it has been exploited by ShinyHunters.
- Ghost CMS CVE-2026-26980: Critical SQL Injection Leads to Admin Takeover and ClickFix Campaigns
Attackers are actively exploiting CVE-2026-26980, a critical SQL injection in the Ghost CMS Content API, to extract Admin API Keys. Stolen keys are used to inject malicious JavaScript into published articles, serving ClickFix social engineering payloads to website visitors.
- Ivanti Sentry CVE-2026-10520: KEV Pre-Auth OS Command Injection
CISA and Ivanti confirmed active exploitation of CVE-2026-10520, a critical pre-authentication OS command injection vulnerability in Ivanti Sentry. Attackers can execute arbitrary commands with root privileges by sending a crafted HTTP POST request to Sentry MICS APIs.
- Arista EOS CVE-2026-7473: KEV Tunneled Packet Decapsulation Bypass
CISA added actively exploited Arista EOS CVE-2026-7473 to KEV on 2026-06-09. Affected tunnel endpoints may decapsulate unexpected protocols sent to a configured decapsulation IP; Arista rates the issue Medium and provides configuration checks and ACL mitigations.
- Cisco Catalyst SD-WAN Manager CVE-2026-20245: KEV CLI Privilege Escalation to Root
CISA added CVE-2026-20245 to KEV on 2026-06-09. Cisco scopes the authenticated local command-injection flaw to Catalyst SD-WAN Controller, Manager, and Validator and lists fixed 20.18.3.1 and 26.1.1.2 releases as of 2026-06-10.
- Google Chromium V8 CVE-2026-11645: KEV Out-of-Bounds Execution in JavaScript Engine
Google fixed actively exploited CVE-2026-11645 in the June 8, 2026 Chrome desktop update. The V8 out-of-bounds memory flaw can allow code execution inside the browser sandbox through crafted HTML.
- Check Point Security Gateway CVE-2026-50751: KEV VPN Authentication Bypass
Check Point and CISA confirmed active exploitation of CVE-2026-50751, an IKEv1 Remote Access and Mobile Access authentication bypass. Check Point observed targeting from May 7, 2026, added campaign IOCs through June 10, and linked one post-compromise case to a Qilin ransomware affiliate.
- LiteLLM CVE-2026-42271: KEV Command Injection in AI Proxy Servers
CISA added BerriAI LiteLLM CVE-2026-42271 to its KEV catalog on 2026-06-08 due to active exploitation. This high-severity command injection vulnerability in MCP server preview endpoints allows authenticated (or unauthenticated, when chained with CVE-2026-48710) users to run arbitrary shell commands on the host proxy.
- Linux Kernel cgroups v1 Container Escape CVE-2022-0492 Added to KEV
CISA added the Linux Kernel cgroups v1 container escape vulnerability (CVE-2022-0492) to KEV on 2026-06-02. The flaw allows unprivileged container processes with CAP_SYS_ADMIN or uid 0 to write to cgroups release_agent files and execute code on the host, escaping the container namespace. System operators should audit host kernels, verify container capabilities, and disable unprivileged user namespaces.
- Mirasvit Cache Warmer CVE-2026-45247 Added to KEV
CISA added Mirasvit Cache Warmer for Magento 2 CVE-2026-45247 to KEV on 2026-06-03. Adobe Commerce and Magento operators should verify Cache Warmer versions, collect admin and web logs, and hunt for suspicious module and admin activity.
- SolarWinds Serv-U CVE-2026-28318: KEV Denial of Service Vulnerability in Managed File Transfer
CISA added SolarWinds Serv-U CVE-2026-28318 to KEV on 2026-06-05, indicating active exploitation. The high-severity vulnerability allows remote, unauthenticated attackers to cause a Denial of Service (DoS) by sending specially crafted HTTP POST requests with a Content-Encoding: deflate header. SolarWinds has released version 15.5.4 Hotfix 1 to address the flaw.
- Android Framework CVE-2025-48595: KEV Local Privilege Escalation
Google says Android Framework CVE-2025-48595 may be under limited, targeted exploitation. The high-severity integer-overflow issue affects Android 14, 15, 16, and 16 QPR2 and is addressed at the 2026-06-01 security patch level.
- cPanel & WHM CVE-2026-41940: KEV Authentication Bypass in Hosting Control Planes
CISA added WebPros cPanel & WHM and WP2 CVE-2026-41940 to KEV on 2026-04-30 and marks ransomware use as known. WebPros patched many cPanel branches and WP2 136.1.7, provided session-file IOC checks, and urged immediate update or service exposure reduction.
- Linux Copy Fail CVE-2026-31431: KEV Privilege Escalation on Shared Build Hosts
CISA added Linux kernel CVE-2026-31431 to KEV on 2026-05-01. Theori's Copy Fail research ties the bug to AF_ALG AEAD in-place operation and shows why shared CI runners, Kubernetes nodes, and multi-tenant Linux hosts need kernel patch proof or AF_ALG mitigation.
- Oracle WebLogic Server CVE-2024-21182: KEV Authentication Bypass
CISA added Oracle WebLogic Server CVE-2024-21182 to its KEV catalog on 2026-06-01 due to active exploitation. This high-severity authentication bypass vulnerability allows unauthenticated attackers with network access via T3 or IIOP protocols to compromise the server and gain unauthorized access to critical data.
- DAEMON Tools Lite CVE-2026-8398: Signed Installer Supply-Chain Compromise
CISA added DAEMON Tools Lite CVE-2026-8398 to KEV after the vendor confirmed unauthorized interference in its infrastructure and compromised DAEMON Tools Lite installation packages.
- PAN-OS CVE-2026-0257: GlobalProtect Authentication Bypass Added to KEV
CISA added PAN-OS CVE-2026-0257 to KEV on 2026-05-29 after limited exploitation of unpatched GlobalProtect portal and gateway configurations that use authentication override cookies.
- LiteSpeed cPanel Plugin CVE-2026-48172: Root Privilege Escalation
CISA added LiteSpeed User-End cPanel Plugin CVE-2026-48172 to KEV on 2026-05-26 with a 2026-05-29 due date. NVD and LiteSpeed now provide exact advisory links, affected version bounds, and the vendor log-check command for redisAble exploitation.
- Windows Shell CVE-2026-32202 KEV: Zero-Click NTLM Coercion
CVE-2026-32202 is an actively exploited Windows Shell protection-mechanism failure that Akamai traced to an incomplete patch for an APT28 LNK exploit chain, allowing zero-click NTLM authentication coercion when Explorer renders a malicious shortcut.
- Cisco Catalyst SD-WAN CVE-2026-20182: KEV Control-Plane Exposure
CISA added Cisco Catalyst SD-WAN CVE-2026-20182 to KEV on 2026-05-14. Cisco confirmed limited exploitation, published fixed releases, and documented vmanage-admin authentication and anomalous control-connection evidence for compromise review.
- Drupal Core CVE-2026-9082: KEV SQL Injection Exposure
CISA added Drupal Core CVE-2026-9082 to KEV on 2026-05-22. The exploitable surface is PostgreSQL-backed Drupal Core in affected 8.9.x, 10.x, and 11.x ranges; this article provides composer, settings, and telemetry scripts for exposure and closure.
- Langflow CVE-2025-34291: KEV Origin Validation Exposure
CISA added Langflow CVE-2025-34291 to KEV on 2026-05-21. The issue combines permissive CORS and credentialed refresh-token behavior; this article provides dependency, container, HTTP telemetry, and token-abuse audit scripts.
- Microsoft Defender CVE-2026-41091: KEV Engine EoP Exposure
CISA added Microsoft Defender CVE-2026-41091 to KEV on 2026-05-20. MSRC marks exploitation detected and gives the exact fixed Malware Protection Engine version 1.1.26040.8.
- Microsoft Defender CVE-2026-45498: KEV Platform DoS Exposure
CISA added Microsoft Defender CVE-2026-45498 to KEV on 2026-05-20. MSRC marks exploitation detected and gives the exact fixed Defender Antimalware Platform version 4.18.26040.7.
- Microsoft Exchange CVE-2026-42897: KEV OWA Mitigation Exposure
CISA added Exchange Server CVE-2026-42897 to KEV on 2026-05-15. MSRC marks exploitation detected and points to Exchange Emergency Mitigation Service mitigation ID M2 rather than a normal update table.
- PAN-OS CVE-2026-0300: Captive Portal Remote Root RCE
CISA added PAN-OS CVE-2026-0300 to KEV on 2026-05-06. The vulnerability involves an out-of-bounds write in the User-ID Authentication Portal (Captive Portal) affecting PA-Series and VM-Series firewalls, leading to unauthenticated remote root code execution; this article provides config audits and post-compromise triage scripts.
- Trend Micro Apex One CVE-2026-34926: KEV Server Build Exposure
CISA added Trend Micro Apex One CVE-2026-34926 to KEV on 2026-05-21. Trend Micro reports at least one in-the-wild attempt and fixed builds 17079, 18012, and 14.0.20731; this article provides build-export and agent-deployment audit scripts.