#zero-day
20 analyses tagged zero-day, sorted newest first.
- Cisco Catalyst SD-WAN Manager CVE-2026-20262: KEV Path Traversal in the Management Plane
CISA added Cisco Catalyst SD-WAN Manager CVE-2026-20262 to KEV on 2026-06-15 with a 2026-06-29 due date. Cisco says authenticated attackers with at least write access can abuse a web-UI file-upload path traversal to create or overwrite files on affected systems across all SD-WAN deployment types.
- LiteSpeed cPanel Plugin CVE-2026-54420: KEV Symlink-Following Exposure in Shared Hosting
CISA added LiteSpeed cPanel Plugin CVE-2026-54420 to KEV on 2026-06-15 with a 2026-06-18 due date. LiteSpeed says v2.4.8, bundled with WHM Plugin v5.3.2.1, fixes a symlink-following flaw that can let a user with FTP or web shell access escalate to root on shared hosting servers running CloudLinux/CageFS.
- Oracle PeopleSoft CVE-2026-35273: KEV SSRF-to-RCE Zero-Day Exploitation
CISA added actively exploited Oracle PeopleSoft PeopleTools CVE-2026-35273 to KEV on 2026-06-12. Affects PSEMHUB in versions 8.61 and 8.62, allowing unauthenticated remote code execution exploited by ShinyHunters.
- Cisco Catalyst SD-WAN Manager CVE-2026-20245: KEV CLI Privilege Escalation to Root
CISA added CVE-2026-20245 to KEV on 2026-06-09. Cisco scopes the authenticated local command-injection flaw to Catalyst SD-WAN Controller, Manager, and Validator and lists 20.18.3.1 and 26.1.1.2 as the fixed releases as of 2026-06-10.
- Google Chromium V8 CVE-2026-11645: KEV Out-of-Bounds Execution in JavaScript Engine
Google fixed actively exploited CVE-2026-11645 in the June 8, 2026 Chrome desktop update. The V8 out-of-bounds memory flaw can allow code execution inside the browser sandbox through crafted HTML.
- LiteLLM CVE-2026-42271: KEV Command Injection in AI Proxy Servers
CISA added BerriAI LiteLLM CVE-2026-42271 to its KEV catalog on 2026-06-08 due to active exploitation. This high-severity command injection vulnerability in MCP server preview endpoints allows authenticated (or unauthenticated, when chained with CVE-2026-48710) users to run arbitrary shell commands on the host proxy.
- Android Framework CVE-2025-48595: KEV Local Privilege Escalation
Google says Android Framework CVE-2025-48595 may be under limited, targeted exploitation. The high-severity integer-overflow issue affects Android 14, 15, 16, and 16 QPR2 and is addressed at the 2026-06-01 security patch level.
- cPanel & WHM CVE-2026-41940: KEV Authentication Bypass in Hosting Control Planes
CISA added WebPros cPanel & WHM and WP2 CVE-2026-41940 to KEV on 2026-04-30 and marks ransomware use as known. WebPros patched many cPanel branches and WP2 136.1.7, provided session-file IOC checks, and urged customers to update immediately or reduce the service's exposure.
- Linux Copy Fail CVE-2026-31431: KEV Privilege Escalation on Shared Build Hosts
CISA added Linux kernel CVE-2026-31431 to KEV on 2026-05-01. Theori's Copy Fail research ties the bug to AF_ALG AEAD in-place operation and shows why shared CI runners, Kubernetes nodes, and multi-tenant Linux hosts need proof of kernel patching or an AF_ALG mitigation.
- Oracle WebLogic Server CVE-2024-21182: KEV Authentication Bypass
CISA added Oracle WebLogic Server CVE-2024-21182 to its KEV catalog on 2026-06-01 due to active exploitation. This high-severity authentication bypass vulnerability allows unauthenticated attackers with network access via T3 or IIOP protocols to compromise the server and gain unauthorized access to critical data.
- PAN-OS CVE-2026-0257: GlobalProtect Authentication Bypass Added to KEV
CISA added PAN-OS CVE-2026-0257 to KEV on 2026-05-29 after limited exploitation of unpatched GlobalProtect portal and gateway configurations that use authentication override cookies.
- LiteSpeed cPanel Plugin CVE-2026-48172: Root Privilege Escalation
CISA added LiteSpeed User-End cPanel Plugin CVE-2026-48172 to KEV on 2026-05-26 with a 2026-05-29 due date. NVD and LiteSpeed now provide exact advisory links, affected version bounds, and the vendor log-check command for redisAble exploitation.
- Windows Shell CVE-2026-32202 KEV: Zero-Click NTLM Coercion
CVE-2026-32202 is an actively exploited Windows Shell protection-mechanism failure that Akamai traced to an incomplete patch for an APT28 LNK exploit chain, allowing zero-click NTLM authentication coercion when Explorer renders a malicious shortcut.
- Chromium Background Fetch Zero-Day: Persistent Service Worker Exposure
A public Chromium Background Fetch proof of concept showed that a service worker could repeatedly start background fetches after a malicious page visit. Chromium restricted BackgroundFetchManager.fetch() from service-worker contexts on May 21, 2026; downstream deployment remained browser- and channel-specific through June 10.
- Cisco Catalyst SD-WAN CVE-2026-20182: KEV Control-Plane Exposure
CISA added Cisco Catalyst SD-WAN CVE-2026-20182 to KEV on 2026-05-14. Cisco confirmed limited exploitation, published fixed releases, and documented vmanage-admin authentication and anomalous control-connection evidence for compromise review.
- Microsoft Exchange CVE-2026-42897: KEV OWA Mitigation Exposure
CISA added Exchange Server CVE-2026-42897 to KEV on 2026-05-15. MSRC marks exploitation detected and points to Exchange Emergency Mitigation Service mitigation ID M2 rather than a normal update table.
- PAN-OS CVE-2026-0300: Captive Portal Remote Root RCE
CISA added PAN-OS CVE-2026-0300 to KEV on 2026-05-06. The vulnerability involves an out-of-bounds write in the User-ID Authentication Portal (Captive Portal) affecting PA-Series and VM-Series firewalls, leading to unauthenticated remote root code execution; this article provides config audits and post-compromise triage scripts.
- Starlette CVE-2026-48710: BadHost Authentication Bypass
Starlette CVE-2026-48710 (BadHost) is a Host-header URL reconstruction flaw fixed in Starlette 1.0.1. New OSTIF, X41, Tenable, and BadHost scanner sources clarify that the highest-risk deployments are FastAPI/Starlette/LLM services whose middleware makes security decisions from request.url.path.
- Trend Micro Apex One CVE-2026-34926: KEV Server Build Exposure
CISA added Trend Micro Apex One CVE-2026-34926 to KEV on 2026-05-21. Trend Micro reports at least one in-the-wild attempt and fixed builds 17079, 18012, and 14.0.20731; this article provides build-export and agent-deployment audit scripts.
- Windows cldflt.sys Zero-Day: MiniPlasma Kernel LPE
MiniPlasma is a public Windows cldflt.sys Cloud Filter driver LPE proof of concept that BleepingComputer tested on fully patched Windows 11 Pro with May 2026 updates. The article now replaces generic secondary sourcing with exact reporting and narrows the claim to local SYSTEM escalation.