Threat Modeling and Security by Design

Critical Vulnerability — CVSS 9.8 CVE-2026-8935 is a critical-severity unauthenticated AJAX vulnerability in the WP MAPS PRO WordPress plugin. CVSS Score: 9.8 (Critical) | Attack Complexity: Low | Privileges Required: None Exploitation is trivial. A valid nonce is exposed on every frontend page, allowing any unauthenticated visitor to execute privileged AJAX actions remotely. CVE-2026-8935 is a critical-severity unauthenticated AJAX vulnerability affecting the WP MAPS…

CISA Known Exploited Vulnerability CVE-2026-20262 has been added to the CISA Known Exploited Vulnerabilities (KEV) Catalog. Date Added: June 15, 2026 | Due Date: June 29, 2026 Federal agencies and organisations following CISA Binding Operational Directive (BOD) 22-01 must remediate this vulnerability by the due date. This vulnerability is being actively exploited in the wild. CVE-2026-20262 is a high-severity path traversal vulnerability in Cisco…

OptinMonster, the popular lead-generation and conversion optimization WordPress plugin with over 1.4 million active installations, has been compromised in a CDN supply-chain attack that also affected sibling products TrustPulse and PushEngage. The attack, discovered by e-commerce security firm Sansec over the weekend of June 13-14, 2026, allowed threat actors to inject malicious JavaScript into websites by compromising the parent company Awesome Motive’s content distribution…

SummaryA critical vulnerability has been disclosed in the SimpleHelp remote support platform that allows unauthenticated attackers to create rogue administrator accounts. This flaw enables complete takeover of the SimpleHelp server and all connected client machines.Affected ProductSimpleHelp – Remote support and remote access platform (all versions prior to the patched release)Vulnerability DetailsThe vulnerability resides in the administrator account creation mechanism. Due to insufficient access controls,…

Vulnerability Intelligence Report — June 16, 2026 Coverage: June 1–16, 2026 | Total CISA KEV additions (period): 14 | New KEVs yesterday: 2 | Oracle PeopleSoft deadline passed (June 15) | Next KEV deadline: LiteSpeed cPanel (June 18) | Overdue KEVs: 7 Previous reports: June 15, 2026 | June 14, 2026 Today — Tuesday, June 16, 2026 — marks the start of a new…

Overview CVE-2026-12191 is a high-severity insecure deserialization vulnerability in Comma AI Openpilot, an open-source autonomous driving research platform. The vulnerability exists in the modeld.py module, which uses Python’s pickle.load() and pickle.loads() to deserialize untrusted data without any validation or sanitization. A local attacker with access to the system can craft a malicious pickle payload to achieve arbitrary code execution in the context of the…