Vulnerability Intelligence Report — June 12, 2026

Coverage Period: June 1–12, 2026
Report Date: June 12, 2026
Vulnerabilities Tracked: 47
New CISA KEV Additions: 11
Critical/High Severity: 23
Actively Exploited (KEV + Reports): 8
Previous Report: June 1, 2026

Quick Reference

  • CVE-2026-10520 — Ivanti Sentry OS Command Injection (KEV, due Jun 14, max severity, exploited)
  • CVE-2026-35273 — Oracle PeopleSoft Zero-Day RCE (KEV candidate, ShinyHunters exploitation)
  • CVE-2026-50751 — Check Point Security Gateway Auth Bypass (KEV, due Jun 11, ransomware)
  • CVE-2026-5027 — Langflow Path Traversal (exploited in attacks)
  • CVE-2026-42271 — BerriAI LiteLLM Command Injection (KEV, due Jun 22)
  • CVE-2026-20245 — Cisco Catalyst SD-WAN Manager Privesc (KEV, due Jun 23)
  • CVE-2026-11645 — Google Chromium V8 OOB R/W (KEV, due Jun 23, affects Chrome/Edge/Opera)
  • CVE-2026-7473 — Arista EOS Tunneling Flaw (KEV, due Jun 23)
  • CVE-2026-28318 — SolarWinds Serv-U DoS (KEV, due Jun 19)
  • CVE-2026-45247 — Mirasvit Cache Warmer Deserialization RCE (KEV, due Jun 6)
  • CVE-2026-5497 — vLLM Unbounded Frame DoS (HIGH, AI/ML infrastructure)
  • Spring Framework / Spring Security / Spring Data / Spring WS / Spring GraphQL / Spring Boot / Spring AMQP — 30+ CVEs (multiple HIGH/CRITICAL)
  • GitLab — 8 CVEs (CVE-2026-6552, 10087, 6976, 6277, 6269, 3553, 1500, 10733)
  • CVE-2026-4764 — Google Cloud Dialogflow CX Privilege Escalation (CRITICAL)
  • CVE-2026-44716 — Pipecat AI Framework Path Traversal (HIGH)

Individual Vulnerability Analysis

1. CVE-2026-10520 — Ivanti Sentry OS Command Injection (CISA KEV)

Software Affected: Ivanti Sentry (formerly MobileIron Sentry) — all versions prior to patched release
CVE: CVE-2026-10520
Fixable: Yes — vendor patch available
Business Impact: CRITICAL. Unauthenticated remote code execution as root on internet-exposed Sentry appliances. Active exploitation confirmed. Allows full compromise of mobile gateway infrastructure.
How to Fix: Apply vendor patch per Ivanti Security Advisory. Ensure mTLS with EPMM or restricted HTTPS via Neurons for MDM.
Recommended Action: Patch immediately. CISA KEV action due June 14, 2026 (BOD 26-04: 3-day patch window for critical). If patching not possible, disconnect from internet immediately.
Official Source: CISA KEV Entry | Ivanti Advisory

2. CVE-2026-35273 — Oracle PeopleSoft Zero-Day RCE (Active Exploitation)

Software Affected: Oracle PeopleSoft Suite
CVE: CVE-2026-35273
Fixable: Yes — Oracle has released mitigations
Business Impact: CRITICAL. Unauthenticated remote code execution. Actively exploited by ShinyHunters in data theft campaigns. Direct path to sensitive HR/financial data.
How to Fix: Apply Oracle’s mitigations per vendor guidance. Review PeopleSoft access logs for indicators of compromise.
Recommended Action: Emergency patch. Treat as KEV-equivalent. ShinyHunters is a known data extortion group — assume breach if unpatched.
Official Source: BleepingComputer Report | Oracle Security Alert (pending)

3. CVE-2026-50751 — Check Point Security Gateway Authentication Bypass (CISA KEV, Ransomware)

Software Affected: Check Point Security Gateway (IKEv1 VPN)
CVE: CVE-2026-50751
Fixable: Yes — hotfix available (SK185033)
Business Impact: CRITICAL. Unauthenticated remote attacker can bypass authentication and establish VPN connection. Known ransomware campaign use. CISA KEV action due June 11, 2026 (deadline passed).
How to Fix: Apply Check Point Hotfix SK185033. Disable IKEv1 if not required.
Recommended Action: Immediate remediation required. Deadline has passed. Disable IKEv1 VPN immediately if patch not yet applied. Review VPN logs for unauthorized connections.
Official Source: CISA KEV Entry | Check Point Blog

4. CVE-2026-5027 — Langflow Path Traversal (Active Exploitation)

Software Affected: Langflow (AI development platform)
CVE: CVE-2026-5027
Fixable: Yes — update to latest version
Business Impact: HIGH. Path traversal allows arbitrary file write on exposed servers. Active exploitation reported. AI/ML development environments increasingly targeted.
How to Fix: Upgrade Langflow to patched version. Restrict network access to trusted IPs only.
Recommended Action: Patch immediately. AI dev platforms are high-value targets for supply chain attacks.
Official Source: BleepingComputer Report

5. CVE-2026-42271 — BerriAI LiteLLM Command Injection (CISA KEV)

Software Affected: BerriAI LiteLLM (open-source LLM gateway)
CVE: CVE-2026-42271
Fixable: Yes — upgrade to v1.83.7-stable or later
Business Impact: HIGH. Any authenticated user (including low-privilege internal keys) can execute arbitrary commands on host. Widely deployed in AI/ML stacks.
How to Fix: Upgrade to v1.83.7-stable.
Recommended Action: Patch by June 22, 2026 (CISA KEV due date). Audit internal API keys for compromise.
Official Source: CISA KEV Entry | GitHub Advisory

6. CVE-2026-20245 — Cisco Catalyst SD-WAN Manager Privilege Escalation (CISA KEV)

Software Affected: Cisco Catalyst SD-WAN Manager (formerly vManage)
CVE: CVE-2026-20245
Fixable: Yes — vendor patch available
Business Impact: HIGH. Authenticated local attacker can execute arbitrary commands as root via crafted file upload. Affects network management plane.
How to Fix: Apply patch per Cisco Advisory.
Recommended Action: Patch by June 23, 2026 (CISA KEV due date). Restrict SD-WAN Manager access to trusted administrators only.
Official Source: CISA KEV Entry | Cisco Advisory

7. CVE-2026-11645 — Google Chromium V8 Out-of-Bounds Read/Write (CISA KEV)

Software Affected: Google Chrome, Microsoft Edge, Opera, and all Chromium-based browsers
CVE: CVE-2026-11645
Fixable: Yes — browser auto-update
Business Impact: HIGH. Remote code execution inside sandbox via crafted HTML page. Broad attack surface across enterprise endpoints.
How to Fix: Ensure browsers auto-update to latest stable channel. Chrome Stable Update.
Recommended Action: Verify fleet compliance by June 23, 2026 (CISA KEV due date). Deploy via endpoint management if auto-update disabled.
Official Source: CISA KEV Entry | Chrome Releases Blog

8. CVE-2026-7473 — Arista EOS Tunneling Decapsulation Flaw (CISA KEV)

Software Affected: Arista Extensible Operating System (EOS)
CVE: CVE-2026-7473
Fixable: Yes — vendor patch available
Business Impact: HIGH. Switch incorrectly decapsulates and forwards unexpected tunneled packets, potentially bypassing network segmentation.
How to Fix: Apply patch per Arista Security Advisory 0137.
Recommended Action: Patch by June 23, 2026 (CISA KEV due date). Review network segmentation controls.
Official Source: CISA KEV Entry | Arista Advisory

9. CVE-2026-28318 — SolarWinds Serv-U Uncontrolled Resource Consumption (CISA KEV)

Software Affected: SolarWinds Serv-U File Server
CVE: CVE-2026-28318
Fixable: Yes — upgrade to 15.5.4 Hotfix 1 or later
Business Impact: MEDIUM-HIGH. Unauthenticated DoS via crafted POST with Content-Encoding: deflate. Crashes Serv-U service.
How to Fix: Upgrade per SolarWinds Release Notes.
Recommended Action: Patch by June 19, 2026 (CISA KEV due date). Monitor for service crashes.
Official Source: CISA KEV Entry | SolarWinds Advisory

10. CVE-2026-45247 — Mirasvit Full Page Cache Warmer Deserialization RCE (CISA KEV)

Software Affected: Mirasvit Full Page Cache Warmer (Magento/Adobe Commerce extension)
CVE: CVE-2026-45247
Fixable: Yes — update extension
Business Impact: CRITICAL. Unauthenticated RCE via crafted serialized PHP object in CacheWarmer cookie. E-commerce platforms at high risk.
How to Fix: Update per Mirasvit Changelog.
Recommended Action: Urgent — CISA KEV due date was June 6, 2026 (passed). Patch immediately or disable extension.
Official Source: CISA KEV Entry | Mirasvit Changelog

11. CVE-2026-5497 — vLLM Unbounded Frame DoS (HIGH)

Software Affected: vLLM 0.8.0+ (LLM inference server)
CVE: CVE-2026-5497
Fixable: Patch pending — monitor vendor
Business Impact: HIGH. OOM DoS via unbounded JPEG frame processing in video/jpeg data URLs. Reachable via OpenAI-compatible API without auth. AI inference infrastructure at risk.
How to Fix: Await vendor patch. Mitigate: implement request size limits, WAF rules for multipart base64 payloads.
Recommended Action: Implement mitigations now. AI/ML serving infrastructure is a high-value target.
Official Source: Tenable CVE Entry
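The vLLM entry recommends request size limits as an interim mitigation. The following is an added example, not vLLM project code, of a pre-filter that a gateway or middleware in front of an OpenAI-compatible endpoint could apply: it caps the JSON body, counts embedded data: URLs anywhere in the request, and estimates each one's decoded size from the base64 length before anything is decoded. The request shape (messages, content parts, image_url/video_url objects) follows the OpenAI chat format; the thresholds, the part-type names for video and the sample request are assumptions constructed for the example.

```python
"""Added example (not vLLM project code): size-limit pre-filter for an
OpenAI-compatible chat request carrying embedded media as data: URLs.
All thresholds below are assumed values, not vendor guidance."""
import base64
import json
import re

MAX_BODY_BYTES = 8 * 1024 * 1024        # assumed cap on the whole JSON body
MAX_DATA_URL_DECODED = 2 * 1024 * 1024  # assumed cap per embedded media item
MAX_MEDIA_ITEMS = 4                     # assumed cap on embedded items per request

# data:<mime>[;params],<payload>   (params may include ;base64)
_DATA_URL = re.compile(r"^data:(?P<mime>[\w.+-]+/[\w.+-]+)(;[^,]*)?,(?P<payload>.*)$", re.S)


def decoded_size(data_url):
    """Estimate decoded byte length of a data: URL without decoding it.
    Returns None when the URL is not a well-formed data: URL."""
    m = _DATA_URL.match(data_url)
    if not m:
        return None
    header, payload = data_url.split(",", 1)
    if ";base64" not in header:
        return len(payload)  # non-base64 payload: raw length is an upper bound
    stripped = payload.rstrip("=")
    return len(stripped) * 3 // 4  # exact for canonical base64


def iter_strings(obj):
    """Yield every string value anywhere in a decoded JSON document."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from iter_strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from iter_strings(v)


def check_request(raw_body):
    """Return (allowed, reason). Rejects oversize requests before any media
    is handed to the inference server."""
    if len(raw_body) > MAX_BODY_BYTES:
        return False, "body exceeds MAX_BODY_BYTES"
    try:
        body = json.loads(raw_body)
    except ValueError:
        return False, "body is not valid JSON"
    media = [s for s in iter_strings(body) if s.startswith("data:")]
    if len(media) > MAX_MEDIA_ITEMS:
        return False, f"{len(media)} embedded media items > {MAX_MEDIA_ITEMS}"
    for s in media:
        size = decoded_size(s)
        if size is None:
            return False, "malformed data: URL"
        if size > MAX_DATA_URL_DECODED:
            return False, f"embedded media decodes to ~{size} bytes > {MAX_DATA_URL_DECODED}"
    return True, "ok"


def make_request(mime, payload_bytes):
    """Constructed helper: build an OpenAI-style chat request with one
    data: URL part. The 'video_url' part name is an assumption."""
    url = f"data:{mime};base64," + base64.b64encode(payload_bytes).decode()
    part = "video_url" if mime.startswith("video/") else "image_url"
    return json.dumps({"model": "example-model", "messages": [{"role": "user", "content": [
        {"type": "text", "text": "describe this"},
        {"type": part, part: {"url": url}},
    ]}]}).encode()


if __name__ == "__main__":
    print(check_request(make_request("image/jpeg", b"\xff\xd8" * 100)))
    print(check_request(make_request("video/jpeg", b"\x00" * (MAX_DATA_URL_DECODED + 1))))
```

The size estimate is deliberately computed from the base64 text length rather than by decoding, so the filter itself cannot be turned into the memory sink it is meant to prevent; a WAF rule on the same endpoint would express the same two limits (body length and base64 run length).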

12. Spring Ecosystem — 30+ CVEs (Multiple HIGH/CRITICAL)

Software Affected: Spring Framework, Spring Security, Spring Data, Spring Web Services, Spring GraphQL, Spring Boot, Spring AMQP, Spring for Apache Kafka/Pulsar, Spring Authorization Server, Spring REST Docs
CVEs: CVE-2026-41694 through CVE-2026-41856, CVE-2026-40988 through CVE-2026-41732, CVE-2026-41000 through CVE-2026-41008, CVE-2026-41700 through CVE-2026-41701, CVE-2026-41714 through CVE-2026-41731, CVE-2026-41716 through CVE-2026-41729, CVE-2026-41856 through CVE-2026-41699
Fixable: Yes — upgrade to patched versions per component
Business Impact: HIGH to CRITICAL. Vulnerabilities include: SpEL injection (RCE), unsafe deserialization (RCE), SSRF, XXE, authentication bypass, open redirect, DoS, information disclosure. Ubiquitous in Java enterprise applications.
How to Fix: Upgrade each affected Spring module to patched versions. See Spring Security Advisories.
Recommended Action: Inventory all Spring dependencies and prioritize patching. SpEL injection and deserialization CVEs pose highest risk.
Official Source: Spring Security Advisories | NVD Search

13. GitLab — 8 CVEs (HIGH/CRITICAL)

Software Affected: GitLab CE/EE versions prior to 18.10.8, 18.11.5, 19.0.2
CVEs: CVE-2026-6552 (Account takeover via SAML), CVE-2026-10087 (XSS in Analytics), CVE-2026-6976 (Merge request diff manipulation), CVE-2026-6277 (Security config bypass), CVE-2026-6269 (Hidden MR modification), CVE-2026-3553 (Confidential issue access), CVE-2026-1500 (DoS via file upload), CVE-2026-10733 (CI/CD Catalog DoS)
Fixable: Yes — upgrade to 18.10.8, 18.11.5, or 19.0.2
Business Impact: HIGH. Account takeover, XSS, authorization bypass, DoS. Source code and CI/CD pipelines at risk.
How to Fix: Upgrade GitLab per GitLab Releases.
Recommended Action: Patch GitLab instances immediately. CVE-2026-6552 (account takeover) and CVE-2026-10087 (XSS) are highest priority.
Official Source: Tenable CVE Feed | GitLab Release Notes

14. CVE-2026-4764 — Google Cloud Dialogflow CX Privilege Escalation (CRITICAL)

Software Affected: Dialogflow CX on Google Cloud Platform
CVE: CVE-2026-4764
Fixable: Yes — patched by Google on March 15, 2026 (no customer action needed)
Business Impact: CRITICAL. Missing authorization in playbook import allows authenticated user to escalate privileges and potentially take over GCP project.
How to Fix: Already patched by Google. Verify no anomalous playbook imports in audit logs.
Recommended Action: Review GCP audit logs for suspicious playbook import activity prior to March 15, 2026.
Official Source: Tenable CVE Entry

15. CVE-2026-44716 — Pipecat AI Framework Path Traversal (HIGH)

Software Affected: Pipecat (real-time voice/multimodal AI framework) versions 0.0.90 to < 1.2.0
CVE: CVE-2026-44716
Fixable: Yes — upgrade to 1.2.0+
Business Impact: HIGH. Unauthenticated arbitrary file read via path traversal in dev runner (--folder flag). Exposes SSH keys, credentials, system files. AI development environments targeted.
How to Fix: Upgrade to Pipecat 1.2.0. Never expose dev runner to untrusted networks.
Recommended Action: Patch immediately. AI dev tools are emerging attack surface.
Official Source: Tenable CVE Entry | GitHub Advisory
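Both the Langflow entry (arbitrary file write) and the Pipecat entry (arbitrary file read under a --folder base directory) belong to the path traversal class. The following added example, which is not code from either project, shows the containment check a file-serving or file-writing endpoint needs so that a user-supplied relative path can never leave its base directory: both sides are resolved to their symlink-free absolute form and the candidate must be a descendant of the base. The directory layout and sample paths are constructed for the demonstration.

```python
"""Added example (not Langflow or Pipecat project code): confine a
user-supplied path to a base directory, rejecting '..' segments, absolute
paths and symlinks that point outside. Sample tree is constructed."""
import os
import tempfile
from pathlib import Path


class TraversalError(ValueError):
    """Raised when a requested path would resolve outside the base directory."""


def resolve_inside(base_dir, user_path):
    """Return the absolute path of user_path under base_dir, or raise
    TraversalError. Comparing resolved paths (symlinks followed) is what
    defeats a symlink placed inside the tree that points above it."""
    base = Path(base_dir).resolve()
    if Path(user_path).is_absolute():
        raise TraversalError(f"absolute path rejected: {user_path!r}")
    # resolve() on a not-yet-existing target (the file-write case) resolves
    # the existing prefix and appends the rest, which is what we want.
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise TraversalError(f"path escapes {base}: {user_path!r}") from None
    return candidate


def demo():
    """Build a throwaway tree and exercise the check; returns {input: outcome}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        base = Path(d) / "bot"
        base.mkdir()
        (base / "config.json").write_text("{}")
        os.symlink(d, base / "up")  # symlink inside the tree pointing above it
        for p in ["config.json", "../secret.txt", "a/../../x", "/etc/passwd", "up/secret.txt"]:
            try:
                inside = resolve_inside(base, p).relative_to(base.resolve())
                results[p] = "allowed:" + str(inside)
            except TraversalError:
                results[p] = "rejected"
    return results


if __name__ == "__main__":
    for path, outcome in demo().items():
        print(f"{path!r:20} -> {outcome}")
```

The check is placed after resolution rather than on the raw string because string filters for ".." miss encoded variants and symlinks; a resolved-prefix comparison is the one test that covers all of them.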

KEV Deadline Watch

CVE             | Vendor/Product               | KEV Added  | Action Due | Days Remaining | Status
CVE-2026-10520  | Ivanti Sentry                | 2026-06-11 | 2026-06-14 | 2              | URGENT
CVE-2026-50751  | Check Point Security Gateway | 2026-06-08 | 2026-06-11 | PASSED         | OVERDUE
CVE-2026-45247  | Mirasvit Cache Warmer        | 2026-06-03 | 2026-06-06 | PASSED         | OVERDUE
CVE-2026-28318  | SolarWinds Serv-U            | 2026-06-05 | 2026-06-19 | 7              | PENDING
CVE-2026-42271  | BerriAI LiteLLM              | 2026-06-08 | 2026-06-22 | 10             | PENDING
CVE-2026-20245  | Cisco SD-WAN Manager         | 2026-06-09 | 2026-06-23 | 11             | PENDING
CVE-2026-7473   | Arista EOS                   | 2026-06-09 | 2026-06-23 | 11             | PENDING
CVE-2026-11645  | Google Chromium V8           | 2026-06-09 | 2026-06-23 | 11             | PENDING
CVE-2026-48027  | Nx Console                   | 2026-05-27 | 2026-06-10 | PASSED         | OVERDUE (ransomware)
CVE-2026-0257   | Palo Alto PAN-OS             | 2026-05-29 | 2026-06-01 | PASSED         | OVERDUE

Note: BOD 26-04 (announced June 11) mandates 3-day patching for critical exploited vulnerabilities for FCEB agencies. CVE-2026-10520 falls under this accelerated timeline.
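The Days Remaining and Status columns above are derived from the KEV feed's dateAdded and dueDate fields and the report date. As an added example, not part of the report's own tooling, the script below computes those columns from records in the shape of CISA's public KEV JSON feed (the field names cveID, vendorProject, product, dateAdded, dueDate and knownRansomwareCampaignUse are the feed's own). The records are constructed from four rows of the table rather than fetched, and the URGENT threshold of three days is an assumption chosen to match the BOD 26-04 window noted above.

```python
"""Added example (not the report's tooling): compute a KEV deadline watch
from CISA KEV JSON records. Sample records are constructed from this
report's table; in practice they come from the feed at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"""
import json
from datetime import date

REPORT_DATE = date(2026, 6, 12)
URGENT_WITHIN_DAYS = 3  # assumed threshold, aligned with the BOD 26-04 3-day window

# Constructed sample in the feed's structure (four of the table's rows).
SAMPLE_KEV = {
    "vulnerabilities": [
        {"cveID": "CVE-2026-10520", "vendorProject": "Ivanti", "product": "Sentry",
         "dateAdded": "2026-06-11", "dueDate": "2026-06-14",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-28318", "vendorProject": "SolarWinds", "product": "Serv-U",
         "dateAdded": "2026-06-05", "dueDate": "2026-06-19",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-20245", "vendorProject": "Cisco", "product": "SD-WAN Manager",
         "dateAdded": "2026-06-09", "dueDate": "2026-06-23",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-48027", "vendorProject": "Nx", "product": "Console",
         "dateAdded": "2026-05-27", "dueDate": "2026-06-10",
         "knownRansomwareCampaignUse": "Known"},
    ]
}


def days_remaining(due, today=REPORT_DATE):
    """Signed number of days until the due date; negative once overdue."""
    return (date.fromisoformat(due) - today).days


def status_for(entry, today=REPORT_DATE, urgent_within=URGENT_WITHIN_DAYS):
    """Classify one KEV entry: OVERDUE / URGENT / PENDING, flagging ransomware
    use on overdue items the way the table does."""
    left = days_remaining(entry["dueDate"], today)
    if left < 0:
        label = "OVERDUE"
    elif left <= urgent_within:
        label = "URGENT"
    else:
        label = "PENDING"
    if label == "OVERDUE" and entry.get("knownRansomwareCampaignUse") == "Known":
        label += " (ransomware)"
    return label


def deadline_watch(feed, today=REPORT_DATE):
    """Rows of (cveID, vendor/product, dueDate, days column, status),
    soonest due first, from a feed-shaped dict."""
    rows = []
    for v in feed["vulnerabilities"]:
        left = days_remaining(v["dueDate"], today)
        rows.append((v["cveID"], f'{v["vendorProject"]} {v["product"]}', v["dueDate"],
                     "PASSED" if left < 0 else str(left), status_for(v, today)))
    rows.sort(key=lambda r: r[2])
    return rows


def load_feed(path):
    """Load a saved copy of the KEV JSON feed from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for cve, product, due, days, status in deadline_watch(SAMPLE_KEV):
        print(f"{cve:16} {product:24} {due}  {days:>6}  {status}")
```

Running it against a full saved feed (load_feed, then deadline_watch) and filtering rows whose dateAdded falls inside the coverage period reproduces the table for the whole catalog rather than the curated subset shown here.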

Updates on Previous Reports

  • CVE-2026-0257 (Palo Alto PAN-OS Auth Bypass): KEV action deadline (Jun 1) has passed. Dedicated advisory post published: CVE-2026-0257 Advisory.
  • CVE-2026-48027 (Nx Console Malicious Code): KEV action deadline (Jun 10) has passed. Known ransomware campaign use. Dedicated advisory post published: CVE-2026-48027 Advisory. Any developer who installed v18.95.0 during the ~18–36 minute exposure window should rotate all credentials.
  • CVE-2026-50751 (Check Point IKEv1): Deadline passed (Jun 11). Active ransomware exploitation. Immediate patching or IKEv1 disablement required.
  • CVE-2026-45247 (Mirasvit Cache Warmer): Deadline passed (Jun 6). Unauthenticated RCE in e-commerce extension. Patch or disable immediately.
  • Spring Framework CVEs: June 1 report noted Spring advisories; this period adds 30+ new CVEs across the entire Spring portfolio. See Section 12 above.

Sources

  • CISA Known Exploited Vulnerabilities Catalog (JSON feed)
  • NVD API (CVE search, June 1–12, 2026)
  • Security.nl (Dutch security advisories)
  • The Hacker News
  • BleepingComputer (Vulnerability tag)
  • CybersecurityNews.com
  • Cybersecurity Dive
  • Tenable CVE Newest Feed (pages 1–5)
  • Vendor advisories: Ivanti, Oracle, Check Point, Cisco, Google, Arista, SolarWinds, Mirasvit, GitLab, Spring.io, BerriAI, Langflow, Pipecat, vLLM

This report is part of the daily Vulnerability Intelligence series on threat-modeling.com. Category: Vulnerability Intelligence (ID: 24). Author: nick. Featured illustration: custom dark-blue SVG (1200×630) rendered to PNG via qlmanage and uploaded as featured media. Next report: June 13, 2026.