Vulnerability Intelligence Report — June 13, 2026
Coverage: June 1–13, 2026 | New CISA KEV additions (period): 12 | New KEV since yesterday: 1 | KEV deadlines this weekend: 2 | BOD 26-04 3-day mandate in effect
Previous reports: June 12, 2026 | June 11, 2026
Today — June 13, 2026 — carries two urgent weekend KEV deadlines: Ivanti Sentry CVE-2026-10520 (tomorrow, June 14) and Oracle PeopleSoft CVE-2026-35273 (Sunday, June 15), the latter newly added to the CISA KEV catalog yesterday with confirmed ransomware campaign use and active ShinyHunters exploitation. Under CISA’s new BOD 26-04, both carry a 3-day mandatory patch window for federal agencies. Meanwhile, a critical authentication bypass in the UpdraftPlus WordPress plugin (millions of installations) enables unauthenticated remote code execution, and over 400 Arch Linux AUR packages have been compromised to distribute rootkits and infostealers. The Spring ecosystem added 5 new CVEs this period, and GitLab published 4 additional advisories.
Quick Reference — Most Important Items Today
Oracle PeopleSoft: CVE-2026-35273 (NEW CISA KEV, ransomware, ShinyHunters exploitation, deadline Sunday June 15)
Ivanti Sentry: CVE-2026-10520 (CISA KEV DEADLINE TOMORROW June 14, actively exploited, BOD 26-04 3-day mandate)
UpdraftPlus: CVE-2026-10795 (auth bypass → RCE, unauthenticated, millions of WordPress installations affected)
Arch Linux AUR: 400+ packages compromised with rootkit and infostealer — audit all Arch-based systems now
Apinizer: CVE-2026-11561 (CVSS 9.8, expression language injection, API management platform)
Spring ecosystem: 5 new CVEs (Integration FTP write, WS BSP bypass, Web Flow EL injection, Boot mail, WS hardening items)
GitLab: 4 new CVEs (SSRF via Gitaly, DoS via API, email injection, Service Desk impersonation)
Overdue KEV: Check Point CVE-2026-50751 (+2 days, active ransomware) | Mirasvit CVE-2026-45247 (+7 days) | PAN-OS CVE-2026-0257 (+12 days) | Nx Console CVE-2026-48027 (+3 days)
Oracle PeopleSoft — CVE-2026-35273 (NEW CISA KEV, Ransomware, Deadline Sunday)
Software affected: Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62.
CVE: CVE-2026-35273 | CISA KEV added June 12 — deadline Sunday June 15, 2026 | CVSS 9.8 | Missing authentication for critical function enables complete PeopleSoft takeover via HTTP | Known ransomware campaign use | Actively exploited by ShinyHunters in data theft attacks targeting HR, payroll, and financial data.
Status: This vulnerability was escalated from “KEV candidate” to confirmed CISA KEV yesterday. Oracle has released a security alert with mitigations. BOD 26-04’s 3-day patch window applies — the Sunday deadline reflects this accelerated timeline. ShinyHunters is a known data extortion group; organisations with unpatched internet-facing PeopleSoft instances should assume breach. If your PeopleSoft environment is accessible via HTTP: patch before Sunday, or disconnect it from the network.
Recommended action: Apply Oracle’s mitigations per the security alert. Patch this weekend — deadline is Sunday. Review PeopleSoft access logs for indicators of compromise. If immediate patching is not possible, restrict all network access to PeopleSoft until patched.
Official source: Oracle Security Alert CVE-2026-35273 | CISA KEV Catalog
Ivanti Sentry — CVE-2026-10520 (KEV DEADLINE TOMORROW)
Software affected: Ivanti Sentry (formerly MobileIron Sentry) — all versions prior to patched release.
CVE: CVE-2026-10520 | CISA KEV deadline tomorrow — June 14, 2026 | OS command injection enabling unauthenticated root-level remote code execution | Actively exploited | BOD 26-04 3-day mandate applies. CISA has explicitly ordered federal agencies to patch by Sunday.
Status: Tomorrow is the remediation deadline. Active exploitation is confirmed. The vulnerability is trivially exploitable on internet-exposed Sentry appliances not protected by mTLS with EPMM or restricted HTTPS through Neurons for MDM. Organisations that have not yet patched are now operating inside the final 24-hour window. If your Sentry appliance is internet-facing and unmanaged: patch today, or disconnect it from the internet immediately.
Recommended action: Patch today before the June 14 deadline. If patching is not possible, disconnect Sentry from the internet immediately. Ensure mTLS with EPMM or restricted HTTPS access is configured as a compensating control.
Official source: Ivanti Security Advisory | CISA KEV Catalog
UpdraftPlus — CVE-2026-10795 (Auth Bypass → RCE, Millions Affected)
Software affected: UpdraftPlus: WP Backup & Migration Plugin versions ≤ 1.26.4 — over 3 million active WordPress installations.
CVE: CVE-2026-10795 | CVSS 8.1 | Authentication bypass via flawed remote communications signature verification | Decrypt-to-zero key weakness enables forging arbitrary RPC commands | Unauthenticated attacker runs commands as connected administrator | Leads to malicious plugin upload/activation and full remote code execution.
Status: This is a serious WordPress supply-chain vulnerability. The flawed signature verification combined with the predictable all-zero encryption key means any unauthenticated attacker can impersonate the site administrator via the remote communications protocol. Given UpdraftPlus’s massive install base, this is likely to attract rapid exploitation. No CISA KEV listing yet, but treat as KEV-equivalent given severity and attack surface.
Recommended action: Update UpdraftPlus beyond 1.26.4 immediately on all WordPress sites. Check for unexpected administrator accounts, recently installed plugins, or unexplained file modifications — these are indicators of prior compromise via this vector. Run a full malware scan on WordPress installations running the affected versions.
Official source: NVD Entry | Wordfence / Patchstack advisories (expected)
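Inventory helper for the update check above, added for this report and not UpdraftPlus, Wordfence or Patchstack code: it reads the plugin's Version: header from each WordPress document root and flags installs at or below 1.26.4. It assumes the standard plugin path wp-content/plugins/updraftplus/updraftplus.php; the demo builds a constructed site tree rather than touching real sites.

```python
"""Flag WordPress sites running UpdraftPlus <= 1.26.4 (CVE-2026-10795).
Hypothetical helper for this report, not UpdraftPlus/Wordfence/Patchstack code.
Assumes the standard path wp-content/plugins/updraftplus/updraftplus.php.
"""
import re
import tempfile
from pathlib import Path

VULNERABLE_MAX = "1.26.4"
PLUGIN_FILE = Path("wp-content/plugins/updraftplus/updraftplus.php")
# WordPress reads plugin metadata from 'Key: value' lines in the header comment
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

def parse_version(text):
    """Return the 'Version:' header value from plugin file contents, or None."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None

def version_key(version):
    # numeric tuple: 1.26.10 must sort above 1.26.4 (a string compare gets it wrong)
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def is_vulnerable(version, ceiling=VULNERABLE_MAX):
    return version_key(version) <= version_key(ceiling)

def audit_sites(doc_roots):
    """Return {doc_root: (version or None, vulnerable?)} for each site."""
    results = {}
    for root in doc_roots:
        path = Path(root) / PLUGIN_FILE
        if not path.is_file():
            results[str(root)] = (None, False)  # plugin not installed
            continue
        version = parse_version(path.read_text(errors="replace"))
        results[str(root)] = (version, version is not None and is_vulnerable(version))
    return results

def demo():
    """Constructed site tree (not real data): one vulnerable, one patched, one
    without the plugin."""
    base = Path(tempfile.mkdtemp())
    for site, ver in (("shop", "1.26.4"), ("blog", "1.26.10")):
        plugin = base / site / PLUGIN_FILE
        plugin.parent.mkdir(parents=True)
        plugin.write_text(f"<?php\n/*\nPlugin Name: UpdraftPlus\nVersion: {ver}\n*/\n")
    (base / "docs").mkdir()
    report = audit_sites([base / s for s in ("shop", "blog", "docs")])
    return {Path(k).name: v for k, v in report.items()}
```

Point audit_sites() at your real document roots; a version of None means the plugin file was not found at the assumed path.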
Arch Linux AUR Supply Chain Compromise — 400+ Packages
Software affected: Over 400 packages in the Arch Linux User Repository (AUR). Impact extends to Arch-based systems including the Steam Deck, development workstations, and CI/CD runners.
Status: More than 400 AUR packages have been confirmed to distribute a Linux rootkit and infostealer malware. The malware steals credentials, access tokens, and SSH keys, and establishes persistent system access. This is a significant open-source supply chain incident — the compromised packages were available through the standard AUR installation workflow. Any Arch-based system that installed or updated AUR packages during the compromise window should be treated as potentially breached.
Recommended action: Immediately audit all Arch Linux workstations, servers, and CI runners for installed AUR packages. Remove any suspicious or unverified packages. Reinstall packages from verified, clean sources only. Rotate all credentials and access tokens that were stored on or accessible from potentially affected systems. Review system logs for signs of rootkit activity.
Official source: BleepingComputer Report | Arch Linux security announcements
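Audit helper for the AUR package review above, added for this report and not Arch Linux tooling: it combines the output of pacman -Qm (packages absent from every sync database, which is where AUR builds land) with /var/log/pacman.log to list which foreign packages were installed or upgraded inside a suspect window. The sample data is constructed, and the window is a placeholder because the report does not state the compromise dates.

```python
"""List foreign (AUR/locally built) packages installed or upgraded inside a
suspect window, from `pacman -Qm` output and /var/log/pacman.log.
Hypothetical audit helper for this report, not Arch Linux tooling. The window
below is a placeholder: the report does not state the compromise dates.
"""
import re
from datetime import date

# pacman.log entries look like:
#   [2026-06-03T10:12:33+0000] [ALPM] installed foo-git (1.2.3-1)
#   [2026-06-05T11:30:00+0000] [ALPM] upgraded bar (1.9-1 -> 2.0-1)
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ALPM\] (?P<action>installed|upgraded|reinstalled) "
    r"(?P<pkg>\S+) \((?P<ver>[^)]*)\)$"
)

def parse_foreign(qm_output):
    """`pacman -Qm` prints 'name version' per line for packages absent from
    every sync database, which is where AUR builds end up."""
    return dict(line.split() for line in qm_output.splitlines() if len(line.split()) == 2)

def suspect_packages(pacman_log, foreign, start, end):
    """Return (pkg, action, version, timestamp) for foreign packages touched
    between start and end (inclusive calendar dates)."""
    hits = []
    for line in pacman_log.splitlines():
        m = LOG_RE.match(line)
        if not m or m["pkg"] not in foreign:
            continue
        when = date.fromisoformat(m["ts"][:10])  # date part of the timestamp
        if start <= when <= end:
            hits.append((m["pkg"], m["action"], m["ver"], m["ts"]))
    return hits

# Constructed sample data, not output from a real system.
SAMPLE_QM = """yay 12.4.2-1
foo-git 1.2.3-1
bar 2.0-1
"""
SAMPLE_LOG = """[2026-05-20T09:00:00+0000] [ALPM] installed yay (12.4.2-1)
[2026-06-03T10:12:33+0000] [ALPM] installed foo-git (1.2.3-1)
[2026-06-04T08:00:01+0000] [ALPM] upgraded linux (6.0.1-1 -> 6.0.2-1)
[2026-06-05T11:30:00+0000] [ALPM] upgraded bar (1.9-1 -> 2.0-1)
"""

def demo(start=date(2026, 6, 1), end=date(2026, 6, 13)):  # placeholder window
    return suspect_packages(SAMPLE_LOG, parse_foreign(SAMPLE_QM), start, end)
```

On a real host, feed suspect_packages() the text of /var/log/pacman.log and the output of pacman -Qm, then rebuild or remove every package it returns.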
Apinizer, Spring, GitLab — New Critical and High Severity Advisories
Apinizer CVE-2026-11561 (CVSS 9.8): Expression language injection enabling code injection in the Apinizer API management platform. Affects versions 2026.04.0 through 2026.04.5. Upgrade to 2026.04.6 or later. API management platforms are high-value infrastructure — compromise could expose all managed APIs.
Spring Integration CVE-2026-40987 (CVSS 7.1): Malicious FTP/SFTP/SMB server can write arbitrary files outside the configured local-directory on the client filesystem — path to remote code execution. Affects Spring Integration 5.5.0 through 7.0.4. Upgrade per Spring Security Advisories.
Spring Web Services: Five new advisories covering BSP compliance bypass (CVE-2026-40994, CVSS 8.2), X509 account lifecycle check bypass (CVE-2026-40995), weak RSA15 key transport default (CVE-2026-40996), account state enumeration (CVE-2026-40997), and WSS4J replay cache inconsistency (CVE-2026-41000). Affects Spring WS 3.1.0 through 5.0.1.
Spring Web Flow: Two new advisories — Unified EL injection (CVE-2026-40985, CVSS 6.4) and JavaScript RemotingHandler XSS (CVE-2026-40986). Affects Spring Web Flow 2.5.0 through 4.0.0.
GitLab: Four new CVEs since the previous report — Gitaly SSRF and arbitrary file read during repository import (CVE-2026-9204, CVSS 5.3), unauthenticated DoS via API request parsing middleware (CVE-2026-7250, CVSS 7.5), unauthorised email injection via group settings (CVE-2026-8589, CVSS 7.3), and Service Desk email impersonation (CVE-2026-9694). All fixed in GitLab 18.10.8, 18.11.5, and 19.0.2. Now 12 GitLab CVEs this period.
Recommended action: Review all Spring module versions across your Java estate — the cumulative count is now over 35 CVEs this period. Prioritise Spring Integration CVE-2026-40987 (arbitrary file write) and Spring WS CVE-2026-40994 (BSP bypass). Patch Apinizer immediately (CVSS 9.8). Schedule GitLab upgrades — the 12-CVE release merits attention.
KEV Deadline Watch
TOMORROW (June 14): Ivanti Sentry CVE-2026-10520. BOD 26-04 3-day mandate applies.
Sunday June 15: Oracle PeopleSoft CVE-2026-35273. Known ransomware. BOD 26-04 applies. NEW since yesterday.
OVERDUE — June 11: Check Point Security Gateway CVE-2026-50751 (+2 days, ransomware). See June 12 report.
OVERDUE — June 10: Nx Console CVE-2026-48027 (+3 days, ransomware). Dedicated advisory.
OVERDUE — June 6: Mirasvit Cache Warmer CVE-2026-45247 (+7 days). Unauthenticated RCE on e-commerce.
OVERDUE — June 1: Palo Alto PAN-OS CVE-2026-0257 (+12 days). Dedicated advisory.
June 19: SolarWinds Serv-U CVE-2026-28318 (6 days).
June 22: BerriAI LiteLLM CVE-2026-42271 (9 days).
June 23: Google Chromium V8 CVE-2026-11645 / Arista EOS CVE-2026-7473 / Cisco SD-WAN CVE-2026-20245 (10 days).
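Tracker for the deadline watch above, added for this report and not a CISA tool: it recomputes the overdue / days-remaining figures from the raw due dates listed here and derives a due date under a fixed-window directive, with BOD 26-04 modelled as "date added + 3 days" exactly as the report describes it.

```python
"""Recompute the 'overdue by' / 'days remaining' figures of a KEV deadline
watch from the raw due dates, and derive a due date under a fixed-window
directive (BOD 26-04 is modelled as 'date added + 3 days', as this report
describes it). Added illustration for this report, not a CISA tool.
"""
from datetime import date, timedelta

REPORT_DATE = date(2026, 6, 13)
PEOPLESOFT_KEV_ADDED = date(2026, 6, 12)  # stated in this report

# (CVE, product, KEV due date) as listed in the Deadline Watch section
KEV_ENTRIES = [
    ("CVE-2026-10520", "Ivanti Sentry", date(2026, 6, 14)),
    ("CVE-2026-35273", "Oracle PeopleSoft", date(2026, 6, 15)),
    ("CVE-2026-50751", "Check Point Security Gateway", date(2026, 6, 11)),
    ("CVE-2026-48027", "Nx Console", date(2026, 6, 10)),
    ("CVE-2026-45247", "Mirasvit Cache Warmer", date(2026, 6, 6)),
    ("CVE-2026-0257", "Palo Alto PAN-OS", date(2026, 6, 1)),
    ("CVE-2026-28318", "SolarWinds Serv-U", date(2026, 6, 19)),
    ("CVE-2026-42271", "BerriAI LiteLLM", date(2026, 6, 22)),
    ("CVE-2026-11645", "Google Chromium V8", date(2026, 6, 23)),
    ("CVE-2026-7473", "Arista EOS", date(2026, 6, 23)),
    ("CVE-2026-20245", "Cisco SD-WAN", date(2026, 6, 23)),
]

def bod_due_date(date_added, window_days=3):
    """Due date under a fixed remediation window (3 days for BOD 26-04)."""
    return date_added + timedelta(days=window_days)

def deadline_status(entries, today=REPORT_DATE):
    """Map CVE -> signed day count: negative = days overdue, 0 = due today,
    positive = days remaining."""
    return {cve: (due - today).days for cve, _, due in entries}

def format_watch(entries, today=REPORT_DATE):
    """Render the list most urgent first: overdue items, then soonest due."""
    rows = []
    for cve, product, due in sorted(entries, key=lambda e: e[2]):
        delta = (due - today).days
        if delta < 0:
            label = f"OVERDUE (+{-delta} days)"
        elif delta == 0:
            label = "DUE TODAY"
        else:
            label = f"{delta} days remaining"
        rows.append(f"{due.isoformat()}  {cve:<15} {product:<30} {label}")
    return rows
```

Run print("\n".join(format_watch(KEV_ENTRIES))) to reproduce the watch list; swap REPORT_DATE for date.today() to keep it current.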
Updates on Items from Previous Reports
Oracle PeopleSoft CVE-2026-35273: Escalated from KEV candidate in yesterday’s report to confirmed CISA KEV with known ransomware use. Now carries a Sunday June 15 deadline under BOD 26-04. Dedicated advisory pending.
Check Point CVE-2026-50751: Now 2 days past KEV deadline. Active ransomware exploitation continues. Disable IKEv1 immediately if not already done. Audit VPN logs for unauthorised connections.
Ivanti Sentry CVE-2026-10520: Deadline tomorrow. Patch today or disconnect from internet. CISA has explicitly ordered FCEB agencies to patch by Sunday under BOD 26-04.
Mirasvit CVE-2026-45247: Now 7 days past KEV deadline. Unauthenticated RCE on e-commerce platforms. Patch or disable the Cache Warmer extension immediately.
PAN-OS CVE-2026-0257, Nx Console CVE-2026-48027: Both past KEV deadline. Dedicated advisories published.
Spring ecosystem: Cumulative count now exceeds 35 CVEs this period covering Spring Security, Spring Data, Spring WS, Spring Integration, Spring Web Flow, Spring Boot, Spring GraphQL, Spring AMQP, Spring for Kafka/Pulsar, and Spring Authorization Server. Inventory and prioritise.
GitLab: Now 12 CVEs this period (8 reported June 11, 4 new). Upgrade to 18.10.8, 18.11.5, or 19.0.2.
Langflow CVE-2026-5027: Still actively exploited. Upgrade and restrict network access.
phpBB 10-year auth bypass: Newly reported yesterday. Affects phpBB forum installations spanning a decade — allows login as any user including administrators. Patch if running phpBB.
This report is compiled from official vendor advisories, the CISA KEV catalog, the NVD, and primary security research sources including BleepingComputer, The Hacker News, Security.nl, CybersecurityNews.com, Cybersecurity Dive, and Tenable CVE feeds.
