Vulnerability Intelligence Report — June 18, 2026

Coverage: June 1–18, 2026 | Total CISA KEV additions (period): 15 | New KEVs: 0 | KEV deadline TODAY: LiteSpeed cPanel | KEV deadlines TOMORROW: Joomla CE + SolarWinds Serv-U | Overdue KEVs: 7
Previous reports: June 17, 2026 | June 16, 2026

Today — Thursday, June 18, 2026 — is the CISA KEV deadline for LiteSpeed cPanel CVE-2026-54420. Two more deadlines follow tomorrow: Joomla Content Editor CVE-2026-48907 and SolarWinds Serv-U CVE-2026-28318. No new KEVs were added. Oracle released its July 2026 Critical Patch Update overnight — a massive advisory containing 5 CRITICAL and 12+ HIGH severity CVEs across WebLogic Server (9.9), PeopleSoft PeopleTools (9.8), WebCenter Content (9.1), Identity Manager (9.9), WebCenter Enterprise Capture (9.9), and VirtualBox (7.5). Given that we are in the middle of a ShinyHunters campaign actively exploiting PeopleSoft vulnerabilities (CVE-2026-35273), another PeopleSoft CRITICAL (CVE-2026-35278) arriving during an active exploitation window is particularly concerning. In other major news, F5 has issued out-of-band patches for critical NGINX vulnerabilities, and a leak dubbed “FortiBleed” has exposed Fortinet VPN credentials for 73,000 devices.


Quick Reference — Most Important Items Today

LiteSpeed cPanel: CVE-2026-54420 (CISA KEV DEADLINE TODAY — patch shared hosting immediately)

Oracle CPU July 2026: 5 CRITICALs — WebLogic 9.9, PeopleSoft 9.8, Identity Manager 9.9, WebCenter 9.1, WebCenter Capture 9.9

F5 NGINX: Out-of-band critical patches — apply immediately, NGINX is ubiquitous in web infrastructure

FortiBleed: 73,000 Fortinet VPN credentials exposed in leak — rotate credentials, check for compromise

Joomla Content Editor: CVE-2026-48907 (CISA KEV deadline TOMORROW June 19 — remaining 1 day)

SolarWinds Serv-U: CVE-2026-28318 (CISA KEV deadline TOMORROW June 19 — patch by end of Friday)

CVE-2026-35278: NEW PeopleSoft PeopleTools CRITICAL 9.8 — another PeopleSoft CVE during active ShinyHunters exploitation

Overdue KEV: Oracle PS +3 | Ivanti +4 | Check Point +7 | Nx Console +8 | Mirasvit +12 | Android +13 | PAN-OS +17


LiteSpeed cPanel — CVE-2026-54420 (KEV DEADLINE TODAY)

Software affected: LiteSpeed cPanel plugin before 2.4.8 / WHM Plugin before 5.3.2.0.

CVE: CVE-2026-54420 | CISA KEV deadline today — June 18, 2026 | CVSS 8.5 | Symlink following enables cross-account data access on shared hosting | BOD 26-04 3-day mandate.

Status: Today is the remediation deadline. Shared hosting providers running LiteSpeed with the cPanel plugin must be on WHM Plugin 5.3.2.0+ or cPanel plugin 2.4.8+ by end of day. This is the first cPanel-related KEV deadline. Organisations that have not yet upgraded are now at the final deadline. Full coverage in the dedicated advisory.

Recommended action: Upgrade today before end of day. Audit CageFS enforcement and symlink configurations on shared hosting servers. Review access logs for cross-account anomalies.

Official source: LiteSpeed Security Update | CISA KEV Catalog


Oracle July 2026 Critical Patch Update — 5 CRITICALs, 12+ HIGHs

Software affected: Oracle WebLogic Server, PeopleSoft PeopleTools, WebCenter Content, Identity Manager, WebCenter Enterprise Capture, VirtualBox, Oracle Access Manager, Oracle Data Integrator.

Status: Oracle’s July 2026 CPU is one of the larger releases this year. The most critical items:

CVE-2026-35263 — WebLogic Server CRITICAL 9.9: Core component vulnerability. WebLogic is a cornerstone of Oracle Fusion Middleware and widely deployed in enterprise Java environments. This CVSS score indicates network-exploitable, unauthenticated, complete compromise.

CVE-2026-35278 — PeopleSoft PeopleTools CRITICAL 9.8: Performance Monitor component. The timing is critical — ShinyHunters is actively exploiting PeopleSoft CVE-2026-35273 right now. A new PeopleSoft CRITICAL arriving during an active exploitation campaign demands immediate patching priority. Assume ShinyHunters will attempt to chain this with CVE-2026-35273.

CVE-2026-35268 — Identity Manager CRITICAL 9.9: Core component. Identity Manager controls enterprise user provisioning and access — compromise means attacker gains control over the identity fabric.

CVE-2026-35270 — WebCenter Content CRITICAL 9.1: Content Server. Enterprise document management systems are high-value data targets.

CVE-2026-35280 / CVE-2026-35281 — WebCenter Enterprise Capture, two CRITICAL 9.9 CVEs: Client Bundle component. Document capture and imaging — often processes sensitive scanned documents.

Other notable HIGHs: CVE-2026-35259 (WebLogic Console 8.8), CVE-2026-35271 (PeopleSoft Weblogic 8.7), CVE-2026-35275 (VirtualBox Shared Folders 7.5), CVE-2026-35279 (PeopleSoft Performance Monitor 8.1).

Recommended action: Prioritise PeopleSoft CVE-2026-35278 and WebLogic CVE-2026-35263 above all other patch items this week. ShinyHunters context makes the PeopleSoft CRITICAL an emergency. Apply the full Oracle CPU using the standard quarterly patching process. Internet-facing WebLogic and PeopleSoft instances should be patched within 24 hours.

Official source: Oracle Critical Patch Updates | NVD entries for CVE-2026-35263, CVE-2026-35278, CVE-2026-35268, CVE-2026-35270, CVE-2026-35280/35281


F5 NGINX Out-of-Band Critical Patches

Software affected: NGINX — widely deployed open-source and NGINX Plus web server, reverse proxy, and load balancer.

Status: F5 has released out-of-band security patches for critical vulnerabilities in NGINX. Out-of-band releases are rare for NGINX and signal serious severity. NGINX is one of the most widely deployed web server platforms globally, powering approximately 33% of all websites and serving as the ingress/reverse proxy for a large proportion of Kubernetes environments. Specific CVE identifiers are pending. Given NGINX’s ubiquity, these should be treated as emergency patches.

Recommended action: Apply F5/NGINX patches immediately across all NGINX instances — web servers, reverse proxies, load balancers, API gateways, and Kubernetes ingress controllers. Prioritise internet-facing NGINX instances. Check NGINX Plus subscription channels and open-source distribution channels for updated packages.

Official source: BleepingComputer Report | F5/NGINX Security Advisories (my.f5.com)


FortiBleed — 73,000 Fortinet VPN Credentials Exposed

Affected: Organisations using Fortinet VPN appliances with credentials exposed in the FortiBleed leak.

Status: A data leak dubbed “FortiBleed” has exposed Fortinet VPN credentials for approximately 73,000 devices. The leaked data includes VPN usernames, password hashes, and device identifiers. Combined with the critical FortiSandbox exploitation disclosed yesterday, this represents a significant Fortinet-focused threat cluster. Organisations should assume that exposed VPN credentials are being actively tested by attackers.

Recommended action: Immediately rotate all Fortinet VPN credentials. Enforce MFA on all VPN connections. Check if your organisation’s devices appear in the leaked dataset. Review VPN authentication logs for unusual access patterns or brute-force attempts. Upgrade FortiOS and FortiGate firmware to latest versions.
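One way to carry out the log review recommended above, as an added example that is not part of the report: flag source IPs that fail against many distinct VPN accounts (the pattern a leaked credential set produces) and accounts that log in successfully only after failing from the same source. The log lines are constructed in a FortiGate-like key=value style; the field and action names are an assumption about the export format.

```python
# Added example (not from the report): flag credential-stuffing patterns in
# Fortinet SSL-VPN authentication events after a credential leak. The lines
# below are constructed in a FortiGate-like key=value style; field names and
# action values are assumptions, adapt the constants to your own log export.
import re
from collections import defaultdict

SAMPLE_LOGS = """\
date=2026-06-18 time=03:14:07 type="event" subtype="vpn" action="ssl-login-fail" user="jdoe" remip=203.0.113.7
date=2026-06-18 time=03:14:09 type="event" subtype="vpn" action="ssl-login-fail" user="asmith" remip=203.0.113.7
date=2026-06-18 time=03:14:11 type="event" subtype="vpn" action="ssl-login-fail" user="bwong" remip=203.0.113.7
date=2026-06-18 time=03:14:13 type="event" subtype="vpn" action="ssl-login-fail" user="ckhan" remip=203.0.113.7
date=2026-06-18 time=03:14:15 type="event" subtype="vpn" action="ssl-login-fail" user="dlee" remip=203.0.113.7
date=2026-06-18 time=03:14:20 type="event" subtype="vpn" action="ssl-login" user="dlee" remip=203.0.113.7
date=2026-06-18 time=08:02:41 type="event" subtype="vpn" action="ssl-login" user="jdoe" remip=198.51.100.4
date=2026-06-18 time=08:05:00 type="event" subtype="vpn" action="ssl-login-fail" user="jdoe" remip=198.51.100.4
"""

FAIL_ACTION, SUCCESS_ACTION = "ssl-login-fail", "ssl-login"   # assumed values
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_line(line: str) -> dict:
    """Parse key=value and key="value" pairs into a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}

def find_stuffing(log_text: str, distinct_user_threshold: int = 4) -> dict:
    """Return {remip: {"users_failed", "success_after_fail"}} for sources that
    failed against >= threshold distinct accounts (leak-driven stuffing) or
    that succeeded for an account only after failing for it first."""
    failed = defaultdict(set)                # remip -> users with a failed login
    succeeded_after_fail = defaultdict(set)  # remip -> users that later succeeded
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("subtype") != "vpn":
            continue
        ip, user = ev.get("remip"), ev.get("user")
        if ev.get("action") == FAIL_ACTION:
            failed[ip].add(user)
        elif ev.get("action") == SUCCESS_ACTION and user in failed[ip]:
            succeeded_after_fail[ip].add(user)
    hits = {}
    for ip in set(failed) | set(succeeded_after_fail):
        if len(failed[ip]) >= distinct_user_threshold or succeeded_after_fail[ip]:
            hits[ip] = {"users_failed": failed[ip],
                        "success_after_fail": succeeded_after_fail[ip]}
    return hits
```

A single failure followed by a success from a user's usual address (jdoe above) is not flagged; a burst of distinct accounts from one address, ending in a success, is.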

Official source: BleepingComputer Report


Double KEV Deadline Tomorrow + Overdue Status

Tomorrow — Joomla Content Editor CVE-2026-48907: KEV deadline Friday June 19. Unauthenticated PHP upload/execution. Dedicated advisory. Patch Joomla JCE today to avoid the Friday rush.

Tomorrow — SolarWinds Serv-U CVE-2026-28318: KEV deadline Friday June 19. Unauthenticated DoS via crafted POST. Patch to 15.5.4 Hotfix 1+.

Overdue: Oracle PeopleSoft CVE-2026-35273 now 3 days overdue. Ivanti Sentry 4 days. Check Point 7 days (ransomware). Nx Console 8 days (ransomware). Mirasvit 12 days. Android 13 days. PAN-OS 17 days.


KEV Deadline Watch

TODAY (June 18): LiteSpeed cPanel CVE-2026-54420. Dedicated advisory. DEADLINE.

TOMORROW (June 19): Joomla Content Editor CVE-2026-48907 + SolarWinds Serv-U CVE-2026-28318. Double deadline.

June 22 (4 days): BerriAI LiteLLM CVE-2026-42271.

June 23 (5 days): Chromium V8 CVE-2026-11645 / Arista EOS CVE-2026-7473 / Cisco SD-WAN CVE-2026-20245.

June 29 (11 days): Cisco SD-WAN CVE-2026-20262. Actively exploited. Dedicated advisory.

OVERDUE: 7 entries — Oracle PS (+3), Ivanti (+4), Check Point (+7), Nx Console (+8), Mirasvit (+12), Android (+13), PAN-OS (+17).
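The deadline watch above can be generated directly from the CISA KEV feed. The following is an added example, not code from the report: it ranks entries by remediation due date and reproduces the TODAY / TOMORROW / N days / OVERDUE labels. The records are constructed in the shape of CISA's known_exploited_vulnerabilities.json; due dates are back-calculated from the day counts above, and the Check Point entry uses a placeholder CVE ID because the report does not give one.

```python
# Added example (not from the report): triage CISA KEV entries by remediation
# due date, reproducing the "KEV Deadline Watch" and "Overdue" lists above.
# Records are constructed in the shape of CISA's known_exploited_vulnerabilities.json;
# due dates are back-calculated from the report's day counts with June 18, 2026 as today.
import json
from datetime import date

TODAY = date(2026, 6, 18)

def _entry(cve, vendor, product, due, ransomware="Unknown"):
    return {"cveID": cve, "vendorProject": vendor, "product": product,
            "dueDate": due, "knownRansomwareCampaignUse": ransomware}
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    _entry("CVE-2026-54420", "LiteSpeed", "cPanel plugin", "2026-06-18"),
    _entry("CVE-2026-48907", "Joomla", "Content Editor", "2026-06-19"),
    _entry("CVE-2026-28318", "SolarWinds", "Serv-U", "2026-06-19"),
    _entry("CVE-2026-42271", "BerriAI", "LiteLLM", "2026-06-22"),
    _entry("CVE-2026-35273", "Oracle", "PeopleSoft", "2026-06-15"),
    # Placeholder ID: the report lists Check Point as overdue (+7) with
    # ransomware use but does not give its CVE number.
    _entry("CVE-0000-00000", "Check Point", "(placeholder)", "2026-06-11", "Known"),
]})

def kev_watch(kev_json: str, today: date) -> list:
    """Rank KEV entries by urgency; days_left < 0 means overdue."""
    rows = []
    for v in json.loads(kev_json)["vulnerabilities"]:
        days_left = (date.fromisoformat(v["dueDate"]) - today).days
        rows.append({
            "cve": v["cveID"],
            "product": f'{v["vendorProject"]} {v["product"]}',
            "days_left": days_left,
            "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
            "status": ("OVERDUE" if days_left < 0 else "TODAY" if days_left == 0
                       else "TOMORROW" if days_left == 1 else f"{days_left} days"),
        })
    # Most overdue first, then nearest deadline; at equal distance,
    # entries with known ransomware use rank ahead.
    rows.sort(key=lambda r: (r["days_left"], not r["ransomware"]))
    return rows

def overdue_label(row: dict) -> str:
    """Format an overdue row the way the report does: 'Oracle PeopleSoft (+3)'."""
    return f'{row["product"]} (+{-row["days_left"]})'

if __name__ == "__main__":
    for r in kev_watch(KEV_SAMPLE, TODAY):
        flag = " [ransomware]" if r["ransomware"] else ""
        print(f'{r["status"]:>8}  {r["cve"]:<16} {r["product"]}{flag}')
```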


Updates on Items from Previous Reports

ShinyHunters campaign: Now confirmed at Oracle PeopleSoft, Council of Europe, and Kodak. Oracle has released new PeopleSoft CRITICAL CVE-2026-35278 (9.8) — patch immediately before ShinyHunters chains exploits.

LiteSpeed CVE-2026-54420: Deadline today. Upgrade to WHM Plugin 5.3.2.0+.

Fortinet: Two simultaneous incidents — FortiSandbox actively exploited AND FortiBleed credential leak. Audit all Fortinet infrastructure urgently.

Joomla CVE-2026-48907 / SolarWinds CVE-2026-28318: Both due tomorrow. Patch today.

Oracle PeopleSoft CVE-2026-35273: 3 days overdue. Combined with new CVE-2026-35278, PeopleSoft is now a two-CVE emergency.

Fortinet FortiSandbox, JetBrains, MS Teams Relay, Premmerce, WP Review Slider: All have dedicated advisories published in recent batches.

All 29 dedicated advisories published this period — see threat-modeling.com/vulnerability-intelligence/ for the full archive.


This report is compiled from official vendor advisories, the CISA KEV catalog, the NVD, and primary security research sources including BleepingComputer, The Hacker News, Security.nl, CybersecurityNews.com, Cybersecurity Dive, and Tenable CVE feeds.
