Vulnerability Intelligence Report — June 20, 2026 (Saturday Edition)
Coverage: June 1–20, 2026 | Total CISA KEV additions (period): 16 | New KEVs: 0 | KEV deadline TOMORROW: Splunk Enterprise (Sunday, actively exploited) | New overdue KEVs: +3 (Joomla, SolarWinds, LiteSpeed) | Total overdue KEVs: 10
Previous reports: June 19, 2026 | June 18, 2026
Today — Saturday, June 20, 2026 — is the quietest day of the reporting period. No new CISA KEV entries were added. The weekend double-deadline (Joomla CE + SolarWinds Serv-U) passed yesterday, bringing the total overdue KEV count to 10. The next deadline is tomorrow: Splunk Enterprise CVE-2026-20253, now confirmed by CISA as actively exploited. This makes Splunk the second actively exploited KEV this period after Oracle PeopleSoft. The vulnerability landscape is otherwise subdued: pgAdmin 4 released a significant advisory with multiple CRITICAL vulnerabilities (XSS 9.3, SQL injection 8.8, AI assistant bypass 9.0) affecting one of the most widely used PostgreSQL management tools, hackers are actively exploiting an information disclosure bug in the Gravity SMTP WordPress plugin, and the Klue OAuth breach — attributed to the “Icarus” threat actor — continues to expand its victim list with Salesforce data theft claims. On the data breach front, a Texas government incident has exposed over 3 million driver’s licenses.
Quick Reference — Most Important Items Today
Splunk Enterprise: CVE-2026-20253 (CISA KEV deadline TOMORROW Sunday, now confirmed actively exploited — patch this weekend)
pgAdmin 4: Multiple CRITICALs (CVE-2026-12048 XSS 9.3, CVE-2026-12046 9.0, CVE-2026-12045 9.0) + SQL injection CVE-2026-12044 (8.8)
Gravity SMTP WordPress: Info disclosure bug actively exploited in attacks — patch plugin immediately
Icarus/Klue OAuth: Victim list growing, Salesforce data theft claims expanding
Texas govt breach: 3 million driver’s licenses exposed
Microsoft: June Windows updates break Recycle Bin prompts on all supported releases
Overdue KEV roundup: Joomla +1 | SolarWinds +1 | LiteSpeed +2 | Oracle PS +5 | Ivanti +6 | Check Point +9 | Nx Console +10 | Mirasvit +14 | Android +15 | PAN-OS +19
Splunk Enterprise — CVE-2026-20253 (KEV Deadline TOMORROW, Now Confirmed Actively Exploited)
Software affected: Splunk Enterprise — the SIEM and log analytics platform used by a large proportion of enterprise security operations centres.
CVE: CVE-2026-20253 | CISA KEV deadline tomorrow — Sunday, June 21, 2026 | Now confirmed actively exploited by CISA | Missing authentication (CWE-306) enables unauthenticated file create/truncate via PostgreSQL sidecar endpoint | BOD 26-04 weekend deadline.
Status: CISA confirmed yesterday that this vulnerability is actively exploited in the wild. This elevates Splunk from a theoretical risk to a confirmed active threat — and makes it the second actively exploited KEV this period after Oracle PeopleSoft. The PostgreSQL sidecar endpoint, if network-accessible, allows attackers to write arbitrary files (potentially enabling RCE via script directory injection) or truncate files (destroying indexes, configurations, audit logs). SIEM compromise is one of the highest-impact scenarios in enterprise security — attackers who control the SIEM can suppress alerts, delete evidence, and operate with near-total impunity. The Sunday deadline means patching must be completed this weekend. Dedicated advisory.
Recommended action: Patch Splunk today — do not wait until Sunday. Apply SVD-2026-0603 immediately. Restrict PostgreSQL sidecar port to localhost only if patching is delayed. Audit Splunk for signs of compromise — unauthorised files, modified configs, suppressed alerts, disabled log forwarding. This is the #1 patching priority this weekend.
Official source: Splunk SVD-2026-0603 | CISA Confirmation (BleepingComputer)
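The advisory describes two attacker effects, unauthenticated file creation and file truncation. The following is an added example (not from the report, from Splunk, or from CISA) of the kind of baseline-comparison check the "audit Splunk for signs of compromise" step calls for: it records size and SHA-256 for every file under a directory, then reports files that are new, truncated to zero bytes, modified, or missing. The directory layout, file names and contents in the demo are constructed in a temporary directory; the real paths to watch (configuration and script directories of the Splunk install) are an assumption left to the operator.

```python
"""
Added example: file-integrity audit for detecting dropped or truncated files.
Not Splunk's own tooling; paths and sample files below are constructed.
"""
import hashlib
import json
import os
import tempfile


def _sha256(path):
    """Stream the file so large index or log files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Record size and SHA-256 of every regular file under root, keyed by POSIX-style relative path."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"size": os.path.getsize(full), "sha256": _sha256(full)}
    return manifest


def diff_against_baseline(root, baseline):
    """Compare the tree under root with a previously recorded baseline manifest.

    Returns four sorted lists: files that did not exist at baseline time (new),
    files whose content changed and are now empty (truncated), other content
    changes (modified), and baseline files that have disappeared (missing).
    """
    current = snapshot(root)
    findings = {"new": [], "truncated": [], "modified": [], "missing": []}
    for rel, info in current.items():
        if rel not in baseline:
            findings["new"].append(rel)
        elif info["sha256"] != baseline[rel]["sha256"]:
            if info["size"] == 0 and baseline[rel]["size"] > 0:
                findings["truncated"].append(rel)
            else:
                findings["modified"].append(rel)
    for rel in baseline:
        if rel not in current:
            findings["missing"].append(rel)
    for entries in findings.values():
        entries.sort()
    return findings


def demo():
    """Constructed scenario: take a baseline, then simulate a dropped file,
    a truncated config, and an edited config, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "inputs.conf"), "w") as f:
            f.write("[monitor:///var/log]\n")
        with open(os.path.join(root, "etc", "web.conf"), "w") as f:
            f.write("[settings]\n")
        baseline = snapshot(root)  # in practice, store this off-host

        # Simulated post-baseline changes (constructed, not real indicators)
        with open(os.path.join(root, "etc", "dropped.sh"), "w") as f:
            f.write("# unexpected new file\n")
        open(os.path.join(root, "etc", "inputs.conf"), "w").close()  # truncated to 0 bytes
        with open(os.path.join(root, "etc", "web.conf"), "a") as f:
            f.write("# appended line\n")

        return diff_against_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the baseline manifest somewhere the monitored host cannot write to; a manifest stored beside the files it describes can be rewritten by whoever can write those files. A zero-byte file that previously had content is reported separately from other modifications because truncation of indexes, configs and audit logs is the destructive effect the advisory names.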
KEV Deadline Update — 3 New Overdue, 10 Total
Joomla Content Editor CVE-2026-48907: Deadline passed yesterday (June 19) — now 1 day overdue. Unauthenticated PHP upload/execution. Dedicated advisory.
SolarWinds Serv-U CVE-2026-28318: Deadline passed yesterday (June 19) — now 1 day overdue. Unauthenticated DoS via crafted POST.
LiteSpeed cPanel CVE-2026-54420: Deadline passed June 18 — now 2 days overdue. Dedicated advisory.
Overdue KEV status: Joomla +1, SolarWinds +1, LiteSpeed +2, Oracle PS +5, Ivanti +6, Check Point +9, Nx Console +10, Mirasvit +14, Android +15, PAN-OS +19.
pgAdmin 4 — Multiple CRITICAL Vulnerabilities
Software affected: pgAdmin 4 — the most widely used open-source PostgreSQL administration and development platform.
Status: A significant advisory covering multiple vulnerabilities including:
CVE-2026-12048 — Stored XSS CRITICAL 9.3: Cross-site scripting in error-rendering and plan-node-rendering paths. Text returned by PostgreSQL server is rendered without sanitisation, enabling an attacker who controls database content to execute JavaScript in the pgAdmin user’s browser session.
CVE-2026-12046 — CRITICAL 9.0: Missing CSRF protection on state-mutating SQL Editor endpoints (DELETE /sqleditor/close and POST /sqleditor/initialize). Allows unauthorised modification of user editor state.
CVE-2026-12045 — CRITICAL 9.0: Read-only transaction bypass in the AI Assistant. An attacker who influences database content can make the AI assistant execute write operations.
CVE-2026-12044 — HIGH 8.8: SQL injection across dialog templates rendering COMMENT ON statements with user-supplied descriptions.
Recommended action: Upgrade pgAdmin 4 to the latest patched version immediately. pgAdmin is used by virtually every PostgreSQL DBA and developer — the installed base is massive. The stored XSS (9.3) is particularly dangerous for multi-user pgAdmin deployments or shared database environments.
Official source: pgAdmin Security Announcements | NVD entries CVE-2026-12044 through CVE-2026-12050
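Two of the defect classes above, the stored XSS in error and plan-node rendering (CVE-2026-12048) and the SQL injection in COMMENT ON templates (CVE-2026-12044), come down to how untrusted text is placed into markup and into SQL. The following is an added example, not pgAdmin's own code, showing each vulnerable step beside its hardened form in plain Python. It assumes nothing about pgAdmin's internal function names; the sample error text and description are constructed. COMMENT ON is a utility statement, so the description cannot be passed as a bind parameter, which is why correct literal quoting (rather than parameterisation) is the fix shown.

```python
"""
Added example: output escaping for server-returned text, and literal quoting
for COMMENT ON descriptions. Not pgAdmin's code; inputs are constructed.
"""
import html

# --- (1) Stored XSS: text returned by the PostgreSQL server ----------------

def render_error_unsafe(server_text):
    """Vulnerable pattern: raw interpolation, so markup in the text is interpreted."""
    return f'<div class="sql-error">{server_text}</div>'


def render_error_safe(server_text):
    """Hardened: escape &, <, > and quotes so the text is displayed, not executed."""
    return f'<div class="sql-error">{html.escape(server_text, quote=True)}</div>'


# --- (2) SQL injection in COMMENT ON: quote the literal correctly ----------

_ALLOWED_OBJECT_TYPES = {"TABLE", "COLUMN", "VIEW", "FUNCTION", "SCHEMA", "DATABASE"}


def comment_on_unsafe(obj_type, qualified_name, description):
    """Vulnerable pattern: template-style interpolation of a user-supplied description."""
    return f"COMMENT ON {obj_type} {qualified_name} IS '{description}';"


def quote_identifier(name):
    """Double-quote an SQL identifier, doubling any embedded double quote."""
    return '"' + name.replace('"', '""') + '"'


def quote_literal(text):
    """Standard-conforming string literal: double every single quote.

    With standard_conforming_strings on (the PostgreSQL default) backslashes
    are ordinary characters inside '...' literals, so no further escaping is needed.
    """
    return "'" + text.replace("'", "''") + "'"


def comment_on_safe(obj_type, schema, name, description):
    """Hardened: allow-list the object type, quote identifiers, quote the literal."""
    if obj_type not in _ALLOWED_OBJECT_TYPES:
        raise ValueError(f"unsupported object type: {obj_type!r}")
    literal = "NULL" if description is None else quote_literal(description)  # IS NULL clears the comment
    return f"COMMENT ON {obj_type} {quote_identifier(schema)}.{quote_identifier(name)} IS {literal};"


def count_statements(sql):
    """Demo helper: count semicolons that fall outside single-quoted literals.

    A correctly quoted COMMENT ON yields exactly one statement; an injected
    payload that breaks out of the literal yields more.
    """
    count, in_literal, i = 0, False, 0
    while i < len(sql):
        c = sql[i]
        if in_literal:
            if c == "'":
                if i + 1 < len(sql) and sql[i + 1] == "'":
                    i += 1  # doubled quote is an escaped quote, still inside the literal
                else:
                    in_literal = False
        elif c == "'":
            in_literal = True
        elif c == ";":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    err = "relation <script>alert(document.cookie)</script> does not exist"  # constructed
    print(render_error_unsafe(err))
    print(render_error_safe(err))
    desc = "nice'; DROP TABLE users; --"  # constructed injection attempt
    print(comment_on_unsafe("TABLE", "public.users", desc), count_statements(comment_on_unsafe("TABLE", "public.users", desc)))
    print(comment_on_safe("TABLE", "public", "users", desc), count_statements(comment_on_safe("TABLE", "public", "users", desc)))
```

In a real Python backend the quoting helpers would be replaced by a library that already gets this right, such as `psycopg2.sql.Literal` and `psycopg2.sql.Identifier`; the hand-written versions here exist only to make the difference between the two patterns visible. The same principle applies on the browser side: server text belongs in a text node (`textContent`) or must be escaped before it reaches `innerHTML`.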
Gravity SMTP, Icarus/Klue, Texas Breach, and Weekend Roundup
Gravity SMTP WordPress — Actively Exploited Info Disclosure: Hackers are actively exploiting an information disclosure vulnerability in the Gravity SMTP WordPress plugin. The bug exposes sensitive configuration data including SMTP credentials, which can be used to intercept or spoof outgoing email from WordPress sites. Patch the plugin immediately and rotate SMTP credentials if the plugin was running a vulnerable version.
Icarus/Klue OAuth Attack Expansion: The victim list from the Klue OAuth breach continues to grow, with the “Icarus” threat actor group claiming responsibility for Salesforce data theft attacks leveraging compromised OAuth tokens. Organisations using Klue or connected Salesforce instances should review OAuth token scopes, revoke unused or suspicious tokens, and audit Salesforce API access logs.
Texas Government Data Breach — 3 Million Driver’s Licenses: A Texas government data breach has exposed over 3 million driver’s license records. Affected individuals should be notified per state breach notification laws. This is one of the larger US state government breaches this year.
Microsoft Recycle Bin Bug: The June 2026 Windows cumulative updates introduce a bug that breaks Recycle Bin confirmation prompts on all supported Windows releases. Not a security vulnerability, but a deployment consideration for organisations still rolling out June Patch Tuesday updates.
KEV Deadline Watch
TOMORROW — Sunday June 21: Splunk Enterprise CVE-2026-20253. Actively exploited. Dedicated advisory.
June 22 (2 days): BerriAI LiteLLM CVE-2026-42271.
June 23 (3 days): Chromium V8 CVE-2026-11645 / Arista EOS CVE-2026-7473 / Cisco SD-WAN CVE-2026-20245.
June 29 (9 days): Cisco SD-WAN CVE-2026-20262. Actively exploited.
OVERDUE — June 19: Joomla CE CVE-2026-48907 (+1) + SolarWinds Serv-U CVE-2026-28318 (+1).
OVERDUE — June 18: LiteSpeed cPanel CVE-2026-54420 (+2).
OVERDUE: Oracle PS (+5), Ivanti (+6), Check Point (+9, ransomware), Nx Console (+10, ransomware), Mirasvit (+14), Android (+15), PAN-OS (+19).
Updates on Items from Previous Reports
Splunk CVE-2026-20253: Now confirmed actively exploited by CISA. Patch before Sunday’s deadline. Dedicated advisory.
Joomla CE, SolarWinds Serv-U, LiteSpeed cPanel: All past deadline. Three KEVs now overdue.
Oracle CPU: Patch deployment should be complete. PeopleSoft CVE-2026-35278 (9.8) was the top priority.
F5 NGINX: Verify NGINX patches deployed across all instances. Two CRITICALs.
FortiBleed: CISA formal warning in effect. Rotate Fortinet VPN credentials and enforce MFA.
ShinyHunters campaign: 3+ confirmed victims. PeopleSoft remains primary vector.
ShapedPlugin, Gentlemen ransomware: Dedicated advisories published yesterday.
35 dedicated advisories published this period.
This report is compiled from official vendor advisories, the CISA KEV catalog, the NVD, and primary security research sources including BleepingComputer, The Hacker News, Security.nl, CybersecurityNews.com, Cybersecurity Dive, and Tenable CVE feeds.
