Vulnerability Intelligence Report — June 22, 2026
Coverage: June 1–22, 2026 | Total CISA KEV additions (period): 16 | New KEVs: 0 | KEV deadline TODAY: BerriAI LiteLLM | KEV deadlines TOMORROW: Triple (Chromium V8, Arista EOS, Cisco SD-WAN) | Splunk deadline passed (June 21) | Total overdue KEVs: 11
Today — Monday, June 22, 2026 — is the CISA KEV deadline for BerriAI LiteLLM CVE-2026-42271. Tomorrow is the largest single-day KEV deadline of the period: three simultaneous deadlines (Google Chromium V8, Arista EOS, and Cisco SD-WAN Manager), making this a critical Monday-Tuesday patching window. The Splunk Enterprise deadline passed yesterday, adding to the now 11-strong overdue KEV list. The vulnerability news cycle remains in its weekend lull, with no new CISA KEV entries and limited NVD activity. However, LiteLLM has seen a cluster of new CVE disclosures (CVE-2026-12770 through 12774) covering authentication and API key issues, adding urgency to today’s remediation. On the threat intelligence front, the North Korea Mastra AI attribution and AryStinger botnet stories continue to develop.
Quick Reference — Most Important Items Today
BerriAI LiteLLM: CVE-2026-42271 (CISA KEV DEADLINE TODAY — patch to v1.83.7-stable, audit internal API keys)
TRIPLE KEV TOMORROW: Chromium V8 CVE-2026-11645 + Arista EOS CVE-2026-7473 + Cisco SD-WAN CVE-2026-20245
Splunk Enterprise: CVE-2026-20253 (deadline passed yesterday — now 1 day overdue, actively exploited)
LiteLLM: Multiple new CVEs disclosed (CVE-2026-12770 through CVE-2026-12774) — authentication and API key management issues
North Korea Mastra AI: Microsoft attribution — audit AI framework dependencies
Overdue KEV: Splunk +1 | Joomla +3 | SolarWinds +3 | LiteSpeed +4 | Oracle PS +7 | Ivanti +8 | Check Point +11 | Nx Console +12 | Mirasvit +16 | Android +17 | PAN-OS +21
BerriAI LiteLLM — CVE-2026-42271 (KEV DEADLINE TODAY)
Software affected: BerriAI LiteLLM — open-source LLM gateway and API proxy used to manage access to multiple AI model providers.
CVE: CVE-2026-42271 | CISA KEV deadline today — June 22, 2026 | Command injection enabling any authenticated user (including low-privilege internal keys) to execute arbitrary commands on the host | Widely deployed in AI/ML infrastructure stacks.
Status: Today is the remediation deadline. LiteLLM serves as the gateway between applications and AI model providers (OpenAI, Anthropic, Google, Azure, etc.), making it a critical chokepoint in AI infrastructure. A compromised LiteLLM instance gives attackers access to all proxied AI API keys, the ability to intercept or modify AI model inputs and outputs, and command execution on the host server. Organisations using LiteLLM must be on v1.83.7-stable or later by end of day. Additionally, five new LiteLLM CVEs were disclosed over the weekend (CVE-2026-12770 through 12774) covering authentication bypass and API key exposure issues — these should be addressed in the same upgrade.
Recommended action: Upgrade to LiteLLM v1.83.7-stable or later. Audit all internal API keys — rotate credentials for all proxied AI services (OpenAI, Anthropic, Google, Azure, etc.). Review LiteLLM access logs for unauthorised command execution or unusual API key usage patterns. Restrict network access to LiteLLM management interfaces.
Official sources: CISA KEV Catalog | GitHub Advisory GHSA-v4p8-mg3p-g94g
TRIPLE KEV Deadline Tomorrow — Prepare Today
Tomorrow — Tuesday June 23 — is the largest single-day KEV deadline of the period:
Google Chromium V8 CVE-2026-11645: Out-of-bounds read/write in the V8 JavaScript engine. Affects Chrome, Edge, Opera, and all Chromium-based browsers. Remote code execution inside the browser sandbox via a crafted HTML page. Verify fleet-wide browser auto-update compliance today. Deploy via endpoint management if auto-update is disabled.
Arista EOS CVE-2026-7473: Incomplete comparison vulnerability causing incorrect decapsulation and forwarding of unexpected tunneled packets. Network segmentation bypass. Upgrade Arista EOS per vendor advisory. Review network segmentation controls and tunnel configurations.
Cisco SD-WAN Manager CVE-2026-20245: Local privilege escalation to root via crafted file. Authenticated attacker can execute arbitrary commands as root on SD-WAN Manager. Apply per Cisco advisory. Restrict SD-WAN Manager access to trusted administrators. Note: this is in addition to Cisco SD-WAN CVE-2026-20262 (due June 29, actively exploited) — both must be patched.
Recommended action: Use today to prepare for tomorrow’s triple deadline. Verify Chromium browser versions across the fleet. Stage Arista EOS upgrades. Confirm Cisco SD-WAN Manager access controls are restricted pending patching.
Splunk Deadline Passed + Week-Ahead Outlook
Splunk CVE-2026-20253: Sunday deadline passed — now 1 day overdue. Second actively exploited KEV this period. Organisations that did not patch over the weekend must do so today. See the dedicated advisory.
Overdue KEV Status (11 entries): Splunk +1, Joomla +3, SolarWinds +3, LiteSpeed +4, Oracle PS +7 (ShinyHunters), Ivanti +8, Check Point +11 (ransomware), Nx Console +12 (ransomware), Mirasvit +16, Android +17, PAN-OS +21.
This Week’s Remaining Deadlines: Today: LiteLLM. Tomorrow: Triple (Chromium/Arista/Cisco). June 29: Cisco SD-WAN CVE-2026-20262 (actively exploited). After Tuesday’s triple deadline, the KEV calendar clears significantly.
North Korea Mastra AI, AryStinger, Prinz Eugen: All covered in dedicated advisories published yesterday. See the June 21 report for full context.
KEV Deadline Watch
TODAY (June 22): BerriAI LiteLLM CVE-2026-42271. DEADLINE.
TOMORROW (June 23): TRIPLE — Chromium V8 CVE-2026-11645 / Arista EOS CVE-2026-7473 / Cisco SD-WAN CVE-2026-20245.
June 29 (7 days): Cisco SD-WAN CVE-2026-20262. Actively exploited.
OVERDUE — June 21: Splunk Enterprise CVE-2026-20253 (+1, actively exploited).
OVERDUE — June 19: Joomla CE CVE-2026-48907 (+3) + SolarWinds CVE-2026-28318 (+3).
OVERDUE — June 18: LiteSpeed CVE-2026-54420 (+4).
OLDER OVERDUE: Oracle PS (+7), Ivanti (+8), Check Point (+11), Nx Console (+12), Mirasvit (+16), Android (+17), PAN-OS (+21).
Updates on Items from Previous Reports
Splunk CVE-2026-20253: Deadline passed. Patch today if you missed the Sunday deadline. See the dedicated advisory.
LiteLLM CVE-2026-42271: Deadline today. Multiple new LiteLLM CVEs add urgency.
Triple Deadline Tomorrow: Use today to prepare. Verify Chromium versions, stage Arista upgrades, restrict Cisco SD-WAN access.
North Korea Mastra AI, AryStinger, Prinz Eugen, Branda WP: All have dedicated advisories published in the June 21 batch.
Oracle CPU, F5 NGINX, FortiBleed: Patch deployment should be complete or nearing completion.
42 dedicated advisories published this period.
This report is compiled from official vendor advisories, the CISA KEV catalog, the NVD, and primary security research sources including BleepingComputer, The Hacker News, Security.nl, CybersecurityNews.com, Cybersecurity Dive, and Tenable CVE feeds.
