Vulnerability Intelligence Report — June 19, 2026

Coverage: June 1–19, 2026 | Total CISA KEV additions (period): 16 | New KEVs: 1 (Splunk) | KEV deadlines TODAY: Joomla CE + SolarWinds Serv-U | Next KEV: Splunk (Sunday June 21) | LiteSpeed deadline passed | Overdue KEVs: 8

Today — Friday, June 19, 2026 — carries a double CISA KEV remediation deadline: Joomla Content Editor CVE-2026-48907 and SolarWinds Serv-U CVE-2026-28318. LiteSpeed cPanel’s deadline passed yesterday, becoming the 8th overdue KEV.

CISA added a significant new KEV yesterday: Splunk Enterprise CVE-2026-20253 — an unauthenticated file creation/truncation vulnerability via PostgreSQL sidecar — with a tight Sunday deadline (June 21). This is a rare weekend KEV and a critical concern for every Splunk deployment.

On the threat intelligence front: law enforcement took down nearly 15,000 SocGholish-infected sites tied to Evil Corp in a coordinated multinational operation, the ShapedPlugin WordPress update flow was compromised in yet another supply-chain attack, a new “Gentlemen” ransomware variant deploys multiple EDR killers to disable endpoint defenses, and CISA issued a formal warning to Fortinet users following the FortiBleed credential leak. The Oracle CPU and F5 NGINX stories from yesterday continue to demand patching attention.


Quick Reference — Most Important Items Today

Splunk Enterprise: CVE-2026-20253 (NEW CISA KEV, due Sunday June 21 — 2 days, unauthenticated file create/truncate via PostgreSQL sidecar)

Joomla Content Editor: CVE-2026-48907 (CISA KEV DEADLINE TODAY — patch Joomla JCE immediately)

SolarWinds Serv-U: CVE-2026-28318 (CISA KEV DEADLINE TODAY — patch to 15.5.4 Hotfix 1+)

ShapedPlugin: WordPress update flow compromised in supply-chain attack — another WP ecosystem compromise

SocGholish/Evil Corp: Law enforcement dismantles 15,000 infected sites — major takedown operation

Gentlemen Ransomware: New variant deploying multiple EDR killers — review endpoint defense coverage

Oracle CPU July 2026: Patch deployment ongoing — PeopleSoft CVE-2026-35278 (9.8) is priority #1

F5 NGINX: Out-of-band critical patches — deploy across all NGINX instances

CISA FortiBleed: Formal warning issued — secure Fortinet devices per advisory

Overdue KEV: LiteSpeed +1 | Oracle PS +4 | Ivanti +5 | Check Point +8 | Nx Console +9 | Mirasvit +13 | Android +14 | PAN-OS +18


Splunk Enterprise — CVE-2026-20253 (New CISA KEV, Due Sunday June 21)

Software affected: Splunk Enterprise — widely deployed SIEM and log analytics platform.

CVE: CVE-2026-20253 | NEW CISA KEV — added June 18, due Sunday June 21, 2026 | Missing authentication for critical function (CWE-306) | Unauthenticated attacker can create or truncate arbitrary files through a PostgreSQL sidecar service endpoint | BOD 26-04 3-day mandate applies.

Status: This is a critical concern for the security operations community. Splunk is the SIEM of record for many enterprises — a compromised Splunk instance means attackers can blind the security monitoring infrastructure. The PostgreSQL sidecar endpoint vulnerability means an unauthenticated attacker with network access can write arbitrary files, potentially leading to remote code execution or data destruction. The Sunday deadline means patching must happen today or this weekend. Internet-facing Splunk management interfaces are directly exposed.

Recommended action: Apply Splunk patch per SVD-2026-0603 immediately — do not wait until Sunday. Restrict network access to Splunk management interfaces and the PostgreSQL sidecar endpoint. Audit Splunk logs for unauthorised file operations. Verify SIEM functionality after patching.

Official source: Splunk Advisory SVD-2026-0603 | CISA KEV Catalog


Double KEV Deadline Today — Joomla CE + SolarWinds Serv-U

Joomla Content Editor CVE-2026-48907: KEV deadline today. Unauthenticated PHP upload and execution via editor profile creation. Update JCE to the latest version (see the dedicated advisory). Check Joomla installations for unexpected admin accounts and PHP files.

SolarWinds Serv-U CVE-2026-28318: KEV deadline today. Unauthenticated DoS via crafted POST with Content-Encoding: deflate header. Upgrade to 15.5.4 Hotfix 1 or later. Monitor for Serv-U service crashes as an indicator of exploitation attempts.

LiteSpeed cPanel CVE-2026-54420: Deadline passed yesterday, now 1 day overdue. Upgrade WHM Plugin to 5.3.2.0+ immediately (see the dedicated advisory).


ShapedPlugin WordPress Supply-Chain Attack + 15K SocGholish Takedown

ShapedPlugin Update Flow Compromise: The update mechanism for ShapedPlugin WordPress products has been compromised in a supply-chain attack, enabling malicious code distribution to sites using automatic updates from the vendor’s infrastructure. This is the third WordPress ecosystem supply-chain attack in this reporting period alone — following UpdraftPlus (CVE-2026-10795) and OptinMonster CDN attacks. Organisations using ShapedPlugin products should immediately verify plugin integrity, disable automatic updates until the vendor confirms the update flow is secured, and audit for indicators of compromise.

15,000 SocGholish Sites Dismantled: In a coordinated multinational law enforcement operation, nearly 15,000 websites infected with the SocGholish malware framework — attributed to the Evil Corp cybercrime group — have been cleaned or taken offline. SocGholish is a social-engineering-driven malware dropper that typically masquerades as browser update prompts. This is one of the largest malware infrastructure takedowns in recent years. Organisations should still maintain browser-update security awareness training as SocGholish infrastructure will inevitably be rebuilt.


Gentlemen Ransomware, PTC Windchill, CISA FortiBleed, and Oracle CPU Follow-up

Gentlemen Ransomware — Multiple EDR Killers: A new ransomware variant tracked as “Gentlemen” deploys multiple endpoint detection and response (EDR) killer tools before encryption. The malware attempts to disable or bypass EDR products from multiple vendors simultaneously, increasing the probability of successful defense evasion. Review EDR tamper protection settings and ensure EDR agents are configured with maximum anti-tampering controls. Test EDR resilience against known killer tools.

PTC Windchill CVE-2026-12569 — CRITICAL RCE: Critical remote code execution in PTC Windchill PDMLink and FlexPLM, product lifecycle management software used in manufacturing and retail supply chains. Industrial and PLM systems are increasingly targeted. Apply vendor patches immediately.

CISA FortiBleed Warning: CISA has issued a formal advisory following the FortiBleed credential leak. The agency is directing all organisations using Fortinet VPN appliances to rotate credentials, enforce MFA, and upgrade firmware. This formal CISA advisory elevates FortiBleed from an incident report to an official government-directed action item.

Oracle CPU: Patch deployment should be well underway. PeopleSoft CVE-2026-35278 (9.8) is the highest priority given active ShinyHunters exploitation of the PeopleSoft attack surface. See the Oracle CPU advisory.

F5 NGINX: Patches for 4 CVEs, including 2 CRITICALs. NGINX is ubiquitous, so verify deployment across web, proxy, and Kubernetes ingress. See the NGINX advisory.


KEV Deadline Watch

TODAY (June 19): Joomla Content Editor CVE-2026-48907 + SolarWinds Serv-U CVE-2026-28318. Double deadline.

June 21 — Sunday (2 days): Splunk Enterprise CVE-2026-20253. NEW KEV. Weekend deadline.

June 22 (3 days): BerriAI LiteLLM CVE-2026-42271.

June 23 (4 days): Chromium V8 CVE-2026-11645 / Arista EOS CVE-2026-7473 / Cisco SD-WAN CVE-2026-20245.

June 29 (10 days): Cisco SD-WAN CVE-2026-20262. Actively exploited.

OVERDUE — June 18: LiteSpeed cPanel CVE-2026-54420 (+1 day).

OVERDUE — June 15: Oracle PeopleSoft CVE-2026-35273 (+4 days, ransomware).

OVERDUE — June 14: Ivanti Sentry CVE-2026-10520 (+5 days).

OVERDUE: Check Point (+8), Nx Console (+9), Mirasvit (+13), Android (+14), PAN-OS (+18).


Updates on Items from Previous Reports

Splunk CVE-2026-20253: New CISA KEV — weekend deadline. Patch today. Dedicated advisory pending.

Joomla + SolarWinds: Double KEV deadline today. Both dedicated advisories published.

LiteSpeed CVE-2026-54420: Deadline passed yesterday. Now 1 day overdue.

Oracle CPU: Deployment should be in progress. PeopleSoft CVE-2026-35278 is the #1 patching priority across the entire Oracle CPU.

F5 NGINX: Out-of-band patches deployed — verify coverage across all NGINX instances.

FortiBleed: CISA formal warning issued. Rotate Fortinet VPN credentials, enforce MFA.

ShinyHunters campaign: Now 3+ confirmed victims. PeopleSoft remains the primary attack vector.

32 dedicated advisories published this period.


This report is compiled from official vendor advisories, the CISA KEV catalog, the NVD, and primary security research sources including BleepingComputer, The Hacker News, Security.nl, CybersecurityNews.com, Cybersecurity Dive, and Tenable CVE feeds.
