Vulnerability Intelligence Report — June 26, 2026
Coverage: June 1–26, 2026 | Total CISA KEV additions (period): 22 | New KEVs: 2 (Cisco UCM, PTC Windchill/FlexPLM) | KEV deadline TODAY: QUADRUPLE (Ubiquiti UniFi OS x3 + Lantronix EDS5000 — all BOD 26-04) | Next KEV deadlines: Cisco UCM + PTC (June 28), Cisco SD-WAN CVE-2026-20262 (June 29) | Total overdue KEVs: 19 once today’s quadruple deadline passes
Previous reports: June 25, 2026 | June 24, 2026
Friday, June 26, 2026 — the quadruple CISA KEV deadline arrives today for Ubiquiti UniFi OS (three CVSS 10.0 vulnerabilities) and Lantronix EDS5000, all under BOD 26-04’s 3-day mandate. As that deadline passes, CISA has added two new KEV entries: Cisco Unified Communications Manager CVE-2026-20230, confirming the active exploitation we reported yesterday, and PTC Windchill/FlexPLM CVE-2026-12569, a deserialization RCE in widely deployed industrial PLM software. Both carry a June 28 deadline, just two days from today. The biggest story of the day, however, is the cURL project: version 8.21.0 patches a record 18 vulnerabilities, including CVE-2026-8932, a flaw that has been in the codebase for over 25 years (since curl 7.7, March 2001). With an install base the project puts at over 20 billion devices (virtually every smartphone, tablet, car, TV, game console, and server), this is one of the broadest patch events in recent memory, even though none of the 18 is rated above medium severity. Elsewhere: Cacti’s network monitoring framework has a critical command injection (CVSS 9.8) because its escape_command() function literally does nothing, Quest NetVault Backup disclosed 8 vulnerabilities (SQL injection, command injection and XSS) chaining to RCE, OpenBSD has a local privilege escalation to root, and GitLab added 3 more CVEs. Microsoft Exchange has a new PoC exploit for an elevation of privilege vulnerability.
Quick Reference — Most Important Items Today
cURL 8.21.0: RECORD 18 vulnerabilities patched — including 25-year-old CVE-2026-8932 — install base of 20+ billion devices (project estimate), all low/medium severity
Cisco UCM CVE-2026-20230: ADDED TO CISA KEV — confirming our June 25 report — deadline June 28 under BOD 26-04
PTC Windchill/FlexPLM CVE-2026-12569: NEW CISA KEV — deserialization RCE in industrial PLM, deadline June 28
QUADRUPLE KEV DEADLINE TODAY: Ubiquiti UniFi OS CVE-2026-34908/34909/34910 (CVSS 10.0) + Lantronix EDS5000 CVE-2025-67038 — BOD 26-04
Cacti CVE-2026-40079: CVSS 9.8 command injection — escape_command() is a no-op, all versions ≤ 1.2.30 affected
Quest NetVault Backup: 8 CVEs (all CVSS 8.8) — SQL injection, command injection and XSS chaining to remote code execution
OpenBSD CVE-2026-57589: Local privilege escalation to root via use-after-free in SysV semaphores
GitLab: 3 new CVEs (CVE-2026-10086 XSS, CVE-2026-12053 info disclosure, CVE-2026-10712 XSS)
Microsoft Exchange: PoC exploit released for elevation of privilege vulnerability
After today: 19 overdue KEVs, next deadlines June 28 (Cisco UCM + PTC) and June 29 (Cisco SD-WAN)
cURL 8.21.0 — Record 18 Vulnerabilities Patched, Including 25-Year-Old Flaw
Software affected: cURL — the ubiquitous command-line tool (curl) and library (libcurl) for data transfer over network protocols. By the project’s own estimate it is installed on over 20 billion devices across more than 110 operating systems and 28 CPU architectures, and it is found in virtually every smartphone, tablet, car, TV, game console, and server.
Status: cURL maintainer Daniel Stenberg has released version 8.21.0, patching a record 18 vulnerabilities, the most ever fixed in a single cURL release. The previous record was 11 vulnerabilities patched in early 2016 following a Cure53 security audit. All 18 vulnerabilities are rated low or medium severity. The most notable is CVE-2026-8932, the oldest cURL vulnerability ever reported: it was introduced in cURL 7.7 on March 22, 2001, and has been present in the codebase for over 25 years. Stenberg noted that many of the newly discovered vulnerabilities were found using AI-assisted security tools. Exposure is not uniform: the fixes span multiple protocols and components within curl and libcurl, so a given application is exposed only to the flaws in the protocols and options its build enables and its code paths actually use. The aggregate still matters because of the install base: even a medium-severity bug in a library with 20 billion instances is a very large population to patch. Specific CVE identifiers and technical details are available in the cURL 8.21.0 changelog.
Recommended action: Update curl and libcurl to 8.21.0 across all systems. This is not a “drop everything” emergency, since no CVE in the set is rated critical or high, but the patch volume and the 25-year-old flaw make it a significant maintenance event. Linux distributions will push updated packages; note that long-term-support distributions often backport fixes without changing the upstream version number, so check the distribution’s security tracker rather than relying on the version string alone. For containerised deployments, rebuild every image that includes curl or libcurl, base images included. For embedded systems and IoT devices, coordinate with firmware vendors for updated builds. Audit your software supply chain: any application that links against libcurl needs the update, and applications that bundle their own copy of libcurl rather than using the system library will not be fixed by the OS package and need their own vendor update.
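As an added example (not code from the cURL project or this report), the following Python screens a host from the first line of `curl --version`, checking the curl tool version and the libcurl version it links separately, because applications use the library rather than the binary and the two can differ. The sample version lines are constructed, and 8.21.0 is taken from this report as the fixed release.

```python
"""Added example, not code from the cURL project: parse the first line of
`curl --version` and decide whether the tool or the libcurl it links is older
than the 8.21.0 fix release. The version strings below are constructed."""
from __future__ import annotations

import re
import subprocess

FIXED_RELEASE = (8, 21, 0)   # fix release named in the report


def parse_version(text: str) -> tuple[int, int, int]:
    """'8.21.0', '7.81.0-DEV' or '8.5' -> (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not a curl version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def fmt(v: tuple[int, int, int]) -> str:
    return ".".join(map(str, v))


def parse_curl_version_output(output: str) -> dict:
    """Extract the curl tool version and the libcurl version it reports.
    The first line looks like:
      curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 ...
    The two differ when a newer curl binary is dynamically linked against an
    older system libcurl; applications link libcurl, not the binary."""
    first = output.strip().splitlines()[0]
    fields = first.split()
    if len(fields) < 2 or fields[0] != "curl":
        raise ValueError(f"unexpected first line: {first!r}")
    lib = re.search(r"\blibcurl/(\d+\.\d+(?:\.\d+)?)", first)
    return {
        "tool": parse_version(fields[1]),
        "libcurl": parse_version(lib.group(1)) if lib else None,
    }


def assess(output: str, fixed: tuple[int, int, int] = FIXED_RELEASE) -> list[str]:
    """Return the reasons this host needs the update; an empty list means both
    the tool and libcurl are at or past the fix release."""
    info = parse_curl_version_output(output)
    findings = []
    if info["tool"] < fixed:
        findings.append(f"curl tool {fmt(info['tool'])} < {fmt(fixed)}")
    if info["libcurl"] is None:
        findings.append("libcurl version not reported; inspect the binary manually")
    elif info["libcurl"] < fixed:
        findings.append(f"libcurl {fmt(info['libcurl'])} < {fmt(fixed)}")
    return findings


def assess_local_host() -> list[str]:
    """Run the real `curl --version` on this machine; a missing or failing
    curl is reported as a finding rather than raising."""
    try:
        out = subprocess.run(["curl", "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError) as exc:
        return [f"could not run curl --version: {exc}"]
    return assess(out)


# Constructed samples (not captured from real hosts).
OLD_HOST = ("curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3\n"
            "Release-Date: 2023-12-06\n")
MIXED_HOST = "curl 8.21.0 (x86_64-pc-linux-gnu) libcurl/8.14.1 OpenSSL/3.0.13 zlib/1.3\n"
FIXED_HOST = "curl 8.21.0 (x86_64-pc-linux-gnu) libcurl/8.21.0 OpenSSL/3.0.13 zlib/1.3\n"

if __name__ == "__main__":
    for name, sample in [("old", OLD_HOST), ("mixed", MIXED_HOST), ("fixed", FIXED_HOST)]:
        print(f"{name:6}", assess(sample) or "ok")
    print("local ", assess_local_host() or "ok")
```

Treat an "older than 8.21.0" finding as a prompt, not proof: distributions that backport fixes keep the old version string, so confirm against the distribution's security tracker. The check also only sees the libcurl that the curl binary links; applications bundling their own libcurl have to be inventoried separately.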
Official source: cURL 8.21.0 Changelog | Security.nl Report
Cisco UCM CVE-2026-20230 + PTC Windchill CVE-2026-12569 — Two New CISA KEV Additions, Both Due June 28
Cisco Unified Communications Manager CVE-2026-20230: As we reported yesterday, security firm Defused confirmed active exploitation of this SSRF-to-RCE vulnerability in Cisco’s enterprise VoIP platform. CISA has now added it to the KEV catalog, confirming the exploitation and setting a June 28, 2026 deadline under BOD 26-04. The patch has been available since June 3 — organisations that have not yet patched are now three weeks behind on a confirmed KEV with active exploitation. WebDialer must be enabled for exploitation (disabled by default). Dedicated advisory published yesterday.
PTC Windchill and FlexPLM CVE-2026-12569: A critical remote code execution vulnerability via deserialization of untrusted data in PTC Windchill PDMlink and PTC FlexPLM — industrial product lifecycle management (PLM) software used by manufacturing, aerospace, automotive, and defence organisations. CISA KEV added June 25 — deadline June 28, 2026. PTC Windchill manages product data across the entire product lifecycle — compromise could expose intellectual property, manufacturing processes, and supply chain data. This is a high-value industrial target. PTC has published a security advisory with patching guidance. The vulnerability also affects all CPS (Creo Parametric Server) versions.
Recommended action: Patch Cisco UCM immediately — this is now a confirmed KEV with active exploitation and a 2-day deadline. For PTC Windchill/FlexPLM: apply patches per PTC advisory CS473270. Both carry June 28 BOD 26-04 deadlines. Organisations in manufacturing, aerospace, and defence should prioritise PTC patching given the sensitivity of PLM data.
Official source: CISA KEV Catalog | Cisco Advisory cisco-sa-cucm-ssrf-cXPnHcW | PTC Advisory CS473270
Cacti CVE-2026-40079 — Critical Command Injection: escape_command() Is a No-Op (CVSS 9.8)
Software affected: Cacti versions 1.2.30 and prior — the open-source network monitoring and fault management framework widely deployed in enterprise NOCs and data centres.
CVE: CVE-2026-40079 | CVSS 9.8 (CRITICAL) | CWE-88: Improper Neutralization of Argument Delimiters in a Command | The escape_command() function at lib/rrd.php is a literal no-op — it returns the $command parameter completely unchanged. The command line builder then passes unsanitized user input directly to the system shell. This is not a subtle bypass or a parsing error — the sanitization function simply does nothing.
Status: This is one of the most starkly simple critical vulnerabilities disclosed this period. Cacti’s escape_command() function was intended to sanitize shell commands before execution, but the implementation returns the input unchanged. Any attacker who can inject into a command string that passes through this function, which is the core RRDtool command builder, can execute arbitrary commands on the Cacti server as the account running the Cacti web process or poller. Whether that injection point is reachable without authentication is not stated here; treat any account that can edit graphs, data sources or templates as able to reach it. Cacti is deployed in network operations centres, data centres, and ISP environments where it holds SNMP credentials, network device configurations, and monitoring infrastructure. A compromised Cacti server therefore gives an attacker a privileged position inside the network management plane.
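The pattern above, re-created as an added Python illustration rather than Cacti's own PHP code: a pass-through escape function feeding a shell string, next to the two standard fixes (quote each user value as one argument, or skip the shell and pass an argv list). `echo` stands in for rrdtool, the graph-title payload is constructed, and nothing here is taken from the Cacti fix commit. It runs the three variants through a real /bin/sh so the difference is observable rather than asserted.

```python
"""Added illustration, not Cacti's code: the pass-through sanitiser pattern
described for CVE-2026-40079, re-created in Python so it runs here (Cacti is
PHP). `echo` stands in for rrdtool; the title payload is constructed."""
import shlex
import subprocess


def escape_command_noop(command: str) -> str:
    """The defect: meant to neutralise shell metacharacters, returns input unchanged."""
    return command


def run_unsafe(tool: str, title: str) -> str:
    """Vulnerable pattern: user data interpolated into one command string,
    'escaped' by the no-op, then executed through /bin/sh."""
    cmd = escape_command_noop(f'{tool} --title "{title}"')
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_quoted(tool: str, title: str) -> str:
    """Fix A: still a shell string, but each user value is quoted as a single
    word (shlex.quote here; escapeshellarg() is the PHP equivalent)."""
    cmd = f"{tool} --title {shlex.quote(title)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(tool: str, title: str) -> str:
    """Fix B (preferred): no shell at all, arguments passed as an argv list
    (PHP 7.4+ proc_open() accepts an array the same way)."""
    return subprocess.run([tool, "--title", title],
                          capture_output=True, text=True).stdout


MARKER = "INJECTED-BY-TITLE"
# Constructed graph title: closes the quoted --title value, runs a second
# command, then reopens a quote so the rest of the line stays syntactically valid.
PAYLOAD = f'CPU load"; echo {MARKER}; echo "'


def injected(stdout: str) -> bool:
    """True if the smuggled command ran on its own (marker alone on a line).
    When the title survives as a single argument the marker is embedded in the
    echoed title and never appears on its own line."""
    return any(line.strip() == MARKER for line in stdout.splitlines())


if __name__ == "__main__":
    for label, runner in [("no-op escape", run_unsafe),
                          ("quoted arg  ", run_quoted),
                          ("argv, no sh ", run_argv)]:
        verdict = "INJECTED" if injected(runner("echo", PAYLOAD)) else "safe"
        print(f"{label}: {verdict}")
```

The argv form is the one to reach for: it removes the shell from the path entirely, so there is no escaping function to get wrong in the first place. A quoting-based fix only holds while every interpolation site remembers to call it, which is the same class of mistake that a no-op sanitiser silently hides.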
Recommended action: Upgrade Cacti to the first release that contains the fix (check the Cacti release notes; 1.2.30 and earlier are affected). The fix is a one-line change in lib/rrd.php: escape_command() now actually escapes its input. Review the values that flow into RRDtool command lines (graph titles, data source and template names, and other user-editable fields that end up as rrdtool arguments) for shell metacharacters such as ;, |, &, backticks and $( ), and check the Cacti log and web-server logs around any hits. Restrict Cacti web interface access to trusted administrative networks.
Official source: Cacti GitHub Commit (Fix)
Quest NetVault Backup, OpenBSD, GitLab, Exchange — Critical Updates Across the Stack
Quest NetVault Backup — 8 CVEs (all CVSS 8.8): Quest NetVault Backup disclosed 8 vulnerabilities that chain to remote code execution through SQL injection, command injection and cross-site scripting. The CVEs cover multiple attack surfaces: NVBULogDaemon command injection (CVE-2026-9787), multiple SQL injection vectors in NVBUDashboard (CVE-2026-9786/7570), NVBULibrarySlot (CVE-2026-9785), NVBULibraryPort (CVE-2026-9784), NVBURemovableMedia (CVE-2026-9783), NVBUDeviceDrive (CVE-2026-9782), and XSS-based authentication bypass in addclient3 (CVE-2026-9780) and viewclient (CVE-2026-7569). NetVault is an enterprise backup and recovery platform: a backup server holds credentials for, and copies of, every system it protects, so compromise can expose backup data across the entire enterprise and is a common precursor to ransomware deployment. Apply Quest’s patches immediately and keep the NetVault management interface off networks reachable by ordinary users.
OpenBSD CVE-2026-57589 — Local Privilege Escalation to Root (CVSS 7.4): A use-after-free vulnerability in OpenBSD’s SysV semaphore implementation (sys/kern/sysv_sem.c) allows local privilege escalation to root. The bug is a use-after-free across a context switch: a pointer held across a tsleep() in sys_semget() can refer to memory freed while the thread sleeps. Affects all versions through OpenBSD 7.9. This is local-only, so it is a second-stage risk: an attacker who already has unprivileged code execution on the host, for instance through a compromised service account or a foothold on a bastion, can escalate to root. OpenBSD is widely used in security appliances, firewalls, and bastion hosts, which is exactly where that matters most. Apply the OpenBSD patch or upgrade, and reboot into the new kernel.
GitLab — 3 New CVEs: GitLab EE/CE has three new vulnerabilities: stored XSS (CVE-2026-10086, CVSS 8.7), information disclosure via logging (CVE-2026-12053, CVSS 8.6), and stored XSS in CE/EE (CVE-2026-10712, CVSS 8.0). Fixed in GitLab 18.11.6, 19.0.3, and 19.1.1. This brings the cumulative GitLab CVE count to 15 this period. Schedule GitLab upgrades — the patch train continues.
Microsoft Exchange — PoC Exploit Released: A proof-of-concept exploit has been released for an elevation of privilege vulnerability in Microsoft Exchange Server. The specific CVE identifier and affected Exchange versions are pending. Exchange remains one of the most targeted enterprise applications; until the CVE is identified, confirm that every Exchange server is on a supported Cumulative Update with the latest Security Update applied.
Recommended action: Patch NetVault Backup across all enterprise backup infrastructure. Apply OpenBSD kernel patch on all security appliances and bastion hosts. Schedule GitLab upgrade to 18.11.6/19.0.3/19.1.1. Apply all outstanding Exchange security updates.
KEV Deadline Watch
TODAY (June 26): QUADRUPLE — Ubiquiti UniFi OS CVE-2026-34908/34909/34910 + Lantronix EDS5000 CVE-2025-67038. All four: BOD 26-04 3-day mandate. DEADLINE.
June 28 (2 days): NEW — Cisco UCM CVE-2026-20230 (actively exploited) + PTC Windchill/FlexPLM CVE-2026-12569. Both BOD 26-04. ADDED YESTERDAY.
June 29 (3 days): Cisco SD-WAN CVE-2026-20262. Actively exploited. Dedicated advisory.
OVERDUE — June 23 (+3): TRIPLE — Chromium V8 CVE-2026-11645 + Arista EOS CVE-2026-7473 + Cisco SD-WAN CVE-2026-20245.
OVERDUE — June 22 (+4): LiteLLM CVE-2026-42271.
OVERDUE — June 21 (+5): Splunk CVE-2026-20253 (actively exploited).
OVERDUE — June 19 (+7): Joomla CE CVE-2026-48907 + SolarWinds CVE-2026-28318.
OVERDUE — June 18 (+8): LiteSpeed CVE-2026-54420.
OLDER OVERDUE: Oracle PS (+11), Ivanti (+12), Check Point (+15), Nx Console (+16), Mirasvit (+20), Android (+21), PAN-OS (+25).
After today: The quadruple deadline passes. Two new deadlines arrive June 28 (Cisco UCM + PTC), then Cisco SD-WAN June 29. The BOD 26-04 cadence has now produced 22 KEV additions in 26 days.
Updates on Items from Previous Reports
Cisco UCM CVE-2026-20230: Escalated from “actively exploited per Defused” in yesterday’s report to confirmed CISA KEV with June 28 deadline. Our prediction was correct — CISA acted within 24 hours. Dedicated advisory.
Quadruple KEV Deadline (Today): Ubiquiti UniFi OS + Lantronix EDS5000 deadline passes today. CISA and NCSC (Netherlands) confirm active exploitation of the Ubiquiti vulnerabilities. Organisations that have not patched are now operating past the BOD 26-04 deadline. Ubiquiti advisory | Lantronix advisory.
FortiBleed: 70,000+ Fortinet firewalls confirmed compromised. Updated advisory.
cURL: Record 18 vulnerabilities patched. 25-year-old flaw (CVE-2026-8932) finally fixed. Update to 8.21.0 across all systems — 20 billion device install base. Many vulns found by AI tools.
GitLab: Now 15 CVEs this period. Upgrade to 18.11.6, 19.0.3, or 19.1.1.
AI Framework Vulnerabilities: Four this period (Mastra, LiteLLM, AutoGen Studio, Flowise). Set against the cURL disclosure, where many of the 18 vulnerabilities were found with AI-assisted tools, the picture is two-sided: AI frameworks are shipping exploitable bugs while AI tooling is accelerating bug discovery in mature codebases.
Overdue KEVs: 19 total after today. Splunk CVE-2026-20253 and Cisco SD-WAN CVE-2026-20262 are actively exploited. PAN-OS is now 25 days past deadline.
49 dedicated advisories published this period. Cumulative Spring ecosystem CVEs: 35+. Cumulative GitLab CVEs: 15.
This report is compiled from official vendor advisories, the CISA KEV catalog, the NVD, and primary security research sources including BleepingComputer, The Hacker News, Security.nl, CybersecurityNews.com, Cybersecurity Dive, and Tenable CVE feeds.
