Vulnerability Intelligence Report — June 29, 2026
Coverage: June 1–29, 2026 | Total CISA KEV additions (period): 22 | New KEVs: 0 | KEV deadline TODAY: Cisco SD-WAN CVE-2026-20262 — THE FINAL ACTIVE KEV DEADLINE | After today: KEV calendar CLEARS — zero active deadlines remaining | Total overdue KEVs: 27
Previous reports: June 28, 2026 | June 27, 2026
Monday, June 29, 2026 — today marks the end of an era: Cisco SD-WAN CVE-2026-20262 is the final active CISA KEV deadline of this reporting period. After today, the KEV calendar fully clears — zero active deadlines remain, closing out a period that saw 22 KEV additions in 29 days under BOD 26-04’s accelerated 3-day mandate. The double KEV deadline from yesterday (PTC Windchill + Cisco UCM) has now passed, bringing the overdue count to 27 — the highest of the period. The Windows Secure Boot certificate expiry continues to unfold as organisations discover boot failures on unpatched systems. On the new vulnerability front, it is a quiet Monday: ANTLR4, the widely-used parser generator underpinning thousands of compilers and language tools (including Java, C#, Python, and SQL parsers), disclosed a code injection vulnerability in its grammar action block handler (CVE-2026-13500, CVSS 7.3) with a public exploit. While not a drop-everything emergency, ANTLR4’s position in the compiler toolchain makes this a notable development-tool supply chain concern — any organisation that generates code via ANTLR4 grammars from untrusted sources should review. The Gitea act_runner container escape (CVSS 9.9) and the Windows Secure Boot certificate expiry remain the most significant active items from the weekend.
Quick Reference — Most Important Items Today
Cisco SD-WAN CVE-2026-20262 — FINAL ACTIVE KEV DEADLINE TODAY — actively exploited, BOD 26-04 — after today, KEV calendar clears
KEV Period Retrospective: 22 additions in 29 days, BOD 26-04 3-day mandate, 27 overdue — the most aggressive KEV cadence on record
Gitea act_runner CVE-2026-58053: CVSS 9.9 container escape, public PoC — patch CI/CD runners immediately
Windows Secure Boot Certificate Expiry: Operational impact unfolding — boot failures on unpatched systems, apply UEFI firmware updates
ANTLR4 CVE-2026-13500: CVSS 7.3 code injection in grammar action blocks — public exploit, affects dev toolchain supply chain
Double KEV deadline (June 28): PTC Windchill + Cisco UCM — now overdue (+1)
After today: Zero active KEV deadlines. This reporting period is effectively complete.
Cisco SD-WAN CVE-2026-20262 — The Final Active KEV Deadline (TODAY)
Software affected: Cisco Catalyst SD-WAN Manager.
CVE: CVE-2026-20262 | CISA KEV deadline today — June 29, 2026 | Path traversal vulnerability enabling root-level access | Actively exploited | BOD 26-04 3-day mandate applies.
Status: Today is the deadline. This is the last active KEV of the reporting period — after today, the calendar fully clears. Cisco SD-WAN CVE-2026-20262 has been actively exploited in the wild. The path traversal vulnerability enables attackers to gain root-level access to the SD-WAN Manager, which controls routing policies, VPN configurations, and WAN optimisation across the enterprise network. Compromise of the SD-WAN Manager gives an attacker control over the entire wide-area network fabric.
Recommended action: Apply Cisco’s patch per the security advisory immediately. Restrict SD-WAN Manager access to trusted administrators only. This is the final BOD 26-04 deadline of the period.
Official source: CISA KEV Catalog | Cisco Security Advisory | Dedicated advisory
KEV Period Retrospective — 22 Additions in 29 Days Under BOD 26-04
With today’s Cisco SD-WAN deadline, the active KEV calendar for the June 2026 reporting period closes. This has been the most aggressive CISA KEV cadence since BOD 26-04 was established, and the data tells a clear story:
By the numbers:
22 CISA KEV additions in 29 days — an average of one new KEV every 1.3 days. Each addition carried a 3-day remediation deadline under BOD 26-04. 27 vulnerabilities are now overdue, including 4 that are actively exploited (Cisco SD-WAN, Splunk, plus today’s entries). The oldest overdue KEV — Palo Alto PAN-OS CVE-2026-0257 — is 28 days past deadline.
Vendors with the most KEV entries this period: Cisco led with 4 separate CVEs across Unified CM, SD-WAN Manager (x2), and IOS XE. Ubiquiti had 3 simultaneous CVSS 10.0 entries for UniFi OS — the most concentrated single-vendor KEV addition. Other repeat vendors included Oracle, Ivanti, Check Point, and Fortinet (through the FortiBleed campaign, though not directly KEV-catalogued).
Themes: AI framework vulnerabilities emerged as a new pattern — four separate frameworks compromised (Mastra supply chain, LiteLLM, Microsoft AutoGen Studio, Flowise AI). CI/CD and developer toolchain attacks featured prominently (Gitea act_runner, Nx Console, picklescan ML supply chain). Industrial and OT systems entered the KEV catalog (Lantronix EDS5000, PTC Windchill/FlexPLM). The Five Eyes joint advisory mid-period validated the accelerated timeline, explicitly calling for 3-day patching as the new operational baseline.
Operational realities: 27 overdue KEVs means that, on average, organisations are not meeting BOD 26-04’s 3-day mandate. The gap between policy and operational capability remains the defining challenge of the accelerated KEV era. cURL’s record 18-vulnerability release and the Windows Secure Boot certificate expiry both demonstrated that vulnerability management is no longer just about CVEs — operational events at internet scale demand the same urgency as actively exploited vulnerabilities.
What comes next: The KEV calendar sits at zero active deadlines for the first time in 29 days. This is a window to clear the 27-overdue backlog before the next wave of KEV additions. Cisco SD-WAN CVE-2026-20262 is the final entry — patch it today.
ANTLR4 CVE-2026-13500 — Code Injection in Parser Generator Toolchain (CVSS 7.3)
Software affected: ANTLR4 versions through 4.13.2 — the widely-used parser generator that converts grammar definitions into lexer/parser code in Java, C#, Python, JavaScript, Go, C++, and other languages.
CVE: CVE-2026-13500 | CVSS 7.3 (HIGH) | Code injection in the grammar action block handler (OutputFile.java). A remotely exploitable manipulation of grammar action blocks can lead to code injection. A public exploit is available. The vulnerability allows an attacker who can supply or modify an ANTLR4 grammar file to inject arbitrary code that executes during the code generation phase — before the generated parser is even compiled.
Status: ANTLR4 is embedded in thousands of compilers, linters, formatters, and code analysis tools. Any development pipeline that accepts grammar files from external sources and generates code via ANTLR4 is potentially affected. The CVSS 7.3 reflects the indirect attack path — an attacker needs to influence a grammar file — but the public exploit availability and ANTLR4’s position in the compiler toolchain make this a meaningful developer-tool supply chain concern. Organisations that build custom domain-specific languages, query parsers, or protocol parsers via ANTLR4 should review their grammar sourcing and code generation pipelines.
Recommended action: Upgrade ANTLR4 beyond 4.13.2 when a patched version is released. Review grammar sourcing — do not accept grammar files from untrusted sources. Audit code generation pipelines that use ANTLR4. For CI/CD pipelines that generate code from grammars: ensure generated code is reviewed before compilation.
Official source: VulDB Entry | Public Exploit
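One concrete form of the "review grammar sourcing / audit code generation pipelines" advice above, added here as an example that is not part of this report or of ANTLR4 itself: a scanner that lists every embedded code block in a .g4 grammar so a CI step can refuse the file, or route it to a reviewer, before the ANTLR tool ever runs on it. The sample grammar and the function names are constructed for the illustration.

```python
# Hypothetical pre-generation gate for ANTLR4 .g4 grammars (not ANTLR4's own code).
# Named actions (@header, @members ...), inline {...} actions and {...}? predicates are
# copied verbatim into the generated parser, so an untrusted grammar can carry code;
# find_embedded_code() lists every such block as (kind, line, snippet) for review.
import re
# Text allowed to precede a brace block: a named-action tag, or a config keyword.
BLOCK_HEAD = re.compile(r"(@(?:\w+::)?\w+|\boptions|\btokens|\bchannels)\s*$")

def _skip_quoted(text, i, closer):               # index just past the span opened at text[i]
    i += 1
    while i < len(text) and text[i] != closer:
        i += 2 if text[i] == "\\" else 1          # honour backslash escapes
    return i + 1

def find_embedded_code(grammar):
    found, i, n = [], 0, len(grammar)
    while i < n:
        if grammar.startswith(("//", "/*"), i):                 # comments are never code
            closer = "\n" if grammar[i + 1] == "/" else "*/"
            end = grammar.find(closer, i + 2)
            i = n if end < 0 else end + len(closer)
        elif grammar[i] == "'":                                 # token literal, e.g. '{'
            i = _skip_quoted(grammar, i, "'")
        elif grammar[i] == "[":                                 # lexer char set, e.g. [{}]
            i = _skip_quoted(grammar, i, "]")                   # (rule [args]/returns [] carry
        elif grammar[i] == "{":                                 #  target code too; not flagged)
            start, depth, i = i, 1, i + 1
            while i < n and depth:                              # match braces; string literals
                if grammar[i] in "\"'":                         # inside the action may hold { }
                    i = _skip_quoted(grammar, i, grammar[i])
                    continue
                depth += (grammar[i] == "{") - (grammar[i] == "}")
                i += 1
            head = BLOCK_HEAD.search(grammar[:start].rstrip())
            if head and not head.group(1).startswith("@"):
                continue                                        # options/tokens/channels config
            kind = ("named action " + head.group(1) if head else
                    "semantic predicate" if grammar[i:i + 1] == "?" else "inline action")
            found.append((kind, grammar.count("\n", 0, start) + 1, grammar[start:i].strip()))
        else:
            i += 1
    return found

SAMPLE = """grammar Calc;  // constructed sample, not a real project grammar
@header { import java.util.*; }   options { language = Java; }
expr : INT '{' {System.out.println("{");} ;   check : {true}? INT ;
INT : [0-9{}]+ ;   /* { not code } */"""

if __name__ == "__main__":                       # a CI step would exit non-zero on any hit
    print(*find_embedded_code(SAMPLE), sep="\n")
```

A block with unbalanced braces is reported as one action running to end of file, so a malformed grammar fails closed rather than slipping through; rule argument, returns and locals declarations in square brackets are not inspected by this scanner.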
Weekend Follow-Up — Gitea act_runner, Windows Secure Boot, Double KEV Deadline Passed
Gitea act_runner CVE-2026-58053 (CVSS 9.9): The critical container escape vulnerability in Gitea’s CI/CD runner continues to be the highest-severity active item. Public PoC available. Upgrade act_runner immediately. Rotate CI/CD secrets. Dedicated advisory.
Windows Secure Boot Certificate Expiry: The operational impact of the Microsoft KEK CA 2011 and UEFI CA 2011 expirations (June 24 and 27) continues to unfold. Organisations are reporting boot failures on systems that have not received UEFI firmware updates. This is infrastructure maintenance at planetary scale — apply manufacturer firmware updates. Linux distributions using shim must also be updated. Operational advisory.
Double KEV Deadline Passed (June 28): PTC Windchill CVE-2026-12569 (webshells deployed, IoCs published) and Cisco UCM CVE-2026-20230 are now 1 day overdue. Organisations past the BOD 26-04 deadline should patch immediately. PTC advisory | Cisco UCM advisory.
KEV Deadline Watch — FINAL EDITION
TODAY (June 29): Cisco SD-WAN CVE-2026-20262. Actively exploited. FINAL ACTIVE KEV DEADLINE OF THE PERIOD.
AFTER TODAY: KEV calendar CLEARS — zero active deadlines. END OF ACTIVE KEV CYCLE.
OVERDUE — June 28 (+1): DOUBLE — PTC Windchill CVE-2026-12569 + Cisco UCM CVE-2026-20230.
OVERDUE — June 26 (+3): QUADRUPLE — Ubiquiti UniFi OS CVE-2026-34908/34909/34910 + Lantronix EDS5000 CVE-2025-67038.
OVERDUE — June 23 (+6): TRIPLE — Chromium V8 + Arista EOS + Cisco SD-WAN CVE-2026-20245.
OVERDUE — June 22 (+7): LiteLLM CVE-2026-42271.
OVERDUE — June 21 (+8): Splunk CVE-2026-20253 (actively exploited).
OLDER OVERDUE: Joomla CE +10, SolarWinds +10, LiteSpeed +11, Oracle PS +14, Ivanti +15, Check Point +18, Nx Console +19, Mirasvit +23, Android +24, PAN-OS +28.
Total overdue after today: 27. This is the window to clear the backlog before the next KEV cycle begins.
Updates on Items from Previous Reports
Cisco SD-WAN CVE-2026-20262: Deadline today — the final entry. Dedicated advisory.
Double KEV Deadline Passed (June 28): PTC Windchill (webshells, IoCs) + Cisco UCM — now overdue. PTC | Cisco UCM.
Gitea act_runner CVE-2026-58053 (CVSS 9.9): Still the highest-severity active item. Public PoC. Advisory.
Windows Secure Boot: Certificate expiry impact unfolding. Advisory.
Node.js June 2026: CVE-2026-48930 (CVSS 9.8). Advisory.
FortiBleed: 70,000+ Fortinet firewalls. Updated advisory.
cURL 8.21.0: Rollout continues. Advisory.
60 dedicated advisories published this period. The KEV calendar clears today. This reporting period is effectively complete.
This report is compiled from official vendor advisories, the CISA KEV catalog, the NVD, and primary security research sources including BleepingComputer, The Hacker News, Security.nl, CybersecurityNews.com, Cybersecurity Dive, and Tenable CVE feeds. This marks the final report of the June 2026 reporting period with active KEV deadlines.
