Stay ahead of emerging threats with expert analysis from 142 published security articles, vulnerability reports, and cybersecurity insights — updated daily with the latest CVEs, threat actor campaigns, and security advisories. As of Sunday, June 14, 2026, the most urgent items for production stacks: the Oracle PeopleSoft zero-day CVE-2026-35273 is being used by the ShinyHunters extortion crew to break into more than 100 universities — a zero-day means a flaw the vendor had no patch ready for when attacks began, so the only defense is applying Oracle's emergency fix the moment it lands and watching for unfamiliar logins. Google has shipped an emergency patch for the Chrome V8 zero-day CVE-2026-11645, already under active exploitation through nothing more than a booby-trapped web page, so update every browser in your business today. The LiteLLM flaw CVE-2026-42271 has landed on the CISA Known Exploited Vulnerabilities (KEV) catalog — the U.S. government's list of bugs confirmed to be under real-world attack — and lets intruders run their own code on exposed AI gateways, the servers that broker requests between your apps and AI models. The Langflow bug CVE-2026-5027 is a path-traversal flaw — one that tricks a server into reaching files outside its intended folder — letting unauthenticated attackers plant code on roughly 7,000 internet-exposed AI servers. And the "Velvet Ant" espionage group quietly backdoored Linux PAM and OpenSSH — the components that handle logins on most Linux servers — to live undetected inside a single network for nearly a decade, a reminder that intrusion detection matters as much as patching. If your business runs Oracle PeopleSoft, Chrome, self-hosted AI tooling like LiteLLM or Langflow, or Linux servers, these advisories require action now — start with the article-level remediation steps below.
Palo Alto Networks confirmed active exploitation of CVE-2026-0257, an authentication bypass in PAN-OS GlobalProtect that lets attackers establish unauthorized VPN sessions without credentials. CVSS 7.8, added to CISA KEV, patches available across all supported branches.
ShinyHunters spent two weeks ransacking universities through an unauthenticated RCE in Oracle PeopleSoft's Environment Management Hub. CVE-2026-35273 carries a CVSS of 9.8, hit 100-plus orgs including the University of Nottingham, and Oracle only published a patch on June 10 after the campaign was already done.
Read moreShinyHunters weaponized an unauthenticated 9.8 CVSS RCE in Oracle PeopleSoft PeopleTools (CVE-2026-35273) as a zero-day from May 27 through June 9, breaching the University of Nottingham and over a hundred mostly higher-education organizations before Oracle issued an out-of-band advisory on June 10.
Read moreA path traversal flaw in Langflow's POST /api/v2/files endpoint allows unauthenticated attackers to write files anywhere the platform process can reach, opening a clean route to remote code execution on the roughly seven thousand exposed instances Censys is currently tracking. Tenable disclosed CVE-2026-5027 in late March, the maintainers shipped a fix in version 1.10.0 on June 10, and VulnCheck honeypots are catching exploitation right now. Patch immediately or pull the instance off the public internet.
Read moreGoogle confirmed active in the wild exploitation of CVE-2026-11645, an out-of-bounds read and write vulnerability in Chrome V8 with a CVSS score of 8.8. The fifth Chrome zero day patched in 2026 lets attackers run code inside the browser sandbox via a crafted HTML page. Update to Chrome 149.0.7827.102 or .103 immediately and force a relaunch across the fleet.
Read moreLiteLLM CVE-2026-42271 chained with Starlette CVE-2026-48710 (BadHost) creates an unauthenticated RCE path scoring CVSS 10.0 against AI gateways. CISA added the flaw to the KEV catalog after confirming active exploitation. Patch LiteLLM 1.83.7 and Starlette 1.0.1 immediately or block the vulnerable MCP test endpoints at your reverse proxy.
Read moreCisco's June 3 advisory for CVE-2026-20230 details a critical-rated SSRF in the Unified Communications Manager WebDialer service, with a CVSS 8.6 base score and a public proof-of-concept already in circulation. An unauthenticated attacker on the network can write arbitrary files to the underlying OS and chain that into root. Cisco has released fixes in 14SU6 and an interim COP for the 15 line, with 15SU5 due in September 2026. Disabling WebDialer is the recommended interim mitigation.
Read moreCisco confirmed active exploitation of CVE-2026-20245, an unpatched command injection flaw in Catalyst SD-WAN Manager that lets authenticated attackers escalate to root and push malicious configurations to edge devices. The CVSS 7.8 bug is the seventh exploited SD-WAN zero-day since 2023 and chains with two prior auth bypass vulnerabilities to enable full remote takeover. No patch is available.
Read moreCisco patched CVE-2026-20230, an unauthenticated SSRF in the Unified Communications Manager WebDialer Web Service that lets remote attackers write arbitrary files and escalate to root. Public proof-of-concept code is already circulating. CVSS 8.6 with a Critical Security Impact Rating from Cisco PSIRT. Version 14SU6 is fixed, but the 15 train waits until September 2026 for 15SU5 with only an interim COP patch available now.
Read moreCISA added CVE-2026-45247, a CVSS 9.8 PHP object deserialization flaw in the Mirasvit Full Page Cache Warmer extension for Adobe Commerce and Magento, to its Known Exploited Vulnerabilities catalog after Imperva confirmed active unauthenticated RCE attacks against gaming and business storefronts in the US, UK, France, and Australia. Patch to version 1.11.12 or disable the extension immediately.
Read moreA newly disclosed HTTP/2 vulnerability dubbed HTTP/2 Bomb lets a single client on a residential connection exhaust 32 gigabytes of server memory in under twenty seconds. The flaw, tracked as CVE-2026-49975 for Apache httpd, affects NGINX, Apache, Microsoft IIS, Envoy, and Cloudflare Pingora. NGINX and Apache shipped fixes. IIS, Envoy, and Pingora remain unpatched as of public disclosure on June 2, 2026.
Read moreAn authentication bypass flaw in PAN-OS GlobalProtect portal and gateway (CVE-2026-0257, CVSS 9.1) is under active exploitation. Rapid7 confirmed in-the-wild attacks beginning May 17, and the CISA federal remediation deadline expired June 1. Patches and workarounds are available across PAN-OS 10.2, 11.1, 11.2, and 12.1 branches.
Read moreA CVSS 9.8 unauthenticated admin account creation flaw in the WP Maps Pro WordPress plugin (CVE-2026-8732) is under active mass exploitation. Wordfence blocked 2,858 attempts and Defiant blocked more than 3,600 within a single 24 hour window. The bug abuses a vendor-support shortcut to mint administrator accounts via an unauthenticated AJAX endpoint. All versions through 6.1.0 are vulnerable. Patch to 6.1.1 and hunt for rogue admins emailed support@flippercode.com.
Read moreA GlobalProtect authentication override flaw in PAN-OS lets unauthenticated attackers forge session cookies and walk into the VPN. Rapid7 observed two waves of in the wild exploitation in May, CISA added the bug to the KEV catalog on May 29 with a June 1 federal deadline, and Palo Alto Networks has confirmed active exploitation against unpatched devices.
Read moreThreat actors are abusing CVE-2026-35616, a CVSS 9.1 pre-authentication API bypass in FortiClient EMS, to hijack endpoint management consoles and push the newly identified EKZ infostealer to every managed endpoint disguised as FortiEndpoint_Patch.exe. Patch to 7.4.7 immediately and hunt for indicators in EMS logs and on managed hosts.
Read moreMicrosoft patched CVE-2026-45659, an 8.8 CVSS deserialization remote code execution flaw in SharePoint Server Subscription Edition, 2019, and 2016. The bug only requires Site Member privileges, a trivially low bar given SharePoint history of being weaponized for mass exploitation.
Read moreThreat actors are mass-exploiting CVE-2026-26980, a critical SQL injection bug in Ghost CMS, to harvest Admin API keys and inject ClickFix malware loaders into more than 700 hijacked sites including Harvard, Oxford, Auburn, and DuckDuckGo. A patch has been available in version 6.19.1 since February.
Read moreA CVSS 10.0 zero-day in the LiteSpeed User-End cPanel Plugin lets any authenticated cPanel user execute arbitrary scripts as root via the lsws.redisAble JSON-API endpoint. LiteSpeed confirms active in-the-wild exploitation. Plugin versions 2.3 through 2.4.4 are vulnerable, with the fix shipped in 2.4.7.
Read moreDrupal disclosed SA-CORE-2026-004 (CVE-2026-9082), a Highly Critical SQL injection in the core database abstraction API that lets unauthenticated attackers escalate privileges and reach remote code execution on PostgreSQL-backed sites. Imperva is tracking 15,000+ attack attempts against nearly 6,000 sites across 65 countries. CISA added the bug to KEV on May 22 with a federal patch deadline of May 27, 2026.
Read moreCisco disclosed CVE-2026-20223, a maximum severity CVSS 10.0 flaw in Secure Workload that allows unauthenticated remote attackers to gain Site Admin privileges by sending crafted requests to internal REST API endpoints. The vulnerability crosses tenant boundaries on both SaaS and on-premises deployments, has no workarounds, and is fixed in releases 3.10.8.3 and 4.0.3.17.
Read moreOur CyberOne MobileAssess platform performs deep static analysis, source code decompilation, and runtime security testing for iOS and Android apps. From one-time assessments to year-long continuous testing, we find what surface-level scanners miss.
Subscribe to our newsletter and get the latest security insights delivered to your inbox.
