Broad Advisory Owner Queue Leads 12 June Cyber Checks
Finding 1: CVE-2026-10087 - GitLab WID-SEC-2026-1886 / CERTFR-2026-AVI-0733 vulnerability batch
Confidence: Medium
GitLab owners should review the BSI and CERT-FR advisory scope and match affected versions against managed instances. Treat this as a patch-routing item unless local exposure or exploitation evidence changes the priority.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1886 ; https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0733/.
Finding 2: CVE-2026-20251 - Splunk Enterprise WID-SEC-2026-1877 / CERTFR-2026-AVI-0736 patch batch
Confidence: Medium
Splunk Enterprise and SOAR owners should compare affected versions with the BSI, CERT-FR, and SecurityWeek references. Prioritise environments where Splunk has broad log access or automation privileges.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1877 ; https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0736/ ; https://www.securityweek.com/splunk-palo-alto-networks-patch-severe-vulnerabilities/.
Finding 3: CVE-2026-47342 / CVE-2026-50223 - Apache OFBiz template/code injection cluster
Confidence: Low / Unverified
Confirm product presence, exposure, and fixed-version status before wider escalation. The evidence supports advisory review and asset validation, not an active-exploitation claim.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1888.
Finding 4: CVE-2026-53435 - Jenkins WID-SEC-2026-1884 vulnerability batch
Confidence: Low / Unverified
Confirm product presence, exposure, and fixed-version status before wider escalation. The evidence supports advisory review and asset validation, not an active-exploitation claim.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1884.
Finding 5: CVE-2026-48020 - Traefik StripPrefix route-level auth bypass
Confidence: Medium
Traefik routes using StripPrefix and route-level authentication need a configuration review. The immediate check is whether authentication assumptions change after path rewriting.
Sources: https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0738/ ; https://github.com/advisories/GHSA-xf64-8mw2-4gr2.
Finding 6: CVE-2026-50245 - CISA ICS Brickcom Cameras ICSA-26-162-03
Confidence: Low / Unverified
Asset owners should confirm whether the product is present and whether management paths are exposed. Keep the language in validation mode because the daily intelligence does not establish active exploitation.
Sources: https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-03.
Finding 7: CVE-2026-42947 - CISA ICS Naxclow IoT Platform ICSA-26-162-02
Confidence: Low / Unverified
Asset owners should confirm whether the product is present and whether management paths are exposed. Keep the language in validation mode because the daily intelligence does not establish active exploitation.
Sources: https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-02.
Finding 8: CVE-2026-10557 - CISA ICS Yarbo mobile application/cloud infrastructure ICSA-26-162-01
Confidence: Low / Unverified
Asset owners should confirm whether the product is present and whether management paths are exposed. Keep the language in validation mode because the daily intelligence does not establish active exploitation.
Sources: https://www.cisa.gov/news-events/ics-advisories/icsa-26-162-01.
Finding 9: CVE-2026-21837 - HCL Digital Experience OS command injection
Confidence: Low / Unverified
Confirm product presence, exposure, and fixed-version status before wider escalation. The evidence supports advisory review and asset validation, not an active-exploitation claim.
Sources: https://nvd.nist.gov/vuln/detail/CVE-2026-21837.
Finding 10: CVE-2026-46444 - Flowise vector-store CRUD authorization bypass
Confidence: Medium
Flowise deployments should move to 3.1.2 or later and review workspace boundaries. Pay special attention to vector-store APIs and evaluator create or update permissions.
Sources: https://nvd.nist.gov/vuln/detail/CVE-2026-46444 ; https://github.com/advisories/GHSA-hmg2-jjjx-jcp2 ; https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.1.2.
Finding 11: CVE-2026-46480 - Flowise evaluator cross-workspace mass assignment
Confidence: Medium
Flowise deployments should move to 3.1.2 or later and review workspace boundaries. Pay special attention to vector-store APIs and evaluator create or update permissions.
Sources: https://nvd.nist.gov/vuln/detail/CVE-2026-46480 ; https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-wxrr-jp8m-qq7f ; https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.1.2.
Finding 12: CVE-2026-11401 - AWS Advanced Go Wrapper privilege escalation in Aurora PostgreSQL
Confidence: Low / Unverified
Confirm product presence, exposure, and fixed-version status before wider escalation. The evidence supports advisory review and asset validation, not an active-exploitation claim.
Sources: https://github.com/advisories/GHSA-r236-5pc3-3qcp.
Finding 13: CVE-2026-25559 - OpenBullet2 path traversal to file write/delete and possible RCE
Confidence: Medium
OpenBullet2 exposure should be treated cautiously because the items touch file operations, command execution, and job configuration. Start by finding instances through 0.3.2 and removing exposed access.
Sources: https://nvd.nist.gov/vuln/detail/CVE-2026-25559 ; https://www.vulncheck.com/advisories/openbullet2-path-traversal-via-wordlist-endpoint.
Finding 14: CVE-2026-25855 - OpenBullet2 FileProxySource authenticated command execution
Confidence: Low / Unverified
OpenBullet2 exposure should be treated cautiously because the items touch file operations, command execution, and job configuration. Start by finding instances through 0.3.2 and removing exposed access.
Sources: https://nvd.nist.gov/vuln/detail/CVE-2026-25855.
Finding 15: CVE-2026-25856 - OpenBullet2 plain C# job configuration RCE
Confidence: Low / Unverified
OpenBullet2 exposure should be treated cautiously because the items touch file operations, command execution, and job configuration. Start by finding instances through 0.3.2 and removing exposed access.
Sources: https://nvd.nist.gov/vuln/detail/CVE-2026-25856.
Finding 16: CVE-2026-48053 - Kolibri unauthenticated SSRF in RemoteFacilityUserViewset
Confidence: Low / Unverified
Confirm product presence, exposure, and fixed-version status before wider escalation. The evidence supports advisory review and asset validation, not an active-exploitation claim.
Sources: https://github.com/advisories/GHSA-4mj9-pf4r-cqrc.
Finding 17: CVE-2026-21032 - Samsung Assistant SmartHomeWidgetReceiver exported component script execution
Confidence: Low / Unverified
Confirm product presence, exposure, and fixed-version status before wider escalation. The evidence supports advisory review and asset validation, not an active-exploitation claim.
Sources: https://nvd.nist.gov/vuln/detail/CVE-2026-21032.
Finding 18: CVE-2026-48059 - Netty HAProxy TLV parsing memory exhaustion
Confidence: Low / Unverified
Confirm product presence, exposure, and fixed-version status before wider escalation. The evidence supports advisory review and asset validation, not an active-exploitation claim.
Sources: https://github.com/advisories/GHSA-h2qv-fj59-j46j.
Finding 19: CVE-2026-48096 - OpenFGA iterator cache-key delimiter injection
Confidence: Low / Unverified
Confirm product presence, exposure, and fixed-version status before wider escalation. The evidence supports advisory review and asset validation, not an active-exploitation claim.
Sources: https://github.com/advisories/GHSA-8396-jffm-qx4w.
Finding 20: CVE-2026-46490 - samlify XML injection in signed SAML assertions
Confidence: Medium
Teams using samlify should upgrade to 2.13.0 or later and review SAML attribute-to-role mapping. The concern is signed assertion handling, so identity impact depends on deployment context.
Sources: https://nvd.nist.gov/vuln/detail/CVE-2026-46490 ; https://github.com/advisories/GHSA-34r5-q4jw-r36m.
Finding 21: CVE-2026-49233 - Routinator rsync cache path traversal
Confidence: Medium
Routinator operators should upgrade to 0.15.2 and check rsync, RRDP, and API exposure. These items matter because RPKI tooling sits close to routing trust decisions even when the immediate impact is cache traversal or crashes.
Sources: https://www.nlnetlabs.nl/news/2026/Jun/08/routinator-0.15.2-released/ ; https://nvd.nist.gov/vuln/detail/CVE-2026-49233.
Finding 22: CVE-2026-40519 - Nginx Proxy Manager authenticated command injection in setupCertbotPlugins()
Confidence: Medium
Nginx Proxy Manager administrators should inventory versions 2.9.14 through 2.15.1 and restrict certificate-management permissions. Authenticated command injection belongs in the admin-plane queue.
Sources: https://nvd.nist.gov/vuln/detail/CVE-2026-40519 ; https://github.com/advisories/GHSA-4pgp-q8h4-9wxm ; https://github.com/NginxProxyManager/nginx-proxy-manager/commit/a5db5ed156355e3088e7d1ceb0533d4bae922def.
Finding 23: CVE-2026-49234 - Routinator API crash on crafted select-asn string
Confidence: Medium
Routinator operators should upgrade to 0.15.2 and check rsync, RRDP, and API exposure. These items matter because RPKI tooling sits close to routing trust decisions even when the immediate impact is cache traversal or crashes.
Sources: https://www.nlnetlabs.nl/news/2026/Jun/08/routinator-0.15.2-released/ ; https://nvd.nist.gov/vuln/detail/CVE-2026-49234.
Finding 24: CVE-2026-49235 - Routinator RRDP DTD crash
Confidence: Medium
Routinator operators should upgrade to 0.15.2 and check rsync, RRDP, and API exposure. These items matter because RPKI tooling sits close to routing trust decisions even when the immediate impact is cache traversal or crashes.
Sources: https://www.nlnetlabs.nl/news/2026/Jun/08/routinator-0.15.2-released/ ; https://nvd.nist.gov/vuln/detail/CVE-2026-49235.
Finding 25: CVE-2026-48681 / CVE-2026-46447 / CVE-2026-44917 - OpenStack Ironic conductor file overwrite, boot script injection, and PXE template file read
Confidence: Medium
Private-cloud teams should patch Ironic packages under Ubuntu USN-8421-1 and review conductor integrity. The cluster spans file overwrite, boot script injection, and PXE template file read paths.
Sources: https://ubuntu.com/security/notices/USN-8421-1 ; https://nvd.nist.gov/vuln/detail/CVE-2026-48681.
Finding 26: CVE-2026-11555 - D-Link DGS-1100-08PD web interface least-privilege violation
Confidence: Low / Unverified
Asset owners should confirm whether the product is present and whether management paths are exposed. Keep the language in validation mode because the daily intelligence does not establish active exploitation.
Sources: https://nvd.nist.gov/vuln/detail/CVE-2026-11555.
Finding 27: CVE-2026-52849 - MATE Desktop Atril EPUB parsing RCE
Confidence: Low / Unverified
Endpoint and application owners should track vendor remediation and reduce exposure to untrusted content or authenticated export paths. The evidence is single-source here, so do not overstate operational impact.
Sources: http://www.zerodayinitiative.com/advisories/ZDI-26-360/.
Finding 28: CVE-2026-8916 - Samsung rlottie numeric truncation RCE
Confidence: Low / Unverified
Endpoint and application owners should track vendor remediation and reduce exposure to untrusted content or authenticated export paths. The evidence is single-source here, so do not overstate operational impact.
Sources: http://www.zerodayinitiative.com/advisories/ZDI-26-359/.
Finding 29: CVE-2026-11442 - Allegra exportReport directory traversal information disclosure
Confidence: Low / Unverified
Endpoint and application owners should track vendor remediation and reduce exposure to untrusted content or authenticated export paths. The evidence is single-source here, so do not overstate operational impact.
Sources: http://www.zerodayinitiative.com/advisories/ZDI-26-357/.
Why This Matters
This is a breadth problem. Security teams have to route GitLab, Splunk, Traefik, Flowise, OpenBullet2, samlify, Routinator, Nginx Proxy Manager, and OpenStack Ironic without turning every single-source advisory into an incident claim.
The evidence depth is uneven. Medium-confidence items have stronger advisory support or fixed-version anchors. LOW / UNVERIFIED items still deserve an inventory check, but the public posture should stay measured until more confirmation appears.
Recommended Actions
- Assign owners for GitLab, Splunk, Traefik, Flowise, OpenBullet2, samlify, Routinator, Nginx Proxy Manager, and OpenStack Ironic.
- Confirm exposed management or API paths before escalating LOW / UNVERIFIED items.
- Patch or upgrade where fixed versions are named, including Flowise 3.1.2, samlify 2.13.0, and Routinator 0.15.2.
- Keep CISA ICS, D-Link, endpoint, and ZDI application rows in validation queues unless asset presence and exposure are confirmed.
All findings grounded in a13e intelligence sweeps through 04:55 UTC 12 June 2026.
Update: Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows
Confidence: Medium
The anonymous security researcher going by the name Chaotic Eclipse (aka Nightmare-Eclipse) has released a proof-of-concept (PoC) exploit for yet another Microsoft Defender zero-day named RoguePlanet. "The exploit is a race condition, so it's a hit or miss," the researcher, who published the exploit
Sources: https://thehackernews.com/2026/06/microsoft-defender-rogueplanet-zero-day.html
Update: CISA tells govt agencies to patch critical exploited flaws in 3 days
Confidence: Medium
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced a new Binding Operational Directive, 26-04, that prioritizes security updates for Federal Civilian Executive Branch (FCEB) agencies. [...]
Sources: https://www.bleepingcomputer.com/news/security/cisa-tells-govt-agencies-to-patch-critical-exploited-flaws-in-3-days/
Update: Max severity Ivanti Sentry vulnerability now exploited in attacks
Confidence: Medium
Attackers are now targeting a recently patched maximum-severity flaw in Ivanti Sentry, enabling them to execute code with root privileges on Internet-exposed secure mobile gateways. [...]
Sources: https://www.bleepingcomputer.com/news/security/max-severity-ivanti-sentry-vulnerability-now-exploited-in-attacks/
Update: ‘GreatXML’ Zero-Day Exploit Bypasses BitLocker
Confidence: Medium
The PoC exploits Microsoft Defender’s offline scan to spawn a SYSTEM shell when rebooting in Recovery Mode.
Sources: https://www.securityweek.com/greatxml-zero-day-exploit-bypasses-bitlocker/
Update: CVE-2025-8088 - WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine
Confidence: Medium
Two Russia-aligned cyber attack campaigns have continued to exploit a security flaw in WinRAR to target Ukrainian organisations, almost a year after patches for the vulnerability were released. The activity has been attributed by Trend Micro to Earth Dahu (aka Gamaredon) and SHADOW-EARTH-066 (aka UA [...]
Known Exploited (CISA KEV).
Sources: https://thehackernews.com/2026/06/winrar-flaw-exploited-by-russia-aligned.html
Update: June 2026 Patch Tuesday: Microsoft Patches 206 Vulnerabilities Including Three Publicly Disclosed Zero-Days
Confidence: Medium
Route to the relevant asset owner for patch evidence.
Sources: https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-june-2026/
Update: ServiceNow Flaw Exploited to Gain Unauthorized Access to Customer Instances
Confidence: Medium
ServiceNow has warned about a security incident in which unknown threat actors exploited a flaw to obtain deeper unauthorized access to susceptible instances. "On June 5, 2026, ServiceNow applied a security update to hosted customer instances," the company revealed in an advisory that requires custo
Sources: https://thehackernews.com/2026/06/servicenow-flaw-exploited-to-gain.html
Update: Cisco customers encounter another SD-WAN zero-day under attack
Confidence: Medium
The defect marks the seventh actively exploited zero-day in Cisco SD-WANs this year, and the vendor has yet to release a patch.
Sources: https://cyberscoop.com/cisco-sdwan-zero-day-vulnerability-exploited-cve202620245/