Oracle PeopleSoft CVE-2026-35273 - Stability Brief for Exposure Owners
Finding 1: Oracle PeopleSoft CVE-2026-35273 Remains The Lead Watchpoint
Confidence: High
Oracle states that CVE-2026-35273 is remotely exploitable without authentication, and Google Cloud threat intelligence attributes education-sector exploitation to ShinyHunters and UNC6240. Current reporting also names the University of Nottingham as a UK victim, giving this item confirmed UK impact without relying on wider exposure-scale claims.
The practical action remains unchanged: inventory internet-reachable PeopleSoft PeopleTools 8.61 and 8.62, check PSEMHUB exposure, apply Oracle mitigation, and review logs from 27 May 2026 onward. Sources: https://www.oracle.com/security-alerts/alert-cve-2026-35273.html ; https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit/ ; https://thehackernews.com/2026/06/shinyhunters-exploits-oracle-peoplesoft.html ; https://cyberscoop.com/oracle-peoplesoft-zero-day-vulnerability-shinyhunters-extortion/.
Finding 2: UPDATE: Ivanti Sentry CVE-2026-10520 Has Active-Exploitation Patch Pressure
Confidence: Medium
Ivanti Sentry remains a high-priority exposure check because current reporting says CISA ordered federal agencies to patch an actively exploited issue within three days. The affected deployments are Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1.
Teams should verify external exposure and confirm the installed build against the fixed versions before treating any appliance as remediated; a build that is merely newer than one fix line is not evidence it is fixed on its own line. Sources: https://www.bleepingcomputer.com/news/security/cisa-gives-feds-3-days-to-patch-ivanti-flaw-exploited-in-attacks/ ; https://www.theregister.com/patches/2026/06/10/ivanti-urges-sentry-users-to-patch-two-critical-bugs/5253428 ; https://thehackernews.com/2026/06/ivanti-fortinet-and-sap-release-patches.html.
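An added example, not from Ivanti or any of the cited sources, of the fixed-version check this finding calls for. It encodes the three fix lines named above (R10.5.2, R10.6.2, R10.7.1) per release branch, and shows why a naive "newer than the lowest fixed build" comparison wrongly passes a build such as R10.6.0. The version-string shape and the inventory entries are assumptions for illustration.

```python
import re

# Fixed builds per Ivanti Sentry release line, taken from the brief above:
# deployments before R10.5.2, R10.6.2 and R10.7.1 are affected. Each line
# has its own fix, so "newer than R10.5.2" is not the same as "fixed".
SENTRY_FIXED = {
    (10, 5): (10, 5, 2),
    (10, 6): (10, 6, 2),
    (10, 7): (10, 7, 1),
}

# Assumed version-string shape ("R10.6.1" or "10.6.1"); adjust to what your
# appliance actually reports.
_VER = re.compile(r"^R?(\d+)\.(\d+)\.(\d+)$")


def parse_sentry_version(text):
    """Turn 'R10.6.1' into (10, 6, 1); raise on anything unexpected."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Sentry version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def sentry_status(text):
    """'fixed', 'vulnerable', or 'unknown-branch' for release lines the
    advisory text does not name (those need a manual check, not a pass)."""
    v = parse_sentry_version(text)
    fixed = SENTRY_FIXED.get(v[:2])
    if fixed is None:
        return "unknown-branch"
    return "fixed" if v >= fixed else "vulnerable"


def naive_status(text):
    """The mistake to avoid: compare against the lowest fixed build only.
    This marks R10.6.0 as fixed because 10.6.0 > 10.5.2."""
    v = parse_sentry_version(text)
    return "fixed" if v >= min(SENTRY_FIXED.values()) else "vulnerable"


def needs_action(inventory):
    """inventory: list of (hostname, version, internet_exposed). Returns the
    hosts to chase, most urgent first: exposed and vulnerable, then exposed
    but unverified, then everything else not confirmed fixed."""
    rows = []
    for host, version, exposed in inventory:
        status = sentry_status(version)
        if status != "fixed":
            rows.append((host, status, exposed))
    rows.sort(key=lambda r: (not r[2], r[1] != "vulnerable", r[0]))
    return rows


# Constructed inventory for illustration (not real hosts or real builds).
SAMPLE_INVENTORY = [
    ("sentry-dmz-1", "R10.6.0", True),
    ("sentry-dmz-2", "R10.7.1", True),
    ("sentry-lab", "R10.5.1", False),
    ("sentry-new", "R10.8.0", True),
]

if __name__ == "__main__":
    for row in needs_action(SAMPLE_INVENTORY):
        print(row)
```

The "unknown-branch" outcome is deliberate: a release line the advisory does not mention should go back to the owner for confirmation rather than be counted as complete.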
Finding 3: Langflow CVE-2026-5027 And LangGraph Keep AI Workflows In Scope
Confidence: Medium
The intelligence reports exploited unauthenticated RCE in Langflow before 1.9.0, with /api/v2/files exposure and suspicious file writes as the first checks. LangGraph is also back in the queue because patched versions are now identified across SQLite and Redis checkpointer packages.
Self-hosted AI workflow owners should patch Langflow to 1.9.0 or later, update the affected LangGraph checkpointer packages to the patched versions, and restrict user-controlled filter input reaching state-history endpoints. Sources: https://thehackernews.com/2026/06/unpatched-langflow-flaw-cve-2026-5027.html ; https://thehackernews.com/2026/06/langgraph-flaw-chain-exposes-self.html.
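An added example, not from any of the cited sources, of the first-pass log review that Finding 1 and Finding 3 both call for: Finding 1's review of PeopleSoft access logs from 27 May 2026 onward for PSEMHUB traffic, and Finding 3's check for writes to Langflow's /api/v2/files. It parses the common combined log format and returns the lines an owner should look at. The log lines are constructed, and the /PSEMHUB path prefix is an assumption (the brief names only the component).

```python
import re
from datetime import datetime, timezone

# Review window from Finding 1: PeopleSoft logs from 27 May 2026 onward.
PEOPLESOFT_REVIEW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)

# Assumed servlet path prefix for the PeopleSoft Environment Management Hub;
# the brief names only the component, so confirm the prefix on your own tier.
PSEMHUB_PREFIX = "/PSEMHUB"

# Langflow endpoint named in Finding 3; only write methods count as "file writes".
LANGFLOW_FILES_PREFIX = "/api/v2/files"
WRITE_METHODS = {"POST", "PUT", "PATCH"}

# Combined log format: client ident user [timestamp] "METHOD path proto" status bytes
_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = _LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # Drop the query string so prefix matching is not fooled by it.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def triage(lines):
    """Return (rule, record) pairs for lines worth a human look."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Finding 1: any PSEMHUB request inside the review window. Case-folded
        # because servlet containers vary in how they normalise the path.
        if rec["path"].upper().startswith(PSEMHUB_PREFIX) and rec["ts"] >= PEOPLESOFT_REVIEW_START:
            hits.append(("peoplesoft-psemhub", rec))
        # Finding 3: writes to the Langflow files endpoint. Reads are routine;
        # a write from an unexpected client is the signal.
        if rec["path"].startswith(LANGFLOW_FILES_PREFIX) and rec["method"] in WRITE_METHODS:
            hits.append(("langflow-file-write", rec))
    return hits


def summarize(hits):
    """Count hits per rule, for the owner hand-off note."""
    counts = {}
    for rule, _ in hits:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed sample log (RFC 5737 test addresses), not captured traffic.
# The /PSEMHUB/hub path is the assumed hub servlet path, not taken from the brief.
SAMPLE_LOG = """\
203.0.113.7 - - [26/May/2026:23:59:58 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 512
203.0.113.7 - - [27/May/2026:00:03:11 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 128
198.51.100.9 - - [28/May/2026:14:22:40 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 4096
192.0.2.44 - - [02/Jun/2026:09:15:02 +0000] "GET /api/v2/files HTTP/1.1" 200 310
192.0.2.44 - - [02/Jun/2026:09:15:05 +0000] "POST /api/v2/files HTTP/1.1" 201 77
192.0.2.44 - - [02/Jun/2026:09:15:09 +0000] "PUT /api/v2/files/abc HTTP/1.1" 200 77
not a log line
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for rule, rec in found:
        print(rule, rec["client"], rec["ts"].isoformat(), rec["method"], rec["path"], rec["status"])
    print(summarize(found))
```

Note that the first PSEMHUB line is deliberately dropped: it falls before the 27 May 2026 window the brief sets, which is the gate the review is meant to apply. Widen the window, or drop it, if your own exposure timeline differs.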
Finding 4: ServiceNow And File Browser Need Narrow Owner Checks
Confidence: Low / Unverified
ServiceNow reported a hosted update and customer trust notification for an issue that allowed successful table queries against a subset of customer instances. File Browser has several GitHub Advisory Database entries covering public-share bypass, symlink scope escape, archive traversal, and command-execution allowlist bypass.
For ServiceNow, confirm the 5 June hosted update and review relevant table-query activity from 2 June 2026 onward. For File Browser, check v1 and v2 version exposure against the published GHSA entries and prioritise deployments that expose sharing or command-execution features. Sources: https://thehackernews.com/2026/06/servicenow-flaw-exploited-to-gain.html ; https://github.com/advisories/GHSA-j9jx-hp4c-ghhh ; https://github.com/advisories/GHSA-239w-m3h6-ch8v ; https://github.com/advisories/GHSA-gxjx-7m74-hcq8 ; https://github.com/advisories/GHSA-8c9q-7855-wfxq.
Why This Matters
The operational signal is real, and the evidential wording has been tightened to keep the public brief aligned with sourced facts. PeopleSoft and Ivanti remain the top owner-assignment priorities, with AI workflow and SaaS exposure checks close behind.
Recommended Actions
- Keep PeopleSoft wording tied to sourced facts: active exploitation, Oracle mitigation guidance, and the named University of Nottingham impact.
- Run PeopleSoft and Ivanti exposure checks first, because both connect to exploitation or urgent remediation pressure.
- Route Langflow, LangGraph, File Browser, ServiceNow, MongoDB, Spring, IBM i, Chrome, FortiPortal, Keycloak, Snappy, Budibase, and GeoServer items to product owners with confidence labels intact.
- Treat Low / Unverified items as owner-mapping work unless local exposure changes the risk.
All findings are grounded in source collection through 04:55 UTC on 13 June 2026.
Update: Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows
Confidence: Medium
The anonymous security researcher going by the name Chaotic Eclipse (aka Nightmare-Eclipse) has released a proof-of-concept (PoC) exploit for yet another Microsoft Defender zero-day named RoguePlanet. "The exploit is a race condition, so it's a hit or miss," the researcher, who published the exploit
Sources: https://thehackernews.com/2026/06/microsoft-defender-rogueplanet-zero-day.html
Update: CVE-2026-11986 / WID-SEC-2026-1894 - Keycloak admin-ui-ext file manipulation
Confidence: Low / Unverified
Classification: New. Why promoted: new CERT-Bund Keycloak admin-ui-ext advisory absent from the published-intel exclusion ledger.
Sources: https://access.redhat.com/security/cve/CVE-2026-11986
Update: Budibase CVE-2026-48150 lets workspace builders become global admins
Confidence: Low / Unverified
Classification: New. Why promoted: new GHSA Budibase advisory absent from the published-intel exclusion ledger. GitHub Advisory Databas
Sources: https://github.com/Budibase/budibase/security/advisories/GHSA-6xp4-cf37-ppjh
Update: LangGraph self-hosted AI-agent flaw chain can reach RCE (CVE-2025-67644, patch released)
Confidence: Medium
Classification: Updated (patch released). Why promoted: the poll sidecar marks the material event type as patchreleased, and the sweep gives patched package versions.
Update: LangGraph Flaw Chain Exposes Self-Hosted AI Agents to Remote Code Execution CVE-2026-28277
Confidence: Medium
Cybersecurity researchers have disclosed details of three now-patched security flaws impacting LangGraph, including a critical vulnerability chain that could result in remote code execution. LangGraph is an open-source framework created by LangChain to build complex, stateful, and multi-agent artifi
Sources: https://thehackernews.com/2026/06/langgraph-flaw-chain-exposes-self.html
Update: CVE-2026-46643 - Snappy binary path escaping issue
Confidence: Low / Unverified
Classification: New. Why promoted: new MSRC Snappy advisory absent from the published-intel exclusion ledger. MSRC published a Snappy binary path issue w
Sources: https://github.com/KnpLabs/snappy/releases/tag/v1.7.1
Update: MongoDB CVE-2026-11933 gets BSI and CERT-FR patch routing
Confidence: Medium
Classification: New. Why promoted: new BSI/CERT-FR MongoDB advisory pair absent from the published-intel exclusion ledger. BSI CERT-Bund and CERT-FR publish
Sources: https://jira.mongodb.org/browse/SERVER-128125
Update: IBM i CVE-2026-7870 high advisory enters EU owner routing
Confidence: Low / Unverified
Classification: New. Why promoted: new BSI IBM i advisory absent from the published-intel exclusion ledger. BSI CERT-Bund lists IBM i as high seve
Sources: https://www.ibm.com/support/pages/node/7275756
Update: CVE-2026-46683 - Snappy SSRF and local file read
Confidence: Low / Unverified
Classification: New. Why promoted: new MSRC Snappy advisory absent from the published-intel exclusion ledger. MSRC published a Snappy issue involving SSRF
Sources: https://github.com/KnpLabs/snappy/releases/tag/v1.7.0
Update: ServiceNow Flaw Exploited to Gain Unauthorized Access to Customer Instances
Confidence: Medium
ServiceNow has warned about a security incident in which unknown threat actors exploited a flaw to obtain deeper unauthorized access to susceptible instances. "On June 5, 2026, ServiceNow applied a security update to hosted customer instances," the company revealed in an advisory that requires custo
Sources: https://thehackernews.com/2026/06/servicenow-flaw-exploited-to-gain.html
Update: CVE-2026-12007 / WID-SEC-2026-1893 - Google Chrome high multi-CVE update
Confidence: Low / Unverified
Classification: New. Why promoted: new CERT-Bund Chrome advisory absent from the published-intel exclusion ledger. CERT-Bund publis
Sources: https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_01962725236.html