Splunk Enterprise CVE-2026-20253 Leads 14 June Patch Validation
Finding 1: Splunk Enterprise CVE-2026-20253 / SVD-2026-0603 Requires Upgrade Validation
Confidence: Medium
Splunk lists affected Enterprise 10.2.0-10.2.3 and 10.0.0-10.0.6 releases, with fixes in 10.4.0, 10.2.4, and 10.0.7. The advisory material rates the issue CVSS 9.8 and describes unauthenticated file create or truncate operations through a PostgreSQL sidecar endpoint.
This is the clearest new assignment item in today's intelligence. Prioritise internet-reachable or broadly network-reachable Splunk Enterprise instances, then confirm that upgrade validation has actually completed. Sources: Splunk SVD-2026-0603 and The Hacker News Splunk reporting.
Finding 2: Chrome CVE-2026-11645 Keeps Managed Browsers In The Patch Queue
Confidence: High
Chrome CVE-2026-11645 is a V8 out-of-bounds read/write issue and remains a fleet patch item. The intelligence cites fixed Chrome versions 149.0.7827.102/.103, depending on platform.
Managed endpoint teams should verify Chrome 149.0.7827.102/.103 or later and include Chromium-derived applications in follow-up checks. Treat this as deployment validation across the estate, not as a claim about local compromise. Sources: Google Chrome stable channel update, NVD, and The Hacker News Chrome reporting.
Finding 3: npm v12 Will Make Dependency Install Scripts Explicit
Confidence: Medium
npm v12 will change default lifecycle-script behaviour so dependency install scripts are not executed unless they are explicitly allowed. That is not an incident, but it is a concrete supply-chain control change for CI, build agents, and developer workstations.
Software teams should inventory packages that rely on lifecycle hooks or native builds, then prepare explicit allowScripts approvals before npm v12 adoption. Sources: GitHub npm v12 changelog, SecurityWeek, and The Hacker News npm reporting.
Finding 4: Allegra CVE-2026-11443 / ZDI-26-358 Needs Product-Owner Routing
Confidence: Low / Unverified
ZDI describes an Allegra downloadAttachment cross-site scripting authentication-bypass vulnerability. The intelligence includes a CVE, product reference, CVSS context, and vendor update reference, but actionability depends on confirmed Allegra use.
Route this only to known Allegra owners. If Allegra is not present, keep it as advisory tracking rather than a general escalation. Source: ZDI-26-358.
Finding 5: MSRC CVE-2026-45447 And CVE-2026-47167 Add Dependency Patch Work
Confidence: Low / Unverified
MSRC entries for CVE-2026-45447 and CVE-2026-47167 add low-urgency patch-routing work for Microsoft-packaged OpenSSL and Vim-style components. The intelligence does not elevate these above normal dependency maintenance.
Route the items to Windows, OpenSSL, and Vim package owners through existing patch baselines. Sources: MSRC CVE-2026-45447 and MSRC CVE-2026-47167.
Finding 6: OceanLotus SPECTRALVIPER / FireAnt Activity Adds Campaign Tracking
Confidence: Medium
ESET reports OceanLotus/APT32 activity involving SPECTRALVIPER tooling and FireAnt-related targeting. There is no CVE or broad patch action attached to this item.
Track indicators where APAC finance, Vietnam-facing investment workflows, or FireAnt platform usage exists. Outside that exposure profile, this is threat tracking rather than immediate remediation. Sources: ESET OceanLotus research and The Hacker News OceanLotus reporting.
Update: Oracle PeopleSoft CVE-2026-35273 Names University Of Nottingham
Confidence: Medium
Current reporting gives the PeopleSoft issue a concrete UK academia anchor by naming the University of Nottingham. The intelligence also cites Oracle mitigation guidance, CISA KEV status, and reporting on expanded exposure.
The sourced facts support University of Nottingham, Oracle guidance, and CISA KEV status. UK education and adjacent organisations should confirm PeopleSoft PeopleTools 8.61/8.62 and Campus Solutions exposure, apply Oracle guidance, and review logs from 27 May 2026 onward. Sources: ITPro, Oracle, CISA KEV, and CyberScoop.
Update: Ivanti Sentry CVE-2026-10520 Remains Under Deadline Pressure
Confidence: Medium
Current reporting keeps Ivanti Sentry fixed-version validation in the P1 queue. The affected versions cited in the intelligence are before R10.5.2, R10.6.2, and R10.7.1.
Verify fixed versions or isolate externally reachable Ivanti Sentry appliances. The safe claim is patch-pressure and fixed-version validation, tied to BleepingComputer and The Register reporting. Sources: BleepingComputer and The Register.
Update: Langflow CVE-2026-5027 Keeps Exposed AI Builders In Scope
Confidence: Medium
The intelligence reports exposed Langflow instances being targeted through an unauthenticated file-write/RCE path. The update guidance is to move Langflow to 1.9.0 or later.
AI workflow owners should update Langflow and inspect exposed /api/v2/files paths for suspicious writes. Keep this in the developer-platform queue because exposed AI builders often sit close to automation, credentials, and data movement. Sources: The Hacker News Langflow reporting and NVD.
Update: LangGraph Self-Hosted Packages Have Fixed Versions
Confidence: Medium
The LangGraph update names affected package ranges and fixed versions: langgraph-checkpoint-sqlite before 3.0.1, langgraph before 1.0.10, and @langchain/langgraph-checkpoint-redis before 1.0.1.
Patch affected self-hosted LangGraph packages and restrict untrusted access to state-history and filter inputs. Sources: The Hacker News LangGraph reporting and the LangGraph GitHub security advisory.
Update: Unit 42 AI-Agent Skill Research Expands Supply-Chain Controls
Confidence: Low / Unverified
Unit 42 describes integrity risks in third-party AI-agent skills, including the need to verify provenance and detect multi-stage behaviour. This is best treated as control-gap work, not as a breach claim.
Add AI-agent skill inventory, provenance checks, and permission review to developer-platform baselines. Source: Unit 42 AI-agent supply-chain research.
Update: Samsung rlottie CVE-2026-8916 Depends On Application Reachability
Confidence: Low / Unverified
ZDI describes numeric truncation in Samsung rlottie with remote-code-execution potential. The operational priority depends on whether an application workflow exposes the library to attacker-controlled content.
Identify products using Samsung rlottie and monitor vendor update channels. Source: ZDI-26-359.
Update: MATE Desktop Atril CVE-2026-52849 Requires Local Exposure Context
Confidence: Low / Unverified
ZDI describes a heap-based buffer overflow in MATE Desktop Atril EPUB parsing that can lead to code execution after user interaction. This does not justify broad escalation unless MATE or Atril is present.
Route to Linux desktop owners only where MATE Desktop Atril is deployed, and keep the item as low-priority advisory tracking elsewhere. Source: ZDI-26-360.
Why This Matters
This is a mixed routing day. Splunk, Chrome, PeopleSoft, Ivanti Sentry, Langflow, and LangGraph have concrete version or exposure checks that can be assigned now. npm v12 and AI-agent skill integrity should become developer-platform control work before they turn into avoidable build or provenance gaps.
The lower-confidence ZDI and research-lab items are still useful, but only when tied to inventory. Allegra, Samsung rlottie, and MATE Atril should not displace the higher-value patch queue unless local exposure is confirmed.
Recommended Actions
- Validate Splunk Enterprise 10.2.x and 10.0.x deployments and upgrade to 10.4.0, 10.2.4, or 10.0.7 where applicable.
- Confirm PeopleSoft, Ivanti Sentry, Chrome, Langflow, and LangGraph fixed-version status across accountable owners.
- Prepare npm v12 allowScripts approvals and add AI-agent skill provenance checks to developer-platform baselines.
- Route Allegra, Samsung rlottie, MATE Atril, and MSRC dependency items only where inventory confirms exposure.
- Track OceanLotus indicators where APAC finance, Vietnam-facing investment workflows, or FireAnt platform usage makes them relevant.
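
The fixed-version checks listed above can be run against an asset inventory. The Python below is an added example, not part of the original bulletin: the version floors are the ones cited in the findings, while the product keys, status labels, and inventory rows are constructed. Reading the Ivanti Sentry versions as per-branch floors is an assumption.

```python
import re

# Fixed-version floors from the findings above; "10.2"-style keys are per-branch, None is one floor.
FIXED = {
    "splunk-enterprise": {"10.0": "10.0.7", "10.2": "10.2.4", "10.4": "10.4.0"},
    "ivanti-sentry": {"10.5": "10.5.2", "10.6": "10.6.2", "10.7": "10.7.1"},  # per-branch: assumption
    "langflow": {None: "1.9.0"},
    "langgraph": {None: "1.0.10"},
    "langgraph-checkpoint-sqlite": {None: "3.0.1"},
    "@langchain/langgraph-checkpoint-redis": {None: "1.0.1"},
}

def parse(version):
    """'10.2.3' or 'R10.6.1' -> (10, 2, 3, 0); numeric compare, so 1.0.10 > 1.0.9."""
    m = re.fullmatch(r"[Rr]?(\d+(?:\.\d+){0,3})", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(n) for n in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def check(product, version):
    """Return fixed, below-fix, unlisted-branch, unknown-product or unparsed."""
    floors = FIXED.get(product)
    if floors is None:
        return "unknown-product"
    try:
        v = parse(version)
    except ValueError:
        return "unparsed"  # e.g. pre-release suffixes: route to manual review
    floor = floors.get(None) or floors.get(f"{v[0]}.{v[1]}")
    if floor is None:
        return "unlisted-branch"  # branch not named on this page: check the advisory
    return "fixed" if v >= parse(floor) else "below-fix"

# Constructed inventory rows (host, product, version), for illustration only.
INVENTORY = [
    ("idx01", "splunk-enterprise", "10.2.3"),
    ("idx02", "splunk-enterprise", "10.0.7"),
    ("sh01", "splunk-enterprise", "9.4.1"),
    ("mdm-gw", "ivanti-sentry", "R10.6.1"),
    ("agent-svc", "langgraph", "1.0.9"),
]

def triage(rows):
    """Rows not confirmed fixed, as (host, product, version, status)."""
    return [(h, p, v, s) for h, p, v in rows if (s := check(p, v)) != "fixed"]

if __name__ == "__main__":
    print(*triage(INVENTORY), sep="\n")
```

Rows returned by `triage` are the ones to assign; `unlisted-branch` and `unparsed` mean the bulletin gives no floor for that version and the vendor advisory has to be read directly.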
All findings grounded in a13e intelligence sweeps through 04:55 UTC 14 June 2026.
Update: ShinyHunters is actively extorting universities after exploiting an unpatched Oracle flaw
Confidence: Medium
Oracle still hasn't patched the vulnerability the group has been using in its attacks since late May.
Sources: https://cyberscoop.com/oracle-peoplesoft-zero-day-vulnerability-shinyhunters-extortion/
Update: CISA orders feds to patch actively exploited Ivanti flaw by Sunday
Confidence: Medium
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies to patch an actively exploited Ivanti Sentry flaw within three days, as mandated by the newly issued Binding Operational Directive (BOD) 26-04. [...]
Sources: https://www.bleepingcomputer.com/news/security/cisa-gives-feds-3-days-to-patch-ivanti-flaw-exploited-in-attacks/