CRITICAL | 17 Jun 2026

Fortinet FortiSandbox CVE-2026-39813 Exploitation Leads Supply-Chain Review

Today's brief consolidates 4 findings (3 new, 1 update), led by active FortiSandbox exploitation, followed by the WordPress CDN supply-chain review, Atomic Arch AUR exposure, and Ubuntu OpenImageIO patching.

Key findings

01. [HIGH] Update: Fortinet FortiSandbox CVE-2026-39813, CVE-2026-39808, And CVE-2026-25089 (Confidence: High)
02. [MEDIUM] Finding 1: OptinMonster WordPress Plugin Hit By CDN Supply-Chain Attack (Confidence: Medium)
03. [MEDIUM] Finding 2: Atomic Arch Supply Chain Attack Expands To 1,500 AUR Packages (Confidence: Medium)
04. [MEDIUM] Finding 3: Ubuntu OpenImageIO CVE-2026-43903 Patch Validation (Confidence: Medium)
05. [MEDIUM] Update: NEW: Cacti CVE-2026-1513 enters BSI queue CVE-2026-1513 (Confidence: Medium)
06. [MEDIUM] Update: NEW: LibreOffice CVE-2026-6039 adds desktop baseline work CVE-2026-6039 (Confidence: Medium)
07. [MEDIUM] Update: NEW: Joomla Content Editor CVE-2026-48907 enters CISA KEV CVE-2026-48907 (Confidence: Medium)
08. [MEDIUM] Update: NEW: Ubuntu ships FreeRDP CVE-2026-45700 code-execution fixes CVE-2026-45700 (Confidence: Medium)
09. [MEDIUM] Update: NEW: Ricoh/KonicaMinolta universal print driver CVE-2026-50100 CVE-2026-50100 (Confidence: Medium)
10. [MEDIUM] Update: CVE-2026-54303: n8n: Reflected XSS via Facebook, WhatsApp, and Microsoft Teams Trigger Webhook V CVE-2026-54303 (Confidence: Medium)
11. [MEDIUM] Update: NEW: Angular CVE-2026-50168 enters BSI high-severity routing CVE-2026-50168 (Confidence: Medium)
12. [MEDIUM] Update: NEW: Moxa NPort serial device server CVE cluster reaches CERT-FR and BSI CVE-2026-10825 (Confidence: Medium)
13. [MEDIUM] Update: NEW: FreeRDP WID-SEC-2026-1933 lands as EU advisory (Confidence: Medium)
14. [MEDIUM] Update: NEW: Mattermost WID-SEC-2026-1932 adds collaboration-platform checks (Confidence: Medium)
15. [MEDIUM] Update: NEW: Snipe-IT CVE-2026-54329 enters high-severity owner routing CVE-2026-54329 (Confidence: Medium)
16. [MEDIUM] Update: NEW: jq CVE-2026-54679 appears as unpatched BSI advisory CVE-2026-54679 (Confidence: Medium)

Update: Fortinet FortiSandbox CVE-2026-39813, CVE-2026-39808, And CVE-2026-25089

Confidence: High

Previously covered 17 June 2026; today's delta: active exploitation is now the lead operational signal, so FortiSandbox owners need remediation evidence and telemetry review.

Attackers are reported to be actively exploiting three Fortinet FortiSandbox vulnerabilities: CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089. The Fortinet PSIRT entry and exploitation reporting make this more than a routine patch notice for security-appliance owners.

Teams using FortiSandbox should verify the JRPC/API remediation path, confirm that fixed versions are deployed, and hunt for related exploitation telemetry. The CVSS score attached to CVE-2026-39813 is important, but the active-exploitation report is the reason this item leads today.

Sources: The Hacker News Fortinet exploitation report; Fortinet PSIRT FG-IR-26-243; BSI WID-SEC-2026-1094.

Finding 1: OptinMonster WordPress Plugin Hit By CDN Supply-Chain Attack

Confidence: Medium

The OptinMonster, TrustPulse, and PushEngage update matters because a CDN compromise changes where defenders need to look. The affected path is not only the WordPress plugin version on disk; it is also the code loaded through the vendor's CDN and the telemetry around pages that used those assets.

WordPress and marketing-site owners should identify whether they use OptinMonster or related Awesome Motive plugins, check for unexpected script behaviour, and preserve web logs that could show suspicious CDN-delivered activity. This finding remains caveated because the public detail is still driven by ecosystem reporting rather than a CVE or a fuller vendor advisory.

Sources: BleepingComputer OptinMonster CDN supply-chain report.

Finding 2: Atomic Arch Supply Chain Attack Expands To 1,500 AUR Packages

Confidence: Medium

The Atomic Arch campaign is reported to have expanded to about 1,500 Arch User Repository packages. That makes the AUR consumption model the immediate control point for Linux workstation and build-host owners, especially where AUR packages enter developer environments or automated build paths.

The right response is targeted review, not panic. Check which teams allow AUR packages, pause optional AUR intake where it is not business-critical, and wait for validated package names and hashes before launching broad incident response across Linux estates.

Sources: SecurityWeek Atomic Arch AUR supply-chain report.

Finding 3: Ubuntu OpenImageIO CVE-2026-43903 Patch Validation

Confidence: Medium

Ubuntu USN-8438-1 fixes OpenImageIO malformed-file parsing issues tracked under CVE-2026-43903. The affected systems are the ones that process untrusted images, including media conversion workers, CI jobs, and upload-processing paths.

This is a clean patch-validation item. Apply the Ubuntu update where OpenImageIO is present, then confirm whether any externally supplied image files are processed in privileged or shared environments.

Sources: Ubuntu USN-8438-1.

Why This Matters

Today's intelligence has two speeds. FortiSandbox needs fast proof of remediation because exploitation is already reported. The supply-chain items need disciplined exposure checks because the public detail is still thinner, but the possible reach is broad enough to justify owner action now.

The practical lesson is simple: security appliances, marketing plugins, package repositories, and media-processing libraries now sit on the same daily triage board. Asset ownership and telemetry access decide which team can reduce risk first.

Recommended Actions

  • Verify FortiSandbox fixed versions and hunt for CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089 exploitation telemetry.
  • Identify OptinMonster, TrustPulse, and PushEngage usage, then review CDN-loaded plugin code and web logs.
  • Review AUR package consumption on Linux workstations and build hosts; wait for validated package names and hashes before broad response.
  • Apply Ubuntu USN-8438-1 to OpenImageIO systems that process untrusted image files.
  • Keep OptinMonster and Atomic Arch labelled as caveated until vendor advisories, CVEs, package names, or hashes improve the evidence.

All findings grounded in a13e intelligence sweeps through 04:55 UTC 17 June 2026.

Update: NEW: Cacti CVE-2026-1513 enters BSI queue CVE-2026-1513

Confidence: Medium

NEW: Cacti CVE-2026-1513 enters BSI queue
Confidence: LOW / UNVERIFIED.
Action: Check exposed Cacti monitoring systems and route patch validation to monitoring owners.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1931

Sources: https://cve.naver.com/detail/cve-2026-1513.html

Update: NEW: LibreOffice CVE-2026-6039 adds desktop baseline work CVE-2026-6039

Confidence: Medium

NEW: LibreOffice CVE-2026-6039 adds desktop baseline work
Confidence: LOW / UNVERIFIED.
Action: Add to desktop patch baselines, especially environments processing untrusted office files.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1929

Sources: https://www.libreoffice.org/about-us/security/advisories/cve-2026-6039

Update: NEW: Joomla Content Editor CVE-2026-48907 enters CISA KEV CVE-2026-48907

Confidence: Medium

NEW: Joomla Content Editor CVE-2026-48907 enters CISA KEV
Confidence: MEDIUM.
Action: Treat exposed Joomla Content Editor estates as exploited until remediated; verify plugin version and webshell/file-change telemetry.
Sources: https://www.cisa.gov/known-exploited-vulnerabilities-ca Known Exploited (CISA KEV).

Sources: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?vulnId=CVE-2026-48907

Update: NEW: Ubuntu ships FreeRDP CVE-2026-45700 code-execution fixes CVE-2026-45700

Confidence: Medium

NEW: Ubuntu ships FreeRDP CVE-2026-45700 code-execution fixes
Confidence: MEDIUM.
Action: Patch freerdp2/freerdp3 on admin workstations, jump boxes, and remote-support hosts.
Sources: https://ubuntu.com/security/notices/USN-8432-1

Sources: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mpxh-8fq3-x8mh

Update: NEW: Ricoh/KonicaMinolta universal print driver CVE-2026-50100 CVE-2026-50100

Confidence: Medium

NEW: Ricoh/KonicaMinolta universal print driver CVE-2026-50100
Confidence: LOW / UNVERIFIED.
Action: Route to endpoint and print owners; prioritize privileged workstation fleets.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1925

Sources: https://jp.ricoh.com/security/products/vulnerabilities/vul?id=ricoh-2025-000002

Update: CVE-2026-54303: n8n: Reflected XSS via Facebook, WhatsApp, and Microsoft Teams Trigger Webhook V CVE-2026-54303

Confidence: Medium

n8n: Reflected XSS via Facebook, WhatsApp, and Microsoft Teams Trigger Webhook Verification Endpoints

Sources: https://github.com/advisories/GHSA-h86q-fx34-gfjr

Update: NEW: Angular CVE-2026-50168 enters BSI high-severity routing CVE-2026-50168

Confidence: Medium

NEW: Angular CVE-2026-50168 enters BSI high-severity routing
Confidence: LOW / UNVERIFIED.
Action: Route to web application owners for dependency exposure checks and fixed-version validation.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1930

Update: NEW: Moxa NPort serial device server CVE cluster reaches CERT-FR and BSI CVE-2026-10825

Confidence: Medium

NEW: Moxa NPort serial device server CVE cluster reaches CERT-FR and BSI
Confidence: HIGH.
Action: Route NPort 6000-G2 and W2150A/W2250A advisories to OT/network owners; validate fixed versions and segmentation.
Sources: https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0760/ ; http

Update: NEW: FreeRDP WID-SEC-2026-1933 lands as EU advisory

Confidence: Medium

NEW: FreeRDP WID-SEC-2026-1933 lands as EU advisory
Confidence: LOW / UNVERIFIED.
Action: Check RDP clients, jump hosts, and remote-support tooling for affected FreeRDP builds.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1933

Update: NEW: Mattermost WID-SEC-2026-1932 adds collaboration-platform checks

Confidence: Medium

NEW: Mattermost WID-SEC-2026-1932 adds collaboration-platform checks
Confidence: LOW / UNVERIFIED.
Action: Identify self-hosted Mattermost owners and verify patched versions.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1932

Update: NEW: Snipe-IT CVE-2026-54329 enters high-severity owner routing CVE-2026-54329

Confidence: Medium

NEW: Snipe-IT CVE-2026-54329 enters high-severity owner routing
Confidence: LOW / UNVERIFIED.
Action: Route to Snipe-IT asset-inventory owners and confirm upstream fixed release.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1939

Update: NEW: jq CVE-2026-54679 appears as unpatched BSI advisory CVE-2026-54679

Confidence: Medium

NEW: jq CVE-2026-54679 appears as unpatched BSI advisory
Confidence: LOW / UNVERIFIED.
Action: Track remediation for jq in automation images and CI runners; defer urgent action until vendor package fixes are confirmed.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?na
