PTC FlexPLM / Windchill CVE-2026-12569 Leads EU Advisory Routing
Finding 1: PTC FlexPLM / Windchill CVE-2026-12569 enters EU unpatched critical routing
Confidence: Medium
PTC FlexPLM / Windchill CVE-2026-12569 is the day's clearest EU owner assignment item. CERT-Bund lists WID-SEC-2026-1991 and Positive Technologies provides vulnerability context, so PLM and manufacturing owners should check exposure and compensating controls whilst patch status is clarified.
Sources: CERT-Bund WID-SEC-2026-1991; Positive Technologies.
Finding 2: Drupal Core WID-SEC-2026-2002 critical batch reaches BSI and CERT-FR routing
Confidence: Medium
Drupal Core has stronger evidence than most items today because both BSI/CERT-Bund and CERT-FR appear in the intelligence. Internet-facing Drupal sites should be identified first, then patched-version evidence should be collected from site owners.
Sources: CERT-Bund WID-SEC-2026-2002; CERT-FR CERTFR-2026-AVI-0771.
Finding 3: NGINX and NGINX Plus CVE batch adds reverse-proxy patch work
Confidence: Medium
NGINX and NGINX Plus require reverse-proxy owner routing across public ingress, API gateways, and managed proxy layers. The issue is not only patching; teams need to know where NGINX is embedded in platforms they do not manage directly.
Sources: CERT-Bund WID-SEC-2026-1995; CERT-FR CERTFR-2026-AVI-0775.
Finding 4: iba AG ibaPDA CVE-2026-8024 adds OT-adjacent code-execution checks
Confidence: Unverified
The ibaPDA item is a single-source advisory row, so it should stay caveated. OT and production-data owners should map deployments and validate vendor remediation status before opening a wider incident track.
Sources: CERT-Bund WID-SEC-2026-1986.
Finding 5: Mitel MiCollab WID-SEC-2026-1990 reaches EU high-severity routing
Confidence: Unverified
Mitel MiCollab enters the EU queue through a CERT-Bund multi-vulnerability advisory. Communications-platform owners should match exposure and watch CSAF or vendor channels for CVE expansion.
Sources: CERT-Bund WID-SEC-2026-1990.
Finding 6: vLLM CVE-2026-12491 appears in CERT-Bund unpatched advisory queue
Confidence: Unverified
vLLM is relevant because model-serving components increasingly sit near sensitive data and internal tools. Production owners should check whether vLLM is deployed and track upstream remediation before changing risk posture.
Sources: CERT-Bund WID-SEC-2026-1992.
Finding 7: Sonatype Nexus Repository Manager CVE-2026-10741 enters EU disclosure queue
Confidence: Unverified
Nexus Repository Manager deserves repository-owner attention even with limited corroboration. Validate versions, review package visibility, and check whether metadata or package access controls need a temporary restriction.
Sources: CERT-Bund WID-SEC-2026-1987.
Finding 8: IBM WebSphere Application Server CVE batch enters EU routing
Confidence: Unverified
WebSphere is an ownership and exposure-inventory task. Identify application and middleware owners, then schedule patch validation for exposed admin and application tiers.
Sources: CERT-Bund WID-SEC-2026-2001.
Finding 9: Budibase SQL injection and code execution advisory lands
Confidence: Unverified
Budibase sits close to internal data connectors, so even a single-source advisory should be routed. Confirm versions and review exposed apps that can reach privileged data stores.
Sources: CERT-Bund WID-SEC-2026-2000.
Finding 10: NCSC Fortinet firewall and VPN targeting advisory
Confidence: Unverified
NCSC's Fortinet advisory is useful exposure-review context, not yet a CVE-specific escalation in today's intelligence. Use it to validate firewall and VPN estate hygiene, then wait for CVE, IOC, patch-version, or victim anchors before raising severity.
Sources: NCSC UK.
Finding 11: NL Portal CVE-2026-54683 incomplete authorisation fix affects document downloads
Confidence: Unverified
NL Portal has a fixed-version path in the GitHub advisory. Upgrade to 3.0.3, or block affected REST and GraphQL document-content endpoints until the fix is in place.
Sources: GitHub Advisory Database GHSA-jr45-52cw-69h5.
Finding 12: MSRC elixir-grpc/grpc CVE-2026-48854 memory-exhaustion advisory
Confidence: Unverified
The MSRC advisory should go to service owners who run elixir-grpc/grpc in exposed or high-volume paths. Apply package updates where available and consider request-size limits whilst testing proceeds.
Sources: MSRC CVE-2026-48854.
Finding 13: BBOT CVE-2026-12565 through CVE-2026-12568 affect archive and workflow ingestion
Confidence: Unverified
BBOT belongs with security-automation owners. Check scheduled reconnaissance jobs, pinned containers, and archive ingestion paths before assuming the exposure is limited to developer laptops.
Sources: GitHub Advisory Database.
Finding 14: undici CVE-2026-9675, CVE-2026-9678, and CVE-2026-9697 add Node transport checks
Confidence: Unverified
undici is a common Node HTTP and WebSocket dependency, so SBOM and lockfile checks matter more than manual inventory. Prioritise services that call trusted APIs or handle outbound authentication flows.
Sources: GitHub Advisory Database.
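The lockfile check described in Finding 14, as an added example that is not part of the original digest or any advisory: it lists every resolved copy of undici in an npm lockfile, including copies nested under other packages, and compares each against a floor per major line. The sample lockfile, the `http-helper` package name and the floor versions are constructed placeholders; take the real fixed versions from the advisory.

```javascript
// Added example (not from the digest). Constructed sample; pass the parsed package-lock.json in practice.
const SAMPLE_LOCK = {
  packages: {
    "node_modules/undici": { version: "2.0.9" },
    "node_modules/http-helper": { version: "4.1.0" },
    "node_modules/http-helper/node_modules/undici": { version: "1.2.0" },
    "node_modules/undici-types": { version: "2.0.9", dev: true },
  },
};
// PLACEHOLDER floors (constructed, not from any advisory), keyed by major line.
const SAMPLE_FLOORS = { 1: "1.2.3", 2: "2.0.5" };

function findInstances(lock, name) {
  const hits = [];
  const suffix = "node_modules/" + name;
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === suffix || path.endsWith("/" + suffix)) hits.push({ path, version: meta.version });
  }
  if (hits.length > 0) return hits;
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + dep;
      if (dep === name) hits.push({ path, version: meta.version });
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Numeric major.minor.patch comparison; a pre-release suffix is ignored.
function isBelow(version, floor) {
  const parse = (v) => v.split("-")[0].split(".").map(Number);
  const a = parse(version), b = parse(floor);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// Status per copy: "below-floor", "ok", or "no-floor-known" for an unlisted major line.
function triage(lock, name, floorsByMajor) {
  return findInstances(lock, name).map((hit) => {
    const floor = floorsByMajor[hit.version.split(".")[0]];
    return { ...hit, status: !floor ? "no-floor-known" : isBelow(hit.version, floor) ? "below-floor" : "ok" };
  });
}

console.log(triage(SAMPLE_LOCK, "undici", SAMPLE_FLOORS));
```

A nested copy can sit below the floor while the top-level copy is current, which is why the path is reported alongside the version.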
Finding 15: Apollo APG-01 BT CVE-2026-50034 adds medical-device advisory work
Confidence: Unverified
The Apollo APG-01 BT advisory should be routed to healthcare, clinical engineering, or lab network owners. Map deployments and confirm mitigation status before making assumptions about exposure.
Sources: CISA ICSMA-26-169-01.
Finding 16: AzeoTech DAQFactory CVE-2026-12390 reaches CISA ICS routing
Confidence: Unverified
DAQFactory is an OT and lab-automation routing item. Validate affected versions in facilities and operational environments, then fit remediation into maintenance windows.
Sources: CISA ICSA-26-169-02.
Finding 17: AVer PTC camera CVE-2026-40624 enters CISA ICS owner routing
Confidence: Unverified
AVer PTC camera deployments should be inventoried, firmware should be checked, and camera management interfaces should be isolated where exposure is unnecessary. Treat this as physical-security infrastructure work, not only IT patching.
Sources: CISA ICSA-26-169-01.
Finding 18: Schneider Electric CVE-2026-4827 adds energy OT patch routing
Confidence: Unverified
Schneider Electric CVE-2026-4827 should go to substation, telemetry, and power-management owners. The first ask is affected-version evidence, followed by remediation planning that respects operational constraints.
Sources: CISA ICSA-26-169-07.
Finding 19: gemini-mcp-tool CVE-2026-0755 exposes command injection and file exfiltration
Confidence: Unverified
The gemini-mcp-tool advisory points at command-injection and file-exfiltration risk in AI-adjacent tooling. Review package versions, disable risky invocation paths during updates, and rotate workspace secrets if exposure is suspected.
Sources: GitHub Advisory Database GHSA-4h5r-5jm8-jxjm.
Finding 20: Microsoft Copilot CVE-2026-42895 tampering advisory enters tenant review
Confidence: Unverified
Microsoft Copilot CVE-2026-42895 is a tenant-review item. Validate service-side remediation status and confirm whether any customer-side control or configuration action is required.
Sources: MSRC CVE-2026-42895.
Finding 21: Splunk AI Toolkit CVE-2026-20266 OS command injection patched in 5.7.4
Confidence: Unverified
Splunk AI Toolkit has a clear patch target in the collected report. Upgrade to 5.7.4, or uninstall the toolkit where immediate update is blocked.
Sources: SecurityWeek.
Finding 22: ShapedPlugin paid WordPress update flow delivered backdoored builds
Confidence: Unverified
The ShapedPlugin report is supply-chain work for WordPress estates. Update affected paid plugins, hunt for fake WooCommerce plugin names, rotate secrets, and review privileged users.
Sources: BleepingComputer.
Finding 23: Agent runtime CVE-2026-53846 dependency-path issue
Confidence: Unverified
This GitHub advisory concerns dependency installation influenced by workspace configuration. Upgrade to the fixed release and avoid dependency installation from untrusted workspaces until patched.
Sources: GitHub Advisory Database GHSA-24vr-rprv-67rf.
Finding 24: Agent runtime CVE-2026-53858 dependency-root issue
Confidence: Unverified
This related GitHub advisory concerns runtime dependency root resolution. Upgrade to the fixed release and keep gateway, plugin, and tool allowlists narrow.
Sources: GitHub Advisory Database GHSA-wc84-j36w-pw4x.
Update: Attackers Exploit Three Fortinet FortiSandbox Flaws, One Patched Last Week (CVE-2026-39813)
Confidence: Medium
Bad actors are exploiting multiple security vulnerabilities in Fortinet FortiSandbox, according to threat intelligence firm Defused Cyber. In a post shared on X, the company said it has observed exploitation of CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089 over the past 24 hours.
Sources: https://thehackernews.com/2026/06/attackers-exploit-three-fortinet.html
Update: CISA Flags LiteSpeed cPanel Plugin Flaw Exploited for Root Privilege Escalation (CVE-2026-54420)
Confidence: Medium
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a security flaw impacting LiteSpeed cPanel Plugin to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by June 18, 2026. The vulnerability in que
Known Exploited (CISA KEV).
Sources: https://thehackernews.com/2026/06/cisa-flags-litespeed-cpanel-plugin-flaw.html
Update: Sayonara, SocGholish: Operation Endgame Disrupts Major Cybercrime Operation
Confidence: Medium
Key Findings: Global law enforcement and private sector partners worked to disrupt activity related to TA569, as part of Operation Endgame. TA569 is one of the most prominent cybercriminal threat groups in Proofpoint threat data, which our researchers have tracked since 2018.
Sources: https://www.proofpoint.com/us/blog/threat-insight/sayonara-socgholish-operation-endgame-disrupts-major-cybercrime-operation