ELEVATED · 3 min read · 28 Jun 2026

CVE-2026-25521 Locutus and Cisco CVE-2026-20230 Anchor the 28 June Priority Queue

Today’s intelligence is consolidated into 14 priority findings, with 8 new rows and 6 updates. The action pattern is split between developer trust boundaries, supply-chain exposure, exploited Cisco infrastructure, and two campaign-watch items. 4 further items tracked below.

Key findings
01
Cisco Unified Communications Manager CVE-2026-20230 KEV deadline
HIGH
CVSS 8.6 high · CWE-918 Server-Side Request Forgery · EPSS 99th percentile · CISA KEV (actively exploited). Cisco Unified Communications Manager CVE-2026-20230 is a new exploited-infrastructure item because the evidence ties it to active exploitation and a CISA Known Exploited Vulnerabilities deadline. That makes it higher priority than lower-confidence validation findings.
02
Cisco Catalyst SD-WAN Manager CVE-2026-20245 exploitation detail
HIGH
CVSS 7.8 high · CWE-116 Improper Encoding or Escaping of Output · EPSS 95th percentile · CISA KEV (actively exploited). Cisco Catalyst SD-WAN Manager CVE-2026-20245 is an updated exploitation-detail finding, and it is listed in the CISA Known Exploited Vulnerabilities catalogue (added 2026-06-09, remediation due 2026-06-23, now overdue).
03
CVE-2026-25521 Locutus prototype pollution patched in 2.0.39
CRITICAL
CVSS 9.4 critical · CWE-1321 Prototype Pollution · EPSS 17th percentile. CVE-2026-25521 is a newly promoted Locutus dependency finding. The current evidence names prototype pollution in Locutus versions 2.0.12 through 2.0.38, with 2.0.39 as the update target.
04
Hanwha Vision CVE-2024-54013 web server request-handling access risk
HIGH
CVSS 8.7 high · CWE-306 Missing Authentication for Critical Function · EPSS 5th percentile. Hanwha Vision CVE-2024-54013 is a new camera-firmware routing item. The current intelligence describes a web server request-handling access risk and points to the manufacturer’s patch reference.
05
Amazon Q Developer CVE-2026-12957 MCP trust-boundary flaw
HIGH
CVSS 8.5 high · CWE-732 Incorrect Permission Assignment for Critical Resource · EPSS 2nd percentile. CVE-2026-12957 remains in the developer-agent trust-boundary queue, with the current delta centred on patch-release proof. The relevant control question is whether repository-level MCP configuration can cross trust boundaries before teams have established trust in a repository.
06
Linux kernel CVE-2026-46097 debugfs use-after-free
HIGH
CVSS 7.8 high · CWE-416 Use After Free · EPSS 2nd percentile. Linux kernel CVE-2026-46097 is a new debugfs use-after-free item. The affected context in the current intelligence is the edt-ft5x06 debugfs path or similar embedded and touchscreen stacks.
07
pnpm CVE-2026-50015 malicious patch arbitrary write/delete
HIGH
CVSS 7.3 high · CWE-22 Path Traversal · EPSS 16th percentile. CVE-2026-50015 is an updated pnpm finding with patch-release proof. The current risk is malicious patch material that can write or delete files outside expected paths.
08
pnpm CVE-2026-50016 transitive alias path traversal
HIGH
CVSS 8.8 high · CWE-23 Relative Path Traversal · EPSS 23rd percentile. CVE-2026-50016 is an updated pnpm finding with expanded supply-chain reach. The evidence points to transitive dependency aliases, lockfiles, and symlink replacement paths, including CI that installs untrusted repositories with --ignore-scripts.
09
pnpm CVE-2026-50017 repository-selected registry credential exposure
MEDIUM
CVSS 6.9 medium · CWE-200 Exposure of Sensitive Information to an Unauthorized Actor · EPSS 23rd percentile. CVE-2026-50017 is an updated pnpm finding with expanded supply-chain reach around repository-selected registry behaviour and unscoped user-level npm credentials.
10
pnpm CVE-2026-55180 environment secret expansion into registry requests
MEDIUM
CVSS 6.5 medium · CWE-200 Exposure of Sensitive Information to an Unauthorized Actor · EPSS 11th percentile. CVE-2026-55180 is an updated pnpm finding with new-victim material in the current intelligence. The issue is repository configuration expanding victim environment secrets into registry requests before scripts run.

Cisco Unified Communications Manager CVE-2026-20230 KEV deadline

Cisco Unified Communications Manager CVE-2026-20230 is a new exploited-infrastructure item because the evidence ties it to active exploitation and a CISA Known Exploited Vulnerabilities deadline. That makes it higher priority than lower-confidence validation findings.

Identify exposed Cisco Unified CM ownership, validate Cisco fixes, and hunt for suspicious arbitrary-file writes on affected endpoints. Keep the response specific to Unified CM exposure rather than turning it into a broad Cisco recap.

Identifiers: CVE-2026-20230

Sources: [BleepingComputer Cisco Unified CM report](https://www.bleepingcomputer.com/news/security/cisa-sets-urgent-deadline-to-fix-cisco-flaw-exploited-in-attacks/); [CISA Known Exploited Vulnerabilities catalogue](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Cisco Catalyst SD-WAN Manager CVE-2026-20245 exploitation detail

Cisco Catalyst SD-WAN Manager CVE-2026-20245 is an updated exploitation-detail finding, and it is listed in the CISA Known Exploited Vulnerabilities catalogue (added 2026-06-09, remediation due 2026-06-23, now overdue). The current intelligence adds zero-day timing, root-level access, anti-forensic behaviour, and communications-service-provider victim context.

Validate CVE-2026-20245 fixes and hunt for rogue peering, altered or restored configuration files, suspicious netadmin-to-root activity, and anti-forensic changes.

Identifiers: CVE-2026-20245

Sources: [The Hacker News Cisco SD-WAN report](https://thehackernews.com/2026/06/cisco-catalyst-sd-wan-zero-day-cve-2026.html); [CISA Known Exploited Vulnerabilities catalogue](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

All findings grounded in a13e intelligence sweeps through 04:55 UTC 28 June 2026.

CVE-2026-25521 Locutus prototype pollution patched in 2.0.39

CVE-2026-25521 is a newly promoted Locutus dependency finding. The current evidence names prototype pollution in Locutus versions 2.0.12 through 2.0.38, with 2.0.39 as the update target.

Treat this as dependency-owner validation rather than an incident trigger. Search dependency manifests and SBOMs for Locutus in the affected version range, update to 2.0.39 where present, and close the item quickly where Locutus is absent.

Identifiers: CVE-2026-25521

Sources: [NVD CVE-2026-25521](https://nvd.nist.gov/vuln/detail/CVE-2026-25521)
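The dependency-owner check described above, as an added example that is not code from the brief or from the Locutus project: it flags SBOM or lockfile entries whose version falls in the affected range 2.0.12 through 2.0.38. The npm package name "locutus" and the sample SBOM and lockfile are assumptions constructed for illustration; adjust AFFECTED.name if your manifests use a different identifier.

```javascript
// Added example (not from the brief or the Locutus project): flag Locutus entries in an
// SBOM or lockfile whose version is inside the affected range named in the brief.
// The package name "locutus" is an assumption.
const AFFECTED = { name: 'locutus', min: [2, 0, 12], max: [2, 0, 38], fixed: '2.0.39' };

// Parse a concrete "MAJOR.MINOR.PATCH" version (optional leading "v" and optional
// pre-release/build suffix). Ranges, tags and URLs return null: they are not pinned.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Conservative: an entry for the package with an unparsable version is reported too,
// because it cannot be shown to be at or above the fixed release.
function isAffected(name, version) {
  if (name !== AFFECTED.name) return false;
  const v = parseVersion(version);
  if (!v) return true;
  return compareVersions(v, AFFECTED.min) >= 0 && compareVersions(v, AFFECTED.max) <= 0;
}

// Accept two common shapes: CycloneDX JSON ("components": [{name, version}]) and
// package-lock.json v2/v3 ("packages" keyed by install path such as
// "node_modules/locutus"). Nested copies under other packages are included.
function extractComponents(doc) {
  if (Array.isArray(doc.components)) {
    return doc.components.map(c => ({ name: c.name, version: c.version }));
  }
  if (doc.packages && typeof doc.packages === 'object') {
    return Object.entries(doc.packages)
      .filter(([installPath]) => installPath.includes('node_modules/'))
      .map(([installPath, meta]) => ({
        name: meta.name || installPath.split('node_modules/').pop(),
        version: meta.version,
      }));
  }
  return [];
}

// Returns "name@version" for every affected entry, ready to attach to the update ticket.
function findAffected(doc) {
  return extractComponents(doc)
    .filter(c => isAffected(c.name, c.version))
    .map(c => `${c.name}@${c.version}`);
}

// Constructed sample inputs (not real project data).
const SAMPLE_SBOM = {
  bomFormat: 'CycloneDX',
  specVersion: '1.5',
  components: [
    { name: 'locutus', version: '2.0.16' },  // inside the affected range
    { name: 'lodash', version: '4.17.21' },  // unrelated package
    { name: 'locutus', version: '2.0.39' },  // already on the fixed release
  ],
};

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/locutus': { version: '2.0.12' },                        // lower bound, affected
    'node_modules/other-lib/node_modules/locutus': { version: '2.0.11' }, // below the range
  },
};

console.log('SBOM hits:', findAffected(SAMPLE_SBOM));
console.log('lockfile hits:', findAffected(SAMPLE_LOCK));
```

Run it against a real CycloneDX export or package-lock.json by replacing the constructed objects with `JSON.parse` of the file; an empty result for every manifest in the estate is the evidence needed to close the item.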

Hanwha Vision CVE-2024-54013 web server request-handling access risk

Hanwha Vision CVE-2024-54013 is a new camera-firmware routing item. The current intelligence describes a web server request-handling access risk and points to the manufacturer’s patch reference.

Route this to teams that own Hanwha Vision camera estates, including physical security and facilities where appropriate. Confirm affected models and apply the manufacturer patch where the device inventory matches.

Identifiers: CVE-2024-54013

Sources: [NVD CVE-2024-54013](https://nvd.nist.gov/vuln/detail/CVE-2024-54013); [Hanwha Vision camera vulnerability report](https://www.hanwhavision.com/wp-content/uploads/2026/04/Camera-Vulnerability-ReportCVE-2024-5401154013.pdf)

Amazon Q Developer CVE-2026-12957 MCP trust-boundary flaw

CVE-2026-12957 remains in the developer-agent trust-boundary queue, with the current delta centred on patch-release proof. The relevant control question is whether repository-level MCP configuration can cross trust boundaries before teams have established trust in a repository.

Update Amazon Q Developer and Language Servers for AWS, inspect repository-level .amazonq/mcp.json or equivalent MCP configuration, and restrict trusted-workspace flows for untrusted repositories.

Identifiers: CVE-2026-12957

Sources: [The Hacker News Amazon Q report](https://thehackernews.com/2026/06/amazon-q-developer-flaw-could-let.html); [SecurityWeek Amazon Q report](https://www.securityweek.com/amazon-q-flaw-enabled-cloud-credential-theft-via-malicious-repositories/)

Linux kernel CVE-2026-46097 debugfs use-after-free

Linux kernel CVE-2026-46097 is a new debugfs use-after-free item. The affected context in the current intelligence is the edt-ft5x06 debugfs path or similar embedded and touchscreen stacks.

Prioritise kernel update validation where that driver path is relevant. For ordinary server fleets without the affected exposure, keep it in normal kernel maintenance unless stronger evidence appears.

Identifiers: CVE-2026-46097

Sources: [NVD CVE-2026-46097](https://nvd.nist.gov/vuln/detail/CVE-2026-46097); [Linux kernel reference](https://git.kernel.org/)

pnpm CVE-2026-50015 malicious patch arbitrary write/delete

CVE-2026-50015 is an updated pnpm finding with patch-release proof. The current risk is malicious patch material that can write or delete files outside expected paths.

Upgrade pnpm where affected, audit patchedDependencies and .patch file headers, and treat patch artefacts from untrusted repositories as input that must not be trusted by default until the estate is fixed.

Identifiers: CVE-2026-50015

Sources: [GitHub Advisory GHSA-rxhj-4m44-96r4](https://github.com/advisories/GHSA-rxhj-4m44-96r4)
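The patchedDependencies audit described above, as an added example that is not pnpm's own code or code from the advisory: it reads the `pnpm.patchedDependencies` map from package.json, then checks every file header in each .patch (`diff --git`, `---`, `+++`, `rename from/to`) for paths that are absolute or climb out of the patched package's directory. The sample package.json and patch texts are constructed for illustration; in real use the patch contents are read from disk.

```javascript
// Added example (not from pnpm or the advisory): audit pnpm patchedDependencies entries
// for header paths that escape the package directory. Sample inputs are constructed.

// Collapse "." and ".." segments of a slash-separated relative path without touching
// the filesystem. Leading ".." segments that cannot be collapsed are kept, which is
// exactly what reveals an escape from the patched package's directory.
function normalizeSegments(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (out.length && out[out.length - 1] !== '..') out.pop(); else out.push('..');
    } else {
      out.push(seg);
    }
  }
  return out;
}

// Returns a reason string when a header path should not be applied, null otherwise.
function unsafeReason(p) {
  if (p === '/dev/null') return null;                     // marker for created/deleted files
  if (p.startsWith('/') || /^[A-Za-z]:[\\/]/.test(p)) return 'absolute path';
  if (p.includes('\\')) return 'backslash separator';
  const segs = normalizeSegments(p.replace(/^[ab]\//, ''));
  if (segs[0] === '..') return 'escapes the package directory';
  return null;
}

// Scan one unified diff. "---"/"+++" are treated as file headers only as a pair:
// a removed line whose content begins "-- " also starts with "---" inside a hunk.
function auditPatch(text) {
  const lines = text.split(/\r?\n/);
  const findings = [];
  const check = (lineNo, p) => {
    const reason = unsafeReason(p);
    if (reason) findings.push({ line: lineNo, path: p, reason });
  };
  lines.forEach((line, i) => {
    let m;
    if ((m = /^diff --git a\/(\S+) b\/(\S+)$/.exec(line))) {
      check(i + 1, m[1]);
      check(i + 1, m[2]);
    } else if ((m = /^rename (?:from|to) (\S+)$/.exec(line))) {
      check(i + 1, m[1]);
    } else if ((m = /^--- (\S+)/.exec(line)) && /^\+\+\+ /.test(lines[i + 1] || '')) {
      check(i + 1, m[1]);
    } else if ((m = /^\+\+\+ (\S+)/.exec(line)) && /^--- /.test(lines[i - 1] || '')) {
      check(i + 1, m[1]);
    }
  });
  return findings;
}

// patchFiles maps each repository-relative patch path to its text.
function auditPatchedDependencies(pkg, patchFiles) {
  const entries = (pkg.pnpm && pkg.pnpm.patchedDependencies) || {};
  const report = [];
  for (const [dependency, patchPath] of Object.entries(entries)) {
    const findings = [];
    const locationReason = unsafeReason(patchPath);
    if (locationReason) findings.push({ line: 0, path: patchPath, reason: `patch location: ${locationReason}` });
    const text = patchFiles[patchPath];
    if (text === undefined) findings.push({ line: 0, path: patchPath, reason: 'patch file missing' });
    else findings.push(...auditPatch(text));
    report.push({ dependency, patch: patchPath, findings });
  }
  return report;
}

// Constructed samples (not real project data).
const SAMPLE_PACKAGE_JSON = {
  name: 'app',
  pnpm: {
    patchedDependencies: {
      'left-pad@1.3.0': 'patches/left-pad@1.3.0.patch',
      'tiny-lib@2.1.0': 'patches/tiny-lib@2.1.0.patch',
    },
  },
};

const SAMPLE_PATCHES = {
  // Ordinary patch: every header path stays inside the package.
  'patches/left-pad@1.3.0.patch': [
    'diff --git a/index.js b/index.js', '--- a/index.js', '+++ b/index.js', '@@ -1,3 +1,3 @@',
    ' function pad(s) {', '-  return s;', '+  return String(s);', ' }',
  ].join('\n'),
  // Constructed hostile patch: the target path climbs out of the package directory.
  'patches/tiny-lib@2.1.0.patch': [
    'diff --git a/index.js b/../../outside/config.json', '--- a/index.js',
    '+++ b/../../outside/config.json', '@@ -1 +1 @@', '-module.exports = 1;', '+module.exports = 2;',
  ].join('\n'),
};

console.log(JSON.stringify(auditPatchedDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_PATCHES), null, 2));
```

Any non-empty `findings` array is a reason to block the install on the shared builder rather than a reason to investigate later; patches sourced from a repository you do not yet trust should fail the check by default.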

pnpm CVE-2026-50016 transitive alias path traversal

CVE-2026-50016 is an updated pnpm finding with expanded supply-chain reach. The evidence points to transitive dependency aliases, lockfiles, and symlink replacement paths, including CI that installs untrusted repositories with --ignore-scripts.

Audit dependency aliases, lockfiles, and shared-builder install paths. This matters in pipelines that treat dependency installation as safe simply because lifecycle scripts are disabled.

Identifiers: CVE-2026-50016

Sources: [GitHub Advisory GHSA-hwx4-2j3j-g496](https://github.com/advisories/GHSA-hwx4-2j3j-g496)

pnpm CVE-2026-50017 repository-selected registry credential exposure

CVE-2026-50017 is an updated pnpm finding with expanded supply-chain reach around repository-selected registry behaviour and unscoped user-level npm credentials.

Scope registry tokens by URL, remove broad user-level npm credentials from shared builders, and rotate credentials if untrusted repositories were installed in environments with usable registry authentication.

Identifiers: CVE-2026-50017

Sources: [GitHub Advisory GHSA-cjhr-43r9-cfmw](https://github.com/advisories/GHSA-cjhr-43r9-cfmw)

pnpm CVE-2026-55180 environment secret expansion into registry requests

CVE-2026-55180 is an updated pnpm finding with new-victim material in the current intelligence. The issue is repository configuration expanding victim environment secrets into registry requests before scripts run.

Hunt registry requests and CI logs for expanded secrets, rotate exposed tokens, and block project .npmrc placeholders from expanding into authentication destinations.

Identifiers: CVE-2026-55180

Sources: [GitHub Advisory GHSA-3qhv-2rgh-x77r](https://github.com/advisories/GHSA-3qhv-2rgh-x77r)
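The two .npmrc controls above, scoping registry credentials by URL (CVE-2026-50017) and stopping a repository-supplied .npmrc from expanding CI secrets into requests to a repository-selected registry (CVE-2026-55180), as one added example that is not npm's, pnpm's or the advisories' code. It parses .npmrc text and reports unscoped credential keys, registry destinations outside an allowlist, and `${VAR}` placeholders in a project-level file. The allowlist, the untrusted registry host and the sample files are constructed for illustration.

```javascript
// Added example (not from npm, pnpm or the advisories): audit .npmrc content for
// unscoped credentials and for project-level placeholders that would expand CI
// secrets into requests to a repository-selected registry. Samples are constructed.
const CREDENTIAL_SETTINGS = new Set(['_authToken', '_auth', '_password', 'username']);
const PLACEHOLDER_RE = /\$\{([A-Za-z_][A-Za-z0-9_]*)\}/g;

// Minimal ini-style parser: "key=value" lines, comments start with # or ;.
function parseNpmrc(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    entries.push({ key: line.slice(0, eq).trim(), value: line.slice(eq + 1).trim() });
  }
  return entries;
}

// Split a key into its registry-URL scope (if any) and the bare setting name:
//   "//registry.npmjs.org/:_authToken" -> { host: "registry.npmjs.org", setting: "_authToken" }
//   "@acme:registry"                    -> { host: null, setting: "registry" }
//   "_authToken"                        -> { host: null, setting: "_authToken" }
function splitKey(key) {
  const m = /^\/\/([^/]+)(\/[^:]*)?:(.+)$/.exec(key);
  if (m) return { host: m[1], setting: m[3] };
  return { host: null, setting: key.replace(/^@[^:]+:/, '') };
}

function registryHost(value) {
  try { return new URL(value).host; } catch { return null; }
}

// allowedRegistryHosts: hosts your builders are permitted to talk to.
// isProjectFile: true when auditing a .npmrc that came from the repository itself.
function auditNpmrc(text, { allowedRegistryHosts, isProjectFile }) {
  const allowed = new Set(allowedRegistryHosts);
  const findings = [];
  for (const { key, value } of parseNpmrc(text)) {
    const { host, setting } = splitKey(key);
    const placeholders = [...value.matchAll(PLACEHOLDER_RE)].map(m => m[1]);

    if (CREDENTIAL_SETTINGS.has(setting) && host === null) {
      findings.push({ key, reason: 'credential is not scoped to a registry URL, so it is sent to whichever registry is selected' });
    }
    if (setting === 'registry') {
      const h = registryHost(value);
      if (!h || !allowed.has(h)) findings.push({ key, reason: `registry destination ${h || value} is not on the allowlist` });
    }
    if (isProjectFile && placeholders.length) {
      let reason = `project .npmrc expands ${placeholders.join(', ')} from the CI environment`;
      if (CREDENTIAL_SETTINGS.has(setting) && !allowed.has(host)) {
        reason += ` into a credential for ${host || 'the selected registry'}`;
      }
      findings.push({ key, reason });
    }
  }
  return findings;
}

// Constructed samples (no real tokens).
// Weak user-level file on a shared builder: the token is unscoped.
const USER_LEVEL_UNSCOPED = [
  'registry=https://registry.npmjs.org/',
  '_authToken=example-token-not-real',
].join('\n');

// Corrected user-level file: the token is bound to one registry URL.
const USER_LEVEL_SCOPED = [
  'registry=https://registry.npmjs.org/',
  '//registry.npmjs.org/:_authToken=${NPM_TOKEN}',
].join('\n');

// Repository-supplied file that selects its own registry and asks the environment for a token.
const PROJECT_SUSPECT = [
  '# constructed example of a repository .npmrc',
  'registry=https://registry.example-untrusted.invalid/',
  '//registry.example-untrusted.invalid/:_authToken=${NPM_TOKEN}',
].join('\n');

const OPTS = { allowedRegistryHosts: ['registry.npmjs.org'], isProjectFile: false };
console.log('unscoped:', auditNpmrc(USER_LEVEL_UNSCOPED, OPTS));
console.log('scoped:', auditNpmrc(USER_LEVEL_SCOPED, OPTS));
console.log('project:', auditNpmrc(PROJECT_SUSPECT, { ...OPTS, isProjectFile: true }));
```

Run the audit with `isProjectFile: true` over the checked-out repository's .npmrc before the install step, and with `isProjectFile: false` over the builder's user-level file; a registry finding or a placeholder-into-credential finding on the project file is the signal that the install would send a CI token to a host the repository chose.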

Also tracked

  • Miasma Mini Shai-Hulud npm/GitHub Actions compromise
  • Polymarket third-party frontend supply-chain compromise
  • CL-STA-1062/TinyRCT Southeast Asia government and critical-infrastructure campaign
  • Turla/STOCKSTAY Ukraine espionage backdoor