Weekly Vulnerability Briefing: 1567 CVEs, 2 KEV Entries, 276 Unpatched Critical/High
Executive Summary
Overview
For the reporting period 2026-06-01 to 2026-06-08, vuln.today data shows 1567 total CVEs published, broken down as 138 CRITICAL, 570 HIGH, 615 MEDIUM, 184 LOW, and 60 UNKNOWN. The dataset includes 2 CISA KEV entries, 183 CVEs with public exploits/POCs, 864 with patches available, and 276 unpatched CRITICAL/HIGH issues. Week-over-week volume decreased 5% from the previous week's 1648 CVEs.
Critical Threats
- CVE-2025-48595 (HIGH, CVSS 8.4) - Google Android (versions 14, 15, 16, and 16-qpr2) local privilege escalation via integer overflow (CWE-190). Confirmed actively exploited (CISA KEV); public exploit code available; EPSS 0.0%. No vendor-released patch identified at time of analysis. Action: "Within 24 hours: Audit enterprise inventory to identify all devices running Android 14, 15, 16, or 16-qpr2; assess exposure of identified devices in high-risk contexts (administrative access, corporat".
- CVE-2026-28318 (HIGH, CVSS 7.5, AV:N/AC:L/PR:N/UI:N) - SolarWinds Serv-U remote denial-of-service via crafted POST requests using Content-Encoding: deflate (CWE-400). Unauthenticated. Confirmed actively exploited (CISA KEV); public exploit code available; EPSS 0.1%. No vendor-released patch identified at time of analysis. Action: "Within 24 hours: inventory all SolarWinds Serv-U deployments and assess network exposure; restrict inbound access to Serv-U to authorized IP ranges only. Within 7 days: deploy WAF or network filtering".
- CVE-2025-71318 (CRITICAL, CVSS 9.3) - Riello UPS NetMan 204 unauthenticated administrative access enabling read of sensitive configuration and privileged power-control commands. Public exploit code available (Exploit-DB 52183); EPSS 0.2%. No vendor-released patch identified at time of analysis. Action: "24 hours: Inventory all NetMan 204 units in your environment; implement network-level access restrictions to management interfaces using firewalls or VLANs; change any default credentials. 7 days: Dep".
- CVE-2025-71317 (CRITICAL, CVSS 9.3) - Riello UPS NetMan 204 hard-coded backdoor account ('eurek'/'eurek') exposed through cgi-bin/login.cgi (CWE-798). Public exploit code available (Exploit-DB 52183); EPSS 0.1%. No vendor-released patch identified at time of analysis. Action: "24 HOURS: Inventory all Riello UPS NetMan 204 devices; immediately network-isolate or disconnect non-critical units; disable or reset the hard-coded 'eurek' account to a unique credential via the devi".
- CVE-2025-71316 (CRITICAL, CVSS 9.2) - Microsoft SQLite sqldiff.exe arbitrary DLL loading on Windows via Best-Fit Unicode-to-ANSI conversion abuse. Public exploit code available; EPSS 0.0%. Upstream fix available (PR/commit); released patched version not independently confirmed. Action: "Within 24 hours: Inventory all Windows systems running SQLite, sqldiff.exe, and applications that invoke this utility. Within 7 days: Apply available vendor patch from SQLite to all identified systems".
- CVE-2026-43624 (HIGH, CVSS 8.8) - F5-TTS (through 1.1.20) arbitrary file write via unsanitized project_name parameter passed to os.path.join() in the finetune Gradio interface. Public exploit code available; EPSS 0.1%. Upstream fix available (PR/commit); released patched version not independently confirmed. Action: "Within 24 hours: Identify all F5-TTS instances running version 1.1.20 or earlier and restrict network access to trusted networks only. Within 7 days: Apply the vendor patch released via PR #1294 (conf".
- CVE-2026-49491 (HIGH, CVSS 8.8) - Pixa Bank 2.0 SQL injection via UNION-based payloads in the 'rib' parameter of agence-ajax.php (PHP). Public exploit code available (Packet Storm); EPSS 0.1%. No vendor-released patch identified at time of analysis. Action: "24 hours: Inventory all Pixa Bank 2.0 deployments; restrict internet access to agence-ajax.php or take systems offline. 7 days: Monitor vendor advisory for security patch release; establish testing en".
- CVE-2026-49143 (HIGH, CVSS 8.7) - BrowserStack Runner (through 0.9.5) remote code execution via crafted JSON to /_log handler abusing vm.runInNewContext() and eval() (Node.js). Public exploit code available; EPSS 0.2%. No vendor-released patch identified at time of analysis. Action: "Within 24 hours: Inventory all systems running BrowserStack Runner 0.9.5 and earlier; assess criticality of test workflows dependent on this tool. Within 7 days: Implement network segmentation to isol".
- CVE-2026-49136 (HIGH, CVSS 8.7) - Banana Slides (through 0.4.0) path traversal in generate_image() via incomplete os.path.startswith() prefix check enabling arbitrary image-format file reads. Public exploit code available; EPSS 0.1%. Upstream fix available (PR/commit); released patched version not independently confirmed. Action: "Within 24 hours: Identify all Banana Slides deployments running version 0.4.0 and apply the patch available per vendor advisory (commit e8bc490 or later) or disable image generation functionality imme".
- CVE-2026-43623 (HIGH, CVSS 8.7) - microtar (through 0.1.0) stack-based buffer overflow in raw_to_header() via strcpy() on non-null-terminated 100-byte ustar fields, writing up to 355 bytes into a 100-byte buffer. Public exploit code available; EPSS 0.0%. No vendor-released patch identified at time of analysis. Action: "Within 24 hours: Inventory all applications and services using microtar; isolate affected systems from sensitive networks and external file inputs. Within 7 days: Implement strict input validation (re".
Threat Landscape
Top affected vendors by CVE count: Google (452), Suse (417), Red Hat (388), WordPress (74), Microsoft (61), Linux (36), Apple (25), Apache (18), Samsung (14), and D-Link (5). Top attack techniques observed: Information Disclosure (432), Authentication Bypass (284), Denial Of Service (246), RCE (173), Memory Corruption (162), Buffer Overflow (153), XSS (122), Use After Free (121), Privilege Escalation (105), and SQLi (71). Patches are available for 864 of 1567 CVEs, while 276 CRITICAL/HIGH entries remain unpatched. One CVE in the dataset (CVE-2026-21404, MEDIUM) carries linked threat intelligence (MISP Galaxies, MITRE ATT&CK, CISA).
Key Trends
- Volume decreased 5% week-over-week (1567 vs. previous 1648).
- Vendor concentration is heavy in the top three (Google 452, Suse 417, Red Hat 388), which together account for the majority of the top-vendor list.
- Information Disclosure (432) and Authentication Bypass (284) lead the attack-technique distribution.
- Patches are available for 864 of 1567 CVEs (~55%), with 276 CRITICAL/HIGH entries unpatched.
- KEV entries account for 2 of 1567 CVEs; public exploits/POCs account for 183 of 1567.
Recommendations
Per-CVE actions (reproduced from the Critical Threats section above; quotes are truncated as in the source data):
- CVE-2025-48595: "Within 24 hours: Audit enterprise inventory to identify all devices running Android 14, 15, 16, or 16-qpr2; assess exposure of identified devices in high-risk contexts (administrative access, corporat".
- CVE-2026-28318: "Within 24 hours: inventory all SolarWinds Serv-U deployments and assess network exposure; restrict inbound access to Serv-U to authorized IP ranges only. Within 7 days: deploy WAF or network filtering".
- CVE-2025-71318: "24 hours: Inventory all NetMan 204 units in your environment; implement network-level access restrictions to management interfaces using firewalls or VLANs; change any default credentials. 7 days: Dep".
- CVE-2025-71317: "24 HOURS: Inventory all Riello UPS NetMan 204 devices; immediately network-isolate or disconnect non-critical units; disable or reset the hard-coded 'eurek' account to a unique credential via the devi".
- CVE-2025-71316: "Within 24 hours: Inventory all Windows systems running SQLite, sqldiff.exe, and applications that invoke this utility. Within 7 days: Apply available vendor patch from SQLite to all identified systems".
- CVE-2026-43624: "Within 24 hours: Identify all F5-TTS instances running version 1.1.20 or earlier and restrict network access to trusted networks only. Within 7 days: Apply the vendor patch released via PR #1294 (conf".
- CVE-2026-49491: "24 hours: Inventory all Pixa Bank 2.0 deployments; restrict internet access to agence-ajax.php or take systems offline. 7 days: Monitor vendor advisory for security patch release; establish testing en".
- CVE-2026-49143: "Within 24 hours: Inventory all systems running BrowserStack Runner 0.9.5 and earlier; assess criticality of test workflows dependent on this tool. Within 7 days: Implement network segmentation to isol".
- CVE-2026-49136: "Within 24 hours: Identify all Banana Slides deployments running version 0.4.0 and apply the patch available per vendor advisory (commit e8bc490 or later) or disable image generation functionality imme".
- CVE-2026-43623: "Within 24 hours: Inventory all applications and services using microtar; isolate affected systems from sensitive networks and external file inputs. Within 7 days: Implement strict input validation (re".
Dataset-level guidance: prioritize remediation for the 2 CISA KEV entries and the 183 CVEs with public exploit code; review the 276 unpatched CRITICAL/HIGH CVEs for compensating controls where vendor fixes are not yet available; and schedule deployment of available patches across the 864 CVEs with vendor-released fixes.
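The dataset-level guidance above describes a tiering order: KEV entries first, then CVEs with public exploit code, then unpatched CRITICAL/HIGH issues needing compensating controls, then routine patch deployment. The following is an added example (not part of the briefing or of vuln.today's tooling) that turns that order into a sort key over a constructed record set. The ten records reuse the severity, CVSS, KEV, exploit and patch attributes stated in this briefing's Critical Threats list; the two EXAMPLE-* records are placeholders constructed here so that the lower tiers are exercised.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    severity: str        # CRITICAL / HIGH / MEDIUM / LOW / UNKNOWN
    cvss: float
    in_kev: bool         # listed in CISA KEV
    public_exploit: bool # public exploit code / PoC available
    patch_available: bool  # vendor fix or upstream fix (PR/commit) available


# Constructed sample: attributes copied from the Critical Threats list in this briefing.
# For CVE-2025-71316, CVE-2026-43624 and CVE-2026-49136 the briefing notes an upstream
# fix (PR/commit), which is treated here as "patch available".
SAMPLE: List[CveRecord] = [
    CveRecord("CVE-2025-48595", "HIGH", 8.4, True, True, False),
    CveRecord("CVE-2026-28318", "HIGH", 7.5, True, True, False),
    CveRecord("CVE-2025-71318", "CRITICAL", 9.3, False, True, False),
    CveRecord("CVE-2025-71317", "CRITICAL", 9.3, False, True, False),
    CveRecord("CVE-2025-71316", "CRITICAL", 9.2, False, True, True),
    CveRecord("CVE-2026-43624", "HIGH", 8.8, False, True, True),
    CveRecord("CVE-2026-49491", "HIGH", 8.8, False, True, False),
    CveRecord("CVE-2026-49143", "HIGH", 8.7, False, True, False),
    CveRecord("CVE-2026-49136", "HIGH", 8.7, False, True, True),
    CveRecord("CVE-2026-43623", "HIGH", 8.7, False, True, False),
    # Placeholders (constructed, not from the briefing) to exercise tiers 2 and 3.
    CveRecord("EXAMPLE-UNPATCHED-HIGH", "HIGH", 7.8, False, False, False),
    CveRecord("EXAMPLE-PATCHED-MEDIUM", "MEDIUM", 5.3, False, False, True),
]


def priority_tier(r: CveRecord) -> int:
    """Map a record onto the briefing's remediation order (lower = more urgent)."""
    if r.in_kev:
        return 0  # confirmed active exploitation: remediate first
    if r.public_exploit:
        return 1  # public exploit/PoC: likely opportunistic exploitation
    if r.severity in ("CRITICAL", "HIGH") and not r.patch_available:
        return 2  # no fix yet: compensating controls
    if r.patch_available:
        return 3  # schedule normal patch deployment
    return 4      # everything else


def prioritize(records: List[CveRecord]) -> List[CveRecord]:
    """Most urgent first; within a tier, higher CVSS first (stable for ties)."""
    return sorted(records, key=lambda r: (priority_tier(r), -r.cvss))


def tier_counts(records: List[CveRecord]) -> Dict[int, int]:
    """How many records fall in each tier, for reporting the size of each work queue."""
    return dict(Counter(priority_tier(r) for r in records))


if __name__ == "__main__":
    for r in prioritize(SAMPLE):
        print(priority_tier(r), r.cve_id, r.severity, r.cvss)
    print(tier_counts(SAMPLE))
```

The tier assignment is deliberately a strict ladder rather than a weighted score: a KEV entry with CVSS 7.5 still outranks a CVSS 9.3 issue that has only a PoC, which matches the order the guidance gives.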
Top 10 Priority CVEs
CVE-2025-48595: Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2) stems from an integer overflow (CWE-190) that can be triggered without user interaction to achieve code execution. With CVSS 8.4 and an SSVC technical impact of 'total', a local attacker on the device can elevate privileges across security boundaries without additional execution rights. No public exploit was identified at time of analysis, and SSVC reports exploitation status as 'none'.
CVE-2026-28318: Remote denial-of-service in SolarWinds Serv-U allows unauthenticated attackers to crash the Serv-U service by sending specially crafted POST requests using Content-Encoding: deflate. The flaw carries CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and maps to CWE-400 (uncontrolled resource consumption); it affects service availability without compromising confidentiality or integrity. No public exploit was identified at time of analysis.
CVE-2025-71318: Unauthenticated administrative access in Riello UPS NetMan 204 network management cards allows remote attackers to read sensitive configuration and invoke privileged power-control commands by requesting administrative pages directly. It carries a CVSS 4.0 score of 9.3, and publicly available exploit code exists (Exploit-DB 52183), enabling attackers to trigger UPS shutdown, reboot, bypass switching, and battery tests against the protected infrastructure without any credentials.
CVE-2025-71317: Remote unauthenticated administrative access to Riello UPS NetMan 204 devices is possible via a hard-coded backdoor account ('eurek'/'eurek') exposed through the cgi-bin/login.cgi endpoint. The flaw (CWE-798) carries a CVSS 4.0 base score of 9.3, and publicly available exploit code exists (Exploit-DB 52183, VulnCheck advisory), enabling full takeover of UPS management functions, including configuration changes and enabling telnet/SSH. It is not listed in CISA KEV as actively exploited at time of analysis, but the trivially abusable static credential makes opportunistic exploitation highly likely.
CVE-2025-71316: Arbitrary DLL loading in SQLite's sqldiff.exe utility on Windows allows attackers to achieve code execution by abusing the Microsoft C runtime's Unicode-to-ANSI Best-Fit character conversion. Specially crafted Unicode characters in command-line arguments can be transformed into ASCII characters that sqldiff then parses as the '-L' option, loading an attacker-supplied DLL. Publicly available exploit research (the Black Hat EU 2024 'WorstFit' presentation) demonstrates the technique, though no public exploit targeting sqldiff specifically was identified, and the issue is not listed in CISA KEV.
CVE-2026-43624: Arbitrary file write in F5-TTS through 1.1.20 allows unauthenticated remote attackers to create directories and write attacker-controlled JSON anywhere the server process has write access, by abusing the unsanitized project_name parameter in the finetune Gradio interface. The flaw stems from passing user input directly to os.path.join(): supplying an absolute path discards the intended base directory entirely. Publicly available exploit code exists, and an upstream patch has been merged via PR #1294.
CVE-2026-49491: Unauthenticated SQL injection in Pixa Bank 2.0 allows remote attackers to exfiltrate database contents by submitting UNION-based payloads in the 'rib' parameter of the agence-ajax.php endpoint. Publicly available exploit code exists (Packet Storm) and the issue was disclosed by VulnCheck, making opportunistic exploitation likely against any internet-exposed instance. No active exploitation in the wild was identified at time of analysis (not on CISA KEV), but the trivial attack complexity and existing PoC elevate practical risk.
CVE-2026-49143: Remote code execution in BrowserStack Runner through version 0.9.5 allows network-adjacent unauthenticated attackers to execute arbitrary code on the host system by sending crafted JSON to the /_log HTTP handler. The flaw stems from unsafe use of vm.runInNewContext() combined with eval(); a known sandbox-escape technique via util.format and this.constructor.constructor enables full host compromise. No public exploit was identified at time of analysis, but the technique is well documented and the CVSS 8.8 score reflects high impact across confidentiality, integrity, and availability.
CVE-2026-49136: Path traversal in Banana Slides through 0.4.0 allows unauthenticated remote attackers to read arbitrary image-format files outside the uploads directory via the generate_image() function in the AI service backend. The flaw stems from an incomplete prefix check using os.path.startswith() without a trailing separator, so sibling directories whose names share the uploads folder's prefix pass the containment check. Publicly available exploit code exists (GitHub issue #429), and a vendor patch has been released in commit e8bc490.
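The F5-TTS and Banana Slides entries above describe two distinct path-containment failures in Python: os.path.join() silently discarding the base directory when the user-supplied component is absolute, and a startswith() prefix check that accepts a sibling directory whose name merely begins with the base path. The following is an added example, not code from either project or from this briefing, that reproduces both failure modes on constructed paths and shows one hardened containment check. The base directory /srv/app/uploads and the sample inputs are constructed for the example.

```python
import os
from typing import Optional

# Constructed base directory for the example; it does not need to exist on disk.
UPLOADS = "/srv/app/uploads"


def vulnerable_join(base: str, user_path: str) -> str:
    """Pattern described for F5-TTS: user input passed straight into os.path.join().

    os.path.join drops every component before an absolute one, so an absolute
    user_path replaces the base directory instead of being placed under it.
    """
    return os.path.join(base, user_path)


def vulnerable_prefix_check(base: str, user_path: str) -> bool:
    """Pattern described for Banana Slides: prefix check with no trailing separator.

    "/srv/app/uploads_private/..." starts with "/srv/app/uploads", so a sibling
    directory that shares the prefix is wrongly treated as contained.
    """
    target = os.path.normpath(os.path.join(base, user_path))
    return target.startswith(base)


def safe_join(base: str, user_path: str) -> Optional[str]:
    """Return the resolved path if it lies inside base, else None.

    - Leading separators are stripped so absolute input is treated as relative
      (closes the os.path.join gap).
    - realpath() resolves '..' and symlinks before the check.
    - commonpath() compares whole path components, so a sibling directory with a
      shared name prefix is rejected (closes the startswith gap).
    """
    base_real = os.path.realpath(base)
    relative = user_path.lstrip("/\\")
    candidate = os.path.realpath(os.path.join(base_real, relative))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def contained(base: str, user_path: str) -> bool:
    """Convenience wrapper: does safe_join accept this input?"""
    return safe_join(base, user_path) is not None


if __name__ == "__main__":
    probes = ["img/a.png", "/etc/passwd", "../uploads_private/secret.png", "../../etc/passwd"]
    for p in probes:
        print(f"{p!r:35} join={vulnerable_join(UPLOADS, p)!r:40} "
              f"prefix_ok={vulnerable_prefix_check(UPLOADS, p)} safe={safe_join(UPLOADS, p)!r}")
```

The two vulnerable helpers are kept side by side with the hardened one so the same probe strings can be run through all three; the difference in the third and fourth probes is exactly the gap each advisory describes.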
CVE-2026-43623: Stack-based buffer overflow in microtar through 0.1.0 allows remote attackers to corrupt stack memory and potentially achieve code execution when an application using the library parses a malicious TAR archive. The flaw in raw_to_header() uses strcpy() on non-null-terminated 100-byte ustar fields, enabling writes of up to 355 bytes into a 100-byte buffer. Publicly available exploit code exists and the issue was reported by VulnCheck, raising the practical risk despite no current CISA KEV listing.