
Weekly Vulnerability Briefing: 1678 CVEs, 4 KEV Entries, 267 Unpatched CRITICAL/HIGH

Jun 08 - Jun 15, 2026
Total CVEs: 1678
Critical + High: 887
KEV: 4
Public Exploits: 114

Executive Summary

Overview

Per vuln.today data for the reporting period 2026-06-08 to 2026-06-15, 1678 CVEs were published, representing a +7% week-over-week change from the previous week's 1565 CVEs. Severity breakdown: 134 CRITICAL, 753 HIGH, 643 MEDIUM, 104 LOW, and 44 UNKNOWN. The dataset includes 4 CISA KEV entries, 114 public exploits/POCs, 1067 patches available, and 267 unpatched CRITICAL/HIGH vulnerabilities.

Critical Threats

  • CVE-2026-10520 (CRITICAL, CVSS 10.0) - Ivanti Sentry. Confirmed actively exploited (CISA KEV); public exploit code available; EPSS 0.2%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all Ivanti Sentry deployments and immediately isolate or disconnect any internet-facing instances from public networks. Within 7 days: Implement strict network segmentation l
  • CVE-2026-50751 (CRITICAL, CVSS 9.3) - Microsoft. Confirmed actively exploited (CISA KEV); public exploit code available; EPSS 0.0%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify all Quantum (R80.40-R82.10) and Spark (R80.20.X-R82.00.X) appliances and verify affected firmware versions; disable IKEv1 protocol if operationally feasible; begin monitoring
  • CVE-2026-35273 (CRITICAL, CVSS 9.8) - Oracle Peoplesoft Enterprise Peopletools. Confirmed actively exploited (CISA KEV); public exploit code available; EPSS 0.0%. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify and inventory all Oracle PeopleSoft PeopleTools 8.61 and 8.62 instances across production and non-production environments. Within 7 days: Apply compensating controls (restric
  • CVE-2026-11645 (HIGH, CVSS 8.8) - Google. Confirmed actively exploited (CISA KEV); public exploit code available; EPSS 0.1%. Patch available per vendor advisory. Action: 24 hours: Identify Chrome deployment scope and inventory across endpoints. 7 days: Deploy Chrome 149.0.7827.103 or later to all systems; prioritize endpoints with access to business-critical applicati
  • CVE-2026-10523 (CRITICAL, CVSS 9.9) - Ivanti. Public exploit code available; EPSS 0.3%; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Identify and inventory all Ivanti Sentry deployments; assess network exposure; enable enhanced logging for administrative account creation activity. Within 7 days: Restrict network ac
  • CVE-2026-42647 (CRITICAL, CVSS 9.3) - Joomsport. Public exploit code available; EPSS 5.2%; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: Within 24 hours: Inventory all WordPress installations using Beardev JoomSport plugin and identify instances running version 5.7.7 or earlier; assess criticality of plugin to business operations. With
  • CVE-2026-42904 (CRITICAL, CVSS 9.6) - Microsoft. EPSS 0.1%. Patch available per vendor advisory. Action: Within 24 hours: Identify and catalog all Windows systems and determine which are on networks exposed to untrusted adjacent systems. Within 7 days: Deploy network segmentation and access controls limi
  • CVE-2026-48558 (CRITICAL, CVSS 9.5) - Jwt Attack, Simplehelp. Public exploit code available; EPSS 0.2%; exploitation risk is elevated. Patch available per vendor advisory. Action: 24 hours: Audit all SimpleHelp instances to identify versions 5.5.15 and prior or 6.0 pre-release builds. 7 days: Implement firewall-level network segmentation restricting SimpleHelp access; enforce I
  • CVE-2026-25555 (CRITICAL, CVSS 9.3) - Openbullet2. Public exploit code available; EPSS 0.1%; exploitation risk is elevated. No vendor-released patch identified at time of analysis. Action: 24 hours: Identify all OpenBullet2 instances running version 0.3.2 or earlier; immediately remove internet-facing access and isolate from external networks; begin comprehensive monitoring of admin con
  • CVE-2026-9067 (CRITICAL, CVSS 9.1) - WordPress. Public exploit code available; EPSS 0.1%; exploitation risk is elevated. Patch available per vendor advisory. Action: Within 24 hours: Inventory all WordPress installations to identify those running Schema & Structured Data for WP & AMP plugin and document current versions. Within 7 days: Upgrade all affected instanc

Threat Landscape

Top affected vendors are Microsoft (241), Google (125), Adobe (84), Linux (63), WordPress (60), Tenda (52), Apache (49), Apple (47), Red Hat (24), and Suse (18). The most prevalent attack techniques in the dataset are Information Disclosure (402), Denial Of Service (310), Authentication Bypass (305), Buffer Overflow (244), XSS (199), RCE (146), Memory Corruption (143), Use After Free (106), Path Traversal (67), and SQLi (58). Of 1678 published CVEs, 1067 have patches available while 267 CRITICAL/HIGH remain unpatched. Threat intelligence linkage is recorded for CVE-2026-10557 (CRITICAL), CVE-2026-7368 (HIGH), CVE-2026-50245 (HIGH), CVE-2026-50005 (HIGH), and CVE-2026-50101 (CRITICAL).

Key Trends

  • CVE volume rose +7% week-over-week (1678 vs. 1565 the prior week).
  • Vendor concentration is led by Microsoft (241) and Google (125), with Adobe (84), Linux (63), and WordPress (60) rounding out the top five.
  • Attack technique distribution is dominated by Information Disclosure (402), Denial Of Service (310), and Authentication Bypass (305).
  • Patch coverage stands at 1067 of 1678 CVEs, while 267 CRITICAL/HIGH remain unpatched.
  • The dataset includes 4 CISA KEV entries and 114 public exploits/POCs.

Recommendations

  • CVE-2026-10520: Within 24 hours: Identify all Ivanti Sentry deployments and immediately isolate or disconnect any internet-facing instances from public networks. Within 7 days: Implement strict network segmentation l
  • CVE-2026-50751: Within 24 hours: Identify all Quantum (R80.40-R82.10) and Spark (R80.20.X-R82.00.X) appliances and verify affected firmware versions; disable IKEv1 protocol if operationally feasible; begin monitoring
  • CVE-2026-35273: Within 24 hours: Identify and inventory all Oracle PeopleSoft PeopleTools 8.61 and 8.62 instances across production and non-production environments. Within 7 days: Apply compensating controls (restric
  • CVE-2026-11645: 24 hours: Identify Chrome deployment scope and inventory across endpoints. 7 days: Deploy Chrome 149.0.7827.103 or later to all systems; prioritize endpoints with access to business-critical applicati
  • CVE-2026-10523: Within 24 hours: Identify and inventory all Ivanti Sentry deployments; assess network exposure; enable enhanced logging for administrative account creation activity. Within 7 days: Restrict network ac
  • CVE-2026-42647: Within 24 hours: Inventory all WordPress installations using Beardev JoomSport plugin and identify instances running version 5.7.7 or earlier; assess criticality of plugin to business operations. With
  • CVE-2026-42904: Within 24 hours: Identify and catalog all Windows systems and determine which are on networks exposed to untrusted adjacent systems. Within 7 days: Deploy network segmentation and access controls limi
  • CVE-2026-48558: 24 hours: Audit all SimpleHelp instances to identify versions 5.5.15 and prior or 6.0 pre-release builds. 7 days: Implement firewall-level network segmentation restricting SimpleHelp access; enforce I
  • CVE-2026-25555: 24 hours: Identify all OpenBullet2 instances running version 0.3.2 or earlier; immediately remove internet-facing access and isolate from external networks; begin comprehensive monitoring of admin con
  • CVE-2026-9067: Within 24 hours: Inventory all WordPress installations to identify those running Schema & Structured Data for WP & AMP plugin and document current versions. Within 7 days: Upgrade all affected instanc
  • Dataset-level: Prioritize the 4 CISA KEV entries and the 114 CVEs with public exploits/POCs for triage. Address the 267 unpatched CRITICAL/HIGH items through compensating controls until vendor fixes are released.

Top 10 Priority CVEs

CVE-2026-10520 CRITICAL KEV POC (score 140)

Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to achieve root-level command execution via OS command injection. With a maximum CVSS score of 10.0 and a network-accessible, no-interaction attack vector, this represents a critical exposure for any internet-facing Sentry appliance, though no public exploit has been identified at time of analysis.

CVE-2026-50751 CRITICAL KEV POC (score 137)

Authentication bypass in Check Point Quantum Security Gateway and Spark Firewalls allows unauthenticated remote attackers to establish Remote Access and Mobile Access VPN sessions without valid credentials by abusing a logic flaw in deprecated IKEv1 certificate validation. The flaw (CVSS 9.3, CWE-287) was reported by Check Point themselves and publicly available exploit code exists, though EPSS exploitation probability remains very low (0.01%) and the issue is not currently listed in CISA KEV. Affected deployments include multiple Quantum R80.40-R82.10 trains and Spark R80.20.X-R82.00.X firmware.

CVE-2026-35273 CRITICAL KEV POC (score 124)

Remote takeover of Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62 is possible through the Updates Environment Management component via unauthenticated HTTP requests. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) indicates trivial network-based exploitation against any internet- or intranet-exposed instance, with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, but Oracle's 'easily exploitable' language and the unauthenticated nature make this a high-priority patching target.

CVE-2026-11645 HIGH KEV POC (score 119)

Remote code execution in Google Chrome's V8 JavaScript engine prior to 149.0.7827.103 allows a remote attacker to execute arbitrary code inside the renderer sandbox by enticing a victim to visit a crafted HTML page. The flaw is an out-of-bounds read and write (CWE-125) rated High severity by Chromium with a CVSS 8.8, and no public exploit identified at time of analysis, though V8 memory-corruption issues historically attract exploit development.

CVE-2026-10523 CRITICAL POC (score 90)

Authentication bypass in Ivanti Sentry prior to R10.5.2, R10.6.2, and R10.7.1 allows remote attackers to create arbitrary administrative accounts and gain full admin control of the mobile management gateway. The flaw is rated CVSS 9.9 with a scope-changed vector, indicating compromise extends beyond the immediate vulnerable component. No public exploit identified at time of analysis, though Ivanti Sentry has a recurring history of being targeted by advanced threat actors.

CVE-2026-42647 CRITICAL POC (score 72)

Blind SQL injection in Beardev JoomSport (WordPress plugin) through version 5.7.7 allows remote unauthenticated attackers to inject crafted SQL into backend database queries. The CVSS 9.3 score reflects a scope-changed impact with high confidentiality exposure and partial availability impact, and no public exploit has been identified at time of analysis though Patchstack has catalogued the issue.

CVE-2026-42904 CRITICAL (score 68)

Privilege elevation in the Windows TCP/IP networking stack allows an unauthenticated attacker on an adjacent network to gain elevated privileges by triggering a heap-based buffer overflow (CWE-122). The CVSS 9.6 score with scope change (S:C) indicates the compromise crosses security boundaries beyond the vulnerable component itself. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

CVE-2026-48558 CRITICAL POC (score 68)

Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attackers to forge OIDC identity tokens and obtain fully authenticated technician sessions, because the server accepts ID tokens without verifying their cryptographic signature. Publicly available exploit code exists and the flaw can also bypass MFA in some configurations, making vulnerable remote-support deployments a high-priority target despite no current CISA KEV listing.
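The failure mode described above, an ID token accepted on the strength of its claims alone, is easiest to see next to a verifier that checks the signature first. The block below is an added illustration and is not SimpleHelp's code: it signs tokens with HS256 and a constructed shared secret so that it runs offline (real OIDC providers normally sign with RS256 and publish keys via JWKS, so a production verifier would fetch and pin those keys), and the issuer, audience and helper names are all assumptions. `insecure_claims` shows the vulnerable pattern; `verify_id_token` pins the algorithm, checks the MAC in constant time, and validates `iss`, `aud` and `exp` before any claim is trusted.

```python
"""ID-token handling: unverified decode beside a full verifier (constructed example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-provider-signing-secret"   # constructed sample signing key
EXPECTED_ISSUER = "https://idp.example.test"      # constructed issuer
EXPECTED_AUDIENCE = "remote-support-client"       # constructed client id


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SECRET, alg: str = "HS256") -> str:
    """Build a compact JWS for test input. 'alg' and 'key' are parameters so a
    test can produce tokens the legitimate provider never signed."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = b"" if alg == "none" else hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def insecure_claims(token: str) -> dict:
    """Vulnerable pattern: returns the payload without checking the signature,
    so any self-minted token with plausible claims is treated as authentic."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def verify_id_token(token: str, key: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Hardened path: algorithm pinned, signature verified in constant time,
    then iss/aud/exp validated. Raises ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")   # rejects 'none' and algorithm confusion
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def accepts(token: str, key: bytes = SECRET, now: Optional[float] = None) -> bool:
    """Boolean wrapper around verify_id_token, convenient for tests and logging."""
    try:
        verify_id_token(token, key=key, now=now)
        return True
    except ValueError:
        return False
```

Running the two paths against a token signed with a key the provider never issued shows the difference directly: `insecure_claims` happily returns the forged subject, while `accepts` returns `False`. The same verifier also rejects an `alg: none` token and a genuine token whose `exp` has passed.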

CVE-2026-25555 CRITICAL POC (score 66)

Authentication bypass in OpenBullet2 through 0.3.2 lets unauthenticated remote attackers obtain full admin access by sending an empty X-Api-Key HTTP header, because the API key middleware compares the submitted value against a default empty AdminApiKey string. With CVSS 4.0 score 9.3, publicly available exploit code, and a writeup from VulnCheck/Hackernoon, this is a trivially exploitable flaw exposing the admin console and every API endpoint of any internet-reachable deployment running default configuration.
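The defect described above is a general one: a plain equality check between a submitted header and a configured secret that defaults to the empty string accepts an empty (or absent) header. The block below is an added illustration and is not OpenBullet2's code; the `AdminApiKey` and `X-Api-Key` names come from the briefing, while the config dictionaries, function names and the 16-character minimum are constructed assumptions. `vulnerable_is_authorized` reproduces the weak pattern, `hardened_is_authorized` fails closed when no key is configured, refuses empty submissions, and compares in constant time, and `check_config_at_startup` turns the unset-key condition into a deployment error instead of an open door.

```python
"""Admin API-key middleware: weak equality check beside a fail-closed version (constructed)."""
import hmac

MIN_KEY_LENGTH = 16  # constructed policy value

# Constructed configurations: a default (unset) admin key and a properly set one.
CONFIG_DEFAULT = {"AdminApiKey": ""}
CONFIG_SET = {"AdminApiKey": "constructed-example-key-0001"}


def vulnerable_is_authorized(config: dict, headers: dict) -> bool:
    """Weak pattern: submitted header compared directly to the configured key.
    With the default empty AdminApiKey, an empty or missing X-Api-Key header
    resolves to "" and the comparison succeeds."""
    submitted = headers.get("X-Api-Key", "")
    return submitted == config.get("AdminApiKey", "")


def check_config_at_startup(config: dict) -> None:
    """Refuse to start serving admin endpoints when the key is unset or too short."""
    configured = config.get("AdminApiKey") or ""
    if len(configured) < MIN_KEY_LENGTH:
        raise RuntimeError("AdminApiKey is unset or too short; admin API disabled")


def hardened_is_authorized(config: dict, headers: dict) -> bool:
    """Fail closed: no configured key means nobody is authorized; empty or missing
    headers are rejected before comparison; the comparison itself is constant time."""
    configured = config.get("AdminApiKey") or ""
    if len(configured) < MIN_KEY_LENGTH:
        return False
    submitted = headers.get("X-Api-Key")
    if not submitted:
        return False
    return hmac.compare_digest(submitted.encode(), configured.encode())


def audit_requests(config: dict, requests: list) -> list:
    """Defender view: classify a batch of (client, headers) pairs under both checks
    so the gap between them is visible in one table. Returns one dict per request."""
    rows = []
    for client, headers in requests:
        rows.append({
            "client": client,
            "weak_check": vulnerable_is_authorized(config, headers),
            "hardened_check": hardened_is_authorized(config, headers),
        })
    return rows
```

On a default configuration the weak check admits a request carrying `X-Api-Key: ` (empty) and even one with no header at all, while the hardened check admits nothing until a real key is set; with a key set, both reject empty and wrong values, and only the hardened path is immune to timing differences on near-miss guesses.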

CVE-2026-9067 CRITICAL POC (score 66)

Unauthenticated arbitrary file upload in the Schema & Structured Data for WP & AMP WordPress plugin before version 1.60 allows remote attackers to upload any file type accepted by WordPress's media library through frontend AJAX handlers intended for images and videos only. The plugin fails to perform user capability checks and does not validate uploaded file content against the endpoint's declared media type. Publicly available exploit code exists via WPScan, increasing the urgency for immediate patching despite no confirmed in-the-wild exploitation.
