Trending vulnerabilities

Trending 25 · Critical 4 · In KEV 7 · Peak EPSS 100% · Posts 158
#1 CVE-2026-20253
CRITICAL · 9.8 KEV
hype ACTIVE HACK · 88 hack

KEV-listed, active exploitation confirmed by vendor, urgent patching underway, defender triage happening now.

What: Unauthenticated file creation/truncation in Splunk Enterprise and Cloud Platform via unprotected PostgreSQL sidecar endpoint. CVSS 9.8 CRITICAL, EPSS 0.017.

Why it matters: KEV-listed as of 18 June; Splunk confirmed limited in-the-wild exploitation; CISA mandated federal agencies patch by 21 June (tomorrow). No credential required to trigger; compromised SIEM silences downstream alerts, making this operationally catastrophic for defenders.

Where it's seen: Mainstream security news, CTI call-outs, and urgent vendor patching directives. Posts emphasize KEV listing, tight deadline, and active exploitation confirmation from Splunk PSIRT.

score 14 · 34 posts
#2 CVE-2026-42530
hype MIXED · 52 hack

Real CVE with vendor patch and credible CVSS, but no confirmed PoC, KEV listing, or exploitation signal yet.

What: NGINX Open Source HTTP/3 module (ngx_http_v3_module) vulnerability allowing denial of service and code execution; affects NGINX 1.30.2 and 1.31.2. CVSS reported as 9.2 in chatter.

Why it matters: F5 released emergency patches; multiple CVEs bundled in advisory suggest coordinated disclosure. CVSS 9.2 is critical. Low EPSS (0.008) and no KEV listing yet suggest early-stage disclosure (June 17–19, 2026). Chatter emphasizes RCE risk but notes ASLR bypass requirement reduces immediate threat.

Where it's seen: Cybersecurity news outlets (TheHackerNews, security blogs), vendor advisory amplification via security alerts and researcher commentary. No confirmed PoC or in-the-wild exploitation mentioned; debate focuses on exploitation constraints and patch urgency.

score 8 · 16 posts
#3 CVE-2026-11551
CRITICAL · 9.8
hype LIKELY HACK · 72 hack

Public PoC + patch available + same-day alert spam, but no KEV listing yet; strong signal.

What: Branda WordPress plugin (all versions ≤3.4.29) allows unauthenticated attackers to reset arbitrary user passwords including admins via improper identity validation. CVSS 9.8 (CRITICAL).

Why it matters: A public exploit is already circulating; a patch is available (3.4.31); WordPress sites running vulnerable versions face immediate account takeover risk. No KEV listing yet, but chatter confirms a working PoC, and the urgent vendor patch release signals an active threat.

Where it's seen: Security feed alerts, infosec social posts, and vulnerability aggregators all amplifying same NVD description same day. Chatter emphasizes admin password reset as immediate action vector; patch guidance repeated across platforms.

score 7 · 7 posts

Also trending

  #4 CVE-2026-42055 · score 7 · 11 posts
    hype LIKELY HACK · 72 hack

    What: Heap buffer overflow in NGINX ngx_http_proxy_v2_module and ngx_http_grpc_module (F5 NGINX Plus and Open Source); CVSS 9.2, allows unauthenticated RCE or DoS.

    Why it matters: F5 released emergency out-of-band patches within days of disclosure (June 17–19, 2026). CVSS 9.2 critical severity, affects widely-deployed reverse proxy infrastructure. Multiple sources confirm active patching and defender awareness; social chatter reflects urgent vendor response.

    Where it's seen: News aggregator coverage (TheHackerNews, CyberSecGuru), security bulletin republication, multi-CVE bundle discussions alongside CVE-2026-42530 (HTTP/3 QPACK use-after-free). Chatter emphasizes "emergency patch" and unauthenticated RCE risk.

  #5 CVE-2026-8713 · score 6 · 7 posts
    hype LIKELY HACK · 68 hack

    What: Unauthenticated arbitrary file deletion vulnerability in Avada Fusion Builder WordPress plugin (≤3.15.3), affecting ~1M sites. CVSS 9.1 (Critical).

    Why it matters: Posts cite vendor patch available (3.15.4), active discussion of file deletion risk, and widespread WordPress plugin exposure. No public PoC or confirmed in-the-wild exploitation evident; KEV status unknown but high CVSS and patch availability suggest legitimate vulnerability with defender urgency.

    Where it's seen: Security feed aggregators (Vulmon, Wordfence), cybersecurity Twitter/Bluesky accounts sharing advisory summaries and patch guidance. Framing emphasizes scale (1M installations) and severity (CVSS 9.1) but limited technical depth on actual exploitation.

  #6 CVE-2025-20701 · HIGH · 8.8 · score 6 · 11 posts
    hype MIXED · 62 hack

    What: Airoha Bluetooth audio SDK authorization flaw in Apple Beats Studio Buds allowing unpaired nearby attackers to establish pairing and eavesdrop via microphone without user consent (CVSS 8.8).

    Why it matters: Apple has released firmware 1B211 patch; high CVSS and no-user-interaction requirement drive vendor urgency. Not yet KEV-listed, and no public PoC reported, but patch availability and coordinated disclosure indicate credible vulnerability. Defender triage is active.

    Where it's seen: Security news outlets and social platforms echoing Apple's advisory; multilingual coverage (English, French, Japanese) amplifies reach. Firmware version and patch details circulating. No exploit code or in-the-wild reports yet.

  #7 CVE-2026-20262 · MEDIUM · 6.5 · KEV · score 6 · 5 posts
    hype LIKELY HACK · 78 hack

    What: Authenticated arbitrary file write in Cisco Catalyst SD-WAN Manager web UI (CVE-2026-20262, CVSS 6.5) allowing file creation/overwrite and potential root escalation via malformed HTTP requests.

    Why it matters: KEV-listed as of 2026-06-15; multiple posts confirm active in-the-wild exploitation. Cisco released patches same day. Requires valid credentials but post-exploit escalation to root is documented. This is the sixth SD-WAN Manager flaw exploited in 2026, signaling sustained targeting of network infrastructure.

    Where it's seen: Security news aggregators (HackersNews, SecurityAffairs) reporting patches and active exploitation; defender community posts emphasizing urgent patching and access restriction; no public PoC details shared yet, but weaponization confirmed.

  #8 CVE-2026-48907 · KEV · score 5 · 7 posts
    hype LIKELY HACK · 82 hack

    What: Unauthenticated PHP code upload and execution in Joomla JCE (Joomla Content Editor) extension versions 1.0.0–2.9.99.4 via improper editor profile creation. CVSS 10.0.

    Why it matters: KEV-listed (added 2026-06-16); patch released (2.9.99.5); multiple posts reference active scanning and exploitation; defenders are triaging now. EPSS near zero reflects low prevalence at time of publication, not severity.

    Where it's seen: Threat feeds, security blogs, and practitioner alerts emphasizing immediate patching. Posts consistently cite CISA KEV status, patch availability, and scanning activity—no speculation about exploitability.

  #9 CVE-2026-56073 · score 5 · 4 posts
    hype MIXED · 52 hack

    What: Authentication bypass in Cap-go (mobile app deployment platform) before version 12.128.2 allowing OTP verification manipulation and account takeover via 2FA disablement.

    Why it matters: Social chatter describes CRITICAL severity with no patch available and vendors urged to release updates. No KEV listing, no CVSS/EPSS scoring, and NVD metadata missing—but coherent cross-platform reports (Bluesky, X) from threat feeds published June 19, 2026 suggest real vulnerability disclosure. Defender guidance to monitor vendor channels indicates active advisory phase.

    Where it's seen: Threat intelligence feeds (OffSeq radar, Vulmon), social media aggregators flagging authentication bypass. Reports frame as unpatched; Cap-go 12.128.2 cited as fix version. No public PoC evident in snippets.

  #10 CVE-2026-4020 · HIGH · 7.5 · score 5 · 5 posts
    hype LIKELY HACK · 72 hack

    What: Gravity SMTP plugin for WordPress allows unauthenticated REST API access to a sensitive data endpoint, leaking system configuration, plugin versions, and API credentials (CVE-2026-4020, CVSS 7.5 HIGH).

    Why it matters: Active exploitation confirmed in the wild; security researchers documented ~560 rotating IPs and 3,300 user agents scanning for the vulnerability. Attacker infrastructure analysis published. No KEV listing yet but in-the-wild activity and detailed reporting indicate defenders are actively triaging.

    Where it's seen: Security researcher blogs documenting attack patterns and threat actor infrastructure; social media amplification on Bluesky and Hacker News discussing attacker tooling and commonalities.

  #11 CVE-2026-47729 · score 5 · 5 posts
    hype MIXED · 42 hack

    What: Out-of-bounds read in Squid Proxy when accessing misbehaving FTP servers (CVE-2026-47729), dubbed "Squidbleed" by researchers; claimed to affect all versions since 1997 in default config.

    Why it matters: Social chatter invokes Heartbleed analogy and claims memory leakage, but official OSS Security post clarifies the actual flaw is a narrow OOB read tied to FTP server interaction, not pervasive default-config exposure. No KEV listing, no CVSS assigned, no confirmed PoC or in-the-wild exploitation yet. Squid maintainers have patched (v7.6); vendors' urgency unclear.

    Where it's seen: Security researchers and aggregators amplifying "Squidbleed" branding; French and English-language infosec blogs repeating the Heartbleed comparison; increased actor chatter noted by VulDB but unverified. Heavy marketing-style framing vs. technical detail.

  #12 CVE-2026-56214 · score 4 · 3 posts
    hype MOSTLY HYPE · 32 hack

    What: Capgo before v12.128.2 leaks organization membership and billing status via unauthenticated Supabase PostgREST RPC endpoints (is_trial_org, is_paying_org).

    Why it matters: Posts confirm vendor patched in v12.128.2 same-day (June 20, 2026); information disclosure allows account enumeration and competitive intelligence. No KEV listing, CVSS/EPSS unavailable, no PoC or in-the-wild exploitation signal yet—early coordinated disclosure pattern.

    Where it's seen: Social media alert accounts (CVEnew, infoflowcloud, Bluesky) broadcasting advisory summary within hours of patch release; no researcher PoC, defender triage, or incident reports visible.

  #13 CVE-2026-48027 · KEV · score 4 · 4 posts
    hype LIKELY HACK · 82 hack

    What: Supply-chain RCE in Nx Console (build tool UI for Nx & Lerna) via malicious version 18.95.0 published to marketplaces for ~18–36 minutes on 19 May 2026. No CVSS assigned; EPSS 0.00952.

    Why it matters: KEV-listed as actively exploited (added 2026-05-27). Public chatter links CVE to real-world incidents: SEC 8-K filing by Karman Holdings (June 1), alleged chaining with CVE-2026-45321 in dev tooling attacks, and sanctions evasion allegations. Supply-chain nature means downstream risk is asymmetric.

    Where it's seen: CISA KEV catalog announcement, threat intel aggregators, developer security accounts flagging urgent patching. Corporate disclosures (8-K) and dark-web chatter cited. Patch path clear (upgrade to 18.100.0).

  #14 CVE-2026-35273 · CRITICAL · 9.8 · KEV · score 4 · 4 posts
    hype ACTIVE HACK · 92 hack

    What: Unauthenticated remote code execution in Oracle PeopleSoft Enterprise PeopleTools 8.61/8.62 via HTTP (CVSS 9.8 CRITICAL). Affects environment management component.

    Why it matters: KEV-listed as of 2026-06-12. ShinyHunters/UNC6240 exploited as zero-day May 27–June 9, breaching 100+ organizations including universities. No patch available yet—only mitigations. 40GB data theft and extortion campaign confirmed. Oracle issued out-of-band security alert June 10.

    Where it's seen: High-volume social chatter referencing Mandiant attribution, threat intel briefs, and university breach alerts. IOCs and tactical details circulating. News aggregators and security researcher posts dominant signal.

  #15 CVE-2026-9843 · HIGH · 8.1 · score 4 · 3 posts
    hype MIXED · 62 hack

    What: Arbitrary file deletion vulnerability in "The Database for Contact Form 7" WordPress plugin due to insufficient path validation; affects 70,000+ sites (CVSS 8.1).

    Why it matters: High CVSS score and broad plugin footprint. Social posts reference patch availability (v1.5.2), suggesting vendor acknowledgment and active remediation. No KEV listing or confirmed in-the-wild exploitation yet, but unauthenticated attack surface and full site takeover potential elevate urgency for WordPress administrators.

    Where it's seen: Twitter/Bluesky amplification of CVE announcement; chatter centers on patch guidance. No public PoC or exploitation reports in supplied posts; advisory metadata incomplete.

  #16 CVE-2026-48772 · CRITICAL · 10.0 · score 4 · 3 posts
    hype MIXED · 42 hack

    What: ProxySQL 2.0.0–3.0.8 accepts spoofed source IPs via malformed PROXY protocol v1 frames, bypassing client_addr-based routing and ACL rules (CVSS 10.0 CRITICAL).

    Why it matters: Published 19 June 2026; patch (3.0.9) available same day. No KEV listing yet, but the vulnerability enables bypass of read-write splitting and schema isolation on any exposed frontend. Affects real deployments that use client_addr for access control.

    Where it's seen: Threat feeds and security social media amplifying NVD advisory within hours. No public PoC, active exploitation reports, or mass scanning chatter observed yet. Discussion is advisory-driven, not incident-driven.

  #17 CVE-2026-56213 · MEDIUM · 5.3 · score 4 · 3 posts
    hype MOSTLY HYPE · 28 hack

    What: Authorization bypass in Capgo <12.128.2 affecting the public.upsert_version_meta SECURITY DEFINER function exposed via PostgREST RPC, allowing unauthenticated cross-tenant metrics poisoning.

    Why it matters: Published today (June 20, 2026); enables unauthenticated attackers to manipulate metrics across tenant boundaries. No KEV listing yet, CVSS/EPSS not yet available. Vendor patch (12.128.2) already exists, suggesting coordinated disclosure and rapid response.

    Where it's seen: Automated CVE feeds and security aggregators amplifying the advisory within hours of publication. No working PoC, in-the-wild exploitation reports, or defender triage signals observed yet—only initial advisory chatter.

  #18 CVE-2026-54420 · HIGH · 8.5 · KEV · score 4 · 4 posts
    hype ACTIVE HACK · 92 hack

    What: LiteSpeed cPanel plugin before 2.4.8 mishandles symlinks, allowing FTP/web shell users on shared CloudLinux/CageFS servers to escalate privileges (CVSS 8.5).

    Why it matters: KEV-listed 2026-06-15; confirmed in-the-wild exploitation in May 2026. CISA issued emergency directive requiring federal agencies patch by June 18. Shared hosting blast radius affects thousands of tenants per server.

    Where it's seen: CISA advisory, news coverage, vendor patches, C-suite briefings. Social chatter dominated by government deadline and active threat confirmation. No speculation—all posts cite CISA KEV listing and May exploitation.

  #19 CVE-2026-56216 · score 4 · 3 posts
    hype MIXED · 52 hack

    What: Scope escalation in Capgo (before 12.128.2) via POST /functions/v1/apikey endpoint; allows app-limited API keys to mint unrestricted keys.

    Why it matters: Published today (June 20, 2026); rapid social amplification across Twitter and Bluesky within hours. Vendor has released patch (12.128.2), signaling active remediation. No KEV listing, CVSS/EPSS, or public PoC confirmed in metadata, but privilege escalation via API key minting is high-impact if weaponized.

    Where it's seen: Alert accounts and infosec news bots (CVEnew, infoflowcloud) amplifying vendor advisory within 1-2 hours of publication. Translation efforts suggest international spread. No defender triage questions or working exploit code observed yet.

  #20 CVE-2026-56212 · score 4 · 3 posts
    hype MOSTLY HYPE · 28 hack

    What: Capgo before 12.128.2 contains an authentication logic flaw allowing users with team/organization security settings permissions to bypass or improperly enforce two-factor authentication.

    Why it matters: Published today (June 20, 2026); vendor has released a patched version (12.128.2), signaling acknowledged severity. No KEV listing, CVSS/EPSS, or public PoC in the chatter yet. Social signal is pure feed amplification of the CVE identifier with no independent analysis or exploitation reports.

    Where it's seen: Automated CVE feed posts on X and Bluesky repeating the advisory text verbatim; no security researcher commentary, defender questions, or incident reports visible.

  #21 CVE-2026-50656 · HIGH · 7.8 · score 4 · 4 posts
    hype MIXED · 48 hack

    What: Local privilege escalation in Microsoft Defender's Malware Protection Engine via race condition, affecting Windows 10/11. CVSS 7.8 (HIGH), EPSS 0.30%.

    Why it matters: Microsoft acknowledged the zero-day on 2026-06-16 and stated a patch is in development. Posts 7–8 claim public PoC exists, but NVD and official channels show no KEV listing, no patch released, and vendor still developing the fix. The "public PoC" claim lacks corroboration in authoritative sources.

    Where it's seen: Multilingual social chatter (Japanese, English) across Bluesky citing news aggregators (HackerNews, HelpNetSecurity, EbisudaTech). Rhetoric emphasizes zero-day + race condition + SYSTEM escalation. Post 7 asserts PoC availability without evidence.

  #22 CVE-2026-56081 · score 4 · 3 posts
    hype MIXED · 38 hack

    What: Cap-go before version 12.128.2 contains an authentication logic flaw allowing account hijacking via unverified email sign-up and 2FA bypass (CVSS 9.1).

    Why it matters: Social chatter cites a critical severity rating and account takeover potential, but no CVE metadata (NVD enrichment, EPSS, KEV listing) exists yet. No vendor advisory, PoC, or confirmed in-the-wild exploitation mentioned. Posts link to third-party threat databases (offseq, thehackerwire) rather than official Cap-go security channels, suggesting early-stage disclosure or speculative coverage.

    Where it's seen: Three Bluesky posts from June 19–20, 2026, amplifying the vulnerability across infosec channels with hashtag promotion but minimal technical detail or remediation guidance beyond version pinning.

  #23 CVE-2025-7737 · score 3 · 3 posts
    hype MOSTLY HYPE · 25 hack

    What: Denial-of-service vulnerability in Hitachi Virtual Storage Platform 10G iSCSI interface; remote network-based attack possible (CVSS 8.6).

    Why it matters: Published 19 June 2026, gaining rapid social traction on Bluesky within hours. No KEV listing, no public PoC, no vendor advisory visible in metadata. Chatter is primarily automated/low-effort translation posts with minimal analysis or defender engagement. CVSS 8.6 warrants attention but absence of advisory detail or exploitation signals suggests early-stage disclosure.

    Where it's seen: Bluesky posts (Japanese and English) announcing the CVE and CVSS score; appears to be bot/automated notification activity rather than organic security community discussion.

  #24 CVE-2014-0160 · HIGH · 7.5 · KEV · EPSS 100% · score 3 · 3 posts
    hype PURE HYPE · 12 hack

    What: OpenSSL TLS/DTLS Heartbeat Extension buffer over-read (CVE-2014-0160, Heartbleed) affecting OpenSSL 1.0.1 before 1.0.1g; allows remote attackers to leak process memory including private keys. CVSS 7.5 HIGH, EPSS 0.99999.

    Why it matters: KEV-listed since May 2022. Heartbleed is a canonical memory-disclosure vulnerability exploited at scale in 2014 and remains a reference point for severity. The social chatter conflates Heartbleed with newer vulnerabilities (Squidbleed, OpenCode RCE) as rhetorical comparisons, not active Heartbleed exploitation—evidence of historical impact, not current weaponization.

    Where it's seen: Posts use "Heartbleed" as a severity metaphor for unrelated 2026 CVEs; no new Heartbleed PoCs or in-the-wild activity reported. Discussion centers on supply chain and agentic risks, not OpenSSL patching urgency.

  #25 CVE-2026-20181 · score 3 · 3 posts
    hype LIKELY HACK · 68 hack

    What: Remote code execution in Cisco Identity Services Engine (ISE) and ISE-PIC (versions 3.1–3.5) requiring authenticated admin access; CVSS reported as 9.1 in social posts.

    Why it matters: Cisco released patches June 17, 2026; chatter emphasizes admin-authenticated command execution leading to root access with no workarounds. No KEV listing yet and no public PoC confirmed, but the urgent vendor patching and defenders triaging admin-plane exposure suggest a real risk window.

    Where it's seen: Official Cisco advisories cited, security alert accounts (CCBalert, NCIIPC) amplifying patch directive, threat intelligence vendors (OffSeq) labeling "CRITICAL," and practitioner discussion distinguishing this (authenticated RCE) from CVE-2026-20190 (unauthenticated disclosure).