KEV-listed, credible active exploitation signals, urgent patching underway, defenders responding.
What: Unauthenticated PHP code upload and execution in Joomla JCE (Joomla Content Editor) extension versions 1.0.0–2.9.99.4 via improper access control in editor profile creation. CVSS 10.0.
Why it matters: KEV-listed 2026-06-16, added to CISA's exploited vulnerabilities catalog one day before today. Multiple sources report active in-the-wild exploitation. Fixed version 2.9.99.5 available. High CVSS and immediate government listing signal urgent patch priority for defenders running affected Joomla instances.
Where it's seen: News outlets, threat intelligence feeds, and security Twitter reporting active exploitation. Defenders discussing monitoring, disabling JCE, and applying patches. Detection scripts circulating. No dispute over legitimacy—advisory published 2026-06-05, KEV addition 2026-06-16 corroborated across posts.
KEV-confirmed + active exploitation + vendor patches, but CVSS only medium and auth required.
What: Authenticated arbitrary file write in Cisco Catalyst SD-WAN Manager web UI (CVE-2026-20262, CVSS 6.5) allowing file creation/overwrite and potential root escalation via malformed HTTP requests.
Why it matters: KEV-listed as of 2026-06-15; multiple posts confirm active in-the-wild exploitation. Cisco released patches the same day. Requires valid credentials, but post-exploit escalation to root is documented. This is the sixth SD-WAN Manager flaw exploited in 2026, signaling sustained targeting of network infrastructure.
Where it's seen: Security news aggregators (HackersNews, SecurityAffairs) reporting patches and active exploitation; defender community posts emphasizing urgent patching and access restriction; no public PoC details shared yet, but weaponization confirmed.
KEV-listed, confirmed exploitation by named threat group, CISA urgent directive, working attacks observed in field.
What: Authentication bypass in Check Point Remote Access and Mobile Access VPN via deprecated IKEv1 key exchange; unauthenticated remote attackers can establish VPN sessions without valid credentials.
Why it matters: KEV-listed as of 2026-06-08; active in-the-wild exploitation confirmed by Qilin ransomware affiliate; CISA mandated 3-day patch deadline for federal agencies; vendors patching urgently; defenders actively triaging and remediating legacy IKEv1 configurations.
Where it's seen: Security advisories, threat intelligence platforms, journalist coverage across multiple languages (English, Indonesian, Japanese), ransomware intelligence feeds, CISA directives, and defender action alerts spanning 24–48 hours post-disclosure.
Also trending
- 4 CVE-2026-4020 HIGH · 7.5 · score 7 · 7 posts · hype LIKELY HACK · 68 hack
What: Gravity SMTP WordPress plugin (≤2.1.4) exposes 365 KB of sensitive system data via unauthenticated REST API endpoint—CVSS 7.5 HIGH.
Why it matters: Real vulnerability with clear attack surface (no auth required, REST endpoint discoverable). Posts reference active reconnaissance ("attackers are the same client"), suggesting in-the-wild targeting. No KEV listing yet, but EPSS low (0.03) and chatter is recent (June 2026). CrowdSec advisory noted; defenders likely triaging WordPress instances.
Where it's seen: French-language security media, HackerNews discussion threads, blog coverage from honeylabs and cyberveille flagging live reconnaissance activity and shared attacker infrastructure.
- 5 CVE-2026-54420 HIGH · 8.5 · KEV · score 7 · 11 posts · hype ACTIVE HACK · 92 hack
What: LiteSpeed cPanel plugin before 2.4.8 mishandles symlinks, allowing FTP/web shell users on shared CloudLinux/CageFS servers to escalate privileges (CVSS 8.5).
Why it matters: KEV-listed 2026-06-15; confirmed in-the-wild exploitation in May 2026. CISA issued an emergency directive requiring federal agencies to patch by June 18. Shared hosting blast radius affects thousands of tenants per server.
Where it's seen: CISA advisory, news coverage, vendor patches, C-suite briefings. Social chatter dominated by government deadline and active threat confirmation. No speculation—all posts cite CISA KEV listing and May exploitation.
- 6 CVE-2026-39808 CRITICAL · 9.8 · EPSS 66% · score 7 · 10 posts · hype LIKELY HACK · 78 hack
What: OS command injection in Fortinet FortiSandbox 4.4.0–4.4.8 enabling unauthenticated code execution (CVSS 9.8 critical, EPSS 0.66 high).
Why it matters: Multiple security vendors and honeypot operators report active exploitation of CVE-2026-39808 in the wild alongside two related FortiSandbox flaws. Fortinet patched in April 2026. No KEV listing yet, but credible defender signals (Defused, SOCRadar) confirm attack attempts. High EPSS and CVSS reinforce urgency.
Where it's seen: Security news outlets (Help Net Security, The Hacker News), threat intel platforms citing honeypot detections, multilingual coverage signaling broad awareness. Grouped with CVE-2026-39813 and CVE-2026-25089 in coordinated exploitation campaigns.
- 7 CVE-2026-35273 CRITICAL · 9.8 · KEV · score 6 · 7 posts · hype ACTIVE HACK · 92 hack
What: Unauthenticated remote code execution in Oracle PeopleSoft Enterprise PeopleTools 8.61/8.62 via HTTP (CVSS 9.8 CRITICAL). Affects environment management component.
Why it matters: KEV-listed as of 2026-06-12. ShinyHunters/UNC6240 exploited as zero-day May 27–June 9, breaching 100+ organizations including universities. No patch available yet—only mitigations. 40GB data theft and extortion campaign confirmed. Oracle issued out-of-band security alert June 10.
Where it's seen: High-volume social chatter referencing Mandiant attribution, threat intel briefs, and university breach alerts. IOCs and tactical details circulating. News aggregators and security researcher posts dominant signal.
- 8 CVE-2026-42824 MEDIUM · 6.5 · score 6 · 6 posts · hype MIXED · 58 hack
What: Command injection in Microsoft 365 Copilot allowing unauthorized information disclosure via crafted URLs; CVSS 6.5 (Medium).
Why it matters: Posts describe a working one-click exfiltration chain (prompt injection + SSRF) exposing emails, MFA codes, and files. Microsoft deployed server-side mitigation. Not KEV-listed and no independent PoC confirmation visible, but researcher disclosures cite technical exploitation mechanics and real-world impact.
Where it's seen: Named "SearchLeak" across Bluesky and X; researcher breakdowns detailing injection chains; vendor acknowledgment of mitigation; threat intel aggregation citing the vulnerability as patched.
- 9 CVE-2026-39813 CRITICAL · 9.8 · score 6 · 9 posts · hype MIXED · 58 hack
What: Path traversal vulnerability in Fortinet FortiSandbox 4.4.0–5.0.5 (CVSS 9.8 CRITICAL) allowing privilege escalation; attack vector details incomplete in NVD.
Why it matters: Social chatter reports active exploitation within 24 hours of patch release (April 2026), with IOCs and mass attacks cited. However, CVE is not KEV-listed and EPSS remains low (0.24). Posts bundle three vulnerabilities together, conflating signal; no confirmed PoC or independent defender triage visible.
Where it's seen: Journalist coverage (Help Net Security, regional security blogs), threat intel aggregators citing "active exploitation" and IOCs, but no technical deep-dive, no PoC repository link, no vendor emergency advisory evident in posts.
- 10 CVE-2026-48558 CRITICAL · 10.0 · score 6 · 6 posts · hype MIXED · 62 hack
What: Authentication bypass in SimpleHelp remote support versions ≤5.5.15 and 6.0 pre-release when OIDC is enabled; attacker can forge identity tokens to seize admin sessions and bypass MFA. CVSS 10.0 CRITICAL.
Why it matters: Published 4 days ago with zero EPSS percentile, no KEV listing yet. Chatter shows FOFA identified 106K+ exposed instances; vendors have issued patches (5.5.16, 6.0RC2). No public PoC or in-the-wild exploitation confirmed in posts, but remote, unauthenticated, no-interaction attack surface is severe for managed service providers and enterprises using OIDC.
Where it's seen: Infosec Twitter/Bluesky circulation of NVD description, FOFA database alerts, vulnerability aggregators. Tone emphasizes criticality and patch availability rather than exploit tooling or active abuse.
- 11 CVE-2026-50656 HIGH · 7.8 · score 5 · 5 posts · hype MIXED · 42 hack
What: Elevation of privilege in Microsoft Malware Protection Engine (Defender) allowing SYSTEM-level code execution via race condition on fully patched Windows 10/11. CVSS 7.8 (HIGH).
Why it matters: Microsoft acknowledged RoguePlanet on 2026-06-16 and is developing a patch. Not yet KEV-listed; no confirmed public PoC or in-the-wild exploitation reported. Social chatter conflates "zero-day" status with active exploitation—Microsoft's public acknowledgment and imminent patch suggest rapid response to a real vulnerability, but no defender triage signals yet visible.
Where it's seen: Threat intel accounts and security news aggregators amplifying the NVD advisory with speculative claims about bypass capabilities and IOC counts. No technical PoC, no vendor advisory detail beyond Microsoft's statement.
- 12 CVE-2025-8088 HIGH · 8.8 · KEV · EPSS 81% · score 5 · 3 posts · hype ACTIVE HACK · 92 hack
What: Path traversal in Windows WinRAR allows arbitrary code execution via malicious archives (CVSS 8.8, EPSS 0.93).
Why it matters: KEV-listed since August 2025. Confirmed in-the-wild exploitation by Russian-aligned APT groups (Gamaredon, SHADOW-EARTH-066) targeting Ukrainian critical infrastructure and government since late 2025—over 12 documented spearphishing waves through May 2026. Patch available but adoption remains poor; attackers continue active campaigns.
Where it's seen: Threat intelligence reports (Trend Micro, ESET, Harfang Lab, Stalkware) documenting sustained exploitation campaigns. Social chatter focuses on Gamaredon's use of GiftedCrook infostealer, GammaDrop payloads, and HTA delivery chains; discussion of archive format evasion (ARJ spoofing) as attackers adapt.
- 13 CVE-2026-25089 CRITICAL · 9.8 · score 5 · 6 posts · hype LIKELY HACK · 78 hack
What: OS command injection in Fortinet FortiSandbox 4.2–5.0.5 and Cloud/PaaS variants allowing unauthenticated remote code execution via malformed HTTP requests (CVSS 9.8 CRITICAL).
Why it matters: Fortinet issued patches within 8 days of disclosure. Social chatter confirms active exploitation of this CVE alongside related FortiSandbox flaws (CVE-2026-39813, CVE-2026-39808). Multiple security vendors and threat intelligence firms report attackers weaponizing the vulnerability. Unauthenticated RCE on a sandbox/threat-analysis appliance creates direct risk to downstream security operations.
Where it's seen: Vendor advisories, Help Net Security and TheHackerNews coverage citing active attacks, security vendor (SecPod) mitigation guidance, multi-language social alerts flagging critical severity and exploitation.
- 14 CVE-2026-20253 CRITICAL · 9.8 · score 4 · 5 posts · hype LIKELY HACK · 72 hack
What: Unauthenticated file create/truncate via unprotected PostgreSQL sidecar endpoint in Splunk Enterprise <10.2.4, 10.0.7 and Splunk Cloud <10.4.2604.3, 10.2.2510.14 (CVSS 9.8 Critical).
Why it matters: CVSS 9.8 critical severity, FOFA shows 94K+ exposed instances. Watchtowr published technical writeup June 13; post #7 claims honeypot detection of active exploitation attempts as of June 15. Not yet KEV-listed but pre-auth RCE chain documented and public PoC imminent.
Where it's seen: Security researchers, FOFA asset search, threat intel feeds, and Splunk-focused practitioners discussing urgent patching. Claims of active scanning and exploitation attempts in honeypots. No major vendor advisory yet visible in posts.
- 15 CVE-2026-35616 CRITICAL · 9.8 · KEV · EPSS 89% · score 4 · 2 posts · hype ACTIVE HACK · 87 hack
What: Improper access control in Fortinet FortiClientEMS 7.4.5–7.4.6 allows unauthenticated attackers to execute arbitrary code or commands. CVSS 9.8 CRITICAL; EPSS 0.97559.
Why it matters: KEV-listed 2 days after NVD publication (2026-04-06). Active in-the-wild exploitation reported delivering EKZ credential stealer via unauthenticated API access. Multiple credible sources (ArcticWolf, security researchers) confirm malware campaigns targeting FortiClient EMS to steal endpoint credentials. Fortinet patched urgently.
Where it's seen: GitHub PoC published. Security vendor advisories and threat intel reports document active exploitation. Social chatter emphasizes unauthenticated RCE risk and real-world malware delivery chains. Defenders actively triaging compromised EMS instances.
- 16 CVE-2026-53776 CRITICAL · 9.1 · score 4 · 4 posts · hype MIXED · 42 hack
What: JWT validation bypass in Perry authentication library (before 0.5.1166) allows indefinite reuse of expired bearer tokens, bypassing session revocation and logout (CVSS 9.1 CRITICAL).
Why it matters: Published June 16, 2026 — same day as social chatter — affecting any application using Perry's jwt.verify() with expired tokens. High CVSS score and direct authentication bypass make this actionable for defenders. However, no KEV listing, no public PoC observed, and chatter is primarily vulnerability aggregator republication with no confirmed in-the-wild exploitation or urgent vendor patching signal.
Where it's seen: Threat intelligence feeds and security news sites amplifying the CVE metadata within hours of publication; no exploit code, defender triage questions, or vendor emergency patches noted yet.
- 17 CVE-2026-36537 CRITICAL · 9.8 · score 3 · 1 post · hype MIXED · 42 hack
What: OAuth authorization code exchange bypass in ThingsBoard v4.3.0.1 allowing authentication bypass (CVSS 9.8).
Why it matters: FOFA scanning reports 14K+ exposed instances detected over the past year, suggesting widespread deployment. High CVSS score and authentication bypass class indicate critical impact if exploited, though no KEV listing, vendor advisory, or public PoC confirmed yet.
Where it's seen: FOFA-driven threat intel chatter flagging exposed instances; scanning/reconnaissance activity but no reported active exploitation or vendor response visible in provided posts.
- 18 CVE-2026-24228 HIGH · 7.8 · score 3 · 3 posts · hype MIXED · 42 hack
What: NVIDIA NeMo Framework (Linux) deserialization vulnerability allowing untrusted data processing leading to code execution, privilege escalation, and data tampering (CVSS 7.8 HIGH).
Why it matters: Published 16 June 2026; NVIDIA has issued a patched version (v2.7.3) cited in vendor guidance. No KEV listing yet, but bundled with two sibling CVEs (CVE-2026-24155, CVE-2026-24252), all enabling code execution. Chatter emphasizes immediate patching urgency; the issue affects AI/ML infrastructure operators.
Where it's seen: Social posts aggregating NVD metadata and vendor advisories; security news wire coverage; calls-to-action for version upgrade. No public PoC or in-the-wild exploitation reported; discussion remains vendor-advisory driven.
- 19 CVE-2026-45447 · score 3 · 3 posts · hype MIXED · 62 hack
What: Heap use-after-free in OpenSSL's PKCS#7/S/MIME signature verification (PKCS7_verify) triggered by malformed SignedData with empty digestAlgorithms; affects process stability and potentially enables remote code execution.
Why it matters: OpenSSL patched this alongside 17 other vulnerabilities on 2026-06-09; described as high-severity by vendor and journalists. No KEV listing or public PoC yet, but immediate patch availability and mainstream security media coverage signal real impact. S/MIME processing is widespread in mail and document workflows.
Where it's seen: Vendor advisory links, SecurityWeek coverage, Lobsters discussion, trending CVE aggregators. Heavy emphasis on patch availability rather than exploitation proof.
- 20 CVE-2026-10649 HIGH · 8.6 · score 3 · 3 posts · hype MOSTLY HYPE · 18 hack
What: Integer overflow in Pacemaker's remote message decompression allowing unauthenticated DoS via memory corruption (CVSS 8.6 HIGH).
Why it matters: Published 16 June 2026 with no KEV listing yet. Posts are aggregator/feed repeats of NVD data within hours of publication—no PoC, no vendor advisory signals, no defender triage reports. Standard disclosure chatter only.
Where it's seen: Automated social feeds republishing CVE feeds and vulnerability aggregator content. No original security research, no patch announcements, no in-the-wild reports.
- 21 CVE-2026-24155 HIGH · 7.8 · score 3 · 3 posts · hype MIXED · 52 hack
What: Code injection vulnerability in NVIDIA NeMo Framework (all platforms) enabling remote code execution, privilege escalation, and data tampering. CVSS 7.8 HIGH.
Why it matters: Published 16 June 2026; security researcher recommendation to update to v2.7.3 indicates patch availability and active advisory awareness. Not yet KEV-listed, but immediate patching guidance and multiple CVE linkage suggest vendor coordination. No public PoC reported in chatter.
Where it's seen: Security feed aggregation (HackerWire, PatchStack) and researcher alerts on social platforms within 24 hours of NVD publication. Bundled with two related NeMo CVEs (24252, 24228) amplifying visibility.
- 22 CVE-2023-24932 MEDIUM · 6.7 · score 3 · 3 posts · hype MIXED · 38 hack
What: Secure Boot bypass vulnerability (CVE-2023-24932, "BlackLotus") affecting Windows UEFI firmware; CVSS 6.7 MEDIUM.
Why it matters: Social chatter links this to SprySOCKS backdoor (Earth Lusca) allegedly used against government targets in Taiwan, Thailand, Pakistan, Honduras. ESET researcher coverage suggests active use in targeted intrusions. However, CVE is not KEV-listed and published nearly 3 years ago; current June 2026 posts appear to recycle earlier reporting mixed with new SprySOCKS campaign details. The vulnerability itself is real but weaponization timing unclear.
Where it's seen: Spanish-language infosec posts on Bluesky; references to ESET findings, The Hacker News article, and defensive guidance (PowerShell mitigation tips). No fresh PoC or scanning signals reported.
- 23 CVE-2026-48172 · KEV · score 3 · 3 posts · hype LIKELY HACK · 78 hack
What: Privilege escalation to root in LiteSpeed User-End cPanel Plugin before 2.4.5 via mishandled Redis enable/disable function; affects cPanel users on vulnerable versions.
Why it matters: NVD explicitly states "exploited in the wild in May 2026"; social chatter corroborates active attacks. No CVSS official score in metadata, but posts cite "10.0" (unverified). Vendor has patched (2.4.5 released). Detection command provided in advisory. Not yet KEV-listed, but recent exploitation and patch urgency signal real-world weaponization.
Where it's seen: Security news outlets and threat intel accounts reporting "active exploit" and "root access"; defenders discussing detection via grep patterns on cPanel logs; vendor remediation guidance circulating.
- 24 CVE-2026-48611 CRITICAL · 9.8 · score 3 · 1 post · hype LIKELY HACK · 72 hack
What: Improper authentication in OAuth implementation allows account hijacking in phpBB even when OAuth is disabled; affects default installations (CVSS 9.8 CRITICAL).
Why it matters: Published today with a CRITICAL score and demonstrated account hijacking (admin account takeover reported on a forum). No KEV listing yet, but real-world proof shown in social posts. Default configurations are vulnerable, affecting widespread phpBB deployments.
Where it's seen: Social chatter emphasizes severity and real demonstration; vulnerability aggregator coverage active same day. No vendor advisory or patch timeline visible in posts, but exploitation proof already circulating informally.
- 25 CVE-2026-53753 · score 3 · 2 posts · hype MOSTLY HYPE · 32 hack
What: Remote code execution in Crawl4AI via sandbox escape in computed field expression evaluation; attacker bypasses validation using generator and frame object attributes (gi_frame, f_back, f_builtins).
Why it matters: No CVE metadata yet published (NVD not enriched, no CVSS, not KEV-listed). Social signal originates from single MDR vendor; no public PoC, vendor advisory, or defender triage activity visible. Metadata sparse; vulnerability class (sandbox escape RCE) is serious if confirmed, but confirmation pending authoritative sources.
Where it's seen: Single MDR vendor posting alert; no corroborating researcher PoC, Crawl4AI maintainer response, or downstream defender chatter detected.