KEV-confirmed + active exploitation + vendor patches, but CVSS only medium and auth required.
What: Authenticated arbitrary file write in Cisco Catalyst SD-WAN Manager web UI (CVE-2026-20262, CVSS 6.5) allowing file creation/overwrite and potential root escalation via malformed HTTP requests.
Why it matters: KEV-listed as of 2026-06-15; multiple posts confirm active in-the-wild exploitation. Cisco released patches same day. Requires valid credentials but post-exploit escalation to root is documented. This is the sixth SD-WAN Manager flaw exploited in 2026, signaling sustained targeting of network infrastructure.
Where it's seen: Security news aggregators (HackersNews, SecurityAffairs) reporting patches and active exploitation; defender community posts emphasizing urgent patching and access restriction; no public PoC details shared yet, but weaponization confirmed.
KEV-listed, confirmed in-the-wild exploitation, vendor alert, 100+ breaches, credible threat actor attribution.
What: Unauthenticated remote code execution in Oracle PeopleSoft Enterprise PeopleTools 8.61/8.62 via HTTP (CVSS 9.8 CRITICAL). Affects environment management component.
Why it matters: KEV-listed as of 2026-06-12. ShinyHunters/UNC6240 exploited as zero-day May 27–June 9, breaching 100+ organizations including universities. No patch available yet—only mitigations. 40GB data theft and extortion campaign confirmed. Oracle issued out-of-band security alert June 10.
Where it's seen: High-volume social chatter referencing Mandiant attribution, threat intel briefs, and university breach alerts. IOCs and tactical details circulating. News aggregators and security researcher posts dominant signal.
CISA KEV + May in-the-wild exploitation + government three-day deadline = validated active threat.
What: LiteSpeed cPanel plugin before 2.4.8 mishandles symlinks, allowing FTP/web shell users on shared CloudLinux/CageFS servers to escalate privileges (CVSS 8.5).
Why it matters: KEV-listed 2026-06-15; confirmed in-the-wild exploitation in May 2026. CISA issued emergency directive requiring federal agencies patch by June 18. Shared hosting blast radius affects thousands of tenants per server.
Where it's seen: CISA advisory, news coverage, vendor patches, C-suite briefings. Social chatter dominated by government deadline and active threat confirmation. No speculation—all posts cite CISA KEV listing and May exploitation.
Also trending
- 4 CVE-2026-50751 · KEV · score 25 · 51 posts · hype: ACTIVE HACK · hack: 92
What: Authentication bypass in Check Point Remote Access and Mobile Access VPN via deprecated IKEv1 key exchange; unauthenticated remote attackers can establish VPN sessions without valid credentials.
Why it matters: KEV-listed as of 2026-06-08; active in-the-wild exploitation confirmed by Qilin ransomware affiliate; CISA mandated 3-day patch deadline for federal agencies; vendors patching urgently; defenders actively triaging and remediating legacy IKEv1 configurations.
Where it's seen: Security advisories, threat intelligence platforms, journalist coverage across multiple languages (English, Indonesian, Japanese), ransomware intelligence feeds, CISA directives, and defender action alerts spanning 24–48 hours post-disclosure.
- 5 CVE-2026-0257 · KEV · score 23 · 45 posts · hype: LIKELY HACK · hack: 82
What: Authentication bypass in Palo Alto Networks PAN-OS GlobalProtect portal and gateway allowing unauthorized VPN access (EPSS 0.2%, no CVSS assigned).
Why it matters: KEV-listed as of 2026-05-29; vendor confirms active in-the-wild exploitation in enterprise environments within 16 days of CVE publication. No Panorama or Cloud NGFW impact limits blast radius but VPN gateway compromise is critical.
Where it's seen: Social chatter dominated by vendor confirmation posts and security news aggregators amplifying active exploitation claims. Posts are consistent—no PoC links observed, but defender urgency signaled by KEV addition and vendor advisory timing.
- 6 CVE-2026-48558 · CRITICAL · 10.0 · score 20 · 20 posts · hype: MIXED · hack: 62
What: Authentication bypass in SimpleHelp remote support versions ≤5.5.15 and 6.0 pre-release when OIDC is enabled; attacker can forge identity tokens to seize admin sessions and bypass MFA. CVSS 10.0 CRITICAL.
Why it matters: Published 4 days ago with zero EPSS percentile, no KEV listing yet. Chatter shows FOFA identified 106K+ exposed instances; vendors have issued patches (5.5.16, 6.0RC2). No public PoC or in-the-wild exploitation confirmed in posts, but remote, unauthenticated, no-interaction attack surface is severe for managed service providers and enterprises using OIDC.
Where it's seen: Infosec Twitter/Bluesky circulation of NVD description, FOFA database alerts, vulnerability aggregators. Tone emphasizes criticality and patch availability rather than exploit tooling or active abuse.
- 7 CVE-2026-42824 · MEDIUM · 6.5 · score 19 · 17 posts · hype: MIXED · hack: 58
What: Command injection in Microsoft 365 Copilot allowing unauthorized information disclosure via crafted URLs; CVSS 6.5 (Medium).
Why it matters: Posts describe a working one-click exfiltration chain (prompt injection + SSRF) exposing emails, MFA codes, and files. Microsoft deployed server-side mitigation. Not KEV-listed and no independent PoC confirmation visible, but researcher disclosures cite technical exploitation mechanics and real-world impact.
Where it's seen: Named "SearchLeak" across Bluesky and X; researcher breakdowns detailing injection chains; vendor acknowledgment of mitigation; threat intel aggregation citing the vulnerability as patched.
- 8 CVE-2026-48907 · KEV · score 17 · 16 posts · hype: ACTIVE HACK · hack: 88
What: Unauthenticated PHP code upload and execution in Joomla JCE (Joomla Content Editor) extension versions 1.0.0–2.9.99.4 via improper access control in editor profile creation. CVSS 10.0.
Why it matters: KEV-listed 2026-06-16, added to CISA's exploited vulnerabilities catalog one day before today. Multiple sources report active in-the-wild exploitation. Fixed version 2.9.99.5 available. High CVSS and immediate government listing signal urgent patch priority for defenders running affected Joomla instances.
Where it's seen: News outlets, threat intelligence feeds, and security Twitter reporting active exploitation. Defenders discussing monitoring, disabling JCE, and applying patches. Detection scripts circulating. No dispute over legitimacy—advisory published 2026-06-05, KEV addition 2026-06-16 corroborated across posts.
- 9 CVE-2026-20253 · CRITICAL · 9.8 · score 16 · 36 posts · hype: LIKELY HACK · hack: 72
What: Unauthenticated file create/truncate via unprotected PostgreSQL sidecar endpoint in Splunk Enterprise <10.2.4, 10.0.7 and Splunk Cloud <10.4.2604.3, 10.2.2510.14 (CVSS 9.8 Critical).
Why it matters: CVSS 9.8 critical severity, FOFA shows 94K+ exposed instances. Watchtowr published technical writeup June 13; post #7 claims honeypot detection of active exploitation attempts as of June 15. Not yet KEV-listed but pre-auth RCE chain documented and public PoC imminent.
Where it's seen: Security researchers, FOFA asset search, threat intel feeds, and Splunk-focused practitioners discussing urgent patching. Claims of active scanning and exploitation attempts in honeypots. No major vendor advisory yet visible in posts.
- 10 CVE-2026-10520 · CRITICAL · 10.0 · KEV · EPSS 60% · score 15 · 56 posts · hype: LIKELY HACK · hack: 78
What: OS Command Injection in Ivanti Sentry (pre-R10.5.2/R10.6.2/R10.7.1) enabling unauthenticated remote root code execution. CVSS 10.0 CRITICAL.
Why it matters: Public PoC dropped June 9; defenders report active exploitation in the wild, confirmed backdoored instances, and mass vulnerable infrastructure. Ivanti has issued patches. Not yet KEV-listed but exploitation signal is credible and widespread.
Where it's seen: Security researchers posting detection telemetry (19+ vulns scanned, 2+ confirmed compromised), public PoC availability, ShadowServer IP feeds tagged for the CVE, patch advisories from Ivanti, and urgent defender triage chatter across social media.
- 11 CVE-2026-53435 · score 12 · 12 posts · hype: LIKELY HACK · hack: 78
What: Jenkins 2.567 and earlier unsafely deserialize arbitrary types from attacker-controlled config.xml, enabling user impersonation, Script Console access, and arbitrary file read (CVSS 8.8).
Why it matters: DefusedCyber confirmed in-the-wild exploitation attempts hitting decoys since June 15. Vendor patches available per Jenkins advisory. Active scanning and PoC development reported across security community. Not yet KEV-listed but exploitation activity is credible and current.
Where it's seen: Security researchers posting live exploitation tracking, technical breakdowns of gadget chains, vendor advisory links, and exploitation scanning tools across Twitter/Bluesky. Engagement driven by active threat confirmation rather than disclosure timing.
- 12 CVE-2026-11645 · HIGH · 8.8 · KEV · score 11 · 24 posts · hype: LIKELY HACK · hack: 78
What: Out-of-bounds read/write in V8 JavaScript engine in Google Chrome prior to 149.0.7827.103; allows remote code execution via crafted HTML; CVSS 8.8 HIGH.
Why it matters: Google released a patch the same day this CVE was published (2026-06-09), and multiple sources report active in-the-wild exploitation. No KEV listing yet, but vendor urgency and defender chatter indicate real weaponization. V8 bugs affecting billions of Chrome users carry immediate triage weight.
Where it's seen: Coordinated coverage across Help Net Security and The Hacker News; social posts emphasize "zero-day exploited in the wild" and urgent patching. Posts cite Chrome 149.0.7827.103 as the fix. No PoC code visible in sample, but tone reflects established exploitation, not speculation.
- 13 CVE-2025-8088 · HIGH · 8.8 · KEV · EPSS 81% · score 11 · 17 posts · hype: ACTIVE HACK · hack: 92
What: Path traversal in Windows WinRAR allows arbitrary code execution via malicious archives (CVSS 8.8, EPSS 0.93).
Why it matters: KEV-listed since August 2025. Confirmed in-the-wild exploitation by Russian-aligned APT groups (Gamaredon, SHADOW-EARTH-066) targeting Ukrainian critical infrastructure and government since late 2025—over 12 documented spearphishing waves through May 2026. Patch available but adoption remains poor; attackers continue active campaigns.
Where it's seen: Threat intelligence reports (Trend Micro, ESET, Harfang Lab, Stalkware) documenting sustained exploitation campaigns. Social chatter focuses on Gamaredon's use of GiftedCrook infostealer, GammaDrop payloads, and HTA delivery chains; discussion of archive format evasion (ARJ spoofing) as attackers adapt.
- 14 CVE-2026-39813 · CRITICAL · 9.8 · score 10 · 13 posts · hype: MIXED · hack: 58
What: Path traversal vulnerability in Fortinet FortiSandbox 4.4.0–5.0.5 (CVSS 9.8 CRITICAL) allowing privilege escalation; attack vector details incomplete in NVD.
Why it matters: Social chatter reports active exploitation within 24 hours of patch release (April 2026), with IOCs and mass attacks cited. However, CVE is not KEV-listed and EPSS remains low (0.24). Posts bundle three vulnerabilities together, conflating signal; no confirmed PoC or independent defender triage visible.
Where it's seen: Journalist coverage (Help Net Security, regional security blogs), threat intel aggregators citing "active exploitation" and IOCs, but no technical deep-dive, no PoC repository link, no vendor emergency advisory evident in posts.
- 15 CVE-2026-12221 · HIGH · 8.0 · score 10 · 10 posts · hype: MIXED · hack: 62
What: Stack-based buffer overflow in Yealink SIP-T46U firmware upgrade handler (sprintf in /api/upgrade/upgrade) triggered via uid/start_offset manipulation. CVSS 8.0 HIGH. Local network attack only.
Why it matters: Public exploit available; vendor unresponsive to disclosure. However, KEV not yet listed, and attack surface is limited to local network access (requires proximity). Real vulnerability but constrained threat model — primarily relevant for organizations with untrusted internal networks or physical access risks.
Where it's seen: Same-day infosec aggregator chatter on Bluesky and X (Vulmon feeds). Posts cite NVD description verbatim; no independent PoC analysis or defender triage reports visible yet. Appears to be coordinated disclosure thread.
- 16 CVE-2026-39808 · CRITICAL · 9.8 · EPSS 66% · score 10 · 12 posts · hype: LIKELY HACK · hack: 78
What: OS command injection in Fortinet FortiSandbox 4.4.0–4.4.8 enabling unauthenticated code execution (CVSS 9.8 critical, EPSS 0.66 high).
Why it matters: Multiple security vendors and honeypot operators report active exploitation of CVE-2026-39808 in the wild alongside two related FortiSandbox flaws. Fortinet patched in April 2026. No KEV listing yet, but credible defender signals (Defused, SOCRadar) confirm attack attempts. High EPSS and CVSS reinforce urgency.
Where it's seen: Security news outlets (Help Net Security, The Hacker News), threat intel platforms citing honeypot detections, multilingual coverage signaling broad awareness. Grouped with CVE-2026-39813 and CVE-2026-25089 in coordinated exploitation campaigns.
- 17 CVE-2026-42897 · HIGH · 8.1 · KEV · score 10 · 17 posts · hype: LIKELY HACK · hack: 72
What: Cross-site scripting (XSS) in Microsoft Exchange Server on-premises allowing email spoofing; CVSS 8.1 HIGH.
Why it matters: Microsoft confirmed active exploitation in the wild as of 2026-05-14. Posts cite emergency patching and mitigation guidance. Not yet KEV-listed but vendor advisory + confirmed active abuse signals immediate triage priority for on-prem Exchange operators.
Where it's seen: Coordinated social chatter across security news outlets (HelpNetSecurity, The Hacker News) and Bluesky; consistent framing of "actively exploited zero-day" with remediation paths (EOMT, service updates). No public PoC mentioned, but threat actor activity confirmed by Microsoft.
- 18 CVE-2026-5027 · HIGH · 8.8 · score 10 · 37 posts · hype: MIXED · hack: 42
What: Path traversal vulnerability in Langflow's POST /api/v2/files endpoint allowing unauthenticated arbitrary file write via unsanitized filename parameter (CVSS 8.8).
Why it matters: Social chatter claims active in-the-wild exploitation for RCE on unpatched Langflow instances, but CVE is not KEV-listed and EPSS is extremely low (0.1%). Claims of "active exploitation" lack corroborating PoC links, vendor advisory dates, or defender triage reports. Hacker News coverage amplifies unverified assertions.
Where it's seen: Recycled Hacker News headlines across Bluesky; Indonesian security blog; sensationalized "silent crisis" framing; no linked PoCs, no vendor patch timeline, no defender confirmation.
- 19 CVE-2026-25089 · CRITICAL · 9.8 · score 9 · 13 posts · hype: LIKELY HACK · hack: 78
What: OS command injection in Fortinet FortiSandbox 4.2–5.0.5 and Cloud/PaaS variants allowing unauthenticated remote code execution via malformed HTTP requests (CVSS 9.8 CRITICAL).
Why it matters: Fortinet issued patches within 8 days of disclosure. Social chatter confirms active exploitation of this CVE alongside related FortiSandbox flaws (CVE-2026-39813, CVE-2026-39808). Multiple security vendors and threat intelligence firms report attackers weaponizing the vulnerability. Unauthenticated RCE on a sandbox/threat-analysis appliance creates direct risk to downstream security operations.
Where it's seen: Vendor advisories, Help Net Security and TheHackerNews coverage citing active attacks, security vendor (SecPod) mitigation guidance, multi-language social alerts flagging critical severity and exploitation.
- 20 CVE-2026-46316 · score 9 · 14 posts · hype: MOSTLY HYPE · hack: 22
What: Reference counting bug in Linux kernel KVM/arm64 vGIC-ITS translation cache invalidation allowing concurrent double-free; no CVSS assigned, EPSS 0.0005%.
Why it matters: Social media claims "guest-to-host escape" and "PoC" under marketing name "ITScape," but NVD description documents a race condition in cache cleanup, not a direct escape vector. No KEV listing, no official PoC confirmed, EPSS near-zero. Vendor (Linux) patched the bug as a correctness fix, not emergency response.
Where it's seen: Coordinated Bluesky posts from low-engagement accounts rebranding a routine kernel fix as critical escape exploit; sensationalized framing mismatches actual advisory scope.
- 21 CVE-2026-50656 · HIGH · 7.8 · score 9 · 9 posts · hype: MIXED · hack: 42
What: Elevation of privilege in Microsoft Malware Protection Engine (Defender) allowing SYSTEM-level code execution via race condition on fully patched Windows 10/11. CVSS 7.8 (HIGH).
Why it matters: Microsoft acknowledged RoguePlanet on 2026-06-16 and is developing a patch. Not yet KEV-listed; no confirmed public PoC or in-the-wild exploitation reported. Social chatter conflates "zero-day" status with active exploitation—Microsoft's public acknowledgment and imminent patch suggest rapid response to a real vulnerability, but no defender triage signals yet visible.
Where it's seen: Threat intel accounts and security news aggregators amplifying the NVD advisory with speculative claims about bypass capabilities and IOC counts. No technical PoC, no vendor advisory detail beyond Microsoft's statement.
- 22 CVE-2026-10187 · CRITICAL · 9.8 · score 8 · 17 posts · hype: MOSTLY HYPE · hack: 28
What: Stack-based buffer overflow in Totolik N300RH web management interface (wireless.so setWiFiBasicConfig). CVSS 9.8 critical; remote code execution via malformed KeyStr argument.
Why it matters: NVD states exploit is public. However, CVE not yet KEV-listed. Social chatter is copy-paste alert spam with no PoC links, defender triage questions, or vendor patch updates. Low EPSS (0.41%) and no evidence of active scanning or in-the-wild exploitation. Appears to be early-stage disclosure amplification.
Where it's seen: Repetitive social media alerts (same few posts duplicated); no independent researcher PoCs, no vendor advisory from Totolik, no security firm hunting reports.
- 23 CVE-2026-22872 · CRITICAL · 9.1 · score 8 · 15 posts · hype: MOSTLY HYPE · hack: 28
What: Capsule Kubernetes multi-tenancy controller privilege escalation (CVE-2026-22872, CVSS 9.1). Tenant owners can create cluster-scoped resources via controller's cluster-admin privileges, bypassing namespace restrictions and achieving cross-tenant privilege escalation.
Why it matters: Patch available (v0.13.0) and real fix deployed; requires Tenant Owner role + default cluster-admin configuration to exploit. Not yet KEV-listed; no public PoC or in-the-wild exploitation reported. CVSS is high but EPSS extremely low (0.28%), signaling limited real-world weaponization probability.
Where it's seen: Identical recycled alert posts across Bluesky with no original analysis, PoC links, or defender triage questions. Pure advisory amplification without exploitation evidence or vendor urgency signals.
- 24 CVE-2026-4020 · HIGH · 7.5 · score 8 · 7 posts · hype: LIKELY HACK · hack: 72
What: Gravity SMTP WordPress plugin (≤2.1.4) exposes full system configuration via unauthenticated REST API endpoint, revealing PHP version, plugins, API keys, database details. CVSS 7.5 HIGH.
Why it matters: Active opportunistic scanning observed across ~560 IPs and 3,300+ user agents coordinated by shared cloud infrastructure. Honeylabs documented organized exploitation attempts within months of disclosure. No KEV listing, but real-world attack telemetry confirms weaponization.
Where it's seen: Security research blogs (Honeylabs), social media amplification on Bluesky and HackerNews discussing attacker infrastructure patterns. Plugin maintainers likely patching; defenders triaging WordPress instances for exposure.
- 25 CVE-2026-45447 · score 7 · 7 posts · hype: MIXED · hack: 62
What: Heap use-after-free in OpenSSL's PKCS#7/S/MIME signature verification (PKCS7_verify) triggered by malformed SignedData with empty digestAlgorithms; affects process stability and potentially enables remote code execution.
Why it matters: OpenSSL patched this alongside 17 other vulnerabilities on 2026-06-09; described as high-severity by vendor and journalists. No KEV listing or public PoC yet, but immediate patch availability and mainstream security media coverage signal real impact. S/MIME processing is widespread in mail and document workflows.
Where it's seen: Vendor advisory links, SecurityWeek coverage, Lobsters discussion, trending CVE aggregators. Heavy emphasis on patch availability rather than exploitation proof.