ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Microsoft June 2026 Patch Tuesday
Published: 2026-06-09
Last Updated: 2026-06-09 17:34:29 UTC
by Johannes Ullrich (Version: 1)
Microsoft today released patches for 204 vulnerabilities. 38 of these vulnerabilities are considered critical, and three have been disclosed before today. Six of the vulnerabilities affect Microsoft cloud solutions and do not require any user action. In addition, Microsoft incorporated 360 different vulnerabilities affecting Chromium into its Edge browser.
This is certainly a busier-than-usual patch Tuesday. In particular, the large number of patched Chromium/Edge vulnerabilities underscores the impact of AI tools on vulnerability discovery.
Some noteworthy vulnerabilities:
CVE-2026-49160: This vulnerability was made public a week ago. As implemented in many HTTP/2 stacks, the HPACK header compression (and its HTTP/3 derivative, QPACK) can be turned into a "compression bomb": a peer adds one large entry to the shared dynamic table and then references it with one-byte indexed fields, so a few kilobytes of input expand into megabytes of decoded headers and excessive resource consumption. Many HTTP/2 implementations are vulnerable. Microsoft addressed this issue by adding a "MaxHeadersCount" registry setting that limits the amount of allocated resources.
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-49160
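To make the resource-consumption mechanism concrete, the following Python is an added illustration, not code from Microsoft or ISC and not a reproduction of the http.sys defect. It implements just enough of RFC 7541 to build a header block that references one near-table-sized dynamic entry a thousand times, then shows a decoder bounding the damage with the protocol's own knob, SETTINGS_MAX_HEADER_LIST_SIZE (RFC 7540 §6.5.2), which is the generic analogue of an implementation-specific limit such as the MaxHeadersCount setting mentioned above. All class and function names are this example's own; the payload is constructed.

```python
"""HPACK 'compression bomb' (RFC 7541) and the decoder-side limit that defuses it.

Added example; supports only the two representations the bomb needs (literal
with incremental indexing, indexed field), non-Huffman strings, and treats the
static table as opaque placeholders.
"""

STATIC_TABLE_LEN = 61   # RFC 7541 Appendix A; dynamic entries start at index 62
ENTRY_OVERHEAD = 32     # RFC 7541 4.1: entry size = len(name) + len(value) + 32


class HeaderListTooLarge(Exception):
    """Raised by the guard when decoded headers exceed the configured limit."""
    def __init__(self, fields_accepted):
        super().__init__(f"header list too large after {fields_accepted} fields")
        self.fields_accepted = fields_accepted


def encode_int(value, prefix_bits, flags=0):
    """RFC 7541 5.1 integer with an N-bit prefix; `flags` are the pattern bits."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out = bytearray([flags | limit])
    value -= limit
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def literal_with_indexing(name, value):
    """'01' pattern, new name: the entry is added to the dynamic table (6.2.1)."""
    return b"\x40" + encode_int(len(name), 7) + name + encode_int(len(value), 7) + value


def indexed_field(index):
    """'1' pattern: reference an existing table entry by index (6.1)."""
    return encode_int(index, 7, 0x80)


def build_bomb(value_len=4000, repeats=1000):
    """Constructed attacker block: one entry that fits the default 4096-byte
    table, followed by `repeats` one-byte references to it (index 62)."""
    return literal_with_indexing(b"x", b"A" * value_len) + indexed_field(STATIC_TABLE_LEN + 1) * repeats


class Decoder:
    def __init__(self, max_table_size=4096, max_header_list_size=None):
        self.max_table_size = max_table_size                # SETTINGS_HEADER_TABLE_SIZE
        self.max_header_list_size = max_header_list_size    # SETTINGS_MAX_HEADER_LIST_SIZE
        self.dynamic = []                                   # newest entry first
        self.dynamic_size = 0

    def _read_int(self, data, pos, prefix_bits):
        limit = (1 << prefix_bits) - 1
        value, pos = data[pos] & limit, pos + 1
        if value < limit:
            return value, pos
        shift = 0
        while True:
            byte, pos = data[pos], pos + 1
            value += (byte & 0x7F) << shift
            shift += 7
            if not byte & 0x80:
                return value, pos

    def _read_string(self, data, pos):
        if data[pos] & 0x80:
            raise ValueError("Huffman-coded strings are outside this demo")
        length, pos = self._read_int(data, pos, 7)
        return bytes(data[pos:pos + length]), pos + length

    def _add_to_table(self, name, value):
        self.dynamic.insert(0, (name, value))
        self.dynamic_size += len(name) + len(value) + ENTRY_OVERHEAD
        while self.dynamic_size > self.max_table_size:      # evict oldest (4.4)
            old_name, old_value = self.dynamic.pop()
            self.dynamic_size -= len(old_name) + len(old_value) + ENTRY_OVERHEAD

    def decode(self, data):
        headers, pos, list_size = [], 0, 0
        while pos < len(data):
            first = data[pos]
            if first & 0x80:                                # indexed header field
                index, pos = self._read_int(data, pos, 7)
                if index <= STATIC_TABLE_LEN:
                    name, value = b"<static-%d>" % index, b""
                elif index - STATIC_TABLE_LEN <= len(self.dynamic):
                    name, value = self.dynamic[index - STATIC_TABLE_LEN - 1]
                else:
                    raise ValueError("index beyond dynamic table")
            elif first & 0x40:                              # literal, incremental indexing
                index, pos = self._read_int(data, pos, 6)
                if index:
                    raise ValueError("indexed names are outside this demo")
                name, pos = self._read_string(data, pos)
                value, pos = self._read_string(data, pos)
                self._add_to_table(name, value)
            else:
                raise ValueError("representation outside this demo")
            # RFC 7540 6.5.2 measures the list with the same 32-byte overhead per field.
            list_size += len(name) + len(value) + ENTRY_OVERHEAD
            if self.max_header_list_size is not None and list_size > self.max_header_list_size:
                raise HeaderListTooLarge(len(headers))      # a real server answers 431 or resets
            headers.append((name, value))
        return headers


def decoded_bytes(headers):
    """Uncompressed size of the names and values a block produced."""
    return sum(len(n) + len(v) for n, v in headers)


def fields_before_guard(block, limit):
    """Fields a limited decoder accepts before the guard trips (all of them if it never does)."""
    try:
        return len(Decoder(max_header_list_size=limit).decode(block))
    except HeaderListTooLarge as exc:
        return exc.fields_accepted
```

Run on the constructed payload, an unlimited decoder turns 5,006 input bytes into about 4 MB of header data (roughly 800:1), while a decoder with a 64 KiB list limit stops after 16 fields; the dynamic table itself never grows beyond its 4096-byte budget, which is why a table-size limit alone does not stop this.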
CVE-2026-47291: Like CVE-2026-49160, this vulnerability affects the Windows HTTP.sys kernel-mode web server engine; it is rated critical and allows remote code execution. The underlying integer overflow requires an oversized request to trigger it. Until the patch can be rolled out, Microsoft recommends restricting the "MaxRequestBytes" http.sys registry value to prevent exploitation.
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47291
CVE-2026-45648: A stack-based buffer overflow in Active Directory Domain Services. A successful attack requires authentication, and Microsoft considers exploit development as "unlikely".
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45648
Microsoft fixed three different BitLocker security feature bypass vulnerabilities. One of the vulnerabilities was already publicly known. An "anonymous" researcher is credited with the discovery, but I assume it is one of the "Nightmare Eclipse" vulnerabilities.
Several critical vulnerabilities affect Microsoft Office, Outlook, and Word ...
Read the full entry: https://isc.sans.edu/diary/Microsoft+June+2026+Patch+Tuesday/33064/
How has use of framing protection security headers changed in the past 3 years?
Published: 2026-06-10
Last Updated: 2026-06-10 08:29:21 UTC
by Jan Kopriva (Version: 1)
Back in 2023, I wrote a diary (https://isc.sans.edu/diary/29698) discussing how commonly X-Frame-Options and CSP headers containing the frame-ancestors directive were used on the 1 million most popular domains on the internet (based on the Tranco list), and how they were set. Given that three years have passed since then, I thought it might be interesting to repeat the analysis and see what – if anything – has changed in the meantime.
Before we get to the data, however, let’s briefly recap what the headers in question do and why they are important.
Both headers basically serve the same fundamental purpose – they inform a browser whether the content of a given web page may be embedded in an iframe or similar object on another web page. Without either of these headers in place, any web page may freely load any other web page in an iframe, which can be quite beneficial in some instances, but also provides functionality that is commonly abused by phishing actors.
The most common abuse scenario is a generic framing attack that leads to what is sometimes called "overlay phishing". The attacker creates a malicious page which loads a legitimate website (usually the official company website of the phishing recipient) in a full-screen iframe, then overlays a fake login prompt on top of it. The result is that the victim sees what may appear to be the real login page. Setting either X-Frame-Options or CSP with the frame-ancestors directive on the legitimate site effectively mitigates this approach, because the browser refuses to load the page inside an iframe in the first place; all that would be displayed is a fake login form over a browser message informing the user that the page cannot be loaded (which should make the credential-stealing form appear less than trustworthy to most people).
This is a good reason why these headers are worth implementing on any organization's web site, regardless of how prominent or otherwise “interesting” the organization might consider itself to be.
For completeness’ sake, it should be mentioned that although the two security headers serve a similar purpose, they are not exactly equal. The X-Frame-Options header is the older of the two mechanisms and, while functional, is relatively limited in what it can express. It supports three directives: DENY (the page may not be framed by anyone), SAMEORIGIN (the page may only be framed by pages on the same origin/domain), and ALLOW-FROM (the page may be framed by a specific origin/domain).
Although the header in general is still widely supported and does its job well, its ALLOW-FROM directive was never universally supported by all browsers and is now considered obsolete. More importantly, however, the X-Frame-Options header as a whole has been basically superseded by the Content Security Policy frame-ancestors directive.
The CSP frame-ancestors directive offers considerably more flexibility than X-Frame-Options. It supports the same basic use cases (frame-ancestors 'none' being equivalent to DENY, frame-ancestors 'self' being equivalent to SAMEORIGIN), but also enables some additional ones (such as supporting wildcard matching for subdomains etc.). Modern browsers therefore generally treat frame-ancestors as the authoritative directive, ignoring X-Frame-Options entirely when both are present. That said, X-Frame-Options remains relevant for legacy browser compatibility and – in practice – both headers can be sent simultaneously without any harm, which is what many HTTP servers actually do.
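The precedence rules just described are easy to get wrong when auditing a site, so here is an added example, not part of the diary or ISC's scanning tooling, that evaluates a response's headers the way a current browser does: an enforcing frame-ancestors directive decides on its own and X-Frame-Options is then ignored; a report-only CSP blocks nothing; ALLOW-FROM and unrecognised values grant no protection. It assumes a single ancestor origin rather than the full frame chain and omits the CSP rule that lets an http: source match an https: embedder; the header blocks in the usage are constructed, and all function names are this example's own.

```python
"""Effective framing policy of an HTTP response, as a modern browser applies it.

Added example with simplified CSP3 source matching ('none', 'self', '*',
scheme-source, host-source with optional scheme, wildcard host and port).
"""
from urllib.parse import urlsplit


def parse_headers(raw):
    """Raw response header block -> list of (lowercase name, value)."""
    pairs = []
    for line in raw.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def frame_ancestors_lists(headers):
    """Source lists of every *enforcing* frame-ancestors directive.
    Content-Security-Policy-Report-Only is deliberately not matched."""
    lists = []
    for name, value in headers:
        if name != "content-security-policy":
            continue
        for directive in value.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                lists.append([t.lower() for t in tokens[1:]])
    return lists


def same_origin(a, b):
    a, b = urlsplit(a), urlsplit(b)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def source_allows(source, embedder, page):
    """Does one ancestor-source expression permit `embedder` to frame `page`?"""
    if source == "'none'":
        return False
    if source == "'self'":
        return same_origin(embedder, page)
    if source == "*":
        return True
    e = urlsplit(embedder)
    if source.endswith(":") and "/" not in source:          # scheme-source, e.g. https:
        return e.scheme == source[:-1]
    s = urlsplit(source if "://" in source else "//" + source)
    if s.scheme and s.scheme != e.scheme:
        return False
    host = s.hostname or ""
    if host.startswith("*."):                               # *.example.com, not example.com itself
        if not (e.hostname or "").endswith(host[1:]):
            return False
    elif host != e.hostname:
        return False
    return s.port is None or s.port == e.port


def evaluate(raw_headers, page_origin, embedder_origin):
    """Return (framing_allowed, deciding_mechanism, notes) for one ancestor origin."""
    headers = parse_headers(raw_headers)
    xfo_values = {v.upper() for n, v in headers if n == "x-frame-options"}
    notes = []
    policies = frame_ancestors_lists(headers)
    if policies:
        # Every enforcing policy must allow the ancestor; X-Frame-Options is not consulted.
        allowed = all(any(source_allows(s, embedder_origin, page_origin) for s in p) for p in policies)
        if xfo_values:
            notes.append("X-Frame-Options ignored: frame-ancestors takes precedence")
        return allowed, "csp-frame-ancestors", notes
    if not xfo_values:
        notes.append("no enforced framing protection")
        return True, None, notes
    if len(xfo_values) > 1:
        # HTML spec: differing values that include DENY or SAMEORIGIN deny framing.
        notes.append("conflicting X-Frame-Options values; fix the configuration")
        return not (xfo_values & {"DENY", "SAMEORIGIN"}), "x-frame-options", notes
    value = xfo_values.pop()
    if value == "DENY":
        return False, "x-frame-options", notes
    if value == "SAMEORIGIN":
        return same_origin(embedder_origin, page_origin), "x-frame-options", notes
    if value.startswith("ALLOW-FROM"):
        notes.append("ALLOW-FROM is obsolete and ignored, so the page is framable")
    else:
        notes.append(f"unrecognised X-Frame-Options value {value!r} is ignored")
    return True, "x-frame-options", notes


# Constructed responses for a hypothetical https://www.victim.example page.
CSP_AND_XFO = ("Content-Security-Policy: default-src 'self'; frame-ancestors 'self' https://*.partner.example\r\n"
               "X-Frame-Options: DENY\r\n")
ALLOW_FROM_ONLY = "X-Frame-Options: ALLOW-FROM https://partner.example\r\n"
REPORT_ONLY = "Content-Security-Policy-Report-Only: frame-ancestors 'none'\r\n"
```

With CSP_AND_XFO, https://app.partner.example may frame the page (the wildcard matches) while https://partner.example and https://evil.example may not, and the DENY is reported as ignored rather than applied; ALLOW_FROM_ONLY and REPORT_ONLY both leave the page framable by anyone, which is exactly the overlay-phishing exposure the diary describes.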
With this context in mind, let us look at how the use of these headers has evolved since 2023 ...
Read the full entry: https://isc.sans.edu/diary/How+has+use+of+framing+protection+security+headers+changed+in+the+past+3+years/33068/
TeamPCP Supply Chain Campaign: Activity Through 2026-06-07
Published: 2026-06-08
Last Updated: 2026-06-08 17:07:37 UTC
by Kenneth Hartman (Version: 1)
This diary continues the Internet Storm Center's tracking of the TeamPCP supply chain campaign, first documented in the SANS white paper When the Security Scanner Became the Weapon (https://www.sans.org/white-papers/when-security-scanner-became-weapon) and most recently in the handler diary Activity Through 2026-05-24 (https://isc.sans.edu/diary/33014). Since that update, the story moved into two new places: the United States government, which formally caught up to the campaign, and the wider population of attackers now wielding the Mini Shai-Hulud framework that TeamPCP open-sourced last month.
Bottom line up front
Two developments stand out since the last update. First, the federal response that prior coverage flagged as conspicuously absent arrived in a roughly 48-hour burst: on 2026-05-27 CISA added the campaign's primary tracking vulnerabilities to its Known Exploited Vulnerabilities catalog, and on 2026-05-28 it issued its first standalone advisory naming the Nx Console and GitHub repository compromises. Second, the leaked Mini Shai-Hulud framework produced its first significant in-the-wild npm wave: beginning 2026-06-01, a credential-stealing worm that Wiz named "Miasma" compromised dozens of @redhat-cloud-services packages, followed two days later by a "Phantom Gyp" variant that reached 57 more. Vendors trace the malware to the TeamPCP lineage but now explicitly caution that a copycat using the public toolkit cannot be ruled out. The affiliated extortion channels stayed frozen, so this period's activity was ecosystem-scale worming rather than named-victim extortion.
How this developed
The last update closed with two open questions: whether CISA would act on a campaign it had so far left out of the KEV catalog, and whether the framework TeamPCP published to GitHub would produce copycat attacks. Both resolved in the affirmative. CISA's KEV addition and standalone advisory closed the government-silence gap within roughly a day of each other. A week later, the Red Hat npm compromise demonstrated that the open-sourced code is now operational in other hands. The throughline is that the campaign has entered a phase where its tradecraft outlives any single operator: the same techniques (subverted build pipelines that emit validly signed artifacts, and install-time credential theft) now arrive from attackers who may have no direct connection to TeamPCP at all.
What changed, by theme ...
Read the full entry: https://isc.sans.edu/diary/TeamPCP+Supply+Chain+Campaign+Activity+Through+20260607/33060/
The Evil MSI Background is Back! (2026.06.05)
https://isc.sans.edu/diary/The+Evil+MSI+Background+is+Back/33054/
Microsoft's Coreutils for Windows (2026.06.04)
https://isc.sans.edu/diary/Microsofts+Coreutils+for+Windows/33048/
Continuing Scans for swagger.json (2026.06.03)
https://isc.sans.edu/diary/Continuing+Scans+for+swaggerjson/33044/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2026-50751 - Remote Access and Mobile Access certificate validation in deprecated IKEv1 key exchange allows unauthenticated remote attackers to bypass user authentication and establish VPN connections without a valid password.
Product: Check Point Remote Access VPN and Mobile Access
CVSS Score: 9.3
** KEV since 2026-06-08 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-50751
ISC Podcast: https://isc.sans.edu/podcastdetail/9964
NVD References:
- https://support.checkpoint.com/results/sk/sk185033
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-50751
CVE-2026-28318 - SolarWinds Serv-U can be crashed by specially crafted POST requests without authentication by using Content-Encoding: deflate.
Product: Solarwinds Serv-U 15.5.4
CVSS Score: 7.5
** KEV since 2026-06-05 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-28318
NVD References:
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2026-28318
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-28318
CVE-2026-20245 - Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, is vulnerable to command injection attacks, allowing an authenticated, local attacker to execute arbitrary commands as root by uploading a crafted file to the affected system.
Product: Cisco Catalyst SD-WAN Manager
CVSS Score: 7.8
** KEV since 2026-06-09 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-20245
NVD References:
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20245
CVE-2026-11645 - Google Chromium V8 Out-of-Bounds Read and Write Vulnerability
Product: Google Chrome
CVSS Score: 8.8
** KEV since 2026-06-09 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-11645
NVD References:
- https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html
- https://issues.chromium.org/issues/506689381
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-11645
CVE-2026-7473 - Arista EOS is vulnerable to incorrect decapsulation and forwarding of unexpected tunneled packets on affected platforms, potentially leading to the unexpected processing of non-configured tunnel traffic and exploitation in the wild.
Product: Arista EOS
CVSS Score: 5.8
** KEV since 2026-06-09 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-7473
NVD References:
- https://www.arista.com/en/support/advisories-notices/security-advisory/22872-security-advisory-0137
- https://www.arista.com/en/support/advisories-notices/security-advisory/24005-security-advisory-0137
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-7473
CVE-2022-0492 - Linux kernel's cgroup_release_agent_write vulnerability in the kernel/cgroup/cgroup-v1.c function allows for privilege escalation and namespace isolation bypass.
Product: Linux kernel/cgroup/cgroup-v1.c function
CVSS Score: 0
** KEV since 2026-06-02 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-0492
CVE-2025-10263 - ARM: CVE-2025-10263 Completion of affected memory accesses might not be guaranteed by completion of a TLBI [kernel]
Product: ARM Cortex-X925, Cortex-X4, Cortex-X3, Cortex-X2, Cortex-X1 & X1C, Cortex-A710, Cortex-A78, A78AE & A78C, Cortex-A77, Cortex-A76 & A76A
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10263
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-10263
CVE-2026-49160 - Uncontrolled resource consumption in HTTP/2 allows an unauthorized attacker to deny service over a network.
Product: HTTP/2
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-49160
ISC Diary: https://isc.sans.edu/diary/33064
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-49160
CVE-2026-0826 - Poly Voice products on the Linux platform may be vulnerable to remote code execution due to a buffer overflow when the admin has enabled ICE.
Product: Poly Voice products on the Linux platform
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-0826
ISC Podcast: https://isc.sans.edu/podcastdetail/9956
CVE-2026-9614 - Ivanti Neurons for ITSM (cloud and on-premises) has an Improper Access Control vulnerability that can be exploited by a remote authenticated attacker to gain administrative access.
Product: Ivanti Neurons for ITSM
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-9614
ISC Podcast: https://isc.sans.edu/podcastdetail/9956
CVE-2026-7198, CVE-2026-7312 - Vulnerabilities in Progress Sitefinity before 15.4.8630
Product: Progress Sitefinity
CVSS Scores: 9.8 - 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-7198 (improper access control)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-7312 (insufficiently protected credentials)
CVE-2026-8037 - API in Progress ADC Products are vulnerable to OS Command Injection Remote Code Execution attacks, enabling unauthorized users to execute arbitrary commands on the LoadMaster appliance through input manipulation.
Product: Progress ADC Products
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-8037
NVD References: https://community.progress.com/s/article/LoadMaster-Critical-Security-Bulletin-June-2026-CVE-2026-8037-CVE-2026-33691
CVE-2026-42074 - OpenClaude's dangerouslyDisableSandbox parameter allowed an untrusted user to achieve full host-level code execution before version 0.5.1.
Product: OpenClaude
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42074
NVD References: https://github.com/Gitlawb/openclaude/security/advisories/GHSA-m77w-p5jj-xmhg
CVE-2026-42849, CVE-2026-49448 - Vulnerabilities in Authentik, an open-source identity provider.
Product: Authentik
CVSS Scores: 9.3 - 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42849 (cross-site scripting)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-49448 (improper authentication)
NVD References:
- https://github.com/goauthentik/authentik/security/advisories/GHSA-pgff-5mx8-fqj3
- https://github.com/goauthentik/authentik/security/advisories/GHSA-xp7f-xjjx-gwm8
CVE-2026-32625 - LibreChat 0.8.3 and below has a vulnerability that enables authenticated users to compromise cryptographic materials and database credentials by manipulating MCP server configurations.
Product: LibreChat
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-32625
NVD References: https://github.com/danny-avila/LibreChat/security/advisories/GHSA-4pcc-j6m6-wcwx
CVE-2025-14771 - Files or directories accessible to external parties vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24.
Product: ABB T-MAC Plus 4.0-24
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-14771
CVE-2026-47065 - Critical Deserialization Allow-list Bypass via resolveProxyClass - ZDRES-232
Product: Apache MINA
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-47065
NVD References: https://lists.apache.org/thread/y7xj1bl8qo47p9bktb11hg5v6k1d4dyj
CVE-2026-50076 - Apache Fory fory-core Java SDK before 1.1.0 allows remote attackers to invoke classpath-present readResolve/readExternal hooks via crafted serialized data.
Product: Apache Fory
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-50076
NVD References: https://fory.apache.org/security
CVE-2026-29167, CVE-2026-42535, CVE-2026-44631 - Vulnerabilities in Apache HTTP Server.
Product: Apache HTTP Server
CVSS Scores: 9.1 - 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-29167 (use after free)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42535 (exposure of resource to wrong sphere)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-44631 (buffer underflow)
NVD References: https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2026-5241 - Huggingface/transformers version 5.2.0 is vulnerable to remote code execution due to an issue in the LightGlue model loading path, allowing attacker-controlled models to execute arbitrary code during initialization.
Product: Huggingface Transformers 5.2.0
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-5241
CVE-2026-20230 - Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) are vulnerable to SSRF attacks due to improper input validation for specific HTTP requests, allowing an unauthenticated attacker to write files to the underlying operating system and potentially elevate privileges to root.
Product: Cisco Unified Communications Manager (Unified CM)
CVSS Score: 8.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-20230
ISC Podcast: https://isc.sans.edu/podcastdetail/9960
NVD References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssrf-cXPnHcW
CVE-2026-46266 - The Linux kernel vulnerability has been resolved by dropping incoming ICMP packets targeting RAW sockets using IPPROTO_RAW.
Product: Linux Kernel
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-46266
CVE-2026-41283 - OpenStack Mistral through 22.0.0 is vulnerable to Arbitrary Remote Code Execution through exposed APIs, potentially enabling unauthorized exfiltration of service credentials.
Product: OpenStack Mistral
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-41283
NVD References: https://www.openwall.com/lists/oss-security/2026/06/03/14
CVE-2026-49185, CVE-2026-49186, CVE-2026-49188, CVE-2026-49191, CVE-2026-50208, CVE-2026-50211, CVE-2026-50214, CVE-2026-50225 - Multiple vulnerabilities in Acer Connect_M6E_5G_Firmware
Product: Acer Connect_M6E_5G_Firmware
CVSS Scores: 9.1 - 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-49185 (OS command injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-49186 (improper authentication)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-49188 (active debug code)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-49191 (improper authentication)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-50208 (use of insufficiently random values)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-50211 (use of externally-controlled format string)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-50214 (insufficient verification of data authenticity)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-50225 (missing authentication for critical function)
NVD References: https://community.acer.com/en/kb/articles/19707
CVE-2026-10880 - OSNexus QuantaStor SDS Manager is vulnerable to SQL injection in the login endpoint, allowing an attacker to bypass authentication and log in as an administrator without a valid password.
Product: OSNexus QuantaStor SDS Manager
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-10880
NVD References: https://blog.blacklanternsecurity.com/p/cve-2026-10880-osnexus-quantastor
CVE-2026-25550 - Seagull Software BarTender 2010, 2016, and 2019 are vulnerable to unauthenticated remote code execution via its .NET Remoting service on TCP port 7375.
Product: Seagull Software BarTender
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25550
CVE-2026-48040 - The netty incubator codec.bhttp library is vulnerable to memory corruption and information disclosure by unauthenticated network attackers when cryptographic operations are triggered with crafted OHTTP requests.
Product: Netty-Incubator-Codec-bhttp
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-48040
NVD References: https://github.com/netty/netty-incubator-codec-ohttp/security/advisories/GHSA-32hf-8jw3-v4qq
CVE-2025-71316 - SQLite's 'sqldiff.exe' vulnerability in handling Unicode to ANSI conversion in Windows C runtime could allow an attacker to load a malicious DLL through the '-L' option, fixed on or around 2025-12-26.
Product: SQLite sqldiff.exe
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-71316
CVE-2024-27890, CVE-2024-27892 - Arista EOS with OpenConfig configured is vulnerable to unauthorized gNMI Set requests, potentially leading to unintended configuration changes.
Product: Arista EOS
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-27890
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-27892
NVD References: https://www.arista.com/en/support/advisories-notices/security-advisory/19862-security-advisory-0099
CVE-2026-35075 - Firmware image for the vulnerable product contains a default password that allows an unauthenticated remote attacker to gain full access to all affected devices.
Product: MBS-Solutions Universal Gateway
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-35075
NVD References: https://www.certvde.com/en/advisories/VDE-2026-039/
CVE-2026-7762, CVE-2026-7763 - Heap-based buffer overflow vulnerabilities in the Morse Micro HaLowLink 2 software versions prior to 2.11.13
Product: Morse Micro HaLowLink 2
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-7762
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-7763
NVD References:
- https://www.morsemicro.com/security-advisories/MM-SA-2026-002
- https://www.morsemicro.com/security-advisories/MM-SA-2026-001
CVE-2026-9270, CVE-2026-11362 - DataDog::DogStatsd versions through 0.07 for Perl allow metric injections due to input sanitization issues.
Product: DataDog DogStatsd
CVSS Scores: 9.1 - 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-9270
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-11362
CVE-2026-45744 - Termix's GET /ssh/file_manager/ssh/resolvePath endpoint allows authenticated users to execute arbitrary commands on the connected remote host via OS command injection prior to version 2.3.2.
Product: Termix
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45744
NVD References: https://github.com/Termix-SSH/Termix/security/advisories/GHSA-37f4-wq95-pg33
CVE-2026-45746 - Termix web-based server management platform is vulnerable to a critical Broken Access Control issue in File Manager functionality, allowing attackers to access and manipulate active sessions of other users and execute commands on their VPS.
Product: Termix
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45746
NVD References: https://github.com/Termix-SSH/Termix/security/advisories/GHSA-cx2r-843c-vww8
CVE-2026-45748 - Termix's `POST /ssh/tunnel/connect` endpoint prior to version 2.3.2 allows persistent OS command injection through user-controlled fields, with the issue being patched in the new version.
Product: Termix
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45748
NVD References: https://github.com/Termix-SSH/Termix/security/advisories/GHSA-xmjh-8cc2-qm49
CVE-2026-45750 - Termix allows for shell command injection via the GET /ssh/file_manager/ssh/resolvePath endpoint prior to version 2.3.2.
Product: Termix
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45750
NVD References: https://github.com/Termix-SSH/Termix/security/advisories/GHSA-v26q-rpv5-9m72
CVE-2026-46389 - UDS Identity Config is vulnerable to a logic error in the `client-kubernetes-secret` Keycloak client authenticator, allowing an attacker to authenticate as a client with any `client_secret` value and obtain OAuth2 tokens scoped to the client's service account.
Product: UDS Identity Config
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-46389
NVD References: https://github.com/defenseunicorns/uds-identity-config/security/advisories/GHSA-8mg2-6588-r4hw
CVE-2026-45758 - Guardrails AI users who installed version 0.10.1 from PyPI on May 11, 2026 may be affected by a malicious package published by an attacker, prompting the need to upgrade to version 0.10.2 or downgrade to version 0.10.0 and rotate any accessible credentials as a precaution.
Product: Guardrails Ai
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45758
NVD References: https://github.com/guardrails-ai/guardrails/blob/main/SECURITY_ADVISORY.md
CVE-2026-11393 - AgentCore CLI before v0.14.2 allows authenticated remote threat actors to execute arbitrary code via crafted collaborationInstruction in Bedrock Agent collaborator, remediated by upgrading to version 0.14.2.
Product: AgentCore CLI
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-11393
NVD References: https://github.com/aws/agentcore-cli/security/advisories/GHSA-m4x6-gwgp-4pm7
CVE-2026-27671 - SAP NetWeaver and ABAP Platform are vulnerable to memory corruption due to improper RFC protocol validation, allowing unauthenticated attackers to exploit logical errors and impact the application's confidentiality, integrity, and availability.
Product: SAP NetWeaver ABAP Platform
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27671
CVE-2026-40128 - SAP NetWeaver Application Server Java allows unauthenticated attackers to manipulate file inclusion parameters via a malicious HTTP logon request, potentially giving them access to sensitive information or disrupting the local system.
Product: SAP NetWeaver Application Server Java
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40128
CVE-2026-44748 - SAP NetWeaver Application Server ABAP and ABAP Platform allow an attacker to send modified signed XML documents leading to unauthorized access to sensitive user data and disruption of normal system usage, posing a high impact on confidentiality, integrity, and availability.
Product: SAP NetWeaver Application Server ABAP
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-44748
CVE-2026-5067 - Zephyr's HTTP server WebSocket upgrade path is vulnerable to memory corruption from a crafted Sec-WebSocket-Key header.
Product: Zephyr HTTP server WebSocket
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-5067
NVD References: https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-wgr4-9pwq-94vj
CVE-2026-9698 - DBI versions before 1.648 for Perl have a vulnerability where error messages are saved in a limited-sized buffer, allowing attackers to trigger a buffer overflow.
Product: Perl DBI
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-9698
NVD References: https://www.openwall.com/lists/oss-security/2026/06/09/9
CVE-2026-45648 - Windows Active Directory Domain Services Remote Code Execution Vulnerability
Product: Microsoft Active Directory Domain Services
CVSS Score: 8.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45648
ISC Diary: https://isc.sans.edu/diary/33064
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45648
CVE-2026-47291 - HTTP.sys Remote Code Execution Vulnerability
Product: Microsoft Windows HTTP.sys
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-47291
ISC Diary: https://isc.sans.edu/diary/33064
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47291
CVE-2026-11165, CVE-2026-11634, CVE-2026-11638, CVE-2026-11651, CVE-2026-11654, CVE-2026-11659, CVE-2026-11671, CVE-2026-11697 - Multiple vulnerabilities in Google Chrome
Product: Google Chrome
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-11165 (use after free)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-11634 (use after free)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-11638 (use after free)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-11651 (use after free)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-11654 (use after free)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-11659 (improper input validation)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-11671 (use after free)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-11697 (improper input validation)
NVD References: https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html
The following CVEs do not require customer action:
CVE-2026-48567 - Azure HorizonDB Elevation of Privilege Vulnerability
Product: Microsoft Azure HorizonDB
CVSS Score: 10.0
NO CUSTOMER ACTION REQUIRED
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-48567
ISC Diary: https://isc.sans.edu/diary/33064
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48567
CVE-2026-48579 - Microsoft Exchange Online Information Disclosure Vulnerability
Product: Microsoft Exchange Online
CVSS Score: 9.1
NO CUSTOMER ACTION REQUIRED
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-48579
ISC Diary: https://isc.sans.edu/diary/33064
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48579
CVE-2026-45497 - Microsoft M365 Copilot Remote Code Execution Vulnerability
Product: Microsoft Copilot
CVSS Score: 7.7
NO CUSTOMER ACTION REQUIRED
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-45497
ISC Diary: https://isc.sans.edu/diary/33064
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45497
CVE-2026-42824 - M365 Copilot Information Disclosure Vulnerability
Product: Microsoft Copilot
CVSS Score: 6.5
NO CUSTOMER ACTION REQUIRED
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42824
ISC Diary: https://isc.sans.edu/diary/33064
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42824
CVE-2026-47644 - Copilot Chat (Microsoft Edge) Information Disclosure Vulnerability
Product: Microsoft Copilot Chat
CVSS Score: 6.
NO CUSTOMER ACTION REQUIRED
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-47644
ISC Diary: https://isc.sans.edu/diary/33064
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47644
CVE-2026-47655 - Microsoft Graph Information Disclosure Vulnerability
Product: Microsoft Graph
CVSS Score: 6.5
NO CUSTOMER ACTION REQUIRED
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-47655
ISC Diary: https://isc.sans.edu/diary/33064
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47655