Trending vulnerabilities

Trending 25 · Critical 6 · In KEV 6 · Peak EPSS 98% · Posts 183
#1 CVE-2026-48558 · CRITICAL · CVSS 10.0 · KEV
hype: ACTIVE HACK (hack score 89)

KEV-listed, in-the-wild malware deployment observed, multiple credible sources.

What: SimpleHelp ≤5.5.15 and the 6.0 pre-release contain an unauthenticated OIDC signature-bypass: an attacker forges identity tokens that the server accepts as genuinely signed and uses them to hijack technician sessions (CVSS 10.0, EPSS 0.49%).

Why it matters: KEV-listed 2026-06-29 with a 2 July remediation deadline. Threat-intel and social posts report in-the-wild exploitation that drops TaskWeaver C2 and Djinn Stealer. Because an RMM server pushes commands to every endpoint it manages, compromising it hands the attacker lateral movement and persistence across the whole fleet.

Where it's seen: Threat intel briefs, security news sites, and researcher posts citing active attacks with post-exploitation payloads. Multi-language coverage signals broad awareness and an active defender response.

score 12 · 37 posts
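The following is an added illustration, not SimpleHelp's code (the source material does not describe the concrete bypass): it shows the checks a relying party must perform on an OIDC ID token so that a forged token cannot pass, beside the bypassable shape of verifier that lets the token's own header decide whether a signature is needed. HS256 (HMAC) is used so the example runs offline; real providers sign with RS256/ES256 and the verifier fetches keys from the JWKS endpoint. The secret, issuer, audience and nonce values are constructed for the example.

```python
"""Added example: strict vs. bypassable OIDC ID-token verification (HS256 stand-in)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SHARED_SECRET = b"constructed-client-secret"   # hypothetical IdP/client secret
EXPECTED_ISS = "https://idp.example"           # hypothetical issuer
EXPECTED_AUD = "rmm-console"                   # hypothetical client_id


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, alg: str = "HS256", key: bytes = SHARED_SECRET) -> str:
    """Build a JWT. alg='none' yields the unsigned form an attacker would submit."""
    header = _b64u(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64u(json.dumps(claims, separators=(",", ":")).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64u(sig)}"


def weak_verify(token: str) -> Optional[dict]:
    """Bypassable shape: the token's own header decides how (and whether) the
    signature is checked, and no claim validation happens at all."""
    h, p, s = token.split(".")
    header = json.loads(_unb64u(h))
    if header.get("alg") == "none":           # attacker-chosen: no signature needed
        return json.loads(_unb64u(p))
    expected = hmac.new(SHARED_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if expected == _unb64u(s):                # plain == is not constant-time either
        return json.loads(_unb64u(p))
    return None


def strict_verify(token: str, expected_nonce: str, now: Optional[float] = None) -> Optional[dict]:
    """Pin the algorithm, verify the MAC in constant time, then validate the
    claims OIDC Core requires the relying party to check: iss, aud, exp, nonce."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_unb64u(h))
        claims = json.loads(_unb64u(p))
        sig = _unb64u(s)
    except (ValueError, json.JSONDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":          # the verifier, never the token, picks the algorithm
        return None
    expected = hmac.new(SHARED_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("iss") != EXPECTED_ISS:
        return None
    aud = claims.get("aud")
    if aud != EXPECTED_AUD and not (isinstance(aud, list) and EXPECTED_AUD in aud):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    if claims.get("nonce") != expected_nonce:  # binds the token to this login attempt
        return None
    return claims


if __name__ == "__main__":
    claims = {"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "tech-1",
              "exp": time.time() + 300, "nonce": "n1"}
    good = mint_token(claims)
    forged = mint_token(claims, alg="none")
    print("weak verifier accepts forged token:", weak_verify(forged) is not None)
    print("strict verifier accepts forged token:", strict_verify(forged, "n1") is not None)
    print("strict verifier accepts genuine token:", strict_verify(good, "n1") is not None)
```

The nonce check matters as much as the signature: without it a token captured from one login can be replayed into another session even when every signature check is correct.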
#2 CVE-2026-46817 · CRITICAL · CVSS 9.8
hype: LIKELY HACK (hack score 72)

Active exploitation credibly reported by threat intel; no KEV listing yet; patch issued; real defender triage signal but PoC not confirmed.

What: Unauthenticated remote code execution / takeover in Oracle E-Business Suite Payments (File Transmission component), versions 12.2.3–12.2.15. CVSS 9.8 CRITICAL, EPSS 0.34%.

Why it matters: Multiple threat intelligence sources report active exploitation in the wild. Oracle patched in May 2026; unpatched deployments remain vulnerable to complete compromise without authentication. Social chatter emphasizes in-the-wild attacks and low barrier to entry (no user interaction required).

Where it's seen: Security news sites (Bleeping Computer), threat intel vendors (Defused), security blogs, and international media amplifying "actively exploited" claims. No public PoC confirmed in posts, but consistent reporting of live attacks drives practitioner concern.

score 12 · 31 posts
#3 CVE-2026-33825 · HIGH · CVSS 7.8 · KEV
hype: ACTIVE HACK (hack score 92)

KEV-listed, confirmed ransomware exploitation, public PoC, vendor patched, CISA tracking.

What: Local privilege escalation in Microsoft Defender (CVSS 7.8) exploited in ransomware campaigns after zero-day use and public PoC release.

Why it matters: KEV-listed as of 22 April; confirmed in-the-wild exploitation by ransomware gangs post-patch; public PoC circulating; Microsoft patched 14 April after Huntress disclosure; CISA actively tracking operational abuse.

Where it's seen: Social chatter across the security community (Bluesky, threat-intel forums) documenting the escalation from zero-day to ransomware weaponization; the vendor advisory and KEV inclusion are driving urgent awareness; defender triage ongoing.

score 7 · 9 posts

Also trending

  1. #4 CVE-2026-55200 · score 7 · 10 posts
    hype: LIKELY HACK (hack score 72)

    What: Critical remote code execution flaw in libssh2 allowing a malicious SSH server to trigger memory corruption on connecting clients.

    Why it matters: Public PoC code is circulating on GitHub; social chatter highlights ubiquitous deployment in dev tools, backup agents, and appliances making inventory difficult. OSS Security and security researchers are actively discussing exploitation paths. No KEV listing yet, but high engagement and PoC availability suggest real weaponization risk.

    Where it's seen: GitHub PoC drops, OSS Security advisory amplification, practitioner concern about hidden libssh2 instances in supply chain tooling and embedded appliances. Meme-format discussion ("no way to prevent this") signals recognition of systemic exposure.

  2. #5 CVE-2024-38608 · MEDIUM · CVSS 5.5 · score 6 · 6 posts
    hype: MOSTLY HYPE (hack score 18)

    What: Linux kernel net/mlx5e (Mellanox) driver flaw affecting network interface handling; rated CVSS 5.5 (medium) in the summary line above, with little NVD metadata beyond the kernel fix commit.

    Why it matters: Social chatter focuses on perceived vendor silence and transparency gaps rather than exploitation evidence. No KEV listing, no confirmed PoC, no urgent patch signal—posts frame concern around communication failures and systemic disclosure issues, not active weaponization.

    Where it's seen: Bluesky discussions centered on Microsoft's response adequacy and vulnerability transparency, with repetitive framing of "band-aid" fixes and unclear impacts. No PoC drops, exploit chatter, or defender triage reports visible.

  3. #6 CVE-2024-49932 · MEDIUM · CVSS 5.5 · score 6 · 6 posts
    hype: MOSTLY HYPE (hack score 22)

    What: Linux kernel btrfs readahead path fails to handle ENOENT errors on RAID stripe tree relocation, causing kernel panic via invalid scatter-gather list submission (CVSS 5.5 Medium).

    Why it matters: Affects btrfs balance/relocation operations on systems using RAID stripe trees with preallocated extents. Not KEV-listed. No public PoC or in-the-wild exploitation reported. Fix merged into kernel mainline as a patch to skip readahead on RST; no urgent vendor patching signal. Local DoS risk only (crash during filesystem maintenance).

    Where it's seen: Social chatter is speculative—posts ask "where's the proof?" and claim "data manipulation" and "exposes data to attackers" without evidence. NVD description and kernel commit show a kernel-level assertion failure, not an attack vector. No defender triage activity or working exploit.

  4. #7 CVE-2024-49921 · MEDIUM · CVSS 5.5 · score 5 · 6 posts
    hype: MOSTLY HYPE (hack score 18)

    What: Null pointer dereference in AMD display driver (drm/amd/display) affecting Linux kernel; CVSS 5.5 (medium).

    Why it matters: Coverity static analysis identified 10 potential null pointer dereference paths in display clock manager code. No KEV listing, no public PoC, no in-the-wild exploitation reported. Kernel patch merged October 2024 resolves the issue prophylactically.

    Where it's seen: Social media posts (Bluesky) using formulaic, sensational titles ("Red Flags," "Serious Oversight," "Urgent Action") without technical detail or evidence of real-world impact. No defender activity, no vendor emergency patching signals noted.

  5. #8 CVE-2026-35273 · CRITICAL · CVSS 9.8 · KEV · EPSS 92% · score 5 · 6 posts
    hype: ACTIVE HACK (hack score 92)

    What: Unauthenticated remote code execution in Oracle PeopleSoft Enterprise PeopleTools 8.61/8.62 via HTTP (CVSS 9.8 CRITICAL). Affects environment management component.

    Why it matters: KEV-listed as of 2026-06-12. ShinyHunters/UNC6240 exploited as zero-day May 27–June 9, breaching 100+ organizations including universities. No patch available yet—only mitigations. 40GB data theft and extortion campaign confirmed. Oracle issued out-of-band security alert June 10.

    Where it's seen: High-volume social chatter referencing Mandiant attribution, threat intel briefs, and university breach alerts. IOCs and tactical details circulating. News aggregators and security researcher posts dominant signal.

  6. #9 CVE-2026-55956 · score 5 · 6 posts
    hype: MOSTLY HYPE (hack score 28)

    What: Improper Authorization in Apache Tomcat (versions 7.0–11.0) where security constraints on the default servlet fail to enforce HTTP method restrictions, allowing unauthorized access to protected resources.

    Why it matters: Published 29 June 2026, this is a fresh authorization bypass affecting widely-deployed Tomcat versions. Not yet KEV-listed and no CVSS assigned. Social chatter is largely advisory republication and translation; no public PoC or confirmed in-the-wild exploitation reported. Apache has issued patches (11.0.23, 10.1.56, 9.0.119).

    Where it's seen: Multilingual posts on Bluesky summarizing the vulnerability and linking to security advisories; coverage includes bundled CVEs. Typical early-disclosure pattern—defenders triaging patch eligibility, no weaponization signals.

  7. #10 CVE-2026-43503 · score 5 · 5 posts
    hype: MIXED (hack score 42)

    What: Linux kernel frag-transfer helpers fail to propagate SKBFL_SHARED_FRAG flag when moving packet fragments, allowing unprivileged users to write into page-cache-backed memory via ESP input or netfilter dup rules. CVSS not assigned; EPSS 0.0013 (very low baseline).

    Why it matters: Kernel patch merged; Tails emergency release (7.8.1) and Debian kernel update deployed within weeks of disclosure. Social chatter brands it "DirtyClone" and claims root LPE, but no CVE advisory confirms active exploitation. KEV not listed. Real fix addresses memory corruption path, but low EPSS and absence of public PoC or in-the-wild reports suggest limited weaponization so far.

    Where it's seen: Vendor patch advisories (Debian, Tails), cybersecurity blogs republishing with sensational "root access" framing, Bluesky/Twitter aggregating CVE lists. No researcher PoC posts or defender triage questions observed.

  8. #11 CVE-2026-55955 · score 5 · 6 posts
    hype: MOSTLY HYPE (hack score 28)

    What: Improper Authentication vulnerability in Apache Tomcat EncryptionInterceptor allows replay attacks in cluster deployments across versions 7.0.100–11.0.22 (CVSS/EPSS not yet assigned).

    Why it matters: Published 29 Jun 2026; Apache has released patches (11.0.23, 10.1.56, 9.0.119). No KEV listing, no public PoC, no in-the-wild exploitation reports yet. Social chatter is primarily vendor advisory summaries and vulnerability notice aggregation—early-stage awareness rather than active exploitation signal.

    Where it's seen: Security bulletin feeds, multilingual vulnerability aggregators, Apache mailing list cross-posts, and patch management tracking sites. No researcher PoC, no defender triage requests, no scanning reports.

  9. #12 CVE-2026-53434 · score 5 · 6 posts
    hype: MOSTLY HYPE (hack score 18)

    What: Apache Tomcat CRL configuration error-handling flaw in FFM-based connectors (11.0.0–11.0.22, 10.1.0–10.1.55, 9.0.83–9.0.118) allowing invalid CRL configs to pass silently without triggering failure.

    Why it matters: Vendor issued patched releases the same day (11.0.23, 10.1.56, 9.0.119); no CVSS/EPSS assigned yet, no KEV listing, no public PoC reported. Social chatter is purely advisory rebroadcasting. Risk is moderate: an invalid CRL configuration would silently leave revocation checking weaker than the operator believes, but a target must already be misconfigured for this to matter.

    Where it's seen: Automated CVE notification feeds, vendor security advisories, and multilingual security blogs (Russian, Japanese) republishing the Apache advisory. No defender triage questions, no working exploit demos.

  10. #13 CVE-2026-55276 · score 5 · 6 posts
    hype: PURE HYPE (hack score 12)

    What: Always-Incorrect Control Flow Implementation in Apache Tomcat 8.5–11.0 where special roles and empty authorization constraints are omitted from logged effective web.xml, potentially obscuring security configuration.

    Why it matters: Published June 29, 2026; not KEV-listed and no CVSS/EPSS assigned yet. Vendor patches available (11.0.23, 10.1.56, 9.0.119). Social chatter is recycled CVE enumeration across multiple language channels; no PoC, no in-the-wild exploitation reports, no defender triage signals.

    Where it's seen: Multilingual Bluesky posts listing CVE alongside other Tomcat flaws; vendor advisory amplification; no technical deep-dives or exploitation discussion.

  11. #14 CVE-2026-50229 · score 4 · 5 posts
    hype: MOSTLY HYPE (hack score 18)

    What: Improper Neutralization of Script-Related HTML Tags (Basic XSS) in Apache Tomcat's number guess example application, affecting versions 7.0.0–11.0.22 across multiple branches. No CVSS/EPSS assigned.

    Why it matters: XSS in a bundled example application is low impact unless the examples webapp has been deployed to production; core Tomcat is not affected. No KEV listing, no PoC evidence, no widespread exploitation signal. Vendor advisory issued the same day as disclosure with patches available.

    Where it's seen: Routine vendor advisory amplification on social media (Bluesky, security feeds); basic announcement recycling. No defender triage urgency, no PoC drops, no real-world deployment concern reported.

  12. #15 CVE-2026-53404 · score 4 · 5 posts
    hype: MOSTLY HYPE (hack score 28)

    What: Always-Incorrect Control Flow Implementation in Apache Tomcat's rewrite valve (versions 8.5–11.0) allowing OR-chain condition bypass, affecting routing/access control logic.

    Why it matters: Published 29 June 2026; not KEV-listed; no CVSS/EPSS assigned yet; no public PoC or in-the-wild exploitation reported. Apache advisory recommends upgrade to patched versions (11.0.23, 10.1.56, 9.0.119). Social chatter is primarily multilingual vulnerability list aggregation and security vendor blogs—no defender triage signals or confirmed attacks.

    Where it's seen: Bluesky posts linking CVE lists; security vendor advisories; no PoC repositories or exploitation reports visible.

  13. #16 CVE-2026-20253 · CRITICAL · CVSS 9.8 · KEV · EPSS 88% · score 4 · 3 posts
    hype: ACTIVE HACK (hack score 88)

    What: Unauthenticated file creation/truncation in Splunk Enterprise and Splunk Cloud Platform via an unprotected PostgreSQL sidecar endpoint; CVSS 9.8 CRITICAL.

    Why it matters: KEV-listed as of 18 June; Splunk confirmed limited in-the-wild exploitation; CISA set a federal remediation deadline of 21 June. No credentials are needed to trigger it, and a compromised SIEM can silence the downstream alerts defenders depend on, which makes this operationally severe.

    Where it's seen: Mainstream security news, CTI call-outs, and urgent vendor patching directives. Posts emphasize KEV listing, tight deadline, and active exploitation confirmation from Splunk PSIRT.

  14. #17 CVE-2026-55957 · score 4 · 5 posts
    hype: MIXED (hack score 42)

    What: Missing authentication step in Apache Tomcat JNDIRealm with GSSAPI allows password bypass; affects versions 7.0.0–11.0.4 across multiple release lines.

    Why it matters: Published 29 June 2026; the advisory lists fixed releases 11.0.5, 10.1.37 and 9.0.101, so only installs still on the 7.0.0–11.0.4 ranges are exposed. An authentication bypass is high severity on its face, but no CVSS/EPSS has been assigned yet and it is not KEV-listed. Social chatter is predominantly automated feed rebroadcasts and security news aggregators, not defender reports or PoC activity.

    Where it's seen: Bluesky CVE notification bots and security blog auto-posts; Russian language summaries; Apache mailing list thread referenced. No independent researcher PoC, no in-the-wild exploitation chatter.

  15. #18 CVE-2026-33017 · CRITICAL · CVSS 9.8 · KEV · EPSS 98% · score 4 · 3 posts
    hype: LIKELY HACK (hack score 82)

    What: Langflow unauthenticated remote code execution (CVE-2026-33017, CVSS 9.8) in the POST /api/v1/build_public_tmp endpoint—accepts attacker-supplied Python code executed without sandboxing in versions prior to 1.9.0.

    Why it matters: KEV-listed as of 25 March 2026; confirmed in-the-wild exploitation documented by Sysdig TRT and Trend Micro, including Monero cryptominer deployment and AWS credential theft via KeyHunter botnet using NATS-as-C2. Vendor patched (1.9.0 released).

    Where it's seen: Security research reports (Sysdig, Trend Micro, gbhackers) detailing active campaigns; multiple threat-intel posts citing IOCs and C2 infrastructure; social chatter mixing legitimate threat reports with marketing-inflected "AI gateway" framing.

  16. #19 CVE-2026-13758 · score 3 · 4 posts
    hype: MIXED (hack score 38)

    What: CryptX Perl library versions before 0.088_001 perform non-constant-time comparison of AEAD authentication tags in streaming decrypt_done(), enabling timing-based tag forgery across GCM, CCM, ChaCha20Poly1305, EAX, and OCB modes.

    Why it matters: Published June 29, 2026; timing oracle allows attackers to recover authentication tags byte-by-byte and forge authenticated messages. Not KEV-listed; no public PoC or vendor advisories detected yet in supplied metadata. Early-stage disclosure.

    Where it's seen: Bluesky posts republishing NVD description verbatim; predominantly Russian-language crypto security blogs amplifying the advisory. No defender questions, no PoC drops, no urgent patching signals yet.
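    Added example, not CryptX's code: why a non-constant-time tag comparison in a decrypt_done()-style call is a forgery oracle. A keyed MAC over the ciphertext stands in for the AEAD tag (GCM, CCM, EAX, OCB and ChaCha20-Poly1305 tags are all keyed MACs over ciphertext and associated data), and the number of bytes the comparator examines before bailing out models the timing an attacker would measure. The key and ciphertext are constructed; the DecryptOracle class and forge_tag routine are illustrative names, not CryptX's API.

```python
"""Added example: byte-by-byte AEAD tag forgery against an early-exit comparison."""
import hashlib
import hmac
from typing import Callable, Optional, Tuple

TAG_LEN = 16
Comparator = Callable[[bytes, bytes], Tuple[bool, int]]


def leaky_tag_equal(expected: bytes, got: bytes) -> Tuple[bool, int]:
    """Early-exit comparison (the vulnerable shape). Returns (equal, bytes examined);
    the second value is what an attacker observes as elapsed time."""
    examined = 0
    for a, b in zip(expected, got):
        examined += 1
        if a != b:
            return False, examined
    return len(expected) == len(got), examined


def constant_time_tag_equal(expected: bytes, got: bytes) -> Tuple[bool, int]:
    """The fix: hmac.compare_digest always walks the full length, so the
    observable cost does not depend on where the first mismatch sits."""
    return hmac.compare_digest(expected, got), len(expected)


class DecryptOracle:
    """Stands in for a streaming AEAD object whose decrypt_done(tag) reports
    whether the caller-supplied tag matched the one computed over the ciphertext."""

    def __init__(self, key: bytes, compare: Comparator):
        self.key = key
        self.compare = compare

    def tag_for(self, ciphertext: bytes) -> bytes:
        return hmac.new(self.key, ciphertext, hashlib.sha256).digest()[:TAG_LEN]

    def decrypt_done(self, ciphertext: bytes, tag: bytes) -> Tuple[bool, int]:
        return self.compare(self.tag_for(ciphertext), tag)


def forge_tag(oracle: DecryptOracle, ciphertext: bytes) -> Optional[bytes]:
    """Recover the tag one byte at a time: at position i, the guess that makes the
    comparator examine more bytes than every other guess is the correct byte.
    Returns None when no candidate stands out, i.e. the comparator does not leak."""
    guess = bytearray(TAG_LEN)
    for i in range(TAG_LEN):
        timings = []
        for b in range(256):
            guess[i] = b
            ok, examined = oracle.decrypt_done(ciphertext, bytes(guess))
            if ok:
                return bytes(guess)          # full tag accepted: forgery complete
            timings.append((examined, b))
        slowest, best = max(timings)
        if sum(1 for t, _ in timings if t == slowest) != 1:
            return None                      # every guess costs the same: no oracle
        guess[i] = best
    return None


if __name__ == "__main__":
    key = b"\x11" * 32                       # constructed key
    ct = b"constructed ciphertext bytes"     # constructed ciphertext
    leaky = DecryptOracle(key, leaky_tag_equal)
    fixed = DecryptOracle(key, constant_time_tag_equal)
    print("forged against early-exit compare:", forge_tag(leaky, ct) == leaky.tag_for(ct))
    print("forged against constant-time compare:", forge_tag(fixed, ct))
```

    The attack needs at most 256 queries per tag byte (4,096 for a 16-byte tag) against the leaky comparator and never succeeds against the constant-time one. Real timing differences per byte are nanoseconds, so a network attacker needs many repeated measurements per guess, but the structure of the attack is exactly this loop.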

  17. #20 CVE-2026-12569 · KEV · score 3 · 3 posts
    hype: ACTIVE HACK (hack score 88)

    What: Remote code execution in PTC Windchill PDMlink and FlexPLM via improper input validation; unauthenticated network-accessible vulnerability (CVSS 9.3, EPSS 0.5%).

    Why it matters: KEV-listed 2026-06-25 with confirmed active exploitation in the wild. CISA formally added to known exploited catalog based on evidence of real-world abuse. No patch available yet; vendors issuing urgent restriction guidance.

    Where it's seen: Multiple security feeds (OffSeq, CVESentinel, HackerNews) citing CISA catalog addition and active exploitation. Defender chatter focuses on network segmentation and vendor update tracking. One post claims web shells observed on login pages.

  18. #21 CVE-2026-12114 · MEDIUM · CVSS 4.4 · score 3 · 3 posts
    hype: PURE HYPE (hack score 12)

    What: Stored XSS in Team Members WordPress plugin (versions ≤8.7) via admin settings; requires authenticated admin access on multisite or unfiltered_html-disabled installs. CVSS 4.4 (medium).

    Why it matters: Published same day; no KEV listing, no public PoC confirmed, no vendor advisory signal yet. Requires admin-level permissions—lowers real-world risk substantially. Chatter is primarily feed-flooding and automated CVE tracking, not defender triage or exploitation reports.

    Where it's seen: Bluesky posts recycling NVD data and risk aggregator summaries; no working exploit, no vendor response, no WordPress security team advisory visible yet.

  19. #22 CVE-2026-8037 · CRITICAL · CVSS 9.6 · score 3 · 3 posts
    hype: LIKELY HACK (hack score 72)

    What: OS command injection in Progress Kemp LoadMaster API allows unauthenticated remote code execution as root via unsanitized input (CVSS 9.6 CRITICAL).

    Why it matters: WatchTowr Labs published detailed technical analysis with working PoC ("Enterprise Tech In, Shell Out"); vendor patch available; affects critical load-balancer infrastructure; pre-auth exploitation requires no credentials.

    Where it's seen: Technical research labs (WatchTowr), infosec news aggregation (The Hacker News), multilingual security blogs, and social amplification of the advisory. No KEV listing yet but high engagement suggests rapid discovery phase.

  20. #23 CVE-2026-12243 · HIGH · CVSS 7.5 · score 3 · 3 posts
    hype: MIXED (hack score 52)

    What: NLTK 3.9.4 path traversal via percent-encoded sequences (..%2f) in nltk.data.load/find, bypassing incomplete regex validation; CVSS 7.5 HIGH.

    Why it matters: Published today with a working exploitation mechanism documented: the regex check looks at the still-encoded path, so "..%2f" passes and is only decoded to "../" afterwards. Affects NLP web apps, Jupyter notebooks, and CLI tools that load user-controlled resource names. Not yet KEV-listed, but CVSS 7.5 and a clear attack vector (arbitrary file read) warrant immediate triage; the default pathsec.ENFORCE=False setting increases risk.

    Where it's seen: Same-day social amplification on Bluesky (eng-language and Russian posts), threat radar alerting, descriptions rehashing NVD details and mitigation advice.

  21. #24 CVE-2026-8023 · HIGH · CVSS 7.5 · score 3 · 3 posts
    hype: LIKELY HACK (hack score 68)

    What: Path traversal in Zephyr RTOS HTTP server static-filesystem handler (CVE-2026-8023, CVSS 7.5) allows unauthenticated remote arbitrary file read via unresolved ../ segments in request URLs; affects versions 4.0.0–4.4.0 with CONFIG_FILE_SYSTEM enabled.

    Why it matters: Published 29 June 2026; no KEV listing yet but NVD description confirms working vulnerability (missing canonicalization in http_server_remove_dot_segments() code path), confirmed patch available. Zephyr IoT/embedded deployments exposed without authentication required.

    Where it's seen: Real-time Bluesky chatter from security engineers (same day publication), threat radar indexing, vendor advisory circulation beginning. No public PoC exploit code yet in snippets.
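    Added example covering both path-traversal items above, the NLTK percent-encoding bypass (CVE-2026-12243) and the Zephyr unresolved "../" segments (CVE-2026-8023): an incomplete regex check on the raw request path beside a resolver that decodes first, removes dot segments per RFC 3986, and then refuses anything that would climb above the served root. This is illustrative code, not NLTK's pathsec module or Zephyr's http_server_remove_dot_segments(); the root directory and request paths are constructed.

```python
"""Added example: naive pre-decode check vs. decode-then-normalize-then-contain."""
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

DOTDOT_RE = re.compile(r"(^|/)\.\.(/|$)")


def naive_is_safe(raw_path: str) -> bool:
    """Regex on the still-encoded path: '../' is caught, '..%2f' is not, and the
    decode that happens later turns the latter into exactly what was rejected."""
    return DOTDOT_RE.search(raw_path) is None


def resolve_static_path(raw_path: str, root: str) -> Optional[str]:
    """Return the filesystem path a request may read, or None to reject it.

    Order matters: decode first (validate the form the filesystem will see),
    then remove '.' and '..' segments, then check containment. A '..' that
    would pop past the root is rejected rather than silently clamped, so the
    attempt is visible in logs instead of turning into a 404."""
    path = raw_path.split("?", 1)[0].split("#", 1)[0]   # drop query and fragment
    path = unquote(path)                                 # '..%2f' -> '../' before any check
    if "\x00" in path or "\\" in path:                   # NUL truncation, backslash separators
        return None
    segments = []
    for seg in path.split("/"):
        if seg == "..":
            if not segments:
                return None                              # would climb above root
            segments.pop()
        elif seg not in ("", "."):                       # collapse '//' and './'
            segments.append(seg)
    return posixpath.join(root, *segments) if segments else root


if __name__ == "__main__":
    ROOT = "/srv/www"                                    # constructed document root
    for req in ("static/../index.html", "..%2f..%2fetc/passwd", "../etc/passwd", "img%00.png"):
        print(f"{req!r:28} naive_is_safe={naive_is_safe(req)!s:5} "
              f"resolved={resolve_static_path(req, ROOT)}")
```

    The naive check returns True for "..%2f..%2fetc/passwd" while the resolver rejects it; for a server that must stay RFC 3986 compliant and serve whatever the normalized path names, replace the `return None` on a root-level ".." with a no-op, but keep the decode-before-check ordering.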

  22. #25 CVE-2026-7656 · HIGH · CVSS 8.1 · score 3 · 3 posts
    hype: MIXED (hack score 52)

    What: Logic error in Zephyr OS IPv6 Neighbor Discovery handlers (subsys/net/ip/ipv6_nbr.c) allows attackers to inject forged RA/NS/NA messages by bypassing validation checks; affects v1.14.0 through <v4.5.0. CVSS 8.1 HIGH.

    Why it matters: Operator precedence bug silently disables mandatory Hop Limit == 255 check and RFC 4861 validation, enabling on-link attackers (and potentially remote via Hop-Limit bypass) to perform MITM, traffic redirection, DNS injection, neighbor-cache poisoning, and DoS. Not a memory-safety issue but critical authentication weakness in embedded IoT/networking devices.

    Where it's seen: Zephyr security advisories, technical threat intelligence feeds, and international security blogs discussing the flaw. No public PoC yet; early disclosure phase (CVE published 2026-06-29).
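    Added example, not Zephyr's ipv6_nbr.c (the exact expression is not in the source material): a hypothetical reconstruction of the bug class described above, in which a mis-grouped boolean condition lets a Router Advertisement with the wrong Hop Limit through, beside the RFC 4861 section 6.1.2 validation written so that every requirement is conjunctive. The packet structure, field names and sample packets are constructed for the example.

```python
"""Added example: precedence bug in ND validation vs. the explicit RFC 4861 checks."""
from dataclasses import dataclass

ND_ROUTER_ADVERT = 134   # ICMPv6 type for Router Advertisement
MIN_RA_LEN = 16          # RFC 4861 section 4.2: RA body before options


@dataclass
class ICMPv6Packet:
    """Constructed stand-in for the fields the validator needs."""
    hop_limit: int         # IPv6 Hop Limit; must be 255 (packet never crossed a router)
    icmp_type: int
    icmp_code: int         # must be 0
    length: int            # ICMPv6 length in bytes
    src_is_link_local: bool  # RA source must be fe80::/10


def ra_is_valid_buggy(pkt: ICMPv6Packet) -> bool:
    """Hypothetical bug-class reconstruction: 'and' binds tighter than 'or', so this
    reads as (type and hop_limit and code) OR (length and link-local). A packet
    that satisfies only the second group is accepted, and the Hop Limit 255
    requirement silently stops being mandatory."""
    return (pkt.icmp_type == ND_ROUTER_ADVERT
            and pkt.hop_limit == 255
            and pkt.icmp_code == 0
            or pkt.length >= MIN_RA_LEN
            and pkt.src_is_link_local)


def ra_is_valid(pkt: ICMPv6Packet) -> bool:
    """RFC 4861 section 6.1.2 message validation: every condition is required."""
    return (pkt.icmp_type == ND_ROUTER_ADVERT
            and pkt.hop_limit == 255
            and pkt.icmp_code == 0
            and pkt.length >= MIN_RA_LEN
            and pkt.src_is_link_local)


if __name__ == "__main__":
    legit = ICMPv6Packet(hop_limit=255, icmp_type=134, icmp_code=0, length=16, src_is_link_local=True)
    routed = ICMPv6Packet(hop_limit=64, icmp_type=134, icmp_code=0, length=16, src_is_link_local=True)
    for name, pkt in (("on-link RA", legit), ("RA that crossed a router", routed)):
        print(f"{name:26} buggy={ra_is_valid_buggy(pkt)!s:5} fixed={ra_is_valid(pkt)}")
```

    Hop Limit 255 is the only evidence a host has that an RA originated on the link; once that check is optional, a forged RA from beyond the first hop can install a rogue default router or poison the neighbor cache, which is the MITM and redirection exposure described in the item.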