Trending vulnerabilities

Trending 25 · Critical 7 · In KEV 10 · Peak EPSS 98% · Posts 642
#1 CVE-2026-46817
CRITICAL · 9.8
hype LIKELY HACK · 72 hack

Active exploitation credibly reported by threat intel; no KEV listing yet; patch issued; real defender triage signal but PoC not confirmed.

What: Unauthenticated remote code execution / takeover in Oracle E-Business Suite Payments (File Transmission component), versions 12.2.3–12.2.15. CVSS 9.8 CRITICAL, EPSS 0.34%.

Why it matters: Multiple threat intelligence sources report active exploitation in the wild. Oracle patched in May 2026; unpatched deployments remain vulnerable to complete compromise without authentication. Social chatter emphasizes in-the-wild attacks and low barrier to entry (no user interaction required).

Where it's seen: Security news sites (Bleeping Computer), threat intel vendors (Defused), security blogs, and international media amplifying "actively exploited" claims. No public PoC confirmed in posts, but consistent reporting of live attacks drives practitioner concern.

score 29 · 43 posts
#2 CVE-2026-48558
CRITICAL · 10.0 KEV
hype ACTIVE HACK · 89 hack

KEV-listed, in-the-wild malware deployment observed, multiple credible sources.

What: SimpleHelp ≤5.5.15 and 6.0 pre-release contain unauthenticated OIDC signature-bypass; attackers forge identity tokens to hijack technician sessions (CVSS 10.0, EPSS 0.49%).

Why it matters: KEV-listed 2026-06-29 with July 2 deadline. Social chatter confirms in-the-wild exploitation deploying TaskWeaver C2 and Djinn Stealer malware. RMM tool compromise enables lateral movement and persistence across managed endpoints.

Where it's seen: Threat intel briefs, security news sites, and researcher posts citing active attacks with post-exploitation payloads. Multiple language coverage signals broad awareness and active defender response.

score 27 · 46 posts
#3 CVE-2026-55200
hype LIKELY HACK · 72 hack

Public PoC confirmed; active discussion; lacks KEV/vendor urgency signals needed for full HACK.

What: Critical remote code execution flaw in libssh2 allowing a malicious SSH server to trigger memory corruption on connecting clients.

Why it matters: Public PoC code is circulating on GitHub; social chatter highlights ubiquitous deployment in dev tools, backup agents, and appliances making inventory difficult. OSS Security and security researchers are actively discussing exploitation paths. No KEV listing yet, but high engagement and PoC availability suggest real weaponization risk.

Where it's seen: GitHub PoC drops, OSS Security advisory amplification, practitioner concern about hidden libssh2 instances in supply chain tooling and embedded appliances. Meme-format discussion ("no way to prevent this") signals recognition of systemic exposure.

score 20 · 47 posts

Also trending

  4. CVE-2026-20245 HIGH · 7.8 KEV · score 19 · 91 posts
    hype ACTIVE HACK · 88 hack

    What: Command injection in Cisco Catalyst SD-WAN Manager CLI via crafted file upload allows authenticated local attackers to execute arbitrary commands and escalate to root (CVSS 7.8, EPSS 0.09922).

    Why it matters: KEV-listed as of June 9. Mandiant confirmed in-the-wild exploitation beginning ~March 2026 (two months pre-disclosure). Attackers escalated from admin SSH to root via malicious CSV upload, pushed config changes to edge devices, and erased tracks. Cisco released patch May 14; CISA patch deadline already passed as of post dates.

    Where it's seen: Mandiant threat intelligence reports, DFIR analyst posts, security news aggregators emphasizing "zero-day exploited for months." Defender chatter confirms triage activity on internet-reachable SD-WAN controllers.

  5. CVE-2026-20230 HIGH · 8.6 KEV · score 19 · 99 posts
    hype LIKELY HACK · 82 hack

    What: Unauthenticated server-side request forgery (SSRF) in Cisco Unified Communications Manager WebDialer enabling file write and privilege escalation to root; CVSS 8.6, EPSS 97th percentile.

    Why it matters: Active in-the-wild exploitation confirmed by honeypot telemetry showing full-chain RCE and webshell deployment; public exploit code available; Cisco issued Critical SIR advisory and released patches (14SU6, 15SU5); high EPSS score reflects rapid weaponization post-disclosure. WebDialer disabled by default but widely enabled in production.

    Where it's seen: Security news outlets, threat intel feeds, and defender communities reporting automated attack sweeps via Tor; researchers documenting same-day weaponization; international advisories (Portugal flagged); practitioners debating EPSS vs. CVSS relevance for triage.

  6. CVE-2026-43503 score 17 · 33 posts
    hype MIXED · 42 hack

    What: Linux kernel frag-transfer helpers fail to propagate SKBFL_SHARED_FRAG flag when moving packet fragments, allowing unprivileged users to write into page-cache-backed memory via ESP input or netfilter dup rules. CVSS not assigned; EPSS 0.0013 (very low baseline).

    Why it matters: Kernel patch merged; Tails emergency release (7.8.1) and Debian kernel update deployed within weeks of disclosure. Social chatter brands it "DirtyClone" and claims root LPE, but no CVE advisory confirms active exploitation. KEV not listed. Real fix addresses memory corruption path, but low EPSS and absence of public PoC or in-the-wild reports suggest limited weaponization so far.

    Where it's seen: Vendor patch advisories (Debian, Tails), cybersecurity blogs republishing with sensational "root access" framing, Bluesky/Twitter aggregating CVE lists. No researcher PoC posts or defender triage questions observed.

  7. CVE-2026-46331 score 14 · 38 posts
    hype MIXED · 42 hack

    What: Linux kernel net/sched pedit (packet editing) Copy-on-Write logic flaw allows local privilege escalation via page cache corruption (CVE-2026-46331, EPSS 0.29%).

    Why it matters: Social chatter claims public PoC and root exploitation; however, CVE is not KEV-listed, CVSS unassigned, and EPSS extremely low (0.20 percentile). Patch merged upstream early June 2026. No vendor advisories or defender triage signals detected—mostly blog/news amplification using dramatic language ("one-click root," "critical"). Actual risk appears overstated in sensational coverage.

    Where it's seen: Tech news outlets and security bloggers republishing the kernel commit with inflated threat claims; platform engineers (Replit) noting their minimal kernel is unaffected; kernel developers discussing the late-May upstream fix.

  8. CVE-2026-35273 CRITICAL · 9.8 KEV · EPSS 92% · score 14 · 19 posts
    hype ACTIVE HACK · 92 hack

    What: Unauthenticated remote code execution in Oracle PeopleSoft Enterprise PeopleTools 8.61/8.62 via HTTP (CVSS 9.8 CRITICAL). Affects environment management component.

    Why it matters: KEV-listed as of 2026-06-12. ShinyHunters/UNC6240 exploited as zero-day May 27–June 9, breaching 100+ organizations including universities. No patch available yet—only mitigations. 40GB data theft and extortion campaign confirmed. Oracle issued out-of-band security alert June 10.

    Where it's seen: High-volume social chatter referencing Mandiant attribution, threat intel briefs, and university breach alerts. IOCs and tactical details circulating. News aggregators and security researcher posts dominant signal.

  9. CVE-2026-12569 KEV · score 11 · 25 posts
    hype ACTIVE HACK · 88 hack

    What: Remote code execution in PTC Windchill PDMlink and FlexPLM via improper input validation; unauthenticated network-accessible vulnerability (CVSS 9.3, EPSS 0.5%).

    Why it matters: KEV-listed 2026-06-25 with confirmed active exploitation in the wild. CISA formally added to known exploited catalog based on evidence of real-world abuse. No patch available yet; vendors issuing urgent restriction guidance.

    Where it's seen: Multiple security feeds (OffSeq, CVESentinel, HackerNews) citing CISA catalog addition and active exploitation. Defender chatter focuses on network segmentation and vendor update tracking. One post claims web shells observed on login pages.

  10. CVE-2026-20253 CRITICAL · 9.8 KEV · EPSS 88% · score 11 · 19 posts
    hype ACTIVE HACK · 88 hack

    What: Unauthenticated file creation/truncation in Splunk Enterprise and Cloud Platform via unprotected PostgreSQL sidecar endpoint. CVSS 9.8 CRITICAL, EPSS 0.017.

    Why it matters: KEV-listed as of 18 June; Splunk confirmed limited in-the-wild exploitation; CISA mandated federal agencies patch by 21 June (tomorrow). No credential required to trigger; compromised SIEM silences downstream alerts, making this operationally catastrophic for defenders.

    Where it's seen: Mainstream security news, CTI call-outs, and urgent vendor patching directives. Posts emphasize KEV listing, tight deadline, and active exploitation confirmation from Splunk PSIRT.

  11. CVE-2026-33825 HIGH · 7.8 KEV · score 10 · 9 posts
    hype ACTIVE HACK · 92 hack

    What: Local privilege escalation in Microsoft Defender (CVSS 7.8) exploited in ransomware campaigns after zero-day use and public PoC release.

    Why it matters: KEV-listed as of 22 April; confirmed in-the-wild exploitation by ransomware gangs post-patch; public PoC circulating; Microsoft patched 14 April after Huntress disclosure; CISA actively tracking operational abuse.

    Where it's seen: Coordinated social chatter across security community (Bluesky, threat intel forums) documenting escalation from zero-day to ransomware weaponization; vendor advisory and KEV inclusion driving urgent awareness; defender triage ongoing.

  12. CVE-2026-8461 HIGH · 8.8 · score 10 · 27 posts
    hype LIKELY HACK · 72 hack

    What: Out-of-bounds write in FFmpeg's MagicYUV decoder (libavcodec) enabling DoS and remote code execution via malicious media files; affects FFmpeg before 8.1.2 (CVSS 8.8).

    Why it matters: FFmpeg 8.1.2 patched June 17; widespread downstream impact (Jellyfin, Kodi, OBS, Nextcloud, Emby). Social chatter highlights zero-click RCE on home servers from 50KB video files. Not KEV-listed yet, but defender triage is active (Ubuntu still working on patches). Credible threat signal from JFrog/BleepingComputer coverage and sysadmin urgency.

    Where it's seen: Tech media coverage, sysadmin forums flagging Ubuntu patch lag, multilingual security blogs emphasizing ecosystem reach. Memory-safety meme posts recycling the disclosure.

  13. CVE-2025-67038 CRITICAL · 9.8 KEV · score 10 · 28 posts
    hype ACTIVE HACK · 92 hack

    What: Lantronix EDS5000 2.1.0.0R3 HTTP RPC module executes unsanitized OS commands from the username parameter during failed authentication, allowing unauthenticated command injection as root (CVSS 9.8).

    Why it matters: KEV-listed as of 2026-06-23 with confirmed active exploitation. CISA has issued urgent patching directive with federal agency deadline of 2026-06-26. Serial-to-IP converters are critical OT/ICS infrastructure; compromised devices enable lateral movement and network takeover.

    Where it's seen: Coordinated alerts across Bluesky and X from CISA, threat intelligence platforms (ZoomEye, TRC), and vulnerability tracking services. Posts emphasize imminent deadline and root-level access implications. No public PoC posted yet, but active exploitation reported.

  14. CVE-2026-8037 CRITICAL · 9.6 · score 8 · 9 posts
    hype LIKELY HACK · 72 hack

    What: OS command injection in Progress Kemp LoadMaster API allows unauthenticated remote code execution as root via unsanitized input (CVSS 9.6 CRITICAL).

    Why it matters: watchTowr Labs published detailed technical analysis with working PoC ("Enterprise Tech In, Shell Out"); vendor patch available; affects critical load-balancer infrastructure; pre-auth exploitation requires no credentials.

    Where it's seen: Technical research labs (watchTowr), infosec news aggregation (The Hacker News), multilingual security blogs, and social amplification of the advisory. No KEV listing yet, but high engagement suggests a rapid discovery phase.

  15. CVE-2026-47729 score 8 · 20 posts
    hype MIXED · 48 hack

    What: Squidbleed — a 29-year-old heap overread in Squid Proxy default configuration that leaks HTTP Authorization headers and session credentials across shared-network users (CVSS/EPSS unknown; NVD not yet enriched).

    Why it matters: Social chatter emphasizes Heartbleed-style memory disclosure affecting all Squid versions by default. Posts reference a PoC and research project, but no KEV listing, vendor advisory, or confirmed in-the-wild exploitation yet. Metadata gap (NVD enrichment pending) prevents validation of scope and severity claims.

    Where it's seen: Twitter and Bluesky amplifying a single research narrative (Squidbleed project); posts repeat identical phrasing suggesting coordinated or syndicated coverage. One security news outlet aggregating; low absolute engagement (top post ~10 interactions). No defender triage signals, no patch guidance.

  16. CVE-2026-8451 score 8 · 5 posts
    hype LIKELY HACK · 68 hack

    What: Insufficient input validation in Citrix NetScaler ADC and Gateway when configured as SAML IDP, causing memory overread in pre-authentication contexts (CVE-2026-8451).

    Why it matters: Researcher-discovered zero-day identified in March, now publicly disclosed same-day with vendor patches available. Pre-auth scope and memory-read nature present risk to exposed appliances; watchTowr Labs framing suggests active research momentum and imminent defensive triage.

    Where it's seen: Researcher (watchTowr Labs) disclosure posts on Bluesky/X announcing public advisory and patch availability; defender chatter recommending immediate NetScaler ADC/Gateway patching; part of larger NetScaler vulnerability cluster (DoS, unauthenticated file read).

  17. CVE-2024-38608 MEDIUM · 5.5 · score 8 · 6 posts
    hype MOSTLY HYPE · 18 hack

    What: Linux net/mlx5e Mellanox driver vulnerability affecting network interface handling; no CVSS assigned and NVD metadata sparse.

    Why it matters: Social chatter focuses on perceived vendor silence and transparency gaps rather than exploitation evidence. No KEV listing, no confirmed PoC, no urgent patch signal—posts frame concern around communication failures and systemic disclosure issues, not active weaponization.

    Where it's seen: Bluesky discussions centered on Microsoft's response adequacy and vulnerability transparency, with repetitive framing of "band-aid" fixes and unclear impacts. No PoC drops, exploit chatter, or defender triage reports visible.

  18. CVE-2026-20262 MEDIUM · 6.5 KEV · score 8 · 9 posts
    hype LIKELY HACK · 78 hack

    What: Authenticated arbitrary file write in Cisco Catalyst SD-WAN Manager web UI (CVE-2026-20262, CVSS 6.5) allowing file creation/overwrite and potential root escalation via malformed HTTP requests.

    Why it matters: KEV-listed as of 2026-06-15; multiple posts confirm active in-the-wild exploitation. Cisco released patches same day. Requires valid credentials but post-exploit escalation to root is documented. This is the sixth SD-WAN Manager flaw exploited in 2026, signaling sustained targeting of network infrastructure.

    Where it's seen: Security news aggregators (HackersNews, SecurityAffairs) reporting patches and active exploitation; defender community posts emphasizing urgent patching and access restriction; no public PoC details shared yet, but weaponization confirmed.

  19. CVE-2026-33017 CRITICAL · 9.8 KEV · EPSS 98% · score 8 · 12 posts
    hype LIKELY HACK · 82 hack

    What: Langflow unauthenticated remote code execution (CVE-2026-33017, CVSS 9.8) in the POST /api/v1/build_public_tmp endpoint—accepts attacker-supplied Python code executed without sandboxing in versions prior to 1.9.0.

    Why it matters: KEV-listed as of 25 March 2026; confirmed in-the-wild exploitation documented by Sysdig TRT and Trend Micro, including Monero cryptominer deployment and AWS credential theft via KeyHunter botnet using NATS-as-C2. Vendor patched (1.9.0 released).

    Where it's seen: Security research reports (Sysdig, Trend Micro, gbhackers) detailing active campaigns; multiple threat-intel posts citing IOCs and C2 infrastructure; social chatter mixing legitimate threat reports with marketing-inflected "AI gateway" framing.

  20. CVE-2026-9076 HIGH · 7.5 · score 7 · 13 posts
    hype MOSTLY HYPE · 22 hack

    What: Heap buffer over-read in OpenSSL's CMS password-based decryption (RFC 3211 PWRI key unwrap) when processing attacker-supplied stream-mode cipher OIDs; affects CMS_decrypt() and related functions. CVSS 7.5 HIGH.

    Why it matters: DoS-only impact (crash on unmapped memory boundary, unlikely); no information disclosure; no KEV listing; no public PoC; low EPSS (0.003). Social chatter is sensational ("critical," "ready to explode") but mischaracterizes severity—actual risk is modest crash condition.

    Where it's seen: Generic OpenSSL advisory roundup posts and opinion pieces with alarmist framing; no defender triaging signals, no vendor urgency reported, no exploitation evidence.

  21. CVE-2026-55955 score 7 · 7 posts
    hype MOSTLY HYPE · 28 hack

    What: Improper Authentication vulnerability in Apache Tomcat EncryptionInterceptor allows replay attacks in cluster deployments across versions 7.0.100–11.0.22 (CVSS/EPSS not yet assigned).

    Why it matters: Published 29 Jun 2026; Apache has released patches (11.0.23, 10.1.56, 9.0.119). No KEV listing, no public PoC, no in-the-wild exploitation reports yet. Social chatter is primarily vendor advisory summaries and vulnerability notice aggregation—early-stage awareness rather than active exploitation signal.

    Where it's seen: Security bulletin feeds, multilingual vulnerability aggregators, Apache mailing list cross-posts, and patch management tracking sites. No researcher PoC, no defender triage requests, no scanning reports.

  22. CVE-2026-53434 score 7 · 7 posts
    hype MOSTLY HYPE · 18 hack

    What: Apache Tomcat CRL configuration error-handling flaw in FFM-based connectors (11.0.0–11.0.22, 10.1.0–10.1.55, 9.0.83–9.0.118) allowing invalid CRL configs to pass silently without triggering failure.

    Why it matters: Vendor issued patch guidance same day (v11.0.23, 10.1.56, 9.0.119); no CVSS/EPSS assigned yet, no KEV listing, no public PoC reported. Social chatter is purely advisory rebroadcasting. Risk is moderate: an invalid CRL configuration could silently degrade certificate validation, but exploitation requires that misconfiguration to be present in the first place.

    Where it's seen: Automated CVE notification feeds, vendor security advisories, and multilingual security blogs (Russian, Japanese) republishing the Apache advisory. No defender triage questions, no working exploit demos.

  23. CVE-2026-55956 score 7 · 6 posts
    hype MOSTLY HYPE · 28 hack

    What: Improper Authorization in Apache Tomcat (versions 7.0–11.0) where security constraints on the default servlet fail to enforce HTTP method restrictions, allowing unauthorized access to protected resources.

    Why it matters: Published 29 June 2026, this is a fresh authorization bypass affecting widely-deployed Tomcat versions. Not yet KEV-listed and no CVSS assigned. Social chatter is largely advisory republication and translation; no public PoC or confirmed in-the-wild exploitation reported. Apache has issued patches (11.0.23, 10.1.56, 9.0.119).

    Where it's seen: Multilingual posts on Bluesky summarizing the vulnerability and linking to security advisories; coverage includes bundled CVEs. Typical early-disclosure pattern—defenders triaging patch eligibility, no weaponization signals.

  24. CVE-2026-12957 HIGH · 7.8 · score 7 · 12 posts
    hype LIKELY HACK · 68 hack

    What: Improper trust boundary enforcement in Language Servers for AWS (Amazon Q Developer extension) before v1.65.0 allows arbitrary code execution and cloud credential theft when a developer opens a malicious workspace. CVSS 7.8 (HIGH).

    Why it matters: AWS has issued a patch (v1.65.0+); researcher (Wiz) disclosed the flaw with real-world attack chain (malicious repo → MCP config execution → credential exfiltration). Social chatter reflects urgent patching guidance and defender triage activity. Not yet KEV-listed but vendor-acknowledged with remediation.

    Where it's seen: Security researcher disclosure, vendor advisory, multi-language social amplification, defender guidance posts emphasizing immediate upgrade and repo-trust hygiene.

  25. CVE-2026-42768 LOW · 3.7 · score 7 · 12 posts
    hype MOSTLY HYPE · 18 hack

    What: Bleichenbacher-style oracle attack on OpenSSL CMS_decrypt and PKCS7_decrypt functions via error/decryption side-channels; affects RSA PKCS#1 v1.5 key transport. CVSS 3.7 (LOW), EPSS 0.26969.

    Why it matters: OpenSSL explicitly states "we are not aware of any applications that provide a remote attacker opportunity to mount an attack" and considers real-world exploitation "very unlikely." No KEV listing. Theoretical attack requiring attacker control of CMS message and ability to observe decryption side-channel—impractical in most deployments. Social chatter reflects alarm-fatigue and skepticism rather than exploitation concern.

    Where it's seen: Bluesky posts use sensational framing ("Cryptographic Fortresses," "Surveillance Threats," "Systemic Failure") with minimal technical detail; no PoC, vendor advisory, or defender triage signals. Heavy repetition and speculation, light signal.