Vulnerability Report - June 2026

All vulnerability reports

Introduction

This vulnerability report has been generated with the help of AI, using the VulnMCP tooling on top of Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently sighted vulnerabilities for June 2026, based on data aggregated from Vulnerability-Lookup, the CISA Known Exploited Vulnerabilities catalog, the CIRCL KEV catalog, the ENISA EUVD feed, honeypot observations from The Shadowserver Foundation, and contributor comments and bundles. Sightings come from MISP, Exploit-DB, Bluesky, Mastodon, Telegram, GitHub Gists, Nuclei, SPLOITUS, Metasploit, and more. For further details, please visit this page.

New in this report: the Shadowserver KEV catalog, built from honeypot-observed exploitation attempts, makes its first appearance in our monthly reports. A big thank you to The Shadowserver Foundation for making this data available to the community.

June’s threat landscape was dominated by actively exploited flaws in enterprise infrastructure: remote-access and management software, network appliances, and identity-adjacent services. Nine of the ten most sighted vulnerabilities of the month are listed in the CISA KEV catalog (eight of them added during June), a strong signal that sighting activity closely tracked in-the-wild exploitation.

The Month at a Glance

7,454 CVEs were published in June 2026 (from the CVE List v5 source alone), up from 6,953 in May – a 14.5% month-over-month increase and the highest monthly volume of the year so far. On top of that, Vulnerability-Lookup ingested 7,315 GitHub security advisories and 745 PySec advisories over the same period.

Area chart showing the evolution of published CVEs per month in 2026, rising from about 4,300 in January to a peak of nearly 8,000 in June

Evolution of published CVEs in 2026 (CVE Program source), as shown on the Vulnerability-Lookup dashboard. The July data point only covers the first days of the month.

Vulnerability-Lookup collected 27,251 sightings during June 2026, including 18,123 “seen” observations, 8,542 exploitation-related sightings, and 71 “confirmed” sightings (mostly newly published Nuclei detection templates). No “patched” or “proof of concept” type sightings were recorded this month. Across the monitored KEV catalogs, 23 entries were added by CISA, 4 by CIRCL, 1 was reported through the ENISA / EU CSIRTs Network feed, and 6 new vulnerabilities appeared in The Shadowserver Foundation’s honeypot-observed exploitation feed.

The most sighted vulnerability of the month was CVE-2026-35273, a missing-authentication flaw in Oracle PeopleSoft Enterprise PeopleTools (Updates Environment Management), added to the CISA KEV catalog on June 12 with known ransomware campaign use – the only entry of the month with that flag.

Cisco had a particularly rough month, with three KEV-listed issues: an unauthenticated SSRF in Unified Communications Manager (CVE-2026-20230), a privilege escalation in Catalyst SD-WAN Controller (CVE-2026-20245) and a path traversal in Catalyst SD-WAN Manager (CVE-2026-20262) – the SD-WAN line remaining a target for the second month in a row after May’s Emergency-Directive flaw. Remote-access and remote-management tooling was the other clear cluster: unauthenticated root-level command injection in Ivanti Sentry (CVE-2026-10520, also observed against Shadowserver honeypots), an OIDC authentication bypass in SimpleHelp (CVE-2026-48558), an IKEv1 authentication bypass in Check Point Security Gateway (CVE-2026-50751, confirmed exploited by Check Point), and a pre-authentication RCE in BeyondTrust Remote Support / Privileged Remote Access (CVE-2026-1731) reported by NCSC-FI through the ENISA CNW feed.

Other notable KEV additions include a trio of Ubiquiti UniFi OS flaws (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910) added the same day, an unauthenticated arbitrary file creation/truncation in Splunk Enterprise via a PostgreSQL sidecar endpoint (CVE-2026-20253), and – for the second month running – an AI-stack entry, with a command injection in BerriAI LiteLLM (CVE-2026-42271) following May’s LiteLLM SQL injection. On the client side, both Google Chrome (V8) (CVE-2026-11645) and Android Framework (CVE-2025-48595) were KEV-listed and appeared in the top 10. The high-sighting Windows Netlogon stack-based buffer overflow (CVE-2026-41089) rounded out the picture, and CISA also re-anchored legacy issues – the Linux kernel cgroups v1 container-escape CVE-2022-0492 and Oracle WebLogic CVE-2024-21182 – while Shadowserver honeypots still registered attacks against the 2017 HP iLO 4 authentication bypass (CVE-2017-12542).

Across the month’s KEV additions, the dominant weakness patterns were missing authentication for critical functions (CWE-306: PeopleSoft, Splunk), authentication bypass and improper authentication (CWE-287/CWE-294: SimpleHelp, Check Point, PAN-OS GlobalProtect), OS command and code injection (CWE-77/78/94: Ivanti Sentry, Lantronix EDS5000, LiteLLM), path traversal (CWE-22: Ubiquiti UniFi OS, Cisco SD-WAN Manager, FortiSandbox), server-side request forgery (CWE-918: Cisco Unified CM), and memory corruption in widely deployed client software (CWE-787/CWE-190: Windows Netlogon, Chrome V8, Android Framework). In overall published volume, cross-site scripting (CWE-79) and SQL injection (CWE-89) once again topped the monthly CWE ranking (see the Top 10 Weaknesses chart below).

Top 10 Vendors of the Month

Top 10 Vendors of the Month

Top 10 Assigners of the Month

Top 10 Assigners of the Month

Top 10 Vulnerabilities of the Month

VulnerabilitySighting CountVendorProductVLAI Severity
CVE-2026-35273192OraclePeopleSoft Enterprise PeopleToolsCritical (confidence: 0.9967)
CVE-2026-20245183CiscoCatalyst SD-WAN ControllerHigh (confidence: 0.9894)
CVE-2026-50751139Check PointQuantum Security GatewayCritical (confidence: 0.7947)
CVE-2026-20230138CiscoUnified Communications ManagerHigh (confidence: 0.6151)
CVE-2026-0257125Palo Alto NetworksPAN-OS (GlobalProtect)Medium (confidence: 0.9371)
CVE-2026-20253119SplunkSplunk EnterpriseCritical (confidence: 0.9624)
CVE-2026-41089101MicrosoftWindows (Netlogon)Critical (confidence: 0.9326)
CVE-2026-10520100IvantiSentryCritical (confidence: 0.9849)
CVE-2025-4859597GoogleAndroid (Framework)High (confidence: 0.9277)
CVE-2026-1164591GoogleChrome (V8)High (confidence: 0.9938)

Known Exploited Vulnerabilities

New entries have been added to the major Known Exploited Vulnerabilities catalogs during June.

Catalog coverage

30 distinct vulnerabilities entered at least one of the tracked KEV catalogs during June. The matrix below shows, for each of them, which catalogs cover it (as of publication) – built with the new KEV catalog coverage feature of Vulnerability-Lookup. The KEVIntel catalog, the highest-volume of the tracked feeds with 335 new entries in June alone, covers 28 of the 30; conversely, two entries (HP iLO 4 and the MeiG router) are visible only through Shadowserver’s honeypots, and the Ivanti Sentry command injection is the only vulnerability of the month present in four catalogs at once.

VulnerabilityFirst addedCISACIRCLENISAKEVIntelShadowserver
CVE-2017-125422026-06-30
CVE-2026-485582026-06-29
CVE-2026-202302026-06-25
CVE-2026-125692026-06-25
CVE-2026-349102026-06-23
CVE-2026-349092026-06-23
CVE-2026-349082026-06-23
CVE-2025-670382026-06-23
CVE-2026-398132026-06-22
CVE-2026-363562026-06-21
CVE-2026-202532026-06-18
CVE-2026-489072026-06-16
CVE-2026-544202026-06-15
CVE-2026-202622026-06-15
CVE-2026-352732026-06-12
CVE-2026-105202026-06-10
CVE-2026-74732026-06-09
CVE-2026-202452026-06-09
CVE-2026-116452026-06-09
CVE-2026-507512026-06-08
CVE-2026-422712026-06-08
CVE-2026-244232026-06-08
CVE-2024-85222026-06-08
CVE-2025-340332026-06-07
CVE-2026-283182026-06-05
CVE-2026-17312026-06-04
CVE-2026-452472026-06-03
CVE-2025-485952026-06-02
CVE-2022-04922026-06-02
CVE-2024-211822026-06-01

CISA

The CISA KEV catalog added 23 entries in June. The Oracle PeopleSoft entry is flagged with known ransomware campaign use.

CVE IDDate AddedVendorProductVLAI Severity
CVE-2026-485582026-06-29SimpleHelpSimpleHelpCritical (confidence: 0.9723)
CVE-2026-125692026-06-25PTCWindchill and FlexPLMCritical (confidence: 0.9946)
CVE-2026-202302026-06-25CiscoUnified Communications ManagerHigh (confidence: 0.6151)
CVE-2025-670382026-06-23LantronixEDS5000Critical (confidence: 0.9956)
CVE-2026-349082026-06-23UbiquitiUniFi OSCritical (confidence: 0.9784)
CVE-2026-349092026-06-23UbiquitiUniFi OSCritical (confidence: 0.9783)
CVE-2026-349102026-06-23UbiquitiUniFi OSCritical (confidence: 0.9642)
CVE-2026-202532026-06-18SplunkSplunk EnterpriseCritical (confidence: 0.9624)
CVE-2026-489072026-06-16Widget FactoryJoomla Content Editor (JCE)Critical (confidence: 0.993)
CVE-2026-544202026-06-15LiteSpeedcPanel PluginHigh (confidence: 0.9896)
CVE-2026-202622026-06-15CiscoCatalyst SD-WAN ManagerMedium (confidence: 0.7478)
CVE-2026-352732026-06-12OraclePeopleSoft Enterprise PeopleToolsCritical (confidence: 0.9967)
CVE-2026-105202026-06-11IvantiSentryCritical (confidence: 0.9849)
CVE-2026-202452026-06-09CiscoCatalyst SD-WAN ControllerHigh (confidence: 0.9894)
CVE-2026-74732026-06-09AristaExtensible Operating System (EOS)Medium (confidence: 0.5082)
CVE-2026-116452026-06-09GoogleChromium V8High (confidence: 0.9938)
CVE-2026-422712026-06-08BerriAILiteLLMHigh (confidence: 0.6121)
CVE-2026-507512026-06-08Check PointSecurity GatewayCritical (confidence: 0.7947)
CVE-2026-283182026-06-05SolarWindsServ-UHigh (confidence: 0.9813)
CVE-2026-452472026-06-03MirasvitFull Page Cache Warmer (Magento 2)Critical (confidence: 0.9944)
CVE-2025-485952026-06-02GoogleAndroid FrameworkHigh (confidence: 0.9277)
CVE-2022-04922026-06-02LinuxKernel (cgroups v1)High (confidence: 0.9381)
CVE-2024-211822026-06-01OracleWebLogic ServerHigh (confidence: 0.9972)

More KEV entries from the CISA Catalog.

CIRCL

The CIRCL KEV catalog added 4 entries during June. The Check Point IKEv1 authentication bypass was confirmed on the basis of Check Point’s own report of active exploitation in the wild; the Cisco SD-WAN and Ivanti Sentry entries are marked as suspected exploitation.

CVE IDDate AddedVendorProductVLAI Severity
CVE-2026-202452026-06-25CiscoCatalyst SD-WAN ControllerHigh (confidence: 0.9894)
CVE-2026-398132026-06-22FortinetFortiSandboxCritical (confidence: 0.8265)
CVE-2026-105202026-06-12IvantiSentryCritical (confidence: 0.9849)
CVE-2026-507512026-06-08Check PointQuantum Security GatewayCritical (confidence: 0.7947)

More KEV entries from the CIRCL Catalog.

ENISA (EUVD)

A single new entry was reported through the ENISA / EU CSIRTs Network (CNW) KEV feed during June: a critical pre-authentication remote code execution in BeyondTrust Remote Support and Privileged Remote Access, reported by NCSC-FI.

CVE IDDate ReportedVendorProductVLAI Severity
CVE-2026-17312026-06-04BeyondTrustRemote Support (RS) / Privileged Remote Access (PRA)Critical (confidence: 0.9813)

More KEV entries from the ENISA Catalog.

The Shadowserver Foundation

The Shadowserver KEV catalog is fed by honeypot-observed exploitation attempts. 6 vulnerabilities were observed for the first time during June, two of which are also in the CISA KEV catalog. Notably, the 2017 HP iLO 4 authentication bypass was still drawing attack traffic at the very end of the month.

CVE IDFirst SeenVendorProductSeverity (Shadowserver)
CVE-2017-125422026-06-30HPHP iLO 4Critical (CVSS 10.0)
CVE-2026-363562026-06-21MeiGSmart FORGE_SLT711Critical (CVSS 9.1)
CVE-2026-105202026-06-10IvantiSentryCritical (CVSS 10.0)
CVE-2026-244232026-06-08SmarterToolsSmarterMailCritical (CVSS 9.8)
CVE-2024-85222026-06-08WordPressLearnPress pluginHigh (CVSS 7.5)
CVE-2025-340332026-06-075VTechnologiesBlue Angel Software Suite

More KEV entries from the Shadowserver Catalog.

Top 10 Weaknesses of the Month

Top 10 Weaknesses of the Month

Insights from Contributors

Community contributions in June ranged from data-quality improvements to supply-chain research:

Contributors also curated vendor advisories into bundles during June:

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Funding

eu_funded_en

The main objective of Federated European Team for Threat Analysis (FETTA) is improvement of Cyber Threat Intelligence (CTI) products available to the public and private sector in Poland, Luxembourg, and the European Union as a whole.
Developing actionable CTI products (reports, indicators, etc) is a complex task and requires an in-depth understanding of the threat landscape and the ability to analyse and interpret large amounts of data. Many SOCs and CSIRTs build their capabilities in this area independently, leading to a fragmented approach and duplication of work.

The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. The organization brings to the table its extensive experience in cybersecurity incident management, threat intelligence, and proactive response strategies. With a strong background in developing innovative open source cybersecurity tools and solutions, CIRCL’s contribution to the FETTA project is instrumental in achieving enhanced collaboration and intelligence sharing across Europe.

Press release