Vulnerability Report - June 2026
Introduction
This vulnerability report has been generated with the help of AI, using the VulnMCP tooling on top of Vulnerability-Lookup, with contributions from the platform’s community.
It highlights the most frequently sighted vulnerabilities for June 2026, based on data aggregated from Vulnerability-Lookup, the CISA Known Exploited Vulnerabilities catalog, the CIRCL KEV catalog, the ENISA EUVD feed, honeypot observations from The Shadowserver Foundation, and contributor comments and bundles. Sightings come from MISP, Exploit-DB, Bluesky, Mastodon, Telegram, GitHub Gists, Nuclei, SPLOITUS, Metasploit, and more. For further details, please visit this page.
June’s threat landscape was dominated by actively exploited flaws in enterprise infrastructure: remote-access and management software, network appliances, and identity-adjacent services. Nine of the ten most sighted vulnerabilities of the month are listed in the CISA KEV catalog (eight of them added during June), a strong signal that sighting activity closely tracked in-the-wild exploitation.
The Month at a Glance
7,454 CVEs were published in June 2026 (from the CVE List v5 source alone), up from 6,953 in May – a 14.5% month-over-month increase and the highest monthly volume of the year so far. On top of that, Vulnerability-Lookup ingested 7,315 GitHub security advisories and 745 PySec advisories over the same period.

Evolution of published CVEs in 2026 (CVE Program source), as shown on the Vulnerability-Lookup dashboard. The July data point only covers the first days of the month.
Vulnerability-Lookup collected 27,251 sightings during June 2026, including 18,123 “seen” observations, 8,542 exploitation-related sightings, and 71 “confirmed” sightings (mostly newly published Nuclei detection templates). No “patched” or “proof of concept” type sightings were recorded this month. Across the monitored KEV catalogs, 23 entries were added by CISA, 4 by CIRCL, 1 was reported through the ENISA / EU CSIRTs Network feed, and 6 new vulnerabilities appeared in The Shadowserver Foundation’s honeypot-observed exploitation feed.
The most sighted vulnerability of the month was CVE-2026-35273, a missing-authentication flaw in Oracle PeopleSoft Enterprise PeopleTools (Updates Environment Management), added to the CISA KEV catalog on June 12 with known ransomware campaign use – the only entry of the month with that flag.
Cisco had a particularly rough month, with three KEV-listed issues: an unauthenticated SSRF in Unified Communications Manager (CVE-2026-20230), a privilege escalation in Catalyst SD-WAN Controller (CVE-2026-20245) and a path traversal in Catalyst SD-WAN Manager (CVE-2026-20262) – the SD-WAN line remaining a target for the second month in a row after May’s Emergency-Directive flaw. Remote-access and remote-management tooling was the other clear cluster: unauthenticated root-level command injection in Ivanti Sentry (CVE-2026-10520, also observed against Shadowserver honeypots), an OIDC authentication bypass in SimpleHelp (CVE-2026-48558), an IKEv1 authentication bypass in Check Point Security Gateway (CVE-2026-50751, confirmed exploited by Check Point), and a pre-authentication RCE in BeyondTrust Remote Support / Privileged Remote Access (CVE-2026-1731) reported by NCSC-FI through the ENISA CNW feed.
Other notable KEV additions include a trio of Ubiquiti UniFi OS flaws (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910) added the same day, an unauthenticated arbitrary file creation/truncation in Splunk Enterprise via a PostgreSQL sidecar endpoint (CVE-2026-20253), and – for the second month running – an AI-stack entry, with a command injection in BerriAI LiteLLM (CVE-2026-42271) following May’s LiteLLM SQL injection. On the client side, both Google Chrome (V8) (CVE-2026-11645) and Android Framework (CVE-2025-48595) were KEV-listed and appeared in the top 10. The high-sighting Windows Netlogon stack-based buffer overflow (CVE-2026-41089) rounded out the picture, and CISA also re-anchored legacy issues – the Linux kernel cgroups v1 container-escape CVE-2022-0492 and Oracle WebLogic CVE-2024-21182 – while Shadowserver honeypots still registered attacks against the 2017 HP iLO 4 authentication bypass (CVE-2017-12542).
Across the month’s KEV additions, the dominant weakness patterns were missing authentication for critical functions (CWE-306: PeopleSoft, Splunk), authentication bypass and improper authentication (CWE-287/CWE-294: SimpleHelp, Check Point, PAN-OS GlobalProtect), OS command and code injection (CWE-77/78/94: Ivanti Sentry, Lantronix EDS5000, LiteLLM), path traversal (CWE-22: Ubiquiti UniFi OS, Cisco SD-WAN Manager, FortiSandbox), server-side request forgery (CWE-918: Cisco Unified CM), and memory corruption in widely deployed client software (CWE-787/CWE-190: Windows Netlogon, Chrome V8, Android Framework). In overall published volume, cross-site scripting (CWE-79) and SQL injection (CWE-89) once again topped the monthly CWE ranking (see the Top 10 Weaknesses chart below).
Top 10 Vendors of the Month
Top 10 Assigners of the Month
Top 10 Vulnerabilities of the Month
| Vulnerability | Sighting Count | Vendor | Product | VLAI Severity |
|---|---|---|---|---|
| CVE-2026-35273 | 192 | Oracle | PeopleSoft Enterprise PeopleTools | Critical (confidence: 0.9967) |
| CVE-2026-20245 | 183 | Cisco | Catalyst SD-WAN Controller | High (confidence: 0.9894) |
| CVE-2026-50751 | 139 | Check Point | Quantum Security Gateway | Critical (confidence: 0.7947) |
| CVE-2026-20230 | 138 | Cisco | Unified Communications Manager | High (confidence: 0.6151) |
| CVE-2026-0257 | 125 | Palo Alto Networks | PAN-OS (GlobalProtect) | Medium (confidence: 0.9371) |
| CVE-2026-20253 | 119 | Splunk | Splunk Enterprise | Critical (confidence: 0.9624) |
| CVE-2026-41089 | 101 | Microsoft | Windows (Netlogon) | Critical (confidence: 0.9326) |
| CVE-2026-10520 | 100 | Ivanti | Sentry | Critical (confidence: 0.9849) |
| CVE-2025-48595 | 97 | – | Android (Framework) | High (confidence: 0.9277) |
| CVE-2026-11645 | 91 | Google | Chrome (V8) | High (confidence: 0.9938) |
Known Exploited Vulnerabilities
New entries have been added to the major Known Exploited Vulnerabilities catalogs during June.
Catalog coverage
30 distinct vulnerabilities entered at least one of the tracked KEV catalogs during June. The matrix below shows, for each of them, which catalogs cover it (as of publication) – built with the new KEV catalog coverage feature of Vulnerability-Lookup. The KEVIntel catalog, the highest-volume of the tracked feeds with 335 new entries in June alone, covers 28 of the 30; conversely, two entries (HP iLO 4 and the MeiG router) are visible only through Shadowserver’s honeypots, and the Ivanti Sentry command injection is the only vulnerability of the month present in four catalogs at once.
| Vulnerability | First added | Tracked catalogs covering it (count) |
|---|---|---|
| CVE-2017-12542 | 2026-06-30 | 1 |
| CVE-2026-48558 | 2026-06-29 | 2 |
| CVE-2026-20230 | 2026-06-25 | 2 |
| CVE-2026-12569 | 2026-06-25 | 2 |
| CVE-2026-34910 | 2026-06-23 | 2 |
| CVE-2026-34909 | 2026-06-23 | 2 |
| CVE-2026-34908 | 2026-06-23 | 2 |
| CVE-2025-67038 | 2026-06-23 | 2 |
| CVE-2026-39813 | 2026-06-22 | 2 |
| CVE-2026-36356 | 2026-06-21 | 1 |
| CVE-2026-20253 | 2026-06-18 | 2 |
| CVE-2026-48907 | 2026-06-16 | 2 |
| CVE-2026-54420 | 2026-06-15 | 2 |
| CVE-2026-20262 | 2026-06-15 | 2 |
| CVE-2026-35273 | 2026-06-12 | 2 |
| CVE-2026-10520 | 2026-06-10 | 4 |
| CVE-2026-7473 | 2026-06-09 | 2 |
| CVE-2026-20245 | 2026-06-09 | 3 |
| CVE-2026-11645 | 2026-06-09 | 2 |
| CVE-2026-50751 | 2026-06-08 | 3 |
| CVE-2026-42271 | 2026-06-08 | 2 |
| CVE-2026-24423 | 2026-06-08 | 3 |
| CVE-2024-8522 | 2026-06-08 | 2 |
| CVE-2025-34033 | 2026-06-07 | 2 |
| CVE-2026-28318 | 2026-06-05 | 2 |
| CVE-2026-1731 | 2026-06-04 | 3 |
| CVE-2026-45247 | 2026-06-03 | 2 |
| CVE-2025-48595 | 2026-06-02 | 2 |
| CVE-2022-0492 | 2026-06-02 | 2 |
| CVE-2024-21182 | 2026-06-01 | 2 |
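The cross-referencing behind a coverage matrix like the one above is simple set arithmetic over several feeds. The script below is an added example, not Vulnerability-Lookup's own implementation of its KEV catalog coverage feature: each feed is modelled as a constructed, simplified map of CVE id to the date it entered that catalog (real feeds use their own schemas), and the sample memberships and dates are the ones this report states, plus one constructed pre-June CISA entry to show the date filter. It builds the per-CVE catalog set, counts coverage per catalog, finds single-catalog entries and the widest-covered entry, renders the matrix as a Markdown table, and annotates a sighting ranking with the catalogs each CVE appears in.

```python
"""Cross-reference several KEV-style catalogs into a coverage matrix.

Added example, not Vulnerability-Lookup's own code. Feeds below are
constructed sample data: catalog name -> {cve: date first added there}.
"""
from collections import Counter
from datetime import date

FEEDS = {
    "CISA": {
        "CVE-2026-10520": date(2026, 6, 10),
        "CVE-2026-20245": date(2026, 6, 9),
        "CVE-2026-35273": date(2026, 6, 12),
        "CVE-2026-24423": date(2026, 6, 8),
        "CVE-2026-0257": date(2026, 5, 20),   # constructed pre-June date
    },
    "CIRCL": {
        "CVE-2026-10520": date(2026, 6, 12),
        "CVE-2026-20245": date(2026, 6, 25),
        "CVE-2026-39813": date(2026, 6, 22),
    },
    "ENISA": {"CVE-2026-1731": date(2026, 6, 4)},
    "KEVIntel": {
        "CVE-2026-10520": date(2026, 6, 10),
        "CVE-2026-20245": date(2026, 6, 9),
        "CVE-2026-35273": date(2026, 6, 12),
        "CVE-2026-24423": date(2026, 6, 8),
        "CVE-2026-39813": date(2026, 6, 22),
        "CVE-2026-1731": date(2026, 6, 4),
    },
    "Shadowserver": {
        "CVE-2017-12542": date(2026, 6, 30),
        "CVE-2026-10520": date(2026, 6, 10),
        "CVE-2026-24423": date(2026, 6, 8),
    },
}
CATALOGS = list(FEEDS)


def coverage_matrix(feeds, start, end):
    """Return {cve: {"first_added": date, "catalogs": set}} for every CVE
    whose earliest appearance in any tracked catalog lies in [start, end]."""
    matrix = {}
    for catalog, entries in feeds.items():
        for cve, added in entries.items():
            row = matrix.setdefault(cve, {"first_added": added, "catalogs": set()})
            row["catalogs"].add(catalog)
            row["first_added"] = min(row["first_added"], added)
    return {c: r for c, r in matrix.items() if start <= r["first_added"] <= end}


def catalog_counts(matrix):
    """How many CVEs of the matrix each catalog covers."""
    return Counter(cat for row in matrix.values() for cat in row["catalogs"])


def single_catalog_entries(matrix):
    """CVEs visible through exactly one catalog (e.g. honeypot-only hits)."""
    return {c: next(iter(r["catalogs"])) for c, r in matrix.items()
            if len(r["catalogs"]) == 1}


def widest_coverage(matrix):
    """CVEs present in the largest number of catalogs."""
    best = max(len(r["catalogs"]) for r in matrix.values())
    return sorted(c for c, r in matrix.items() if len(r["catalogs"]) == best)


def render_markdown(matrix, catalogs=CATALOGS):
    """Render the matrix as a Markdown table, newest first-added date first."""
    lines = ["| Vulnerability | First added | " + " | ".join(catalogs) + " |",
             "|---" * (2 + len(catalogs)) + "|"]
    ordered = sorted(matrix.items(), key=lambda kv: (kv[1]["first_added"], kv[0]),
                     reverse=True)
    for cve, row in ordered:
        marks = " | ".join("✓" if c in row["catalogs"] else "" for c in catalogs)
        lines.append(f"| {cve} | {row['first_added'].isoformat()} | {marks} |")
    return "\n".join(lines)


def kev_overlap(sightings, feeds, top=10):
    """Rank CVEs by sighting count and list the catalogs each one sits in,
    regardless of when it was added (membership, not June entry)."""
    ranked = sorted(sightings.items(), key=lambda kv: kv[1], reverse=True)[:top]
    return [(cve, n, sorted(cat for cat, e in feeds.items() if cve in e))
            for cve, n in ranked]


if __name__ == "__main__":
    june = coverage_matrix(FEEDS, date(2026, 6, 1), date(2026, 6, 30))
    print(render_markdown(june))
    print(catalog_counts(june), single_catalog_entries(june), widest_coverage(june))
    # Constructed sighting counts, taken from the top-10 table of this report.
    print(kev_overlap({"CVE-2026-35273": 192, "CVE-2026-20245": 183,
                       "CVE-2026-0257": 125, "CVE-2026-10520": 100}, FEEDS))
```

The date filter is applied to the earliest appearance across all feeds, which is what "entered at least one catalog during the month" means; a CVE that a catalog listed in May and another catalog picked up in June is counted on the earlier date, so it falls out of the month's matrix while still being reported as KEV-listed by `kev_overlap`.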
CISA
The CISA KEV catalog added 23 entries in June. The Oracle PeopleSoft entry is flagged with known ransomware campaign use.
More KEV entries from the CISA Catalog.
CIRCL
The CIRCL KEV catalog added 4 entries during June. The Check Point IKEv1 authentication bypass was confirmed on the basis of Check Point’s own report of active exploitation in the wild; the Cisco SD-WAN and Ivanti Sentry entries are marked as suspected exploitation.
| CVE ID | Date Added | Vendor | Product | VLAI Severity |
|---|---|---|---|---|
| CVE-2026-20245 | 2026-06-25 | Cisco | Catalyst SD-WAN Controller | High (confidence: 0.9894) |
| CVE-2026-39813 | 2026-06-22 | Fortinet | FortiSandbox | Critical (confidence: 0.8265) |
| CVE-2026-10520 | 2026-06-12 | Ivanti | Sentry | Critical (confidence: 0.9849) |
| CVE-2026-50751 | 2026-06-08 | Check Point | Quantum Security Gateway | Critical (confidence: 0.7947) |
More KEV entries from the CIRCL Catalog.
ENISA (EUVD)
A single new entry was reported through the ENISA / EU CSIRTs Network (CNW) KEV feed during June: a critical pre-authentication remote code execution in BeyondTrust Remote Support and Privileged Remote Access, reported by NCSC-FI.
| CVE ID | Date Reported | Vendor | Product | VLAI Severity |
|---|---|---|---|---|
| CVE-2026-1731 | 2026-06-04 | BeyondTrust | Remote Support (RS) / Privileged Remote Access (PRA) | Critical (confidence: 0.9813) |
More KEV entries from the ENISA Catalog.
The Shadowserver Foundation
The Shadowserver KEV catalog is fed by honeypot-observed exploitation attempts. 6 vulnerabilities were observed for the first time during June, two of which are also in the CISA KEV catalog. Notably, the 2017 HP iLO 4 authentication bypass was still drawing attack traffic at the very end of the month.
| CVE ID | First Seen | Vendor | Product | Severity (Shadowserver) |
|---|---|---|---|---|
| CVE-2017-12542 | 2026-06-30 | HP | HP iLO 4 | Critical (CVSS 10.0) |
| CVE-2026-36356 | 2026-06-21 | MeiG | Smart FORGE_SLT711 | Critical (CVSS 9.1) |
| CVE-2026-10520 | 2026-06-10 | Ivanti | Sentry | Critical (CVSS 10.0) |
| CVE-2026-24423 | 2026-06-08 | SmarterTools | SmarterMail | Critical (CVSS 9.8) |
| CVE-2024-8522 | 2026-06-08 | WordPress | LearnPress plugin | High (CVSS 7.5) |
| CVE-2025-34033 | 2026-06-07 | 5VTechnologies | Blue Angel Software Suite | – |
More KEV entries from the Shadowserver Catalog.
Top 10 Weaknesses of the Month
Insights from Contributors
Community contributions in June ranged from data-quality improvements to supply-chain research:
- Impact of MISP.disableUserSelfManagement on exploitability – a practical exploitability note on GCVE-1-2026-20092 explaining that when MISP.disableUserSelfManagement is enabled on a MISP instance, non-admin users cannot reach the vulnerable endpoint – a useful triage criterion for instance operators.
- CPE is missing – a data-quality contribution on CVE-2021-35394, adding the correct Realtek Jungle SDK CPE identifier via the GCVE CPE registry.
- Wolves in the Repository: A Software Engineering Analysis of the XZ Utils Supply Chain Attack – a pointer to an academic analysis of CVE-2024-3094, reconstructing how the XZ Utils attackers manipulated the open-source development process itself – community management, CI/CD configuration, and infrastructure contributions – to plant and maintain a backdoor.
Contributors also curated vendor advisories into bundles during June:
- Remote Code Execution and Cross-Site Scripting in pgAdmin 4 | CCB Belgium (3 CVEs) – pgAdmin 4 before 9.16 can be exploited to execute arbitrary commands and exfiltrate database credentials.
- Security Advisory Ivanti Sentry (2 CVEs) – grouping the KEV-listed root-level command injection CVE-2026-10520 with CVE-2026-10523.
- NEWS for rsync 3.4.3 (7 CVEs) – six new CVEs fixed in rsync 3.4.3, two of them reachable from a normal pull or an authenticated daemon connection.
Thank you
Thank you to all the contributors and our diverse sources!
If you want to contribute to the next report, you can create your account.
Feedback and Support
If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
Funding

The main objective of the Federated European Team for Threat Analysis (FETTA) is the improvement of Cyber Threat Intelligence (CTI) products available to the public and private sector in Poland, Luxembourg, and the European Union as a whole.
Developing actionable CTI products (reports, indicators, etc.) is a complex task and requires an in-depth understanding of the threat landscape and the ability to analyse and interpret large amounts of data. Many SOCs and CSIRTs build their capabilities in this area independently, leading to a fragmented approach and duplication of work.
The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. The organization brings to the table its extensive experience in cybersecurity incident management, threat intelligence, and proactive response strategies. With a strong background in developing innovative open source cybersecurity tools and solutions, CIRCL’s contribution to the FETTA project is instrumental in achieving enhanced collaboration and intelligence sharing across Europe.