Last updated: July 6, 2026 at 12:53 AM UTC
All 559 Vulnerability 199 Breach 107 Threat 246 Defense 7

Attackers exploit unpatched Langflow flaw for unauthenticated code execution

VulnCheck reports that attackers are actively exploiting an unpatched flaw in Langflow, a popular open-source platform for building AI applications. The bug (CVE-2026-5027, rated 8.8) is a path-traversal weakness: the file-upload endpoint does not clean the supplied filename, so an attacker can use directory-climbing sequences to write files anywhere on the server, a foothold that leads to remote code execution. Tenable, which found it, says the maintainers did not respond after three contact attempts in early 2026, and there is still no official fix. Early exploitation appears to be probing, with attackers writing harmless test files, but that usually precedes heavier attacks.

Check
Identify any internet-facing Langflow instances, confirm the version, and review the server filesystem and web logs for unexpected files written via the /api/v2/files upload endpoint.
Affected
Internet-exposed Langflow deployments where the file-upload endpoint is reachable (CVE-2026-5027). No vendor patch is available yet, and active exploitation is already under way.
Fix
Until a fix ships, take Langflow off the public internet or place it behind authentication and a WAF that blocks path-traversal payloads, and restrict the upload endpoint.

Microsoft finally patches actively exploited Exchange OWA spoofing zero-day

Microsoft has shipped the first full patch for an Exchange Server zero-day that attackers have been exploiting since May. The flaw (CVE-2026-42897) is a cross-site scripting bug in Outlook Web Access: an attacker emails a victim, and when the message is opened in OWA, malicious JavaScript runs inside the victim's authenticated session, allowing session-token theft and mailbox impersonation without ever touching the server. It affects Exchange Server 2016, 2019, and Subscription Edition, and CISA added it to its known-exploited list back in May. Until this week only temporary mitigations existed; the June security updates provide the permanent fix.

Check
Confirm the June 2026 security update is applied to all on-premises Exchange servers, and review OWA and mailbox audit logs for suspicious script activity or session hijacking since May.
Affected
On-premises Microsoft Exchange Server 2016, 2019, and Subscription Edition exposing Outlook Web Access (CVE-2026-42897), a spoofing and cross-site scripting flaw exploited in attacks since May.
Fix
Apply the June 2026 Exchange security update now to replace the earlier mitigation-only guidance, then reset potentially exposed OWA sessions and rotate credentials for affected mailboxes.

Critical Ivanti Sentry flaw gives unauthenticated attackers root

Ivanti has patched two critical flaws in Sentry, its mobile gateway appliance (formerly MobileIron Sentry) that sits in line between mobile devices and back-end systems like Exchange. The worst, CVE-2026-10520, rated a perfect 10, is an OS command injection in an internal configuration API that mistakenly accepts commands from anyone who can reach it over the internet, with no login, granting remote code execution as root. The second, CVE-2026-10523 (9.9), is an authentication bypass that lets attackers create their own admin accounts. No exploitation has been seen yet, but watchTowr has already published a patch analysis and a detection script, so the window is closing fast.

Check
Identify Ivanti Sentry appliances and their version, restrict who can reach the management and configuration endpoints, and run watchTowr's detection script to confirm whether instances are vulnerable.
Affected
Ivanti Sentry (formerly MobileIron Sentry) versions 10.5.1, 10.6.1, 10.7.0 and earlier, exposed to untrusted networks (CVE-2026-10520 root RCE; CVE-2026-10523 admin-account auth bypass).
Fix
Upgrade Ivanti Sentry to R10.5.2, R10.6.2, or R10.7.1 immediately, then review appliances for rogue administrator accounts and any signs of command execution before patching.

ShinyHunters extorts Oracle PeopleSoft customers in widening data-theft spree

The extortion group ShinyHunters is running a wave of data-theft attacks against organizations using Oracle PeopleSoft, the enterprise software that large institutions rely on for HR, payroll, finance, and student records. Both cloud and on-premises instances are affected, and the gang claims data from more than 100 organizations. Attackers typically log in with stolen employee credentials, move through the PeopleSoft environment, and exfiltrate large datasets before demanding a Bitcoin ransom. A confirmed victim is the University of Nottingham, where a breach of an Oracle student-records system exposed 454,635 accounts. Researchers have shared attacker IP addresses and noted the use of MeshCentral remote-access agents.

Check
Review PeopleSoft access logs for logins from unfamiliar IPs or locations, check for MeshCentral or other unexpected remote-access agents, and confirm whether your org received a ShinyHunters extortion demand.
Affected
Organizations running cloud or on-premises Oracle PeopleSoft, particularly those with reused or phishable employee credentials and limited monitoring of administrative access to HR, finance, and student-records modules.
Fix
Enforce phishing-resistant MFA on all PeopleSoft accounts, rotate exposed credentials, block the shared attacker IPs, remove unauthorized remote-access tools, and tighten access controls and logging on instances.

China-linked JDY botnet scans US military networks for fresh flaws

Lumen's Black Lotus Labs warns that JDY, a covert botnet tied to Chinese state-linked groups including Volt Typhoon, has more than doubled to over 1,500 hacked home and small-office routers, firewalls, and IoT devices. Unlike a DDoS botnet, JDY is a distributed scanning network: it fingerprints exposed services across the internet and flags systems vulnerable to newly disclosed bugs, often within hours of disclosure. It keeps a heavy focus on the US, especially military and associated networks, and survived the 2024 FBI takedown of its parent KV-botnet. Because traffic comes from thousands of ordinary residential IPs, simple IP blocking does not stop it.

Check
Inventory internet-facing routers, firewalls, and IoT devices, especially Ubiquiti, DrayTek, Hikvision, and Linksys gear, for end-of-life models and missing patches that JDY scans for after disclosure.
Affected
Internet-exposed SOHO routers, firewalls, and IoT devices, particularly end-of-life hardware; US military and associated networks are a stated focus of the reconnaissance.
Fix
Patch edge devices promptly after vendor disclosures, replace end-of-life hardware, disable remote management where unneeded, and rely on behavioral rather than IP-based detection for scanning activity.

Six protobuf.js flaws let malicious schemas run code in Node.js apps

Researchers at Cyera have disclosed six vulnerabilities, collectively named Proto6, in protobuf.js, a JavaScript and TypeScript library for Google's Protocol Buffers data format that sees more than 50 million downloads a week. The flaws stem from the library trusting schema and metadata by default, so a single malicious schema or crafted payload can crash a service, inject code, or lead to remote code execution. Cyera demonstrated real attacks including poisoning CI/CD pipelines to leak build secrets and crashing WhatsApp automation bots. Because protobuf.js is embedded across cloud services, AI platforms, and build systems, the reach is broad. Fixed versions are 7.5.6 and 8.0.2.

Check
Inventory applications and pipelines that depend on protobuf.js directly or transitively, and identify any that deserialize Protobuf data or generate code from schemas supplied by untrusted sources.
Affected
Node.js applications, cloud client libraries, CI/CD pipelines, and messaging frameworks using protobuf.js before 7.5.6 or 8.0.2 (CVEs include CVE-2026-44289, CVE-2026-44295) that process untrusted schemas.
Fix
Upgrade protobuf.js to 7.5.6 or 8.0.2 and protobufjs-cli to 1.2.1 or 2.0.2, and treat incoming schemas and descriptors as untrusted input rather than safe data.

Cyberattack halts Australia's second-largest sugar producer mid-harvest

Mackay Sugar, Australia's second-largest sugar producer, has shut down two of its Queensland mills after a cybersecurity incident, halting production and stopping sugarcane harvesting at the peak of the season. The company confirmed the attack on Wednesday and has brought in outside cybersecurity experts and local authorities to investigate and restore systems. It has not yet said who was responsible or whether data was stolen, but the operational shutdown is consistent with a ransomware attack. The incident is the latest example of attackers disrupting food and agriculture operations, a sector whose industrial systems are increasingly targeted for maximum pressure.

Check
Food, agriculture, and manufacturing operators should review how cleanly their IT and operational-technology networks are separated, and confirm a ransomware shutdown of IT could not halt production lines.
Affected
Industrial and agricultural organizations where a compromise of business IT systems can cascade into operational-technology environments and force a full production shutdown, as happened at Mackay Sugar's mills.
Fix
Segment IT from operational-technology networks, keep offline tested backups, rehearse ransomware recovery for production systems, and pre-arrange incident-response and authority contacts before an attack hits.

Microsoft ships record 200-plus June patches, including three zero-days

Microsoft's June 2026 Patch Tuesday is the largest on record, fixing more than 200 vulnerabilities (independent counts put the total above 206), including three publicly disclosed zero-days that are not yet being exploited. The standout is CVE-2026-45586, a Windows CTFMON elevation-of-privilege flaw that grants SYSTEM access, which matches the GreenPlasma bug a researcher dropped in protest of Microsoft's bug-bounty handling; a BitLocker bypass called YellowKey was also fixed. The update includes 33 critical flaws, most of them remote code execution, hitting Remote Desktop, Hyper-V, Office, and cryptographic services. Microsoft flagged 15 issues as more likely to be exploited soon.

Check
Inventory Windows endpoints and servers against the June 2026 update level, and prioritize systems exposed to Remote Desktop, Hyper-V hosts, and anything processing untrusted Office documents.
Affected
Windows, Office, Remote Desktop Client, Hyper-V, Secure Boot, BitLocker, and Exchange. Three publicly disclosed zero-days (CVE-2026-45586, CVE-2026-50507, CVE-2026-49160) and 33 critical flaws, mostly remote code execution.
Fix
Test and deploy the June 2026 security updates promptly, prioritizing the publicly disclosed zero-days and critical RCE flaws. Where patching lags, restrict RDP exposure and segment Hyper-V hosts.

Unpatched Defender zero-day RoguePlanet gives SYSTEM on current Windows

Hours after Patch Tuesday, the researcher known as Nightmare Eclipse published a working exploit, dubbed RoguePlanet, for an unpatched Microsoft Defender flaw that opens a command prompt with full SYSTEM privileges on fully updated Windows 10 and 11. The bug is a race condition, so the exploit is hit or miss, but the researcher reports a 100 percent success rate on some machines. They posted the proof-of-concept on a self-hosted Git server after Microsoft had earlier taken down their GitHub and GitLab repositories. It is the latest in a string of Windows zero-days (BlueHammer, RedSun, YellowKey, GreenPlasma) the researcher has released in protest of Microsoft's disclosure practices.

Check
Confirm Microsoft Defender real-time and tamper protection are enabled and current on Windows 10 and 11 endpoints, and watch for unexpected SYSTEM-level command shells spawned from Defender processes.
Affected
Fully patched Windows 10 and Windows 11 systems, including current and Canary builds, running Microsoft Defender; a public proof-of-concept exists and no fix is available yet.
Fix
No patch exists yet; watch for a Microsoft advisory and apply it when released. Meanwhile, rely on EDR behavioral detection and least-privilege controls to limit privilege-escalation impact.

Google patches actively exploited Chrome V8 zero-day, fifth this year

Google has shipped an emergency Chrome fix for a zero-day in V8, the browser's JavaScript and WebAssembly engine, that attackers are already exploiting in the wild. The flaw (CVE-2026-11645, rated 8.8) is an out-of-bounds memory read and write that lets a malicious web page run code inside Chrome's sandbox, and can help defeat protections like ASLR to set up a fuller compromise. Google confirmed an exploit exists but withheld details until most users update. It is the fifth actively exploited Chrome zero-day of 2026. The fix is in Chrome 149.0.7827.102/103 for desktop; Chromium-based browsers like Edge and Brave need the same update.

Check
Check Chrome and Chromium-based browser versions across managed endpoints (chrome://version or MDM inventory) and confirm they are at or above the June 8 patched build.
Affected
Google Chrome desktop before 149.0.7827.102/103 on Windows, macOS, and Linux (CVE-2026-11645, a V8 out-of-bounds read/write), plus Chromium-based browsers such as Edge and Brave.
Fix
Update Chrome to 149.0.7827.102 or later and relaunch to apply it. Push the update through enterprise policy and patch all Chromium-based browsers in your fleet.