Researchers at Calif.io disclosed Squidbleed, a Heartbleed-style memory-disclosure bug in the widely used Squid web proxy that exposes one user's cleartext HTTP traffic, including passwords, cookies, and session tokens, to anyone else allowed to use the same proxy. The flaw (CVE-2026-47729) is a heap over-read in Squid's decades-old FTP directory-listing parser, and it is reachable in the default configuration of every Squid version. Exploitation requires only proxy access: the attacker directs the proxy to an FTP server they control, and a malformed listing from that server triggers the over-read. Only cleartext HTTP and TLS-intercepting deployments are exposed; ordinary HTTPS CONNECT tunnels, which the proxy never decrypts, are not. A proof-of-concept is public.
Zafran Security disclosed four vulnerabilities, collectively named DifyTap, in Dify, a popular open-source platform for building AI agents and workflows. Two are critical, two require no authentication, and three allow cross-tenant access on Dify's multi-tenant cloud service, so one customer could quietly read another's private AI conversations and model responses, giving an attacker a covert exfiltration channel. The flaws include an authorization bypass that exposes any application's trace data (CVE-2026-41947), a path traversal into the internal Plugin Daemon API (CVE-2026-41948), and a file-preview authorization bypass (CVE-2026-41949). Most were fixed in Dify 1.14.2; the path-traversal flaw remains unpatched pending the next release.
FFmpeg has patched PixelSmash, a heap overflow in the MagicYUV video decoder of its libavcodec library that a crafted AVI, MKV, or MOV file can trigger, even during automated thumbnail generation or media scanning. The flaw (CVE-2026-8461) can crash applications or, where address-space randomization is disabled or bypassed, lead to remote code execution; researchers demonstrated full code execution on a Jellyfin media server. Because FFmpeg is embedded almost everywhere video is processed, the bug reaches many self-hosted tools, including Jellyfin, Kodi, Emby, Nextcloud, PhotoPrism, and OBS Studio. The fix shipped in FFmpeg 8.1.2, and several affected projects have updated or added mitigations.
The original 2011 Microsoft certificates that underpin UEFI Secure Boot begin expiring in late June 2026, and organizations that have not rolled out the replacement 2023 certificates face a gradual erosion of boot-level security rather than a sudden outage. Devices will keep starting normally, but once the old certificate authorities lapse they stop receiving Secure Boot updates for pre-boot components, leaving them more exposed to bootkits, and future bootloaders signed only with the 2023 keys will fail to verify on firmware that lacks them. Most consumer Windows PCs receive the 2023 certificates automatically through Windows Update, but Windows Server and many self-managed or older fleets need manual action. A second certificate, the one that signs the Windows bootloader, expires in October.
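The practical question for a fleet owner is whether the 2023 CAs are already in the firmware's db and KEK variables. The script below is an added example (not code from the source article or from Microsoft) that reads those variables through Linux efivarfs and classifies each 2011/2023 pair. It assumes the standard efivarfs layout (a 4-byte attribute header in front of the variable data), the well-known GUIDs for db and KEK, and the subject CN strings Microsoft documents for the 2011 and 2023 certificates; the status labels and the constructed sample blob are the example's own.

```python
"""Report which Microsoft Secure Boot CAs are installed in the UEFI db and
KEK variables. Added example; not code from the source article or Microsoft.
Assumes Linux efivarfs (4-byte attribute header before the variable data)."""
import os

EFIVARS = "/sys/firmware/efi/efivars"
# EFI_GLOBAL_VARIABLE_GUID (KEK) and EFI_IMAGE_SECURITY_DATABASE_GUID (db).
VAR_FILES = {
    "KEK": "KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c",
    "db": "db-d719b2cb-3d88-4b2d-9e7e-3e2fdd2ebf9b",
}

# Subject CN of each 2011 certificate and the 2023 certificate replacing it,
# as documented by Microsoft for the Secure Boot CA rollover.
CA_PAIRS = {
    "KEK": [("Microsoft Corporation KEK CA 2011",
             "Microsoft Corporation KEK 2K CA 2023")],
    "db": [("Microsoft Corporation UEFI CA 2011", "Microsoft UEFI CA 2023"),
           ("Microsoft Windows Production PCA 2011", "Windows UEFI CA 2023")],
}


def ca_status(var_bytes, old_cn, new_cn):
    """Classify one CA slot from the raw EFI_SIGNATURE_LIST bytes.
    DER stores these CNs as plain ASCII (PrintableString/UTF8String), so a
    byte search finds them; Microsoft's documented PowerShell check does the
    same on the output of Get-SecureBootUEFI."""
    has_old = old_cn.encode("ascii") in var_bytes
    has_new = new_cn.encode("ascii") in var_bytes
    if has_new:
        return "updated" if has_old else "2023-only"
    return "2011-only" if has_old else "missing"


def assess(var_contents):
    """var_contents maps 'KEK'/'db' to variable data (header stripped).
    Returns {2023 CN: status} for every tracked CA."""
    report = {}
    for var, pairs in CA_PAIRS.items():
        data = var_contents.get(var, b"")
        for old_cn, new_cn in pairs:
            report[new_cn] = ca_status(data, old_cn, new_cn)
    return report


def needs_action(report):
    """True when any 2023 CA is absent: the device will stop receiving
    signed pre-boot updates once the corresponding 2011 CA expires."""
    return any(s in ("2011-only", "missing") for s in report.values())


def read_efivar(name):
    """Read a UEFI variable via efivarfs; the first 4 bytes are attributes."""
    with open(os.path.join(EFIVARS, name), "rb") as f:
        return f.read()[4:]


# Constructed stand-in for a firmware that has not been updated: only the
# 2011 CNs appear (real variables carry full DER certificates around them).
SAMPLE_2011_ONLY = {
    "KEK": b"\x00" * 16 + b"Microsoft Corporation KEK CA 2011" + b"\x00" * 8,
    "db": (b"\x00" * 16 + b"Microsoft Corporation UEFI CA 2011" + b"\x00" * 8
           + b"Microsoft Windows Production PCA 2011"),
}


def main():
    try:
        contents = {var: read_efivar(fn) for var, fn in VAR_FILES.items()}
    except OSError as e:
        print(f"cannot read efivars ({e}); using constructed sample instead")
        contents = SAMPLE_2011_ONLY
    report = assess(contents)
    for cn, status in report.items():
        print(f"{status:10} {cn}")
    print("ACTION NEEDED" if needs_action(report) else "2023 CAs present")


if __name__ == "__main__":
    main()
```

Run it as root on a UEFI Linux host; on Windows the equivalent is Microsoft's own one-liner against `(Get-SecureBootUEFI db).bytes` and the KEK. A clean result only says the certificates are present; it does not prove the firmware will accept a KEK or db update, which is the step older self-managed fleets most often need help with.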
Attackers are mass-exploiting a flaw in Gravity SMTP, a WordPress email plugin installed on about 100,000 sites, to harvest credentials without any login. The bug (CVE-2026-4020) leaves a REST API endpoint with a permission check that always passes, so a single unauthenticated request returns a 365 KB system report containing API keys, secrets, and OAuth tokens for connected email services like Amazon SES, Mailjet, and Zoho, plus detailed software-stack information. Wordfence has blocked more than 17 million attempts, with activity spiking around June 6 and 7. A patch shipped in version 2.1.5, but updating does not revoke keys attackers may have already grabbed.
A critical Splunk Enterprise flaw disclosed earlier this month is now being exploited in the wild, and CISA has added it to its known-exploited list with a June 21 federal patch deadline. The bug (CVE-2026-20253, rated 9.8) is a missing-authentication issue in a PostgreSQL sidecar service: an unauthenticated, network-reachable attacker can create or truncate arbitrary files on the Splunk host, which can cascade into log corruption, broken monitoring, and remote code execution. Both Splunk and Resecurity have confirmed active exploitation, and a public proof-of-concept and Nuclei template exist. Because Splunk underpins many SOC and SIEM operations, a compromise can blind defenders.
Researchers at Paradigm Shift published usbliter8, a working exploit that runs unauthorized code inside the SecureROM of Apple's A12 and A13 chips, the boot code burned into the silicon of the iPhone XS through the iPhone 11, plus the S4 and S5 Apple Watch chips. Because the flaw lives in immutable ROM, no software update can fix it, so affected devices stay vulnerable for life. The catch is that it is not remote: an attacker needs physical possession of the device, must put it in DFU mode, and must connect it to a special USB board, after which the exploit runs in under two seconds. It is the successor to checkm8, the 2019 BootROM exploit for earlier chips.
F5 has issued out-of-band patches for two critical flaws in NGINX, the web server and reverse proxy that fronts a large share of the internet's sites. CVE-2026-42530 (a use-after-free in the HTTP/3 module) and CVE-2026-42055 (a heap overflow in the HTTP/2 proxy and gRPC modules), both rated 9.2, let a remote, unauthenticated attacker corrupt memory in an NGINX worker process, crashing it for a denial of service and, where address-space randomization is disabled or bypassed, potentially executing code. They affect only non-default configurations, across NGINX Open Source, NGINX Plus, NGINX Gateway Fabric, and NGINX Instance Manager, so operators should confirm whether HTTP/3, HTTP/2 proxying, or gRPC is enabled before assuming they are unaffected. F5 has not seen exploitation yet, but its products are frequent attacker targets.
Cisco has patched serious flaws in Identity Services Engine (ISE), the platform many organizations use to control who and what connects to their network. The most severe is a critical remote-code-execution bug that can give an attacker root-level control of the appliance. A second flaw, CVE-2026-20190, is an unauthenticated information-disclosure issue caused by weak authorization checks, letting a remote attacker pull sensitive data, including hashed credentials, that could fuel follow-on attacks and lateral movement. All versions of ISE and ISE-PIC are affected, though which flaws apply varies by release. Cisco has not reported active exploitation, but ISE sits at the heart of network access control.
A critical flaw in the Joomla Content Editor (JCE), one of the most widely used editor extensions for the Joomla CMS, is being actively exploited to take over websites. The bug (CVE-2026-48907, rated a perfect 10) is an access-control failure that lets an unauthenticated attacker create editor profiles and then upload and run arbitrary PHP code, leading to full server compromise. CISA added it to its known-exploited list and ordered federal agencies to patch by June 19. Working exploit code is public and attacks are automated, so even sites with no public registration are at risk. Patching closes the hole but does not remove anything attackers already planted.