Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7

Exploited LiteSpeed cPanel plugin flaw lets hosting users gain root

CISA has added a LiteSpeed cPanel plugin flaw to its known-exploited list and given federal agencies until June 18 to patch. The bug (CVE-2026-54420, rated 8.5) lets a user who already has FTP or web-shell access on a shared hosting server escalate to root by abusing how the plugin follows symbolic links, on servers running CloudLinux or CageFS. On multi-tenant hosting that turns one compromised account into full control of the whole server and every site on it. Namecheap reported it after spotting suspicious activity, and LiteSpeed flagged active exploitation in early June. The fix is LiteSpeed WHM Plugin 5.3.2.1 with cPanel plugin 2.4.8.

Check
Identify shared-hosting servers running the LiteSpeed cPanel plugin on CloudLinux or CageFS, confirm the version, and review logs for unexpected privilege changes or suspicious command activity.
Affected
Shared hosting servers running the LiteSpeed cPanel user-end plugin before 2.4.8 on CloudLinux or CageFS (CVE-2026-54420); any account with FTP or web-shell access can escalate to root.
Fix
Upgrade to LiteSpeed WHM Plugin 5.3.2.1 (cPanel plugin 2.4.8) or later now. If you cannot patch immediately, remove the user-end plugin, then hunt for signs of prior root-level compromise.

Attackers now exploiting three critical FortiSandbox flaws, one with AI-built exploit

Threat-intelligence firm Defused reports that attackers are now exploiting three critical flaws in Fortinet's FortiSandbox, the appliance other Fortinet products rely on to judge whether files are malicious. Two (CVE-2026-39813, a JRPC API path traversal that bypasses authentication, and CVE-2026-39808, an unauthenticated command-injection that runs code as root) were patched in April; the third (CVE-2026-25089) only last week. All are unauthenticated and rated critical. Compromising a sandbox is especially dangerous because attackers can make it wave real malware through as clean. Notably, the exploit for one flaw appears to have been generated with AI and is likely faulty, yet attackers are trying it anyway.

Check
Identify FortiSandbox, FortiSandbox Cloud, and PaaS instances and their versions, confirm whether the web and JRPC API interfaces are reachable from untrusted networks, and review logs for unauthenticated command execution.
Affected
FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS that are unpatched against CVE-2026-39813, CVE-2026-39808, or CVE-2026-25089, especially instances exposed to untrusted networks; all three need no authentication.
Fix
Upgrade FortiSandbox to the fixed releases for all three CVEs immediately, restrict management and API interfaces to trusted networks, and treat any unpatched appliance as potentially compromised pending review.

Google Vertex AI SDK flaw let attackers hijack model uploads across tenants

Palo Alto's Unit 42 disclosed a flaw, nicknamed Pickle in the Middle, in Google Cloud's Vertex AI SDK for Python that let an attacker with no access to a victim's project hijack their machine-learning model uploads and run code across tenant boundaries. When a model was uploaded without a custom staging bucket, the SDK generated a predictable storage bucket name from the project ID and region and failed to verify ownership, so an attacker could pre-create that bucket, receive the victim's model, and swap in a malicious one that executes on deployment. Google fully fixed it in SDK version 1.148.0 in April; Unit 42 saw no exploitation in the wild.

Check
Check the google-cloud-aiplatform SDK version everywhere it runs, including notebooks, CI jobs, and training pipelines, and confirm whether model uploads relied on default, auto-generated staging buckets.
Affected
Google Cloud Vertex AI users on google-cloud-aiplatform SDK versions before 1.148.0 who uploaded models without specifying their own staging bucket; no CVE was assigned and no exploitation was observed.
Fix
Update the Vertex AI SDK to 1.148.0 or later so bucket-ownership checks are active, and always set an explicit staging bucket pointing to Cloud Storage you control when uploading models.

Cisco patches exploited SD-WAN Manager flaw that gives root access

Cisco has patched a flaw in Catalyst SD-WAN Manager (formerly vManage), the console used to manage thousands of SD-WAN devices, that attackers were already exploiting as a zero-day to gain root. The bug (CVE-2026-20262) stems from weak validation of file uploads in the web interface, letting an authenticated low-privilege remote attacker create or overwrite any file on the system by sending crafted HTTP requests, and from there run commands as root. It affects every deployment type, including on-premises, Cisco-managed cloud, and the FedRAMP government edition, regardless of configuration. It is the latest in a run of exploited Cisco SD-WAN Manager zero-days this year.

Check
Identify Catalyst SD-WAN Manager instances and versions, and before upgrading run the request admin-tech command on each control component to preserve evidence, then review file-upload and web UI logs.
Affected
Cisco Catalyst SD-WAN Manager (formerly vManage) across all deployment types, including on-premises, Cloud-Pro, Cisco-managed cloud, and the FedRAMP government edition (CVE-2026-20262), regardless of device configuration.
Fix
Upgrade to the fixed Catalyst SD-WAN Manager release now, restrict management-interface access to trusted administrators and networks, and audit for unauthorized files or configuration changes pushed to edge devices.

SimpleHelp flaw lets unauthenticated attackers create rogue admin technicians

A critical flaw in SimpleHelp, a remote support and management tool used by IT teams and managed service providers, lets an unauthenticated attacker create a privileged technician account and skip multi-factor authentication. The bug (CVE-2026-48558) only affects servers configured to use OpenID Connect (OIDC) single sign-on, including Azure AD, and stems from how the server validates identity assertions from the login provider. A rogue technician can then remote into managed machines and run scripts, giving attackers a foothold across every connected endpoint. Researchers found roughly 14,000 SimpleHelp servers exposed online, with about 7 percent using the vulnerable OIDC setup. The flaw affects versions 5.5.15 and earlier.

Check
Determine whether your SimpleHelp servers use OIDC single sign-on (generic or Azure AD) and are running 5.5.15 or earlier, then review the technician account list for unfamiliar or recently created accounts.
Affected
SimpleHelp servers version 5.5.15 and earlier and 6.0 pre-release builds configured for OpenID Connect authentication (CVE-2026-48558), especially those exposed to the internet with group-authenticated logins allowed.
Fix
Update SimpleHelp to the latest patched release immediately. Until then, restrict server access to trusted networks and remove any unrecognized technician accounts found during review.

One-click Microsoft 365 Copilot flaw could silently steal emails and codes

Researchers at Varonis disclosed SearchLeak, a flaw chain in Microsoft 365 Copilot Enterprise Search that let a single click on a legitimate microsoft.com link silently pull a victim's emails, calendar, and indexed files, including security and MFA codes, with no password or further interaction. It worked by smuggling instructions into the search URL's query parameter, which Copilot obeyed as commands, then exfiltrating the data through a Bing image request that bypassed content protections. Because the link used a real Microsoft domain, anti-phishing filters were unlikely to flag it. Microsoft assigned CVE-2026-42824, rated it critical, and fixed it on its backend, so no customer action is required.

Check
No patching is needed since Microsoft fixed this server-side; instead review what data Microsoft 365 Copilot can access and whether broad permissions would amplify a similar AI-assistant flaw.
Affected
Microsoft 365 Copilot Enterprise Search users were exposed (CVE-2026-42824) before Microsoft's server-side fix; the broader risk is any AI assistant that mixes untrusted input with access to internal data.
Fix
No customer action is required, as Microsoft has remediated the flaw. To reduce future AI-assistant risk, tighten Copilot data permissions, apply least privilege to identities, and monitor assistant activity.

Critical Splunk Enterprise flaw allows unauthenticated remote code execution

Splunk has patched a critical flaw in Splunk Enterprise that lets an unauthenticated attacker run code on the server, a serious risk given Splunk often sits at the heart of a company's security monitoring. The bug (CVE-2026-20253, rated 9.8) is in the PostgreSQL sidecar service added in Splunk 10, whose internal API has no authentication yet is reachable through the main web app's proxy. An attacker can write or overwrite files on the host and chain that into remote code execution. The sidecar is off by default on on-premises Windows but enabled out of the box on Splunk Enterprise running in AWS. Splunk Cloud is not affected.

Check
Check Splunk Enterprise versions and whether the PostgreSQL sidecar service is enabled, especially on AWS-hosted instances, and use watchTowr's detection tool to test for unauthenticated access to the API.
Affected
Splunk Enterprise 10 and later below versions 10.2.4 and 10.0.7 with the PostgreSQL sidecar service active (CVE-2026-20253); AWS-hosted instances are exposed by default. Splunk Cloud is unaffected.
Fix
Upgrade Splunk Enterprise to 10.2.4 or 10.0.7 or later immediately. Until patched, restrict network access to the web interface and sidecar endpoints, and disable the sidecar service if unused.

Decade-old phpBB auth bypass lets anyone become admin, then run code

A critical flaw in phpBB, the open-source forum software running on thousands of sites, lets an unauthenticated attacker obtain a valid login session as any user, including an administrator, with a single HTTP request. The bug (CVE-2026-48611, rated 9.4) works in the default configuration and traces back to code from 2014. An admin session gives full read, write, and delete access to the forum and, on the latest branch, opens a path to remote code execution and full server takeover. A second, lower-severity flaw affecting only OAuth-configured installs was also fixed. phpBB released version 3.3.17 to patch both.

Check
Identify phpBB installations and their versions, prioritizing internet-facing forums, and confirm whether any are running version 3.3.16 or earlier or the 4.0.0-a2 alpha.
Affected
phpBB forums version 3.3.16 and earlier and 4.0.0-a2 in the default database authentication mode (CVE-2026-48611); a second flaw (CVE-2026-48612) affects only OAuth-configured installs.
Fix
Upgrade to phpBB 3.3.17 immediately; there is no safe 4.x release yet, so 4.x users should move to the patched master branch. No configuration workaround fully closes the bypass.

LangGraph flaw chain exposes self-hosted AI agents to code execution

Check Point has disclosed three now-patched flaws in LangGraph, the popular LangChain framework for building AI agents, that can be chained for remote code execution on self-hosted servers. The chain combines an SQL injection (CVE-2025-67644) with an unsafe msgpack deserialization bug (CVE-2026-28277): an attacker who can reach the agent's stored-state endpoint plants a malicious checkpoint that runs code when loaded. A compromised LangGraph server exposes everything the agent can touch, including model API keys, customer data, and internal network access. It is only exploitable in self-hosted deployments using the SQLite or Redis checkpointer; LangChain's managed LangSmith platform is not affected.

Check
Identify self-hosted LangGraph deployments using the SQLite or Redis checkpointer, check whether the get_state_history endpoint is exposed without authentication, and confirm the framework version against the patched releases.
Affected
Self-hosted LangGraph servers using the SQLite or Redis checkpointer with user-controlled filter input (CVE-2025-67644, CVE-2026-28277, CVE-2026-27022). Managed LangSmith deployments are not affected.
Fix
Upgrade LangGraph to the patched versions, require authentication on self-hosted servers, avoid long-lived static secrets, segment the network, and treat AI agents as privileged identities with least-privilege access.

Oracle issues emergency PeopleSoft fix as exploited zero-day drives breaches

The ShinyHunters data-theft wave against Oracle PeopleSoft, covered yesterday, now has a confirmed root cause: a zero-day. Oracle has issued an out-of-band emergency mitigation for CVE-2026-35273, a critical flaw (rated 9.8) in PeopleSoft PeopleTools that lets an unauthenticated attacker run code on the server over HTTP, with no login required. Google's Mandiant says the bug was exploited from May 27 to June 9, before any advisory existed, and notified more than 100 affected organizations, 68 percent of them universities. The exposed component is the Environment Management Hub. Affected versions are PeopleTools 8.61 and 8.62; a full patch is still pending.

Check
Determine whether PeopleSoft PeopleTools 8.61 or 8.62 is in use and whether the Environment Management Hub is reachable externally, then review logs for the published attacker IPs and credential-spray activity.
Affected
Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62 with the Environment Management Hub exposed to untrusted networks (CVE-2026-35273); PeopleSoft Enterprise Applications customers may also be affected.
Fix
Apply Oracle's emergency mitigations from the June out-of-band alert immediately and restrict access to the Environment Management Hub, then watch for the full patch and assume compromise where exposed.