Last updated: July 6, 2026 at 12:53 AM UTC
All 559 Vulnerability 199 Breach 107 Threat 246 Defense 7

Google June Android update fixes 124 flaws including exploited Framework zero-day CVE-2025-48595 - also added to CISA KEV same day

Google has released the June 2026 Android security patches addressing 124 vulnerabilities, including CVE-2025-48595, a high-severity Android Framework flaw under limited, targeted exploitation. Local attackers can abuse it to gain code execution and escalate privileges on Android 14 or later. Google fixed 18 critical vulnerabilities this cycle across System, Framework, and Qualcomm closed-source components; the most severe is a critical Framework flaw enabling remote privilege escalation with no user interaction. Two patch levels shipped (2026-06-01 and 2026-06-05). CISA added CVE-2025-48595 to its KEV catalog the same day. Pixel devices get updates immediately; other vendors typically lag. Similar Android Framework flaws have historically been abused by commercial spyware.

Check
Inventory Android fleet by version and patch level. Confirm devices show the 2026-06-05 patch level. Prioritize Android 14+ devices for CVE-2025-48595; push updates via MDM where possible.
Affected
Android 14 and later unpatched against the June 2026 update. CVE-2025-48595 is under limited targeted exploitation; high-interest individuals face the greatest risk from likely-spyware abuse.
Fix
Apply the June 2026 Android update (2026-06-05 patch level). Non-Pixel users: pressure OEMs for timely rollout. FCEB agencies must remediate CVE-2025-48595 per CISA KEV deadline.

Critical Kirki WordPress flaw CVE-2026-8206 exploited to hijack admin accounts via password-reset redirect - 500,000 installs, 222+ attacks blocked

Hackers are exploiting CVE-2026-8206, a critical privilege-escalation flaw in the Kirki - Freeform Page Builder WordPress plugin, to take over any account including administrators. Defiant's Wordfence blocked over 222 attempts against customers in 24 hours. The plugin is active on more than 500,000 sites; the bug was introduced in version 6.0.0 and affects up to 6.0.6 (nearly 40% of the userbase). It stems from a custom REST password-reset endpoint that accepts an arbitrary email: when a username is supplied, the plugin sends a valid reset link to the attacker-controlled address instead of the owner's. The vendor fixed it in 6.0.7 on May 18; admins should upgrade or disable immediately.

Check
Inventory WordPress sites for the Kirki plugin and confirm version. Audit user accounts and password-reset logs for reset links sent to unfamiliar email addresses since version 6.0.0 deployment.
Affected
Kirki - Freeform Page Builder versions 6.0.0 through 6.0.6 (nearly 40% of 500,000+ installs). The REST password-reset endpoint sends valid reset links to attacker-supplied email addresses for any user.
Fix
Upgrade Kirki to 6.0.7 or disable the plugin immediately. Remove unauthorized admin accounts, rotate all admin credentials, and audit for web shells, malicious plugins, and backdoors.

HP Poly VVX VoIP phones: unauthenticated root RCE CVE-2026-0826 via oversized ICE candidate in SIP INVITE, patches available

Rapid7 has disclosed CVE-2026-0826, a critical unauthenticated stack-based buffer overflow in HP Poly VoIP phones that gives a remote attacker root-level code execution. Discovered during zero-day research against a Poly VVX 450, the flaw sits in SDP parsing for ICE-enabled phones: the device copies a candidate attribute into a 256-byte stack buffer without a length check, so an oversized ICE candidate in a crafted SIP INVITE overflows the stack and can overwrite the program counter. NX is enabled but ASLR misbehaves, loading shared libraries at fixed addresses that make a ROP chain practical. An attacker needs no authentication. Patches are available for affected models.

Check
Inventory HP Poly VoIP phones (VVX and ICE-enabled models) by firmware. Confirm SIP/VoIP interfaces are not reachable from untrusted networks. Apply the CVE-2026-0826 patch for affected models.
Affected
HP Poly VoIP phones (VVX 450 confirmed) with ICE enabled. An unauthenticated SIP INVITE carrying an oversized ICE candidate triggers a root-level stack overflow; fixed-address libraries make ROP practical.
Fix
Apply Rapid7-referenced patches immediately. Place VoIP phones on a dedicated VLAN with strict ACLs. Block SIP from untrusted networks and monitor for malformed INVITE traffic.

CISA adds 4-year-old Linux kernel cgroups container-escape CVE-2022-0492 to KEV after active exploitation evidence

CISA has added CVE-2022-0492 to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. The four-year-old Linux kernel flaw is an improper-authentication issue in the cgroups v1 release_agent feature that can be abused for container escape and privilege escalation to root on the host. It is well known among container-security researchers as a path to breaking out of misconfigured containers lacking AppArmor/SELinux or seccomp restrictions. Its appearance on KEV signals active in-the-wild abuse, likely in cloud and container environments. FCEB agencies must remediate by the BOD 22-01 deadline; all organizations running container workloads on older kernels should patch and verify hardening immediately.

Check
Inventory container hosts running kernels unpatched against CVE-2022-0492. Check for containers running without AppArmor/SELinux or seccomp confinement, which makes the release_agent escape exploitable.
Affected
Linux hosts on older kernels with the cgroups v1 release_agent flaw, especially containers lacking AppArmor/SELinux or seccomp restrictions. Active exploitation now confirmed via CISA KEV listing.
Fix
Patch host kernels. Enforce seccomp and AppArmor/SELinux on all containers. Drop CAP_SYS_ADMIN where unneeded. FCEB agencies must remediate by the CISA KEV deadline.

Critical Windows Netlogon RCE CVE-2026-41089 now exploited - unauthenticated code execution on domain controllers, all Server versions, CCB Belgium warns

The Centre for Cybersecurity Belgium (CCB) has warned that threat actors are now exploiting CVE-2026-41089, a critical Windows Netlogon vulnerability that Microsoft patched during the May 2026 Patch Tuesday. Netlogon is a core Windows Server RPC service that authenticates users and services on domain-based networks. The flaw is a stack-based buffer overflow that lets an unauthenticated attacker send a specially crafted network request to a domain controller and gain remote code execution without signing in or any prior access. It impacts all currently supported Windows Server versions, including the latest release. Because domain controllers are high-value targets, successful exploitation can lead to full domain compromise.

Check
Inventory all domain controllers and confirm the May 2026 Patch Tuesday update (CVE-2026-41089) is applied. Review Netlogon RPC traffic and DC event logs for anomalous unauthenticated requests.
Affected
All currently supported Windows Server versions acting as domain controllers, unpatched against the May 2026 fix. Unauthenticated attackers can gain RCE on a DC, enabling full domain compromise.
Fix
Apply the May 2026 Patch Tuesday update to every domain controller immediately. Restrict Netlogon RPC exposure to trusted networks. Monitor for post-exploitation lateral movement from DCs.

CISA adds Oracle WebLogic Server CVE-2024-21182 to KEV after active exploitation evidence - FCEB patch deadline set

CISA has added CVE-2024-21182, an unspecified vulnerability in Oracle WebLogic Server, to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. WebLogic is a widely deployed Java EE application server that frequently sits on internet-facing infrastructure, making it a recurring target for initial access and cryptomining campaigns. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies must remediate KEV-listed flaws by the assigned deadline, and CISA urges all organizations to prioritize patching. Oracle addressed the flaw in a prior Critical Patch Update; organizations running unpatched WebLogic instances should apply the relevant CPU and audit for signs of exploitation immediately.

Check
Inventory Oracle WebLogic Server instances, especially internet-facing ones, and confirm the relevant Oracle Critical Patch Update addressing CVE-2024-21182 is applied. Audit logs for exploitation indicators.
Affected
Oracle WebLogic Server instances unpatched against CVE-2024-21182. Internet-facing deployments are at highest risk; WebLogic is a recurring target for initial access and cryptomining.
Fix
Apply the relevant Oracle Critical Patch Update immediately. FCEB agencies must remediate by the CISA KEV deadline. Remove WebLogic admin consoles from public internet exposure.

WP Maps Pro CVE-2026-8732 actively exploited to create unauthenticated admin accounts on WordPress sites - 'temporary access' AJAX endpoint flaw

Hackers are actively exploiting CVE-2026-8732, a critical unauthenticated flaw in the WP Maps Pro WordPress plugin that lets attackers create rogue administrator accounts. The plugin, a premium interactive-map and store-locator tool with over 15,800 sales on Envato Market, is affected in versions 6.1.0 and older. The flaw stems from a 'temporary access' feature meant to let vendor support staff troubleshoot customer sites: the AJAX endpoint was reachable by unauthenticated users and relied only on a nonce exposed in frontend JavaScript. A crafted request creates a new administrator user, generates a passwordless login URL, and sends it to a remote system. Researcher David Brown reported it.

Check
Inventory WordPress sites for the WP Maps Pro plugin and confirm version. Audit the WordPress users table for unexpected administrator accounts created recently. Review AJAX endpoint access logs.
Affected
WP Maps Pro versions 6.1.0 and older on WordPress. The unauthenticated AJAX 'temporary access' endpoint lets anyone create an admin account and receive a passwordless login URL.
Fix
Update WP Maps Pro to the patched version immediately. Remove any unauthorized administrator accounts. Rotate all admin credentials and audit for backdoors, web shells, or plugin/theme tampering.

CIFSwitch Linux LPE: forged cifs.spnego key descriptions trick cifs.upcall into running as root - cifs-utils 6.14+ across multiple distros

SpaceX security engineer Asim Manizada has disclosed CIFSwitch, a Linux kernel local privilege escalation in the CIFS subsystem that lets an unprivileged user forge cifs.spnego key descriptions and trick the kernel's key-request mechanism into running cifs.upcall as root. CIFS (Common Internet File System) mounts and accesses files across a network; when a share uses Kerberos, the kernel asks the user-space cifs-utils helper to authenticate. The CIFS subsystem fails to verify that cifs.spnego key requests originate from the kernel's CIFS client, so a local attacker can supply a forged key and gain root. It affects cifs-utils 6.14 and higher, plus some older variants, across multiple distributions.

Check
Inventory Linux hosts with cifs-utils 6.14+ that mount Kerberos-authenticated CIFS shares. Identify multi-user systems where untrusted local users have shell access. Check distribution advisories for patched cifs-utils.
Affected
Linux distributions shipping cifs-utils 6.14 and higher (some older variants also affected) where the kernel CIFS subsystem fails to verify cifs.spnego key-request origin. Local shell access required.
Fix
Apply distribution kernel and cifs-utils updates as they ship. Where patches lag, restrict local user access on systems mounting Kerberos CIFS shares. Monitor request-key and cifs.upcall invocations.

Palo Alto PAN-OS GlobalProtect authentication bypass CVE-2026-0257 actively exploited since May 17, added to CISA KEV - patch urgently

Palo Alto Networks has confirmed that CVE-2026-0257 (CVSS 7.8), a GlobalProtect authentication-bypass flaw in PAN-OS and Prisma Access, is under active exploitation. The flaw lets attackers bypass authentication and establish an unauthorized VPN connection; it affects firewalls with a GlobalProtect portal or gateway when authentication-override cookies are enabled and a specific certificate configuration exists. Rapid7 identified successful exploitation across numerous customers dating back to May 17, with a second wave on May 21, attributed to the same threat actor; in two cases the attacker received a VPN IP and reached the internal network. CISA added the CVE to its KEV catalog on May 29.

Check
Inventory PAN-OS and Prisma Access firewalls with GlobalProtect portal/gateway configured. Check whether authentication-override cookies are enabled. Review VPN logs for unauthorized sessions since May 17.
Affected
PAN-OS firewalls with GlobalProtect portal or gateway when authentication-override cookies are enabled and a specific certificate configuration exists. Exploitation confirmed across numerous Rapid7 customers since May 17.
Fix
Apply the Palo Alto patch urgently. Temporary mitigation: disable the authentication-override feature or generate a dedicated certificate for it. FCEB agencies must remediate per CISA KEV deadline.

ChatGPhish: ChatGPT auto-renders attacker Markdown links, images, and QR codes from summarized web pages as trusted clickable phishing

Permiso Security has disclosed ChatGPhish, a vulnerability in OpenAI ChatGPT that abuses the assistant's implicit trust in Markdown links and images sourced from third-party pages it has just summarized. The chatgpt.com response renderer auto-fetches those images and surfaces the links as live clickable elements inside the trusted assistant UI. An attacker who appends a small payload to any web page a victim later asks ChatGPT to summarize can leak the victim's IP, User-Agent, and Referer via attacker-hosted images, render fake system-style security alerts, plant malicious clickable links, and serve a QR code from an S3 bucket to bypass desktop URL filters via the victim's phone.

Check
Warn staff that ChatGPT summaries of untrusted pages can render attacker links, fake alerts, and QR codes. Treat clickable elements in AI summaries with the same caution as email links.
Affected
Any organization using ChatGPT for research or summarization of third-party web content. The trusted-UI rendering of attacker Markdown bypasses normal phishing-awareness instincts and desktop URL filters.
Fix
Apply OpenAI's fix once available. Train users not to scan QR codes or click links surfaced inside AI summaries without verification. Restrict enterprise ChatGPT connectors that auto-summarize untrusted URLs.