Introduction

This vulnerability report has been generated with the help of AI, using the VulnMCP tooling on top of Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently sighted vulnerabilities for June 2026, based on data aggregated from Vulnerability-Lookup, the CISA Known Exploited Vulnerabilities catalog, the CIRCL KEV catalog, the ENISA EUVD feed, honeypot observations from The Shadowserver Foundation, and contributor comments and bundles. Sightings come from MISP, Exploit-DB, Bluesky, Mastodon, Telegram, GitHub Gists, Nuclei, SPLOITUS, Metasploit, and more. For further details, please visit this page.

New in this report: the Shadowserver KEV catalog, built from honeypot-observed exploitation attempts, makes its first appearance in our monthly reports. A big thank you to The Shadowserver Foundation for making this data available to the community.

June’s threat landscape was dominated by actively exploited flaws in enterprise infrastructure: remote-access and management software, network appliances, and identity-adjacent services. Nine of the ten most sighted vulnerabilities of the month are listed in the CISA KEV catalog (eight of them added during June), a strong signal that sighting activity closely tracked in-the-wild exploitation.

The Month at a Glance

7,454 CVEs were published in June 2026 (from the CVE List v5 source alone), up from 6,953 in May – a 14.5% month-over-month increase and the highest monthly volume of the year so far. On top of that, Vulnerability-Lookup ingested 7,315 GitHub security advisories and 745 PySec advisories over the same period.

Image

Vulnerability-Lookup collected 27,251 sightings during June 2026, including 18,123 “seen” observations, 8,542 exploitation-related sightings, and 71 “confirmed” sightings (mostly newly published Nuclei detection templates). No “patched” or “proof of concept” type sightings were recorded this month. Across the monitored KEV catalogs, 23 entries were added by CISA, 4 by CIRCL, 1 was reported through the ENISA / EU CSIRTs Network feed, and 6 new vulnerabilities appeared in The Shadowserver Foundation’s honeypot-observed exploitation feed.

The most sighted vulnerability of the month was CVE-2026-35273, a missing-authentication flaw in Oracle PeopleSoft Enterprise PeopleTools (Updates Environment Management), added to the CISA KEV catalog on June 12 with known ransomware campaign use – the only entry of the month with that flag.

Cisco had a particularly rough month, with three KEV-listed issues: an unauthenticated SSRF in Unified Communications Manager (CVE-2026-20230), a privilege escalation in Catalyst SD-WAN Controller (CVE-2026-20245) and a path traversal in Catalyst SD-WAN Manager (CVE-2026-20262) – the SD-WAN line remaining a target for the second month in a row after May’s Emergency-Directive flaw. Remote-access and remote-management tooling was the other clear cluster: unauthenticated root-level command injection in Ivanti Sentry (CVE-2026-10520, also observed against Shadowserver honeypots), an OIDC authentication bypass in SimpleHelp (CVE-2026-48558), an IKEv1 authentication bypass in Check Point Security Gateway (CVE-2026-50751, confirmed exploited by Check Point), and a pre-authentication RCE in BeyondTrust Remote Support / Privileged Remote Access (CVE-2026-1731) reported by NCSC-FI through the ENISA CNW feed.

Other notable KEV additions include a trio of Ubiquiti UniFi OS flaws (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910) added the same day, an unauthenticated arbitrary file creation/truncation in Splunk Enterprise via a PostgreSQL sidecar endpoint (CVE-2026-20253), and – for the second month running – an AI-stack entry, with a command injection in BerriAI LiteLLM (CVE-2026-42271) following May’s LiteLLM SQL injection. On the client side, both Google Chrome (V8) (CVE-2026-11645) and Android Framework (CVE-2025-48595) were KEV-listed and appeared in the top 10. The high-sighting Windows Netlogon stack-based buffer overflow (CVE-2026-41089) rounded out the picture, and CISA also re-anchored legacy issues – the Linux kernel cgroups v1 container-escape CVE-2022-0492 and Oracle WebLogic CVE-2024-21182 – while Shadowserver honeypots still registered attacks against the 2017 HP iLO 4 authentication bypass (CVE-2017-12542).

Across the month’s KEV additions, the dominant weakness patterns were missing authentication for critical functions (CWE-306: PeopleSoft, Splunk), authentication bypass and improper authentication (CWE-287/CWE-294: SimpleHelp, Check Point, PAN-OS GlobalProtect), OS command and code injection (CWE-77/78/94: Ivanti Sentry, Lantronix EDS5000, LiteLLM), path traversal (CWE-22: Ubiquiti UniFi OS, Cisco SD-WAN Manager, FortiSandbox), server-side request forgery (CWE-918: Cisco Unified CM), and memory corruption in widely deployed client software (CWE-787/CWE-190: Windows Netlogon, Chrome V8, Android Framework). In overall published volume, cross-site scripting (CWE-79) and SQL injection (CWE-89) once again topped the monthly CWE ranking (see the Top 10 Weaknesses chart below).

Top 10 Vendors of the Month

Image

Top 10 Assigners of the Month

Image

Top 10 Vulnerabilities of the Month

Vulnerability Sighting Count Vendor Product VLAI Severity
CVE-2026-35273 192 Oracle PeopleSoft Enterprise PeopleTools Critical (confidence: 0.9967)
CVE-2026-20245 183 Cisco Catalyst SD-WAN Controller High (confidence: 0.9894)
CVE-2026-50751 139 Check Point Quantum Security Gateway Critical (confidence: 0.7947)
CVE-2026-20230 138 Cisco Unified Communications Manager High (confidence: 0.6151)
CVE-2026-0257 125 Palo Alto Networks PAN-OS (GlobalProtect) Medium (confidence: 0.9371)
CVE-2026-20253 119 Splunk Splunk Enterprise Critical (confidence: 0.9624)
CVE-2026-41089 101 Microsoft Windows (Netlogon) Critical (confidence: 0.9326)
CVE-2026-10520 100 Ivanti Sentry Critical (confidence: 0.9849)
CVE-2025-48595 97 Google Android (Framework) High (confidence: 0.9277)
CVE-2026-11645 91 Google Chrome (V8) High (confidence: 0.9938)

Known Exploited Vulnerabilities

New entries have been added to the major Known Exploited Vulnerabilities catalogs during June.

Catalog coverage

30 distinct vulnerabilities entered at least one of the tracked KEV catalogs during June. The matrix below shows, for each of them, which catalogs cover it (as of publication) – built with the new KEV catalog coverage feature of Vulnerability-Lookup. The KEVIntel catalog, the highest-volume of the tracked feeds with 335 new entries in June alone, covers 28 of the 30; conversely, two entries (HP iLO 4 and the MeiG router) are visible only through Shadowserver’s honeypots, and the Ivanti Sentry command injection is the only vulnerability of the month present in four catalogs at once.

Vulnerability First added CISA CIRCL ENISA KEVIntel Shadowserver
CVE-2017-12542 2026-06-30
CVE-2026-48558 2026-06-29
CVE-2026-20230 2026-06-25
CVE-2026-12569 2026-06-25
CVE-2026-34910 2026-06-23
CVE-2026-34909 2026-06-23
CVE-2026-34908 2026-06-23
CVE-2025-67038 2026-06-23
CVE-2026-39813 2026-06-22
CVE-2026-36356 2026-06-21
CVE-2026-20253 2026-06-18
CVE-2026-48907 2026-06-16
CVE-2026-54420 2026-06-15
CVE-2026-20262 2026-06-15
CVE-2026-35273 2026-06-12
CVE-2026-10520 2026-06-10
CVE-2026-7473 2026-06-09
CVE-2026-20245 2026-06-09
CVE-2026-11645 2026-06-09
CVE-2026-50751 2026-06-08
CVE-2026-42271 2026-06-08
CVE-2026-24423 2026-06-08
CVE-2024-8522 2026-06-08
CVE-2025-34033 2026-06-07
CVE-2026-28318 2026-06-05
CVE-2026-1731 2026-06-04
CVE-2026-45247 2026-06-03
CVE-2025-48595 2026-06-02
CVE-2022-0492 2026-06-02
CVE-2024-21182 2026-06-01

CISA

The CISA KEV catalog added 23 entries in June. The Oracle PeopleSoft entry is flagged with known ransomware campaign use.

CVE ID Date Added Vendor Product VLAI Severity
CVE-2026-48558 2026-06-29 SimpleHelp SimpleHelp Critical (confidence: 0.9723)
CVE-2026-12569 2026-06-25 PTC Windchill and FlexPLM Critical (confidence: 0.9946)
CVE-2026-20230 2026-06-25 Cisco Unified Communications Manager High (confidence: 0.6151)
CVE-2025-67038 2026-06-23 Lantronix EDS5000 Critical (confidence: 0.9956)
CVE-2026-34908 2026-06-23 Ubiquiti UniFi OS Critical (confidence: 0.9784)
CVE-2026-34909 2026-06-23 Ubiquiti UniFi OS Critical (confidence: 0.9783)
CVE-2026-34910 2026-06-23 Ubiquiti UniFi OS Critical (confidence: 0.9642)
CVE-2026-20253 2026-06-18 Splunk Splunk Enterprise Critical (confidence: 0.9624)
CVE-2026-48907 2026-06-16 Widget Factory Joomla Content Editor (JCE) Critical (confidence: 0.993)
CVE-2026-54420 2026-06-15 LiteSpeed cPanel Plugin High (confidence: 0.9896)
CVE-2026-20262 2026-06-15 Cisco Catalyst SD-WAN Manager Medium (confidence: 0.7478)
CVE-2026-35273 2026-06-12 Oracle PeopleSoft Enterprise PeopleTools Critical (confidence: 0.9967)
CVE-2026-10520 2026-06-11 Ivanti Sentry Critical (confidence: 0.9849)
CVE-2026-20245 2026-06-09 Cisco Catalyst SD-WAN Controller High (confidence: 0.9894)
CVE-2026-7473 2026-06-09 Arista Extensible Operating System (EOS) Medium (confidence: 0.5082)
CVE-2026-11645 2026-06-09 Google Chromium V8 High (confidence: 0.9938)
CVE-2026-42271 2026-06-08 BerriAI LiteLLM High (confidence: 0.6121)
CVE-2026-50751 2026-06-08 Check Point Security Gateway Critical (confidence: 0.7947)
CVE-2026-28318 2026-06-05 SolarWinds Serv-U High (confidence: 0.9813)
CVE-2026-45247 2026-06-03 Mirasvit Full Page Cache Warmer (Magento 2) Critical (confidence: 0.9944)
CVE-2025-48595 2026-06-02 Google Android Framework High (confidence: 0.9277)
CVE-2022-0492 2026-06-02 Linux Kernel (cgroups v1) High (confidence: 0.9381)
CVE-2024-21182 2026-06-01 Oracle WebLogic Server High (confidence: 0.9972)

More KEV entries from the CISA Catalog.

CIRCL

The CIRCL KEV catalog added 4 entries during June. The Check Point IKEv1 authentication bypass was confirmed on the basis of Check Point’s own report of active exploitation in the wild; the Cisco SD-WAN and Ivanti Sentry entries are marked as suspected exploitation.

CVE ID Date Added Vendor Product VLAI Severity
CVE-2026-20245 2026-06-25 Cisco Catalyst SD-WAN Controller High (confidence: 0.9894)
CVE-2026-39813 2026-06-22 Fortinet FortiSandbox Critical (confidence: 0.8265)
CVE-2026-10520 2026-06-12 Ivanti Sentry Critical (confidence: 0.9849)
CVE-2026-50751 2026-06-08 Check Point Quantum Security Gateway Critical (confidence: 0.7947)

More KEV entries from the CIRCL Catalog.

ENISA (EUVD)

A single new entry was reported through the ENISA / EU CSIRTs Network (CNW) KEV feed during June: a critical pre-authentication remote code execution in BeyondTrust Remote Support and Privileged Remote Access, reported by NCSC-FI.

CVE ID Date Reported Vendor Product VLAI Severity
CVE-2026-1731 2026-06-04 BeyondTrust Remote Support (RS) / Privileged Remote Access (PRA) Critical (confidence: 0.9813)

More KEV entries from the ENISA Catalog.

The Shadowserver Foundation

The Shadowserver KEV catalog is fed by honeypot-observed exploitation attempts. 6 vulnerabilities were observed for the first time during June, two of which are also in the CISA KEV catalog. Notably, the 2017 HP iLO 4 authentication bypass was still drawing attack traffic at the very end of the month.

CVE ID First Seen Vendor Product Severity (Shadowserver)
CVE-2017-12542 2026-06-30 HP HP iLO 4 Critical (CVSS 10.0)
CVE-2026-36356 2026-06-21 MeiG Smart FORGE_SLT711 Critical (CVSS 9.1)
CVE-2026-10520 2026-06-10 Ivanti Sentry Critical (CVSS 10.0)
CVE-2026-24423 2026-06-08 SmarterTools SmarterMail Critical (CVSS 9.8)
CVE-2024-8522 2026-06-08 WordPress LearnPress plugin High (CVSS 7.5)
CVE-2025-34033 2026-06-07 5VTechnologies Blue Angel Software Suite

More KEV entries from the Shadowserver Catalog.

Top 10 Weaknesses of the Month

Image

Insights from Contributors

Community contributions in June ranged from data-quality improvements to supply-chain research:

Contributors also curated vendor advisories into bundles during June:

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
github.com/vulnerability-lookup/…/issues/

Funding

Image

The main objective of Federated European Team for Threat Analysis (FETTA) is improvement of Cyber Threat Intelligence (CTI) products available to the public and private sector in Poland, Luxembourg, and the European Union as a whole.
Developing actionable CTI products (reports, indicators, etc) is a complex task and requires an in-depth understanding of the threat landscape and the ability to analyse and interpret large amounts of data. Many SOCs and CSIRTs build their capabilities in this area independently, leading to a fragmented approach and duplication of work.

The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. The organization brings to the table its extensive experience in cybersecurity incident management, threat intelligence, and proactive response strategies. With a strong background in developing innovative open source cybersecurity tools and solutions, CIRCL’s contribution to the FETTA project is instrumental in achieving enhanced collaboration and intelligence sharing across Europe.

Press release