TODAY'S CALL
A perfect CVSS 10.0 just dropped for Azure HorizonDB. CVE-2026-48567 lets an unauthenticated attacker spoof credentials and escalate to full control over the network, no prior access needed. Nobody's exploiting it in the wild yet, but a 10.0 doesn't stay quiet for long. Patch this one first, then circle back for the rest.
DO FIRST
• Apply the latest Microsoft security update for Azure HorizonDB as soon as it is available (CVE-2026-48567)
• Apply the latest Microsoft security update for Copilot (CVE-2026-45497)
• Update Chrome to version 149.0.7827.53 or later (CVE-2026-11296)
• Remove or update the Hybrid Composer plugin immediately (CVE-2019-25738)
• Update SQLite to the version released on or after 2025-12-26 (CVE-2025-71316)
Clear the most in the fewest moves
2 updates close multiple CVEs at once. Each row is one maintenance decision.

ACTION | CVES | URGENCY | IMPACT
Update Chrome to version 149.0.7827.53 or later | 427 (2 critical) | Patch this week, internet-facing only | Browser relaunch
Remove or update the Hybrid Composer plugin immediately | 7 (2 critical) | Patch immediately, internet-facing only | —
TOP THREAT TODAY
An attacker can bypass authentication in Azure HorizonDB by spoofing credentials and escalate privileges, all over the network with no prior access required. CVSS 10.0 tells the whole story: unauthenticated, network-accessible, and full impact. No reports of wild exploitation yet, but a perfect 10 gets patched first, period.
Who's affected: Anyone running Azure HorizonDB instances
Patch immediately if internet-facing or otherwise exposed.
Apply the latest Microsoft security update for Azure HorizonDB as soon as it is available. Check the Azure portal for update status and restrict network access to HorizonDB endpoints until patched.
Exposure: Network-reachable systems
Sources: NVD · Ref 1
CVE-2026-45497 · CVSS 7.7 · HIGH
An authenticated user of Microsoft Copilot can inject commands and execute arbitrary code remotely. The attacker needs valid credentials first, which lowers the blast radius, but any compromised or malicious insider account could use this to run code on the backend. CVSS 7.7.
Affects: Teams using Microsoft Copilot services
Patch this week.
Apply the latest Microsoft security update for Copilot. Review Copilot access logs for unexpected command patterns while you wait for the patch to roll out.
Exposure: Network-reachable systems
Sources: NVD · Ref 1
CVE-2026-11296 · CVSS 7.5 · HIGH
A bug in Chrome's ImageCapture API lets an attacker who has already compromised the renderer process escalate privileges via a crafted HTML page. This is a sandbox escape scenario, but it requires the renderer to be compromised first, which significantly raises the bar. Chromium rates this low severity. CVSS 7.5.
Affects: Anyone managing Chrome or Chromium-based browser deployments (Edge, Brave, etc.) on desktops
Patch this week.
Update Chrome to version 149.0.7827.53 or later. If you manage Chromium-based browsers like Edge, watch for corresponding updates from those vendors.
Exposure: Internet-facing systems · Op impact: Browser relaunch
ONE UPDATE · 427 CVEs · 2 CRITICAL
Sources: NVD · Ref 1 · Ref 2
CVE-2019-25738 · CVSS 9.8 · CRITICAL
The Hybrid Composer plugin (version 1.4.6) for WordPress lets unauthenticated attackers change any WordPress option by hitting the admin-ajax.php endpoint. The practical attack is simple: enable user registration, set the default role to administrator, register an account, and take over the site. No login required. CVSS 9.8.
Affects: WordPress site owners and hosts running the Hybrid Composer plugin version 1.4.6 or earlier
Patch immediately for internet-facing systems.
Remove or update the Hybrid Composer plugin immediately. Audit your WordPress user list for rogue administrator accounts and check the 'anyone can register' and 'default role' settings under Settings > General.
Exposure: Internet-facing systems
ONE UPDATE · 7 CVEs · 2 CRITICAL
Sources: NVD · Ref 1 · Ref 2
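A defender's audit for the Hybrid Composer remediation steps above, added here as an example and not code from the digest or from the plugin's authors: it reads the two options the attack flips (users_can_register, default_role) and lists administrator accounts that are not on a baseline you supply. It assumes the default wp_ table prefix and runs against a constructed in-memory SQLite copy of the three relevant tables in place of the site's MySQL database.

```python
import re
import sqlite3

# Roles set to true in a PHP-serialized wp_capabilities value,
# e.g. a:1:{s:13:"administrator";b:1;} -> {"administrator"}
_CAP_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def parse_php_capabilities(serialized):
    """Role names granted in one wp_usermeta 'wp_capabilities' value."""
    return set(_CAP_RE.findall(serialized or ""))


def audit_wordpress(conn, known_admins):
    """Report the two options the attack flips plus any administrator
    account not in known_admins (the baseline list you maintain).
    Assumes the default 'wp_' table prefix."""
    opts = dict(conn.execute(
        "SELECT option_name, option_value FROM wp_options "
        "WHERE option_name IN ('users_can_register', 'default_role')"))
    rows = conn.execute(
        "SELECT u.user_login, m.meta_value FROM wp_users u "
        "JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities'")
    admins = {login for login, caps in rows
              if "administrator" in parse_php_capabilities(caps)}
    return {
        "open_registration": opts.get("users_can_register") == "1",
        "default_role_is_admin": opts.get("default_role") == "administrator",
        "rogue_admins": sorted(admins - set(known_admins)),
        "admin_count": len(admins),
    }


def constructed_snapshot():
    """In-memory stand-in for the WordPress tables (constructed sample data:
    a site already flipped to open registration with an extra admin)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_options VALUES ('users_can_register', '1');
        INSERT INTO wp_options VALUES ('default_role', 'administrator');
        INSERT INTO wp_users VALUES (1, 'siteowner');
        INSERT INTO wp_users VALUES (2, 'editor_jane');
        INSERT INTO wp_users VALUES (3, 'zx81_update');
        INSERT INTO wp_usermeta VALUES (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta VALUES (2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');
        INSERT INTO wp_usermeta VALUES (3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn
```

Point `audit_wordpress` at a real connection (any DB-API cursor with the same query support) and treat any True flag or non-empty rogue_admins list as a takeover indicator to investigate before re-enabling the site.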
CVE-2025-71316 · CVSS 9.8 · CRITICAL
The sqldiff.exe tool bundled with SQLite on Windows mishandles Unicode-to-ANSI conversion in command line arguments. An attacker can craft a command line string that tricks the -L option into loading an arbitrary DLL. Exploitation requires getting a user to run sqldiff with a malicious argument, so there's a user-interaction component here. CVSS 9.8.
Affects: Windows users and developers running SQLite's sqldiff.exe tool, especially in automated pipelines or scripts that process untrusted input
Patch this week.
Update SQLite to the version released on or after 2025-12-26. If you can't update immediately, stop using sqldiff.exe with untrusted input and remove it from any automated workflows.
Exposure: Network-reachable systems · Op impact: Endpoint reboot
Sources: NVD · Ref 1 · Ref 2
Community Signal Check
Cisco SD-WAN Manager zero-day exploited for root access, no patch yet (CVE-2026-20245)
Attackers are exploiting an unpatched privilege escalation bug in Cisco Catalyst SD-WAN Manager to get root. A low-privilege local user can upload crafted files and run arbitrary commands as root across all deployment types, including cloud and FedRAMP. No patch exists yet. Cisco says to upgrade to versions that fix CVE-2026-20182 as a workaround.
BleepingComputer · active_exploitation
Cisco Unified CM SSRF to root exploit code is public (CVE-2026-20230)
Public proof-of-concept code now exists for an unauthenticated file-write bug in Cisco Unified CM that chains to root. Version 14 users: update to 14SU6. Version 15 users: apply the interim COP patch now, because the full fix in 15SU5 won't ship until September.
TechTimes · vendor_advisory
Windows Netlogon RCE exploited against domain controllers (CVE-2026-41089)
Attackers are hitting domain controllers with CVE-2026-41089, a stack-based buffer overflow in Windows Netlogon that gives unauthenticated remote code execution. Microsoft patched this in May 2026, but exploitation has picked back up. If you skipped last month's cumulative update on your DCs, fix that today.
Help Net Security · active_exploitation
CISA KEV: Mirasvit Full Page Cache Warmer RCE exploited in the wild (CVE-2026-45247)
CISA added CVE-2026-45247 to the Known Exploited Vulnerabilities catalog on June 3. It's an unauthenticated deserialization bug in the Mirasvit Full Page Cache Warmer Magento extension that gives attackers remote code execution. If you run this plugin, patch or pull it now.
CISA · active_exploitation
SECURE BOOT · 19 days until Microsoft Secure Boot certificates begin expiring (June 24, 2026).
Also patched this window
Lower-priority items that cleared the enterprise filter. Scan for anything in your estate.
9.1 · CVE-2026-48579 · microsoft:exchange · Improper authorization in Microsoft Exchange Online allows an unauthorized attacker to disclose information over a network.
7.2 · CVE-2019-25737 · Live Chat Unlimited 2.8.3 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers…
8.1 · CVE-2025-59874 · identity:keycloak · HCL Hive Telco Observability is affected by a Required directives missing from the CSP issue is detected in keycloak…
7.8 · CVE-2026-11332 · A flaw was found in ansible-core.
7.8 · CVE-2026-20245 · browser:edge · A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated,…
7.0 · CVE-2026-50265 · A flaw was found in libinput.
9.9 · CVE-2026-43986 · Versions prior to 2.17.1 expose a public `/image/` route that resolves attacker-controlled entries…
9.1 · CVE-2026-50076 · Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0…
10.0 · CVE-2026-49777 · Improper Validation of Specified Quantity in Input vulnerability in ShapedPlugin, LLC Product Slider Pro…
7.6 · CVE-2026-41234 · Froxlor is open source server administration software.
Plus 5 more this window. See NVD for the full list.
Recent from the blog
Everything is critical, so nothing is critical
A third of last year's CVEs were rated High or Critical, but only a few percent ever get exploited. The severity score was never a risk sco…
Three CVEs keep getting called the Nx attack, and only one of them is this one
An 18-minute window on the VS Code marketplace ended with 3,800 of GitHub's own repositories copied. The interesting part isn't the speed.…
The patch triage meeting that ends with owners, not opinions
The short-list is built before anyone sits down. The meeting exists to put a name and a clock on each item, then end. Here's how to run it…
That's your patch day digest.
patchdayalert.com