TODAY'S CALL
Five patches today, nothing exploited in the wild yet, but one deserves your full attention right now. MariaDB with Galera replication has a CVSS 10.0 unauthenticated RCE: if you have `wsrep_notify_cmd` enabled, an attacker controlling a joiner node name can inject shell commands straight into the server. Chrome on macOS and MongoDB also picked up 8.8-rated use-after-free bugs worth patching this cycle.
DO FIRST
• Update 389-ds-base to the latest patched version from your distro's repos (CVE-2026-11774)
• Apply the latest firmware update from IEI Integration Corp (CVE-2026-11845)
• Upgrade to MariaDB 10.6.27, 10.11.18, 11.4.12, 11.8.8, or 12.3.2 (CVE-2026-49261)
• Update Chrome to 149.0.7827.115 or later on all managed macOS endpoints (CVE-2026-12020)
• Upgrade MongoDB Server to the latest patched version (CVE-2026-11933)

Clear the most in the fewest moves
2 updates close multiple CVEs at once. Each row is one maintenance decision.

ACTION | CVEs | URGENCY | IMPACT
Update Chrome to 149.0.7827.115 or later on all managed macOS endpoints | 29 | Patch within 24 hours, internet-facing only | Browser relaunch
Apply the latest firmware update from IEI Integration Corp | 5 | Patch this week, internet-facing only | Endpoint reboot

TOP THREAT TODAY
CVE-2026-11774
An integer overflow in the SASL I/O layer of 389 Directory Server lets an attacker bypass the max packet size check and smash the heap with about 2 MB of controlled data. The catch: the attacker needs a successful SASL bind first (SSF > 0), so they need valid credentials. In FreeIPA or Red Hat IdM environments, that bar is low: any domain user, enrolled host, or service account with a Kerberos ticket can trigger this remotely for a crash or potential code execution.
Who's affected: Anyone running 389 Directory Server (389-ds-base), especially FreeIPA or Red Hat Identity Management deployments
Patch within 24 hours for internet-facing systems.
Update 389-ds-base to the latest patched version from your distro's repos. If you can't patch immediately, audit which principals have SASL bind access and monitor for abnormally large SASL packets.
Exposure: Internet-facing systems
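One way to do the "audit which principals have SASL bind access" half of the stopgap above, added here as an example rather than 389-ds project code: it walks access-log lines and lists the principals that complete a SASL bind, with the mechanism each used. The log lines are constructed to follow the 389-ds access log field names; packet sizes do not appear in this log, so the size-monitoring half of the mitigation is not covered here.

```python
import re
from collections import defaultdict

# Field names follow the 389-ds access log; the sample lines below are constructed.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=sasl .*?mech=(\S+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)(?:.* dn="([^"]*)")?')

def sasl_bind_inventory(lines):
    """Return {principal_dn: {mechs}} for SASL binds that completed with err=0.
    Multi-step mechanisms such as GSSAPI log err=14 (SASL bind in progress)
    for each intermediate step and continue as a new op on the same
    connection, so intermediate results are discarded. The mapped DN on the
    RESULT line is preferred because the BIND line's dn is usually empty."""
    pending = {}                      # (conn, op) -> (bind_dn, mech)
    inventory = defaultdict(set)
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            conn, op, dn, mech = m.groups()
            pending[(conn, op)] = (dn, mech)
            continue
        m = RESULT_RE.search(line)
        if not m or (m.group(1), m.group(2)) not in pending:
            continue                  # simple binds and non-bind ops are skipped
        conn, op, err, result_dn = m.groups()
        bind_dn, mech = pending.pop((conn, op))
        if err == "0":
            inventory[(result_dn or bind_dn).lower()].add(mech)   # DNs are case-insensitive
    return dict(inventory)

# Constructed sample: one two-step GSSAPI bind, one failed SASL bind, and one
# simple bind that must not be counted.
SAMPLE_LOG = """\
[10/Jun/2026:09:12:01.000000000 +0000] conn=17 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Jun/2026:09:12:01.000100000 +0000] conn=17 op=0 RESULT err=14 tag=97 nentries=0 etime=0.000100, SASL bind in progress
[10/Jun/2026:09:12:01.000200000 +0000] conn=17 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Jun/2026:09:12:01.000300000 +0000] conn=17 op=1 RESULT err=0 tag=97 nentries=0 etime=0.000100 dn="uid=alice,cn=users,cn=accounts,dc=example,dc=test"
[10/Jun/2026:09:12:02.000000000 +0000] conn=18 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Jun/2026:09:12:02.000100000 +0000] conn=18 op=0 RESULT err=49 tag=97 nentries=0 etime=0.000100
[10/Jun/2026:09:12:03.000000000 +0000] conn=19 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[10/Jun/2026:09:12:03.000100000 +0000] conn=19 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000100 dn="cn=directory manager"
""".splitlines()

if __name__ == "__main__":
    for dn, mechs in sorted(sasl_bind_inventory(SAMPLE_LOG).items()):
        print(f"{dn}: {', '.join(sorted(mechs))}")
```

Point it at the instance's access log (/var/log/dirsrv/slapd-<instance>/access) and compare the result with the set of principals you expect to bind with SASL.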
CVE-2026-11845 · CVSS 7.2 · HIGH
A privileged remote attacker can inject arbitrary OS commands into the IEI iVEC Virtualization Edge Computer and run them on the device. You need elevated access to exploit this, which lowers the real-world risk somewhat, but if an attacker already has a privileged session (or steals one), they own the box completely.
Affects: Anyone deploying IEI Integration Corp iVEC Virtualization Edge Computers
Patch this week.
Apply the latest firmware update from IEI Integration Corp. If no patch is available yet, restrict management interface access to a dedicated out-of-band network and enforce strong credential hygiene.
Exposure: Internet-facing systems · Op impact: Endpoint reboot
ONE UPDATE · 5 CVEs
CVE-2026-49261 · CVSS 10.0 · CRITICAL
This is a CVSS 10.0. If you run MariaDB with Galera replication and have `wsrep_notify_cmd` enabled, an attacker who controls the joiner node name can embed shell commands in it and the server will execute them. That's full remote code execution with no authentication required, straight through a clustering feature. The blast radius covers MariaDB 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through 11.8.7, and 12.3.1.
Affects: Anyone running MariaDB with Galera/wsrep clustering and wsrep_notify_cmd enabled
Patch immediately if internet-facing or otherwise exposed.
Upgrade to MariaDB 10.6.27, 10.11.18, 11.4.12, 11.8.8, or 12.3.2. If you can't upgrade right now, disable `wsrep_notify_cmd` immediately as a stopgap.
Exposure: Network-reachable systems · Op impact: Service restart
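A triage helper for the two checks this entry calls for, added here as an example (not MariaDB's or the digest's own code): it maps a server version string onto the affected ranges listed above and looks for a non-empty wsrep_notify_cmd in a my.cnf fragment. The sample config, its addresses and its script path are constructed.

```python
import re

# Affected patch ranges (inclusive) and fixed release per series, from the advisory above.
AFFECTED = {
    (10, 6): (1, 26, 27),
    (10, 11): (1, 17, 18),
    (11, 4): (1, 11, 12),
    (11, 8): (1, 7, 8),
    (12, 3): (1, 1, 2),
}

def fixed_version(version):
    """Map a version ('10.6.26-MariaDB-log' style, build suffix ignored) to the release
    to upgrade to, or None when it is outside every listed range (unlisted series and
    already-patched builds)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    lo, hi, fixed = AFFECTED.get((major, minor), (0, -1, 0))
    return f"{major}.{minor}.{fixed}" if lo <= patch <= hi else None

def notify_cmd_enabled(my_cnf_text):
    """True if a my.cnf fragment sets wsrep_notify_cmd to a non-empty value.
    '#' comments are stripped, '-' and '_' in option names are equivalent
    (as MariaDB treats them), and quoted values are unwrapped."""
    for line in my_cnf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"wsrep[-_]notify[-_]cmd\s*=\s*(.*)$", line, re.I)
        if m and m.group(1).strip().strip("\"'"):
            return True
    return False

def triage(version, my_cnf_text):
    """One verdict for a version/config pair, following the stopgap above."""
    fixed = fixed_version(version)
    if fixed is None:
        return "not in an affected range"
    if notify_cmd_enabled(my_cnf_text):
        return f"EXPOSED: upgrade to {fixed} or unset wsrep_notify_cmd now"
    return f"vulnerable build, wsrep_notify_cmd unset: schedule upgrade to {fixed}"

# Constructed sample config (placeholder addresses and script path).
SAMPLE_CNF = """[galera]
wsrep_on=ON
wsrep_cluster_address=gcomm://10.0.0.11,10.0.0.12
wsrep_notify_cmd=/usr/local/bin/wsrep-notify.sh  # placeholder
"""

if __name__ == "__main__":
    print(triage("10.6.26-MariaDB-log", SAMPLE_CNF))
```

On a running node, `SHOW GLOBAL VARIABLES LIKE 'wsrep_notify_cmd'` is the authoritative check, since the live value can differ from what the config file says.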
CVE-2026-12020 · CVSS 8.8 · HIGH
A use-after-free bug in Chrome's Autofill feature on macOS lets an attacker corrupt heap memory through a crafted web page. All it takes is getting a user to visit a malicious site. Chromium rates this High severity, and at CVSS 8.8 it's worth patching quickly even though there's no known exploitation yet.
Affects: Anyone running Google Chrome on macOS prior to version 149.0.7827.115, plus Chromium-based browsers (Edge, Brave, etc.) on macOS that haven't pulled in this fix
Patch within 24 hours for internet-facing systems.
Update Chrome to 149.0.7827.115 or later on all managed macOS endpoints. Check for updates in Chromium-based browsers as well.
Exposure: Internet-facing systems · Op impact: Browser relaunch
ONE UPDATE · 29 CVEs
CVE-2026-11933 · CVSS 8.8 · HIGH
A use-after-free in MongoDB's server-side JavaScript engine lets an authenticated user with read privileges leak process memory or crash the server. The attacker needs to be able to run server-side JS, which means using operators like $where or $function. If you've disabled server-side JavaScript (which many hardening guides recommend), you're not exposed.
Affects: Anyone running MongoDB Server with server-side JavaScript enabled (the default) who grants read access to untrusted or semi-trusted users
Patch this week.
Upgrade MongoDB Server to the latest patched version. As a short-term mitigation, disable server-side JavaScript by setting `security.javascriptEnabled: false` in your mongod config if your application doesn't rely on $where, $function, or mapReduce with custom JS.
Exposure: Network-reachable systems
Community Signal Check
Ivanti Sentry CVSS 10 RCE and auth bypass now exploited in the wild
Two critical bugs in Ivanti Sentry are being exploited at scale. CVE-2026-10520 (CVSS 10.0) is an unauthenticated OS command injection giving root, and CVE-2026-10523 (CVSS 9.9) is an auth bypass that lets attackers create admin accounts. Shadowserver confirmed backdoored instances within hours of public PoC release. If your Sentry appliances face the internet, patch now.
Ivanti / Shadowserver • active_exploitation

Check Point VPN zero-day auth bypass tied to Qilin ransomware
Attackers are bypassing Check Point VPN authentication via deprecated IKEv1 key exchange, no credentials needed. Post-exploitation includes ELF payload retrieval, and Rapid7 ties the campaign to Qilin ransomware operations going back to at least May 7. If you run Remote Access VPN, Mobile Access, or Spark Firewall, patch and audit VPN sessions immediately.
Rapid7 • active_exploitation

KB5094125 fixes BitLocker recovery boot loops on Windows Server 2025
An April security update changed TPM PCR7 measurements on Windows Server 2025, forcing BitLocker-protected servers into recovery boot loops on every restart. KB5094125 (June 9) fixes it. After installing, restore default PCR profiles via Group Policy or re-enable BitLocker to clear the issue.
Windows News • regression

June cumulative updates fail to install on upgraded Windows 11 PCs (0x80073712, 0x800f0993)
KB5094126 and KB5093998 are failing to install on machines that were upgraded from Windows 10 or older Windows 11 builds to 24H2/25H2, throwing errors 0x80073712 or 0x800f0993. These boxes will also block future monthly updates. Microsoft says to remove the broken package via DISM or do an in-place Windows 11 upgrade to unblock patching.
BleepingComputer • broken_patch

SECURE BOOT · 12 days until Microsoft Secure Boot certificates begin expiring (June 24, 2026).

Also patched this window
Lower-priority items that cleared the enterprise filter. Scan for anything in your estate.
7.8 · CVE-2026-10847 · A local privilege escalation vulnerability exists in Check Point Identity Agent Full for Windows OS.
9.9 · CVE-2026-47370 · A malicious actor with access to the network and low privileges could exploit an Improper Input Validation…
9.8 · CVE-2026-49060 · Incorrect Privilege Assignment vulnerability in Hippoo Mobile App for WooCommerce allows Privilege Escalation.
9.3 · CVE-2026-42647 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beardev JoomSport allows Blind SQL Injection.
9.3 · CVE-2026-39494 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WBW Plugins…
7.3 · CVE-2026-48546 · KanaDojo before 0.1.18 contains a sandbox escape vulnerability that allows an attacker to execute arbitrary code…
9.9 · CVE-2026-47369 · A malicious actor with access to the network and low privileges could exploit an Improper Input Validation…
9.9 · CVE-2026-47365 · cms:wordpress · Argument injection vulnerability in WordPress Toolkit before 6.11.0 as used in cPanel & WHM, allows remote…
8.8 · CVE-2026-46519 · Prior to version 3.6.0, mcp-server-kubernetes exposes three environment variables (ALLOW_ONLY_READONLY_TOOLS,…
8.7 · CVE-2026-44494 · From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any…
Plus 9 more this window. See NVD for the full list.

Recent from the blog
A crash got a federal patch deadline. Here's why that's the right call
CVE-2026-28318 is a 7.5 denial-of-service bug in SolarWinds Serv-U, the kind that usually waits. CISA listed it on KEV two days after the f…
Three June 30 Microsoft 365 retirements that fail silently
A printer stops scanning to email, a conference-room keyboard's mute key dies, a town hall won't schedule. None of these will announce them…
Your Azure CLI session has an MFA exemption you never asked for
Two Entra Conditional Access changes land in the same fortnight, and they're the lead evidence in a longer story: Microsoft is closing the…
That's your patch day digest.
patchdayalert.com