PatchDay Alert: 2026-06-01

TODAY'S CALL
Rough start to June. Attackers are already exploiting an auth bypass on Palo Alto PAN-OS firewalls that lets them VPN straight into your network with zero credentials (CVE-2026-0257). That one tops a 5-item list that also includes a CVSS 9.6 Chrome sandbox escape and a nasty RCE in the Amazon Redshift Python driver.

DO FIRST
• Apply the latest PAN-OS security update from Palo Alto Networks immediately, and audit VPN logs for unauthorized sessions (CVE-2026-0257)
• Upgrade the redshift-connector pip package to the latest patched version (CVE-2026-8838)
• Upgrade Gotenberg to the latest patched v8 release (CVE-2026-44829)
• Update Chrome to 148.0.7778.216 or later (CVE-2026-9874)
• Upgrade GitHub CLI to 2.93.0 or later (CVE-2026-48501)

Clear the most in the fewest moves
2 updates close multiple CVEs at once. Each row is one maintenance decision.

ACTION | CVES | URGENCY | IMPACT
Update Chrome to 148.0.7778.216 or later | 151 (9 critical) | Patch within 24 hours, internet-facing only | Browser relaunch
Upgrade Gotenberg to the latest patched v8 release | 3 | Patch within 24 hours, network-reachable only | Endpoint reboot

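The table above turns version thresholds into maintenance decisions. As an added example (not part of the PatchDay Alert digest), the script below checks a fleet inventory against the two minimum fixed versions named in this issue (Chrome 148.0.7778.216 and GitHub CLI 2.93.0) and groups the hosts that still need each action. The hostnames and installed versions are constructed sample data; the numeric version comparison matters because a lexical compare would wrongly rank 148.0.7778.9 above 148.0.7778.216.

```python
# Added example (not from PatchDay Alert): triage a fleet inventory against the
# minimum fixed versions named in today's digest. Host names and installed
# versions below are constructed sample data.
from typing import Dict, List, Tuple

# Minimum fixed versions from the digest (Chrome 148.0.7778.216, gh 2.93.0).
MINIMUM_FIXED: Dict[str, str] = {
    "chrome": "148.0.7778.216",
    "gh": "2.93.0",
}

# Maintenance action attached to each product, as in the "fewest moves" table.
ACTIONS: Dict[str, str] = {
    "chrome": "Update Chrome to 148.0.7778.216 or later (browser relaunch)",
    "gh": "Upgrade GitHub CLI to 2.93.0 or later",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints so that
    148.0.7778.216 compares numerically, not lexically ('148.0.7778.9'
    must sort below '148.0.7778.216')."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, minimum: str) -> bool:
    """True when installed >= minimum. Shorter tuples are padded with zeros so
    2.93 and 2.93.0 compare equal."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def triage(inventory: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each maintenance action to the hosts that still need it."""
    todo: Dict[str, List[str]] = {}
    for host, installed in sorted(inventory.items()):
        for product, version in installed.items():
            minimum = MINIMUM_FIXED.get(product)
            if minimum is None:
                continue  # product not covered by today's digest
            if not is_patched(version, minimum):
                todo.setdefault(ACTIONS[product], []).append(host)
    return todo


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ws-01": {"chrome": "148.0.7778.216", "gh": "2.92.1"},
    "ws-02": {"chrome": "148.0.7778.9", "gh": "2.93.0"},
    "build-01": {"gh": "2.91.0"},
    "ws-03": {"chrome": "149.0.1.1"},
}

if __name__ == "__main__":
    for action, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{action}: {', '.join(hosts)}")
```

Feed it the output of whatever inventory tool you already have (Intune, osquery, a CMDB export) mapped into the same host-to-versions shape, and the result is the per-action host list the table asks you to clear.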

TOP THREAT TODAY
CVE-2026-0257 · Palo Alto Networks PAN-OS
An attacker can bypass authentication on Palo Alto Networks PAN-OS firewalls and establish an unauthorized VPN connection. This is already exploited in the wild, and the EPSS score of 0.42 (97th percentile) confirms high exploit probability. If your firewall is internet-facing, an attacker can tunnel straight into your network without credentials.
Who's affected: Anyone running Palo Alto Networks firewalls with PAN-OS, especially with GlobalProtect or other VPN services exposed to the internet
Patch immediately given active exploitation. Apply the latest PAN-OS security update from Palo Alto Networks immediately, and audit VPN logs for unauthorized sessions.
Exposure: Active exploitation (KEV) · Op impact: Service restart
References: NVD, KEV

CVE-2026-8838 · CVSS 9.8 · EPSS 0.08% · CRITICAL
The Amazon Redshift Python driver (redshift-connector) has a remote code execution bug caused by unsafe use of eval(). An attacker who can control input to the driver can execute arbitrary code on your system. CVSS 9.8, no authentication required.
Affects: Developers and data engineers using the pip package redshift-connector in Python applications or ETL pipelines
Patch within 24 hours for internet-facing systems. Upgrade the redshift-connector pip package to the latest patched version.
Exposure: Internet-facing systems · Op impact: Endpoint reboot
References: NVD, Ref 1, Ref 2

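Why "unsafe use of eval()" rates a 9.8 is easiest to see side by side. The block below is an added illustration, not redshift-connector's code and not a reproduction of its bug: it assumes a driver that has to turn a text value received from the other end of a connection into a Python object, and contrasts eval() with ast.literal_eval() and json.loads(). The "hostile" input is a constructed, harmless string that merely returns a marker, enough to show that code runs at all.

```python
# Added example (not redshift-connector's code): why eval() on data that an
# external party can influence is remote code execution, and what to use
# instead. Inputs are constructed; the hostile one is deliberately harmless.
import ast
import json


def parse_value_unsafe(text: str):
    """Vulnerable pattern: eval() runs whatever Python the string contains.
    Fine for "[1, 2]", catastrophic for attacker-controlled input."""
    return eval(text)  # the bad pattern, kept on purpose for contrast


def parse_value_safe(text: str):
    """Hardened pattern: ast.literal_eval accepts only literals (numbers,
    strings, tuples, lists, dicts, sets, booleans, None). A call, attribute
    access or name lookup raises instead of executing."""
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"refusing non-literal value: {text!r}") from exc


def parse_json_safe(text: str):
    """If the wire format is JSON, json.loads is the right parser: it has no
    code-execution path at all."""
    return json.loads(text)


# Constructed inputs: a benign literal and a string that *evaluates* code.
# The payload only returns a marker string, so the effect is visible
# without side effects.
BENIGN = "[1, 2, 3]"
HOSTILE = "(lambda: 'arbitrary code ran')()"

if __name__ == "__main__":
    print("unsafe, benign :", parse_value_unsafe(BENIGN))
    print("unsafe, hostile:", parse_value_unsafe(HOSTILE))  # code executes
    print("safe, benign   :", parse_value_safe(BENIGN))
    try:
        parse_value_safe(HOSTILE)
    except ValueError as err:
        print("safe, hostile  : rejected ->", err)
```

When reviewing your own ETL code for the same pattern, grep for eval( and exec( on anything that crosses a trust boundary (query results, config fetched over the network, message payloads); literal_eval or a real format parser is almost always the drop-in replacement.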
CVE-2026-44829 · CVSS 8.8 · HIGH
Gotenberg, a popular document-conversion API, has a path traversal bug. An attacker can craft a zip upload with Windows-style path separators in the filename to write files outside the intended directory. CVSS 8.8. If your Gotenberg instance accepts uploads from untrusted users, this could lead to code execution on the server.
Affects: Teams running Gotenberg v8 as a document conversion service, especially instances exposed to user-uploaded files
Patch within 24 hours if internet-facing or otherwise exposed. Upgrade Gotenberg to the latest patched v8 release. If you can't patch right away, restrict upload access to trusted sources only.
Exposure: Network-reachable systems · Op impact: Endpoint reboot
One update · 3 CVEs
References: NVD, Ref 1, Ref 2

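The Gotenberg bug is a reminder that "no `..` in the name" is not enough: a backslash-separated name like `..\..\x` sails past a check that only splits on `/`. As an added example (not Gotenberg's code, and not its fix), here is a member-name validator and extractor for zip uploads that treats backslashes as separators and rejects absolute paths, drive letters and parent-directory components before anything touches disk, then re-checks the resolved path as defence in depth. The archive is constructed in memory so the whole thing runs offline.

```python
# Added example (not Gotenberg's code): validate zip member names before
# extraction, rejecting Windows-style separators, absolute paths, drive
# letters and parent-directory components. The archive is constructed.
import io
import os
import tempfile
import zipfile
from pathlib import PurePosixPath
from typing import List, Optional


def normalized_member_path(name: str) -> Optional[PurePosixPath]:
    """Return a safe relative path for a zip member, or None if the name
    could escape the extraction directory. Backslashes are treated as
    separators because Windows tools (and attackers) write them that way."""
    candidate = name.replace("\\", "/")
    if candidate.startswith("/"):
        return None                      # absolute path
    if len(candidate) >= 2 and candidate[1] == ":":
        return None                      # drive letter such as C:
    path = PurePosixPath(candidate)
    if not path.parts or any(part == ".." for part in path.parts):
        return None                      # empty name or parent traversal
    return path


def safe_extract(data: bytes, dest: str) -> List[str]:
    """Extract only members whose normalized path stays under dest.
    Returns the relative paths that were written."""
    written: List[str] = []
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            rel = normalized_member_path(info.filename)
            if rel is None or info.filename.endswith("/"):
                continue                 # rejected name or directory entry
            target = os.path.realpath(os.path.join(root, *rel.parts))
            # Defence in depth: re-check after OS-level path resolution.
            if os.path.commonpath([root, target]) != root:
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(rel.as_posix())
    return written


def build_sample_zip() -> bytes:
    """Constructed archive mixing safe and traversal-style member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("doc.html", "<p>ok</p>")
        zf.writestr("assets/style.css", "p{}")
        zf.writestr("..\\..\\etc\\poisoned.txt", "bad")   # Windows-style escape
        zf.writestr("../outside.txt", "bad")            # POSIX-style escape
        zf.writestr("C:\\Windows\\notepad.exe", "bad")  # drive letter
        zf.writestr("/abs.txt", "bad")                  # absolute path
    return buf.getvalue()


def demo_extract() -> List[str]:
    """Extract the constructed archive into a scratch directory and report
    which members survived the checks (sorted for stable output)."""
    with tempfile.TemporaryDirectory() as tmp:
        return sorted(safe_extract(build_sample_zip(), tmp))


if __name__ == "__main__":
    print(demo_extract())
```

The same normalization applies to any upload path you accept (tar members, multipart filenames, form fields that name an output file); the validator is format-agnostic, which is why it takes a string rather than a ZipInfo.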
CVE-2026-9874 · CVSS 9.6 · EPSS 0.07% · CRITICAL
A use-after-free bug in Chrome's Dawn graphics layer (WebGPU) lets an attacker escape the browser sandbox via a crafted web page. CVSS 9.6, rated Critical by Chromium. A user only needs to visit a malicious page; no other interaction is required.
Affects: Anyone managing Chrome, Chromium, or Chromium-based browsers (Edge, Brave, etc.) across desktops
Patch within 24 hours for internet-facing systems. Update Chrome to 148.0.7778.216 or later. Push the update through your browser management policy or software deployment tool.
Exposure: Internet-facing systems · Op impact: Browser relaunch
One update · 151 CVEs · 9 critical
References: NVD, Ref 1, Ref 2

CVE-2026-48501 · CVSS 7.4 · EPSS 0.04% · HIGH
GitHub CLI (gh) versions before 2.93.0 leak your GitHub authentication token to external hosts. When you run gh attestation, gh release verify, or gh release verify-asset, the CLI sends your token to TUF mirrors on GitHub Pages and to Sigstore and Azure Blob Storage endpoints. An attacker controlling one of those mirrors, or able to intercept traffic, could capture your GitHub token. Exploitation requires a specific scenario: you need to run one of the affected commands, and the attacker needs to be in a position to capture the misdirected token.
Affects: Developers and CI/CD pipeline operators using GitHub CLI (gh) for attestation verification or release verification workflows
Patch this week. Upgrade GitHub CLI to 2.93.0 or later. Review recent CI logs for use of gh attestation, gh release verify, or gh release verify-asset, and rotate any tokens that may have been exposed.
Exposure: Network-reachable systems
References: NVD, Ref 1

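The log review the entry asks for is mechanical once you know what to look for. As an added example (not GitHub's code and not part of the digest), the script below scans CI log lines for the three affected gh subcommands and for any logged gh version below 2.93.0, returning line numbers so the jobs whose tokens should be rotated can be identified. The log excerpt is constructed; the `gh version X.Y.Z (date)` banner format is assumed to match what `gh --version` prints.

```python
# Added example (not GitHub's code): find CI log lines that invoked the gh
# subcommands named in the advisory, plus any logged gh version below the
# fixed release, so the tokens used by those jobs can be rotated.
# The log lines are constructed; the command list comes from the advisory.
import re
from typing import Iterable, List, Tuple

# Subcommands the advisory says send the token to external hosts.
# The longer "verify-asset" form is listed first so the alternation does not
# stop at "gh release verify" and report the wrong subcommand.
AFFECTED = (
    "gh attestation",
    "gh release verify-asset",
    "gh release verify",
)
FIXED_VERSION = (2, 93, 0)

# Word boundaries keep "mygh attestation" and similar from matching.
_AFFECTED_RE = re.compile(
    r"\b(" + "|".join(re.escape(c) for c in AFFECTED) + r")\b"
)
# Assumed banner shape: "gh version 2.91.2 (2026-04-18)".
_VERSION_RE = re.compile(r"\bgh version (\d+)\.(\d+)\.(\d+)\b")


def find_affected_invocations(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, matched subcommand) for each hit."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, start=1):
        m = _AFFECTED_RE.search(line)
        if m:
            hits.append((n, m.group(1)))
    return hits


def vulnerable_gh_versions(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line number, version) wherever a logged gh version is below
    2.93.0; a job that only ran a patched gh needs no token rotation."""
    out: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, start=1):
        m = _VERSION_RE.search(line)
        if m and tuple(int(g) for g in m.groups()) < FIXED_VERSION:
            out.append((n, ".".join(m.groups())))
    return out


# Constructed CI log excerpt (not real job output).
SAMPLE_LOG = """\
2026-05-30T09:12:01Z [build] gh version 2.91.2 (2026-04-18)
2026-05-30T09:12:03Z [build] gh release download v1.4.0 --pattern '*.tar.gz'
2026-05-30T09:12:07Z [verify] gh attestation verify app.tar.gz --owner example-org
2026-05-30T09:12:09Z [verify] gh release verify-asset v1.4.0 app.tar.gz
2026-05-30T09:12:15Z [runner-2] gh version 2.93.0 (2026-05-20)
""".splitlines()

if __name__ == "__main__":
    for n, cmd in find_affected_invocations(SAMPLE_LOG):
        print(f"line {n}: affected command {cmd!r}")
    for n, ver in vulnerable_gh_versions(SAMPLE_LOG):
        print(f"line {n}: gh {ver} is below 2.93.0")
```

Run it over the log archive for the retention window your CI keeps; every job that both ran an affected subcommand and used a pre-2.93.0 gh is a token to rotate, and the affected-command list alone is the conservative cut if version banners are not logged.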
Community Signal Check

Microsoft Defender zero-days CVE-2026-41091 and CVE-2026-45498 exploited in the wild
Attackers are exploiting two Defender zero-days right now. CVE-2026-41091 is a privilege escalation bug that hands out SYSTEM access through improper link resolution, and CVE-2026-45498 is a denial-of-service bug. Both are patched in Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7. Auto-update should cover you, but verify your platform version.
Source: BleepingComputer · active_exploitation

KB5089549 install failures on low-space EFI partitions, permanent fix now available
If your Windows 11 boxes are stuck rolling back KB5089549 at around 35% with error 0x800f0922, the EFI System Partition is probably too small (under 10 MB free). Microsoft shipped a permanent fix as KB5089573 on May 26. Apply that instead, or use the registry workaround if you're blocked.
Source: BleepingComputer · broken_patch

KB5089549 downgrades GPU drivers, no fix until October 2026
Heads up: KB5089549 silently replaces manually installed Nvidia, AMD, and Intel GPU drivers with older OEM-certified versions. Microsoft says the fix won't land until October Patch Tuesday. A Group Policy workaround for Windows 11 Pro is expected in June. If you manage workstations with specific driver requirements, watch for this one after patching.
Source: Your Local Computer Guy · regression

KB5087544 Windows 10 ESU breaks USB multifunction printers (error 0x0000011b)
KB5087544 on Windows 10 ESU is killing USB-connected multifunction printers from Brother, Canon, and Ricoh with error 0x0000011b. If you're still on the ESU program and your users can't print, this is why. Microsoft says a fix is coming in the June optional update.
Source: Your Local Computer Guy · broken_patch

SECURE BOOT · 23 days until Microsoft Secure Boot certificates begin expiring (June 24, 2026). How to remediate →

Also patched this window
Lower-priority items that cleared the enterprise filter. Scan for anything in your estate.
CVSS 7.1 · CVE-2026-47397 · PraisonAI has an Arbitrary File Write in Python API
CVSS 9.9 · CVE-2026-45663 · In 0.29.1 and earlier, a command injection vulnerability exists in the Docker file upload functionality.
CVSS 9.9 · CVE-2026-45633 · In 0.26.6 and earlier, Dokploy contains a command injection vulnerability in the /docker-container-logs WebSocket endpoint.
CVSS 9.8 · CVE-2026-34311 (oracle:hospitality_opera_5_property_services) · Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Opera).
CVSS 9.8 · CVE-2026-10042 · manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe…
CVSS 9.8 · CVE-2026-46817 · Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission).
CVSS 9.8 · CVE-2026-8732 (cms:wordpress) · The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.
CVSS 9.8 · CVE-2026-45288 · Marten is a .NET Transactional Document DB and Event Store on PostgreSQL.
CVSS 9.1 · CVE-2026-48188 · An improper Input Validation vulnerability in OTRS or ((OTRS)) Community Edition database layer module allows…
CVSS 9.1 · CVE-2026-46819 · Vulnerability in the Oracle Internet Procurement Connector product of Oracle E-Business Suite (component: Internal Operations).
Plus 35 more this window. See NVD for the full list.

Recent from the blog
Enforcing and proving BitLocker TPM+PIN across an Intune fleet
Requiring a startup PIN is one toggle. Landing it on already-encrypted devices and proving it took across the whole fleet is the actual wor…
Gogs has a critical RCE and no one is coming to fix it
Rapid7 found a push-button remote code execution flaw in Gogs, shipped a Metasploit module with it, and ran 72 days from report to publicat…
Palo Alto's third edge zero-day in two years rhymes with the first two
CISA's federal deadline for CVE-2026-0300 landed four days before a patch existed. The deadline is not the story. The third PAN-OS portal z…

That's your patch day digest.
patchdayalert.com