TODAY'S CALL
No active exploitation today, but a couple of these are ugly enough to move on fast. Splunk's PostgreSQL sidecar has an unauth file-write bug at CVSS 9.8, and Red Hat's migration-planner has a CVSS 9.6 SQL injection triggered by importing a crafted spreadsheet. Five patches total, none on fire yet, but don't let the Splunk one sit.
DO FIRST
• Update httpd to the patched version provided by your distro (Azure Linux: upgrade past 2.4.67-1) (CVE-2026-29167)
• Upgrade Splunk Enterprise to 10.2.4 or 10.0.7 (depending on your branch) immediately (CVE-2026-20253)
• Update SQLite to 3.53.2 or later through your distro's package manager (CVE-2026-11822)
• Apply the patched version of migration-planner as soon as the vendor publishes it (CVE-2026-53474)
• Upgrade Dulwich to 1.2.5 or later via pip (CVE-2026-42305)

Clear the most in the fewest moves
2 updates close multiple CVEs at once. Each row is one maintenance decision.

ACTION | CVES | URGENCY | IMPACT
Update httpd to the patched version provided by your distro (Azure Linux: upgrade past 2.4.67-1) | 12 (1 critical) | Patch this week, network-reachable only | Service restart
Update SQLite to 3.53.2 or later through your distro's package manager | 2 | Patch this week | —

TOP THREAT TODAY

A use-after-free bug in Apache HTTP Server's mod_ldap module lets an attacker potentially crash or compromise the server when per-directory LDAP configurations are in use. Exploitation requires mod_ldap to be enabled with per-directory auth configs, so if you don't use LDAP authentication in Apache, your exposure is minimal. Still, with a CVSS of 8.6, this is a serious memory corruption issue on any box where mod_ldap is active.
Who's affected: Apache HTTP Server operators using mod_ldap for per-directory authentication, especially those running httpd 2.4.67 or earlier on Azure Linux 3.0
Patch this week. Update httpd to the patched version provided by your distro (Azure Linux: upgrade past 2.4.67-1). If you can't patch quickly, disable mod_ldap if it's not needed.
Exposure: Network-reachable systems · Op impact: Service restart
ONE UPDATE · 12 CVEs · 1 CRITICAL
Sources: NVD · MSRC

CVE-2026-20253 · CVSS 9.8 · CRITICAL
An unauthenticated attacker who can reach the Splunk PostgreSQL sidecar service endpoint can create or truncate arbitrary files on the Splunk server. No credentials needed, no user interaction. A CVSS 9.8 means this is about as bad as it gets: think data destruction, config tampering, or chaining file writes into code execution.
Affects: Splunk Enterprise operators running versions below 10.2.4 or 10.0.7, and Splunk Cloud Platform users on versions below 10.4.2604.3 or 10.2.2510.14
Patch immediately for internet-facing systems. Upgrade Splunk Enterprise to 10.2.4 or 10.0.7 (depending on your branch) immediately. For Splunk Cloud, confirm with Splunk support that your instance has been updated to 10.4.2604.3 or 10.2.2510.14.
Exposure: Internet-facing systems · Op impact: Service restart
Sources: NVD · Ref 1

CVE-2026-11822 · CVSS 7.8 · EPSS 0.01% · HIGH
A memory corruption bug in SQLite's FTS5 (full-text search) extension can be triggered by crafted database content. Exploitation typically requires an attacker to feed a malicious database file or query to an application using FTS5, so the risk depends heavily on whether your apps accept untrusted SQLite databases. CVSS 7.8 reflects local exploitation with potential code execution.
Affects: Anyone running applications that use SQLite's FTS5 extension, especially on Azure Linux 3.0 with sqlite 3.44.0-3 or earlier
Patch this week. Update SQLite to 3.53.2 or later through your distro's package manager. On Azure Linux 3.0, upgrade past sqlite 3.44.0-3.
Exposure: Estate exposure
ONE UPDATE · 2 CVEs
Sources: NVD · MSRC

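Because the risk above hinges on two facts about each host (is the linked SQLite older than 3.53.2, and is FTS5 actually compiled in), a quick runtime probe answers both. The script below is an added example written for this digest, not vendor code: the 3.53.2 threshold comes from the advisory above, and the FTS5 probe is a generic technique (try to create a throwaway FTS5 table in memory) rather than anything SQLite documents as an official check.

```python
"""Probe the SQLite library linked into this Python build: is it older than the
fixed 3.53.2 release, and can it create FTS5 tables at all?
Added example for this digest; not SQLite or distro code."""
import re
import sqlite3

FIXED_VERSION = (3, 53, 2)  # first release the digest lists as patched (assumption from the advisory text)


def parse_version(text: str) -> tuple:
    """Turn '3.44.0-3' into (3, 44, 0) so versions compare numerically, not as strings."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def needs_patch(version_text: str) -> bool:
    """True when the given SQLite version is older than the fixed release."""
    return parse_version(version_text) < FIXED_VERSION


def fts5_available(conn=None) -> bool:
    """True when the linked SQLite can create an FTS5 virtual table.

    Creating a throwaway table in memory is the definitive test; inspecting
    PRAGMA compile_options misses builds that load FTS5 as a runtime extension.
    """
    own_conn = conn is None
    if own_conn:
        conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE VIRTUAL TABLE fts5_probe USING fts5(body)")
        conn.execute("DROP TABLE fts5_probe")
        return True
    except sqlite3.OperationalError:  # "no such module: fts5"
        return False
    finally:
        if own_conn:
            conn.close()


def assess(version_text: str, has_fts5: bool) -> str:
    """Summarise exposure: only builds that are both old and FTS5-capable matter here."""
    if not needs_patch(version_text):
        return "patched"
    return "exposed" if has_fts5 else "old-library-but-fts5-absent"


if __name__ == "__main__":
    ver = sqlite3.sqlite_version
    print(f"SQLite {ver}: {assess(ver, fts5_available())}")
```

Run it inside the interpreter your application actually uses; bundled wheels and virtualenvs often carry a different SQLite than the distro package, so the distro version string alone can mislead.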
CVE-2026-53474 · CVSS 9.6 · CRITICAL
An authenticated attacker can upload a crafted RVTools .xlsx spreadsheet to the migration-planner tool, and malicious SQL embedded in cell values gets executed when cluster names are processed. That's SQL injection via spreadsheet import, and it lets the attacker read arbitrary files on the server, including Kubernetes service account tokens. At CVSS 9.6, a successful exploit can lead to full compromise of the SaaS environment.
Affects: Teams running Red Hat migration-planner that accept RVTools .xlsx uploads, especially in OpenShift or Kubernetes-backed SaaS environments
Patch immediately if internet-facing or otherwise exposed. Apply the patched version of migration-planner as soon as the vendor publishes it. Until then, restrict who can upload RVTools files and audit recent uploads for suspicious cell content.
Exposure: Network-reachable systems
Sources: NVD · Ref 1 · Ref 2

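The bug class here is ordinary: a value read from a spreadsheet cell is spliced into a SQL string instead of being bound as a parameter. The snippet below is an added example for this digest, not migration-planner's code; the table, column names, the `lookup_*` functions and the constructed cell values are assumptions chosen to show the vulnerable pattern beside its hardened form, and the allowlist regex is a generic cluster-name shape, not the project's rule.

```python
"""Cluster-name lookup the way a spreadsheet importer should and should not do it.
Added example for this digest; schema and sample data are constructed, not the
project's actual implementation."""
import re
import sqlite3

# Constructed sample inventory standing in for whatever the real tool stores.
SAMPLE_ROWS = [("prod-cluster-01", "vcenter-a"), ("lab-cluster-02", "vcenter-b")]

# Cluster names are short labels; a strict allowlist rejects quotes, comment
# markers and whitespace tricks before the value reaches any query (assumed shape).
CLUSTER_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the importer's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clusters (name TEXT, vcenter TEXT)")
    conn.executemany("INSERT INTO clusters VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, cell_value: str) -> list:
    """The bug class: cell text becomes part of the SQL, so it can rewrite the query."""
    sql = f"SELECT name, vcenter FROM clusters WHERE name = '{cell_value}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, cell_value: str) -> list:
    """Hardened form: validate the shape first, then bind it so it is only ever data."""
    if not CLUSTER_NAME_RE.fullmatch(cell_value):
        raise ValueError(f"rejected cluster name from spreadsheet: {cell_value!r}")
    return conn.execute(
        "SELECT name, vcenter FROM clusters WHERE name = ?", (cell_value,)
    ).fetchall()


def import_cells(conn, cells) -> dict:
    """Process a column of cell values the hardened way. Rejections are collected
    rather than aborting the import, so the upload can be audited afterwards."""
    found, rejected = [], []
    for cell in cells:
        try:
            found.extend(lookup_safe(conn, cell))
        except ValueError:
            rejected.append(cell)
    return {"found": found, "rejected": rejected}


if __name__ == "__main__":
    db = make_db()
    tampered = "x' OR '1'='1"  # constructed cell value for the demo, not from the advisory
    print("unsafe:", lookup_unsafe(db, tampered))  # every row comes back
    print("safe:", import_cells(db, ["prod-cluster-01", tampered]))
```

The `rejected` list is also what the interim advice above calls for: logging which cells failed validation gives you the audit trail for recent uploads without having to open each spreadsheet by hand.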
CVE-2026-42305 · CVSS 8.8 · HIGH
Cloning or checking out a malicious Git repository using Dulwich on Windows lets an attacker write arbitrary files, which chains into remote code execution. The bug exists because Dulwich accepted filenames containing bytes that Windows treats as path separators, and the safety settings (core.protectNTFS, core.protectHFS) were silently ignored due to a config lookup bug. POSIX systems aren't directly exploitable, but they can unknowingly relay a poisoned repo to Windows users.
Affects: Anyone using Dulwich 0.10.0 through 1.2.4 on Windows, or anyone whose CI/CD pipelines or tools use Dulwich to clone untrusted repos. POSIX users who push repos consumed by Windows clients should also upgrade.
Patch within 24 hours for internet-facing systems. Upgrade Dulwich to 1.2.5 or later via pip. There is no effective workaround on older versions because the protectNTFS config was silently ignored.
Exposure: Internet-facing systems · Op impact: Endpoint reboot
Sources: NVD · Ref 1 · Ref 2

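Since the advisory says the protectNTFS setting was ignored on affected versions, the only defensive control that does not depend on the library is to inspect tree paths yourself before anything is written to disk, which is also how a POSIX-side CI job can catch a poisoned repo before relaying it to Windows consumers. The checker below is an added example for this digest, modelled on the kinds of path rules git's core.protectNTFS enforces; it is not Dulwich's code, uses no Dulwich API, and the paths it runs over are constructed.

```python
"""Audit repository paths for components that Windows would interpret
differently from POSIX (separators, drive/stream syntax, reserved device
names, trailing dots/spaces, aliases of .git). Added example for this digest;
not Dulwich code. Feed it the POSIX-style paths from a tree listing."""
import re

# Device names Windows reserves regardless of extension (CON, CON.txt, ...).
RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)
# 8.3 short-name forms such as GIT~1 that can resolve to .git on NTFS.
SHORTNAME_GIT = re.compile(r"^git~\d+$", re.IGNORECASE)
ILLEGAL_CHARS = set('<>"|?*')


def unsafe_reasons(path: str) -> list:
    """Return why `path` is unsafe to write on Windows, or [] when it is fine.

    Every component is checked because the filesystem, not the repository,
    decides how each name is interpreted at checkout time.
    """
    reasons = []
    for comp in path.split("/"):
        if comp in ("", ".", ".."):
            reasons.append(f"dot or empty component in {path!r}")
            continue
        if "\\" in comp:
            reasons.append(f"backslash treated as a separator in {comp!r}")
        if ":" in comp:
            reasons.append(f"drive or NTFS stream syntax in {comp!r}")
        if any(ord(ch) < 32 or ch in ILLEGAL_CHARS for ch in comp):
            reasons.append(f"character illegal on Windows in {comp!r}")
        if comp[-1] in ". ":
            reasons.append(f"trailing dot/space is stripped by Windows in {comp!r}")
        base = comp.split(".")[0].rstrip(" ").upper()
        if base in RESERVED:
            reasons.append(f"reserved device name in {comp!r}")
        stripped = comp.rstrip(". ").lower()
        if stripped == ".git" or SHORTNAME_GIT.match(stripped):
            reasons.append(f"alias of the .git directory in {comp!r}")
    return reasons


def audit_tree(paths) -> dict:
    """Map each unsafe path to its reasons; an empty dict means the tree is clean."""
    findings = {}
    for p in paths:
        reasons = unsafe_reasons(p)
        if reasons:
            findings[p] = reasons
    return findings


if __name__ == "__main__":
    # Constructed sample tree listing, not from any real repository.
    sample = ["src/main.py", "docs\\readme.md", "logs/CON.log", "GIT~1/config", "notes./x"]
    for path, why in audit_tree(sample).items():
        print(path, "->", "; ".join(why))
```

Wire `audit_tree` in front of any checkout of untrusted input and fail the job on a non-empty result; it is deliberately stricter than git's own rules (it rejects trailing dots and spaces outright), which is the right trade-off for a gate rather than a general-purpose client.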
Community Signal Check

Check Point VPN zero-day CVE-2026-50751 exploited in the wild, tied to Qilin ransomware
Attackers are exploiting CVE-2026-50751, a critical authentication bypass in Check Point Remote Access VPN and Mobile Access (IKEv1 configs), to establish unauthenticated VPN sessions. Post-exploitation payloads and ties to the Qilin ransomware crew have been confirmed. If you run Check Point VPN, patch now and audit your IKEv1 logs.
Rapid7 • active_exploitation

Ivanti Sentry critical RCE and auth bypass: CVSS 10.0 and 9.9, exploitation confirmed
Ivanti shipped patches for two brutal Sentry bugs: CVE-2026-10520 (unauthenticated OS command injection, CVSS 10.0) and CVE-2026-10523 (auth bypass, CVSS 9.9). Shadowserver already sees backdoored instances in the wild. If you expose Sentry to the internet, patch today and check for compromise.
Ivanti • active_exploitation

June 2026 cumulative updates failing on upgraded Windows 11 24H2/25H2 systems
If you upgraded machines from Windows 10 to Windows 11 24H2 or 25H2, the June cumulative updates may fail with 0x80073712 or 0x800f0993. Microsoft says a restart should trigger an automatic fix. If that doesn't work, you can unblock installs by removing the affected package with DISM.
BleepingComputer • broken_patch

June Patch Tuesday fix for CVE-2026-50507 triggers BitLocker key errors
The patch for CVE-2026-50507 (Mini-Plasma privilege escalation) can leave devices stuck on a "BitLocker key wasn't loaded correctly" error. Before you panic: toggling WinRE off and back on from an elevated prompt clears it. Test on a handful of machines before you push this one fleet-wide.
BleepingComputer • regression

SECURE BOOT · 13 days until Microsoft Secure Boot certificates begin expiring (June 24, 2026). How to remediate →

Also patched this window
Lower-priority items that cleared the enterprise filter. Scan for anything in your estate.
8.8 · CVE-2026-20251 · In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below…
7.8 · CVE-2026-52750 · Ghidra before 12.1 contains a command injection vulnerability in URL annotation handling on Windows where cmd.exe…
9.6 · CVE-2026-53476 · A flaw was found in assisted-migration-agent.
9.6 · CVE-2026-53471 · A flaw was found in migration-planner.
9.6 · CVE-2026-53470 · A flaw was found in migration-planner.
9.3 · CVE-2026-53475 · A flaw was found in assisted-migration-agent.
9.1 · CVE-2026-53469 · A flaw was found in migration-planner.
8.8 · CVE-2026-6893 · A flaw was found in dracut.
7.6 · CVE-2026-42558 · Prior to 4.4.2, a vulnerability chain consisting of Stored XSS and Iframe Sandbox escape in the Xibo CMS allows users…
7.6 · CVE-2026-20252 · In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.4.2604.3, 10.3.2512.12, 10.2.2510.
Plus 45 more this window. See NVD for the full list.

Recent from the blog
A crash got a federal patch deadline. Here's why that's the right call
CVE-2026-28318 is a 7.5 denial-of-service bug in SolarWinds Serv-U, the kind that usually waits. CISA listed it on KEV two days after the f…
Two AWS bugs you'd never have heard about, and the fix was yours
AWS disclosed two SageMaker SDK flaws on its own bulletins page. They may carry a CVE ID with no CVSS, they'll never hit CISA KEV, and patc…
One cookie to your storefront homepage is shell. CVE-2026-45247 has a Saturday deadline.
An unauthenticated RCE in the Mirasvit Cache Warmer extension is already being hit at scale, and CISA's federal patch deadline is essential…

That's your patch day digest.
patchdayalert.com