PatchDayAlert: 2026-06-16

TODAY'S CALL
Five CVEs today, none exploited in the wild yet, but the top one deserves your attention right now. CVE-2026-49109 is a CVSS 9.8 PHP Object Injection bug in the Salesforce integration plugin for Contact Form 7 and friends: no auth required, and if the right gadget chain exists in your WordPress stack, it's full RCE. Also worth watching: a privilege escalation bug in Microsoft Defender's Malware Protection Engine that Microsoft has acknowledged but hasn't actually patched yet.

DO FIRST
• Update the Integration for Salesforce plugin to version 1.4.4 or later immediately via the WordPress plugin dashboard (CVE-2026-49109)
• Watch for an updated Microsoft Malware Protection Engine version and confirm auto-update is enabled (CVE-2026-50656)
• Update OpenSSL to the patched version via your package manager (CVE-2026-45445)
• Update the Ultimate Product Catalog plugin to the latest version (CVE-2016-20075)
• Update GStreamer and the librfb plugin to the latest patched version through your package manager or from the GStreamer project (CVE-2026-52720)

Clear the most in the fewest moves
2 updates close multiple CVEs at once. Each row is one maintenance decision.

| ACTION | CVES | URGENCY | IMPACT |
| Update the Ultimate Product Catalog plugin to the latest version | 38 (3 critical) | Patch immediately, network-reachable only | — |
| Update OpenSSL to the patched version via your package manager | 3 (1 critical) | Patch this week, network-reachable only | Endpoint reboot |

TOP THREAT TODAY
CVE-2026-49109 · CVSS 9.8 · CRITICAL
An attacker can exploit a PHP Object Injection bug in the Salesforce integration plugin for Contact Form 7, WPForms, Elementor, Formidable, and Ninja Forms without any authentication. At CVSS 9.8, this likely gives an attacker full remote code execution on your WordPress site if the right gadget chain exists in your installed plugins or themes. No login required, no user interaction needed.
Who's affected: WordPress site owners running Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, or Ninja Forms, plugin version 1.4.3 or earlier
Action: Patch immediately for internet-facing systems. Update the Integration for Salesforce plugin to version 1.4.4 or later immediately via the WordPress plugin dashboard.
Exposure: Internet-facing systems · Op impact: Service restart
References: NVD, Ref 1

CVE-2026-50656 · CVSS 7.8 · HIGH
A local privilege escalation bug exists in the Microsoft Malware Protection Engine used by Microsoft Defender. An attacker who already has code running on a box could use this to escalate to SYSTEM. Microsoft has acknowledged the issue but hasn't shipped the fix yet, so keep an eye on Defender engine version updates.
Affects: Anyone running Microsoft Defender on Windows endpoints and servers
Action: Monitor and patch. Watch for an updated Microsoft Malware Protection Engine version and confirm auto-update is enabled. Run 'Get-MpComputerStatus' in PowerShell to verify your engine version once Microsoft publishes the fix.
Exposure: Estate exposure
References: NVD, MSRC

CVE-2026-45445 · CVSS 7.5 · EPSS 0.33% · HIGH
OpenSSL has a bug where the initialization vector (IV) is ignored when AES-OCB mode is used through the EVP_Cipher() code path. Because the IV is what keeps each message's nonce unique, ignoring it means nonce reuse can happen silently, and OCB, like any nonce-based AEAD, loses both its confidentiality and its authenticity guarantees once a nonce repeats under the same key. If your applications use AES-OCB via OpenSSL, encrypted data may not be as protected as you think.
Affects: Teams running OpenSSL 3.3.7 or earlier, particularly on Azure Linux 3.0 (including cloud-hypervisor, edk2, Node.js, and QEMU packages that bundle or link OpenSSL)
Action: Patch this week. Update OpenSSL to the patched version via your package manager. On Azure Linux 3.0, update the openssl, nodejs, qemu, edk2, and cloud-hypervisor packages to their latest available versions.
Exposure: Network-reachable systems · Op impact: Endpoint reboot
One update · 3 CVEs · 1 critical
References: NVD, MSRC

CVE-2016-20075 · CVSS 8.8 · HIGH
WordPress Ultimate Product Catalog version 3.8.6 lets any authenticated user (even contributors) upload arbitrary files, including PHP shells, through the custom file field on the Products tab. An attacker with even the lowest authenticated role can drop a webshell into the upcp-product-file-uploads directory and execute code on your server. This is a 2016-era bug that was only recently assigned a CVE.
Affects: WordPress site owners running Ultimate Product Catalog plugin version 3.8.6 or earlier, especially sites that allow contributor or author registrations
Action: Patch immediately if internet-facing or otherwise exposed. Update the Ultimate Product Catalog plugin to the latest version. If no patched version is available, deactivate and remove it. Audit the wp-content/upcp-product-file-uploads directory for any suspicious .php files.
Exposure: Network-reachable systems
One update · 38 CVEs · 3 critical
References: NVD, Ref 1, Ref 2

CVE-2026-52720 · CVSS 8.8 · HIGH
GStreamer's librfb library (the RFB/VNC client component) has a heap buffer overflow because it checks rectangle area instead of checking width and height individually. A malicious VNC server can send an oversized rectangle that writes past the framebuffer boundary. An attacker who tricks a user into connecting to a rogue VNC server could get code execution or crash the application.
Affects: Anyone running GStreamer-based applications that use the librfb plugin for VNC/RFB connections, on any platform
Action: Patch this week. Update GStreamer and the librfb plugin to the latest patched version through your package manager or from the GStreamer project.
Exposure: Internet-facing systems
References: NVD, Ref 1, Ref 2

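Why an area-only check is not enough is easier to see in code. The following is an added illustration written for this digest, not GStreamer's librfb code: it models a fixed-size framebuffer and compares the area-only test the advisory describes with a check that validates each dimension and offset separately in 64-bit arithmetic. The framebuffer geometry, the rectangle cases and the function names are all constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration, not GStreamer's code: a framebuffer with a fixed
 * geometry and two ways of deciding whether an RFB rectangle update
 * (x, y, width, height) may be written into it. */
typedef struct {
    uint32_t width;   /* pixels per row */
    uint32_t height;  /* rows */
    uint32_t bpp;     /* bytes per pixel */
} framebuffer_t;

/* Allocated length of the framebuffer in bytes. */
static uint64_t fb_size(const framebuffer_t *fb)
{
    return (uint64_t)fb->width * fb->height * fb->bpp;
}

/* Area-only check of the kind the advisory describes. It asks whether the
 * rectangle has no more pixels than the whole framebuffer, which says nothing
 * about either dimension on its own or about where the rectangle starts. */
static bool rect_fits_area_only(const framebuffer_t *fb, uint32_t w, uint32_t h)
{
    return (uint64_t)w * h <= (uint64_t)fb->width * fb->height;
}

/* Hardened check: width and height are validated separately, the offsets are
 * included, and the sums are formed in 64 bits so x + w and y + h cannot wrap. */
static bool rect_fits(const framebuffer_t *fb, uint32_t x, uint32_t y, uint32_t w, uint32_t h)
{
    if ((uint64_t)x + w > fb->width)  return false;  /* runs off the end of a row */
    if ((uint64_t)y + h > fb->height) return false;  /* runs past the last row */
    return true;
}

/* Highest byte offset a row-by-row write of the rectangle would touch. Only
 * meaningful for non-empty rectangles; used to show where an area-only check
 * lets a write land. */
static uint64_t rect_last_byte(const framebuffer_t *fb, uint32_t x, uint32_t y, uint32_t w, uint32_t h)
{
    uint64_t last_row = (uint64_t)y + h - 1;
    uint64_t last_col = (uint64_t)x + w - 1;
    return (last_row * fb->width + last_col) * fb->bpp + (fb->bpp - 1);
}

/* True when the area-only check accepts the rectangle but a write would run
 * past the end of the allocation, i.e. the heap overflow condition. */
static bool area_check_allows_overflow(const framebuffer_t *fb, uint32_t x, uint32_t y, uint32_t w, uint32_t h)
{
    if (w == 0 || h == 0) return false;
    return rect_fits_area_only(fb, w, h) && rect_last_byte(fb, x, y, w, h) >= fb_size(fb);
}

int main(void)
{
    const framebuffer_t fb = { 640, 480, 4 };   /* constructed geometry */
    struct { uint32_t x, y, w, h; const char *note; } cases[] = {
        {  10,  10, 100,    100, "ordinary update inside the framebuffer" },
        {   0,   0,   1, 307200, "1 x 307200: same pixel count as 640 x 480, but 307200 rows tall" },
        { 600,   0, 100,     10, "x + w = 700 > 640: overruns into the next row, stays in bounds" },
        { 0xFFFFFFFFu, 0, 2,  1, "x + w wraps to 1 in 32-bit arithmetic" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-66s area-only=%d hardened=%d overflow=%d\n", cases[i].note,
               rect_fits_area_only(&fb, cases[i].w, cases[i].h),
               rect_fits(&fb, cases[i].x, cases[i].y, cases[i].w, cases[i].h),
               area_check_allows_overflow(&fb, cases[i].x, cases[i].y, cases[i].w, cases[i].h));
    }
    return 0;
}
```

The second and fourth cases are the ones that matter: both have a pixel count the area-only test accepts, and both would write beyond the allocation. The third case shows a different failure the per-dimension check also catches: the write stays inside the buffer but lands in the wrong rows.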
Community Signal Check

CISA adds LiteLLM command injection CVE-2026-42271 to KEV catalog
CISA added CVE-2026-42271 to its Known Exploited Vulnerabilities list. It's a command injection bug in BerriAI LiteLLM that lets authenticated users run arbitrary commands on the host through MCP server test endpoints. If you run LiteLLM, patch now or pull it off the network.
Source: The Hacker News · active exploitation

Chrome V8 zero-day CVE-2026-11645 exploited in the wild
Google confirmed attackers are exploiting CVE-2026-11645, an out-of-bounds memory access bug in Chrome's V8 engine that allows remote code execution via a crafted web page. Fixes shipped in Chrome 149.0.7827.102/.103. Push browser updates across your fleet today.
Source: The Hacker News · active exploitation

Check Point VPN zero-day CVE-2026-50751 exploited by Qilin ransomware gang
Attackers are exploiting CVE-2026-50751, a critical authentication bypass in Check Point Remote Access VPN and Mobile Access using deprecated IKEv1. Unauthenticated remote access, no user interaction needed, and at least one confirmed Qilin ransomware incident. If you still have IKEv1-based VPN configs, patch immediately and check your logs back to early May.
Source: BleepingComputer · active exploitation

Windows Defender privilege escalation CVE-2026-47281 exploited in active attacks
CVE-2026-47281 is a race condition in Windows Defender that grants SYSTEM-level access on Windows 10 and 11. It's already exploited in active attacks. Local access is required but no user interaction, so it's a prime post-compromise escalation path. Make sure June Patch Tuesday updates land quickly.
Source: Arctic Wolf · active exploitation

SECURE BOOT · 8 days until Microsoft Secure Boot certificates begin expiring (June 24, 2026). How to remediate →

Also patched this window
Lower-priority items that cleared the enterprise filter. Scan for anything in your estate.
• CVE-2026-53705 (CVSS 7.6): A flaw was found in GStreamer's WavPack audio decoder in gst-plugins-good.
• CVE-2026-53703 (CVSS 7.1): A vulnerability was found in the GStreamer RealMedia demuxer (gst-plugins-ugly).
• CVE-2026-52722 (CVSS 7.1): A signed integer overflow vulnerability was found in GStreamer's VMnc decoder.
• CVE-2026-52719 (CVSS 7.1): An out-of-bounds read vulnerability was found in the VA JPEG decoder in GStreamer's gst-plugins-bad.
• CVE-2026-53704 (CVSS 7.1): A flaw was found in GStreamer's RealMedia demuxer in the gst-plugins-ugly package.
• CVE-2026-48836 (CVSS 10.0): Unauthenticated Remote Code Execution (RCE) in Easy Invoice versions <= 2.1.19.
• CVE-2026-40772 (CVSS 10.0): Unauthenticated Arbitrary File Upload in GeekyBot versions <= 1.2.2.
• CVE-2026-52704 (CVSS 10.0): Improper Control of Generation of Code ('Code Injection') vulnerability in Edgar Rojas WooCommerce PDF Invoice Builder allows Remote Code Inclusion.
• CVE-2026-49774 (CVSS 9.9): Improper Control of Generation of Code ('Code Injection') vulnerability in Filipe Nasc RD Station allows Remote Code Inclusion.
• CVE-2026-49781 (CVSS 9.8): Unauthenticated PHP Object Injection in OttoKit versions <= 1.1.27.
Plus 168 more this window. See NVD for the full list.

Recent from the blog
A crash got a federal patch deadline. Here's why that's the right call
CVE-2026-28318 is a 7.5 denial-of-service bug in SolarWinds Serv-U, the kind that usually waits. CISA listed it on KEV two days after the f…
Three June 30 Microsoft 365 retirements that fail silently
A printer stops scanning to email, a conference-room keyboard's mute key dies, a town hall won't schedule. None of these will announce them…
Your Azure CLI session has an MFA exemption you never asked for
Two Entra Conditional Access changes land in the same fortnight, and they're the lead evidence in a longer story: Microsoft is closing the…

That's your patch day digest.
patchdayalert.com

35% of leads come in after 5PM.
If you don't respond within 5 minutes of a call, conversion drops 80%.
By morning, they've already called someone else.
The businesses closing that gap are seeing real results.
Air Texas booked a $20K job from their very first after-hours call and canceled their $2,000/month answering service.
Premier Heating & Air cut response time from 12 minutes to 1 and tripled lead conversion.
Air Design ran 187 membership jobs through automated outreach and generated $24K with zero manual work.
That's what happens when every call gets answered, every lead gets followed up, and every membership gets worked, automatically.
Podium's AI Operating System does all of it, in one place, built specifically for HVAC, plumbing, electrical, and garage door companies.