
Threat Digest • CISA KEV Catalog
In June 2026, 23 vulnerabilities were added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog — the authoritative record of vulnerabilities confirmed to be exploited in the wild. Of the 23 KEV additions, 6 are zero-day vulnerabilities and 2 have been exploited by named threat actors in active attacks, spanning products from SimpleHelp, PTC Windchill and FlexPLM, Cisco, Ubiquiti UniFi OS, Splunk Enterprise, Oracle, Ivanti, Google Chrome, Check Point, SolarWinds, and the Linux Kernel.
Section 01
The CISA Known Exploited Vulnerabilities (KEV) catalog is the authoritative source of vulnerabilities confirmed to have been exploited in the wild. In June 2026, 23 vulnerabilities met the criteria for inclusion in CISA's KEV catalog. Of these, 6 are zero-day vulnerabilities and 2 have been exploited by named threat actors and employed in active attacks. CVSS 3.x severity scores across the June 2026 KEV additions range from 5.8 to a maximum of 10.0, with the majority of entries scoring above 7.5, underscoring the critical nature of this month's additions.
Affected products span network and remote-access infrastructure (SimpleHelp, Ivanti Sentry, Check Point Security Gateway, Cisco Unified Communications Manager, Cisco Catalyst SD-WAN Manager), enterprise application platforms (PTC Windchill and FlexPLM, Oracle PeopleSoft Enterprise PeopleTools, Oracle WebLogic Server, Splunk Enterprise), networking and IoT hardware (Lantronix EDS5000, Ubiquiti UniFi OS, Arista Extensible Operating System), web and CMS components (Widget Factory Joomla Content Editor, LiteSpeed cPanel Plugin, Mirasvit Full Page Cache Warmer), the BerriAI LiteLLM AI infrastructure project, SolarWinds Serv-U, Google Chrome, the Linux Kernel, and the Android Framework. Because it is now July 02, 2026, several June KEV due dates listed below have already elapsed and remain overdue for remediation, while the most recent addition, CVE-2026-48558 affecting SimpleHelp, carries a due date of July 02, 2026.
Section 02
| CVE ID | Vulnerability Name | Affected Product | CVSS 3.x | CWE ID | Patch Due Date |
|---|---|---|---|---|---|
CVE-2026-48558 | SimpleHelp Authentication Bypass Vulnerability | SimpleHelp | 10.0 | CWE-347 | July 02, 2026 |
CVE-2026-12569 | PTC Windchill and FlexPLM Improper Input Validation Vulnerability | PTC Windchill and FlexPLM | 9.8 | CWE-20 | June 28, 2026 |
CVE-2026-20230 | Cisco Unified Communications Manager Server-Side Request Forgery (SSRF) Vulnerability | Cisco Unified Communications Manager | 8.6 | CWE-918 | June 28, 2026 |
CVE-2026-20262 | Cisco Catalyst SD-WAN Manager Directory or Path Traversal Vulnerability | Cisco Catalyst SD-WAN Manager | 6.5 | CWE-22 | June 29, 2026 |
CVE-2025-67038 | Lantronix EDS5000 Code Injection Vulnerability | Lantronix EDS5000 | 9.8 | CWE-94 | June 26, 2026 |
CVE-2026-34910 | Ubiquiti UniFi OS Improper Input Validation Vulnerability | Ubiquiti UniFi OS | 10.0 | CWE-20 | June 26, 2026 |
CVE-2026-34909 | Ubiquiti UniFi OS Path Traversal Vulnerability | Ubiquiti UniFi OS | 10.0 | CWE-22 | June 26, 2026 |
CVE-2026-34908 | Ubiquiti UniFi OS Improper Access Control Vulnerability | Ubiquiti UniFi OS | 10.0 | CWE-284 | June 26, 2026 |
CVE-2026-20253 | Splunk Enterprise Missing Authentication for Critical Function Vulnerability | Splunk Enterprise | 9.8 | CWE-306 | June 21, 2026 |
CVE-2026-48907 | Widget Factory Joomla Content Editor Improper Access Control Vulnerability | Widget Factory Joomla Content Editor | 9.8 | CWE-284 | June 19, 2026 |
CVE-2026-54420 | LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability | LiteSpeed cPanel Plugin | 8.5 | CWE-61 | June 18, 2026 |
CVE-2026-35273 | Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability | Oracle PeopleSoft Enterprise PeopleTools | 9.8 | CWE-306 | June 15, 2026 |
CVE-2026-10520 | Ivanti Sentry OS Command Injection Vulnerability | Ivanti Sentry | 10.0 | CWE-78 | June 14, 2026 |
CVE-2026-11645 | Google Chromium V8 Out-of-Bounds Read and Write Vulnerability | Google Chrome | 8.8 | CWE-125 | June 23, 2026 |
CVE-2026-7473 | Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability | Arista Extensible Operating System | 5.8 | CWE-1023 | June 23, 2026 |
CVE-2026-20245 | Cisco Catalyst SD-WAN Manager Improper Encoding or Escaping of Output Vulnerability | Cisco Catalyst SD-WAN Manager | 7.8 | CWE-116 | June 23, 2026 |
CVE-2026-42271 | BerriAI LiteLLM Command Injection Vulnerability | BerriAI LiteLLM | 8.8 | CWE-77 | June 22, 2026 |
CVE-2026-50751 | Check Point Security Gateway Improper Authentication Vulnerability | Check Point Security Gateway | 9.3 | CWE-287 | June 11, 2026 |
CVE-2026-28318 | SolarWinds Serv-U Uncontrolled Resource Consumption Vulnerability | SolarWinds Serv-U | 7.5 | CWE-400 | June 19, 2026 |
CVE-2026-45247 | Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data Vulnerability | Mirasvit Full Page Cache Warmer | 9.8 | CWE-502 | June 06, 2026 |
CVE-2022-0492 | Linux Kernel Improper Authentication Vulnerability | Linux Kernel | 7.8 | CWE-862 | June 05, 2026 |
CVE-2025-48595 | Android Framework Integer Overflow Vulnerability | Android Framework | 8.4 | CWE-190 | June 05, 2026 |
CVE-2024-21182 | Oracle WebLogic Server Unspecified Vulnerability | Oracle WebLogic Server | 7.5 | CWE-200 | June 04, 2026 |
| CVE ID | Associated Entity | Type |
|---|---|---|
CVE-2026-48558 | TaskWeaver, Djinn Stealer | Malware |
CVE-2026-35273 | ShinyHunters (aka UNC6240) | Threat Actor |
CVE-2026-20245 | UAT-8616 | Threat Actor |
CVE-2026-50751 | Qilin Ransomware | Ransomware |
Beyond these four confirmed associations, the remaining KEV additions in this month's catalog — including CVE-2026-12569 (PTC Windchill and FlexPLM), CVE-2026-20230 (Cisco Unified Communications Manager), CVE-2025-67038 (Lantronix EDS5000), CVE-2026-34910, CVE-2026-34909, and CVE-2026-34908 (Ubiquiti UniFi OS), CVE-2026-20253 (Splunk Enterprise), CVE-2026-48907 (Widget Factory Joomla Content Editor), CVE-2026-54420 (LiteSpeed cPanel Plugin), CVE-2026-20262 (Cisco Catalyst SD-WAN Manager), CVE-2026-10520 (Ivanti Sentry), CVE-2026-11645 (Google Chrome), CVE-2026-7473 (Arista Extensible Operating System), CVE-2026-42271 (BerriAI LiteLLM), CVE-2026-28318 (SolarWinds Serv-U), CVE-2026-45247 (Mirasvit Full Page Cache Warmer), CVE-2022-0492 (Linux Kernel), CVE-2025-48595 (Android Framework), and CVE-2024-21182 (Oracle WebLogic Server) — have no named threat actor, malware, or ransomware association recorded in this catalog update.
Section 03
Organizations should prioritize the 23 vulnerabilities listed above and promptly apply patches before the stated due date for each CVE, giving immediate attention to entries whose June 2026 due dates have already passed.
Federal agencies must comply with Binding Operational Directive 26-04 issued by the Cybersecurity and Infrastructure Security Agency (CISA), which outlines the minimum cybersecurity standards required to protect against threats posed by cataloged Known Exploited Vulnerabilities.
Use the affected-product list in this KEV catalog update to identify assets running SimpleHelp, PTC Windchill and FlexPLM, Cisco Unified Communications Manager, Cisco Catalyst SD-WAN Manager, Lantronix EDS5000, Ubiquiti UniFi OS, Splunk Enterprise, Oracle PeopleSoft Enterprise PeopleTools, Ivanti Sentry, Google Chrome, Check Point Security Gateway, SolarWinds Serv-U, or the Linux Kernel, even without conducting an active scan, and patch these assets with priority to reduce risk.
Section 04
Section 05