Rce
Oracle E-Business Suite Payments Flaw Under Active Exploitation Before Patch Window Closed
CVE-2026-46817, a CVSS 9.8 unauthenticated takeover flaw in Oracle E-Business Suite's Payments module, is being mass-exploited via the ibytransmit endpoint — patched in May but hit in the wild before any public PoC existed.
Public PoC Drops for Critical libssh2 Heap Overflow — curl, Git, and PHP All Carry the Flaw
A public PoC was released June 29 for CVE-2026-55200, a CVSS 9.2 heap overflow in libssh2 ≤ 1.11.1 that lets a malicious SSH server execute code on any connecting client. curl, Git, PHP, and a long tail of appliances all link the library.
Ubiquiti UniFi OS Server Triple-CVE Chain Enables Unauthenticated Root RCE
Three max-severity CVEs (2026-34908/09/10) in UniFi OS Server chain from an Nginx auth bypass to root command injection — CISA added all three to KEV on June 23 amid Mirai/Gaafgyt botnet exploitation.
CVE-2026-12569: PTC Windchill/FlexPLM Deserialization RCE Exploited in Wild, CISA Deadline Today
A critical unauthenticated deserialization RCE in PTC Windchill and FlexPLM (CVE-2026-12569, CVSS 9.3) is being actively exploited with JSP web shells; CISA federal patch deadline is today.
Two Critical NGINX Flaws Put HTTP/3 and gRPC Proxying One Bug Away From Unauthenticated RCE
F5 patched CVE-2026-42530 and CVE-2026-42055, two CVSS 9.2 unauthenticated memory-corruption bugs in NGINX's HTTP/3 and HTTP/2 paths. Both reach RCE where ASLR can be bypassed, and both touch NGINX Ingress Controller and Gateway Fabric.
Pickle in the Middle: Vertex AI SDK Bucket-Squatting Bug Enabled Cross-Tenant RCE
Unit 42's 'Pickle in the Middle' shows how a predictable staging-bucket name in the Vertex AI Python SDK let an attacker hijack model uploads and run code cross-tenant. Patched in google-cloud-aiplatform 1.148.0.
Jenkins CVE-2026-53435: config.xml Deserialization RCE Exploited Five Days After Disclosure
CVE-2026-53435 (CVSS 9.0) is an unsafe-deserialization RCE in Jenkins' config.xml handling. Disclosed June 10, a public PoC is now driving in-the-wild exploitation against internet-exposed CI/CD servers. Patch to weekly 2.568 or LTS 2.555.3.
Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild — Patch Every Chromium Runtime, Not Just Browsers
Google patched CVE-2026-11645, an actively exploited out-of-bounds read/write in V8. The real blast radius is every Chromium runtime you operate — headless Chrome in CI, Electron apps, and server-side renderers.
Splunk Enterprise CVE-2026-20253: An Unauthenticated Postgres Sidecar Hands Over Pre-Auth RCE
CVE-2026-20253 (CVSS 9.8) is a pre-auth RCE in Splunk Enterprise. An unauthenticated Postgres sidecar endpoint gives an arbitrary file write that escalates to code execution — on the box holding all your logs. Full exploit details are public; patch now.
Veeam VBR CVE-2026-44963: Any Domain User Can Own Your Backup Server
A critical CVSS 9.4 RCE lets any authenticated domain user run code on domain-joined Veeam Backup & Replication servers. Patch to 12.3.2.4854 now.
Proto6: Six protobuf.js Flaws Turn Trusted Schemas Into RCE and DoS Across gRPC, Cloud, and AI Stacks
Cyera's Proto6 research discloses six CVEs in protobuf.js, including a prototype-pollution-to-RCE chain, in a library pulled 50M+ times a week across gRPC, Google Cloud SDKs, vector databases, and CI/CD.
Oracle Ships Out-of-Band Fix for PeopleSoft Zero-Day CVE-2026-35273 as ShinyHunters Loots 100+ Orgs
Oracle pushed an emergency alert for CVE-2026-35273, an unauthenticated CVSS 9.8 RCE in PeopleSoft PeopleTools. Mandiant confirms in-the-wild exploitation, and ShinyHunters claims data theft from 100+ organizations including the University of Nottingham.
Mirasvit Cache Warmer CVE-2026-45247: One Cookie Pops Any Magento Store, No Auth Required
CISA added CVE-2026-45247 to KEV after Imperva confirmed active exploitation. A single crafted CacheWarmer cookie gives unauthenticated RCE on Magento and Adobe Commerce stores running Mirasvit Full Page Cache Warmer below 1.11.12.
Redis CVE-2026-23479: AI-Discovered Use-After-Free Yields RCE on a Database That's Everywhere
An authenticated use-after-free in Redis's blocking-client path (CVE-2026-23479, CVSS 8.8) gives a low-privilege user OS command execution on the host. It sat unnoticed for over two years and was found by an autonomous AI bug-hunting tool.
SSRF to the Model, Model to the Cloud: The Inference Layer Is 2026's Softest Attack Surface
Model gateways and inference servers are repeating two decades of solved web-security mistakes — default-open binds, pickle RCE, pre-auth SQLi, and SSRF straight into cloud credentials. A field guide to the AI control plane's softest links and how to harden them before the next 36-hour exploitation window.
Gogs 0-Day: Argument Injection in Rebase Merging Gives Any User RCE — and There's No Patch
Rapid7 disclosed an unpatched CVSS 9.4 RCE in Gogs. A malicious branch name injects --exec into git rebase during 'Rebase before merging,' giving any registered user code execution on the server. No CVE, no fix — only config-level mitigations.
SharePoint CVE-2026-45659: Site Member Permissions Are Enough to Pop the Farm
Microsoft patched CVE-2026-45659, an 8.8-severity SharePoint deserialization RCE that only requires Site Member permissions — the lowest tier any authenticated user can have.
7-Zip CVE-2026-48095: NTFS Parser Heap Overflow Lets Any Double-Clicked Archive Hijack a vtable
A signed-shift bug in 7-Zip's NTFS handler under-allocates a 1-byte buffer, then writes up to 256 MB of attacker-controlled data straight through the adjacent stream object's vtable pointer. Patched in 26.01.
SEPPmail Secure Email Gateway: Seven Flaws Including CVSS 10.0 Path Traversal to RCE
InfoGuard Labs discloses seven vulnerabilities in SEPPmail Secure E-Mail Gateway, including a CVSS 10.0 path-traversal-to-RCE bug and an unauthenticated Perl eval injection — full appliance takeover and mail-traffic interception.
CloudNativePG CVE-2026-44477: Metrics Exporter Escalates Any DB User to Postgres Superuser and Host RCE
A residual session_user=postgres in CloudNativePG's metrics exporter lets any low-privileged database user RESET ROLE back to superuser and reach OS-level command execution via COPY TO PROGRAM. CVSS 9.4. Patched in 1.28.3 and 1.29.1.