ECV 2026 June

DATE  CVE  INFO  NAME  CWE

30.6.26 CVE-2026-48558 SimpleHelp Authentication Bypass Vulnerability: SimpleHelp contains an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacker can submit a forged token containing arbitrary identity claims to obtain a fully authenticated technician session. In some configurations, this may also allow bypass of multi-factor authentication. SimpleHelp | SimpleHelp CWE-347
30.6.26 CVE-2026-20230 Cisco Unified Communications Manager Server-Side Request Forgery (SSRF) Vulnerability: Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) contain a server-side request forgery (SSRF) vulnerability that could allow an unauthenticated, remote attacker to write files to the underlying operating system that could later be used to elevate to root. Cisco | Unified Communications Manager CWE-918
30.6.26 CVE-2026-12569 PTC Windchill and FlexPLM Improper Input Validation Vulnerability: PTC Windchill and FlexPLM contain an improper input validation vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code by sending a malicious request over the network. PTC | Windchill and FlexPLM CWE-20 | CWE-502
30.6.26 CVE-2026-34908 Ubiquiti UniFi OS Improper Access Control Vulnerability: Ubiquiti UniFi OS contains an improper access control vulnerability which could allow a malicious actor with access to the network to make unauthorized changes to the system. Ubiquiti | UniFi OS CWE-284
30.6.26 CVE-2026-34909 Ubiquiti UniFi OS Path Traversal Vulnerability: Ubiquiti UniFi OS contains a path traversal vulnerability which could allow a malicious actor with access to the network to access files on the underlying system, which could then be leveraged to gain access to an account on that system. Ubiquiti | UniFi OS CWE-22
30.6.26 CVE-2026-34910 Ubiquiti UniFi OS Improper Input Validation Vulnerability: Ubiquiti UniFi OS contains an improper input validation vulnerability which could allow a malicious actor with access to the network to perform command injection. Ubiquiti | UniFi OS CWE-20
30.6.26 CVE-2025-67038 Lantronix EDS5000 Code Injection Vulnerability: Lantronix EDS5000 contains a code injection vulnerability that could allow attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges. Lantronix | EDS5000 CWE-78 | CWE-94
22.6.26 CVE-2026-20253 Splunk Enterprise Missing Authentication for Critical Function Vulnerability: Splunk Enterprise contains a missing authentication for critical function vulnerability which could allow an unauthenticated user to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. Splunk | Enterprise CWE-306
22.6.26 CVE-2026-48907 Widget Factory Joomla Content Editor Improper Access Control Vulnerability: Widget Factory Joomla Content Editor contains an improper access control vulnerability which could allow for upload and execution of PHP code via the creation of new editor profiles for unauthenticated users. Widget Factory | Joomla Content Editor CWE-284
22.6.26 CVE-2026-20262 Cisco Catalyst SD-WAN Manager Directory or Path Traversal Vulnerability: Cisco Catalyst SD-WAN Manager contains a directory or path traversal vulnerability that could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system. Cisco | Catalyst SD-WAN Manager CWE-22
22.6.26 CVE-2026-54420 LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability: LiteSpeed cPanel plugin contains a UNIX symbolic link (Symlink) following vulnerability that could allow a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS. LiteSpeed | cPanel Plugin CWE-61
13.6.26 CVE-2026-35273 Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability: Oracle PeopleSoft Enterprise PeopleTools contains a missing authentication for critical function vulnerability which could allow an unauthenticated attacker to take over PeopleSoft Enterprise PeopleTools. Oracle | PeopleSoft Enterprise PeopleTools CWE-306
13.6.26 CVE-2026-10520 Ivanti Sentry OS Command Injection Vulnerability: Ivanti Sentry (formerly known as MobileIron Sentry) contains an OS command injection vulnerability which could allow a remote, unauthenticated user to achieve root-level remote code execution. The vulnerability is exploitable when the Sentry appliance is in an unmanaged state with its endpoints externally reachable; using mTLS with EPMM or restricting HTTPS access through Neurons for MDM makes the interfaces inaccessible to external actors. Ivanti | Sentry CWE-78
13.6.26 CVE-2026-20245 Cisco Catalyst SD-WAN Manager Improper Encoding or Escaping of Output Vulnerability: Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) contains an improper encoding or escaping of output vulnerability which could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system. Cisco | Catalyst SD-WAN Manager CWE-116
13.6.26 CVE-2026-7473 Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability: Arista Extensible Operating System (EOS) contains an incomplete comparison with missing factors vulnerability in which the switch incorrectly decapsulates and forwards unexpected tunneled packets whose destination IP matches its configured decapsulation IP. Arista | Extensible Operating System CWE-1023
13.6.26 CVE-2026-11645 Google Chromium V8 Out-of-Bounds Read and Write Vulnerability: Google Chromium V8 contains an out-of-bounds read and write vulnerability that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that use Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera. Google | Chromium V8 CWE-787 | CWE-125
13.6.26 CVE-2026-50751 Check Point Security Gateway Improper Authentication Vulnerability: Check Point Security Gateway contains an improper authentication vulnerability in IKEv1 key exchange that could allow an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password. Check Point | Security Gateway CWE-287
13.6.26 CVE-2026-42271 BerriAI LiteLLM Command Injection Vulnerability: BerriAI LiteLLM contains a command injection vulnerability that could allow any authenticated user, including holders of low-privilege internal-user keys, to run arbitrary commands on the host. BerriAI | LiteLLM CWE-78 | CWE-77
6.6.26 CVE-2026-28318 SolarWinds Serv-U Uncontrolled Resource Consumption Vulnerability: SolarWinds Serv-U contains an uncontrolled resource consumption vulnerability that allows specially crafted POST requests using the Content-Encoding: deflate header to crash the Serv-U service without authentication. SolarWinds | Serv-U CWE-400
6.6.26 CVE-2026-45247 Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data Vulnerability: Mirasvit Full Page Cache Warmer contains a deserialization of untrusted data vulnerability that could allow unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Mirasvit | Mirasvit Full Page Cache Warmer CWE-502
6.6.26 CVE-2025-48595 Android Framework Integer Overflow Vulnerability: Android Framework contains an integer overflow vulnerability that could allow code execution leading to local privilege escalation. Android | Framework CWE-190
6.6.26 CVE-2022-0492 Linux Kernel Improper Authentication Vulnerability: Linux Kernel contains an improper authentication vulnerability which could allow for privilege escalation via the cgroups v1 release_agent feature. Linux | Kernel CWE-287 | CWE-862
6.6.26 CVE-2024-21182 Oracle WebLogic Server Unspecified Vulnerability: Oracle WebLogic contains an unspecified vulnerability that could allow an unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. Oracle | WebLogic Server
6.6.26 CVE-2026-0257 Palo Alto Networks PAN-OS Authentication Bypass Vulnerability: Palo Alto Networks PAN-OS contains an authentication bypass vulnerability that allows attackers to bypass security restrictions and establish an unauthorized VPN connection. Palo Alto Networks | PAN-OS CWE-565
6.6.26 CVE-2026-8398 Daemon Tools Lite Embedded Malicious Code Vulnerability: Daemon Tools contains an unspecified vulnerability that has a high impact on confidentiality, integrity, and availability. Daemon | Daemon Tools Lite CWE-506
6.6.26 CVE-2026-45321 TanStack Unspecified Vulnerability: TanStack contains an unspecified vulnerability that allowed malicious versions of the product, carrying credential-stealing malware, to be published to the npm registry under a trusted identity. TanStack | TanStack
6.6.26 CVE-2026-48027 Nx Console Embedded Malicious Code Vulnerability: Nx Console contains an embedded malicious code vulnerability that allowed a malicious version of Nx Console to be published. The compromised extension fetched an obfuscated payload that could harvest credentials from multiple sources on disk and in memory. Nx | Nx Console CWE-506
6.6.26 CVE-2026-48172 LiteSpeed cPanel Plugin Privilege Escalation Vulnerability: LiteSpeed cPanel Plugin contains a privilege escalation vulnerability exposed via the user-end cPanel plugin, which can be abused by any cPanel user account to execute arbitrary scripts with root privileges. LiteSpeed | cPanel Plugin CWE-266
6.6.26 CVE-2026-9082 Drupal Core SQL Injection Vulnerability: Drupal Core contains a SQL injection vulnerability that could allow for privilege escalation and remote code execution via specially crafted requests sent through the database abstraction API. Drupal CWE-89