CISA Flags Four Actively Exploited Vulnerabilities: Patch Now
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. June 21, 2026
cybr.cx Daily Digest — June 21, 2026
Critical Vulnerabilities
No new CVEs meeting the CVSS ≥ 7.0 threshold were published to NVD in the last 24 hours. However, CISA's Known Exploited Vulnerabilities catalogue carries four entries with active exploitation confirmed in the wild — all with remediation deadlines at or past today. Patch these now.
⚠️ Actively exploited — CVE-2026-20253 | Splunk Enterprise
A missing authentication vulnerability in Splunk Enterprise exposes a PostgreSQL sidecar service endpoint to unauthenticated attackers, who can use it to create or truncate arbitrary files on the host. The blast radius is significant: file truncation alone can disable logging pipelines or corrupt indexes, and file creation opens paths to further persistence. CISA's remediation deadline was today, June 21. If you're running Splunk Enterprise and haven't patched, treat this as an emergency change.
⚠️ Actively exploited — CVE-2026-48907 | Widget Factory Joomla Content Editor
An improper access control flaw in the Joomla Content Editor plugin from Widget Factory allows completely unauthenticated users to create new editor profiles and abuse them to upload and execute arbitrary PHP code. That's unauthenticated remote code execution on any Joomla site running this plugin — straightforward to weaponise and already being exploited. CISA's deadline was June 19. Disable or remove the plugin immediately if patching isn't possible.
⚠️ Actively exploited — CVE-2026-54420 | LiteSpeed cPanel Plugin
A symlink-following vulnerability in the LiteSpeed cPanel plugin allows any user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS to escape their container sandbox by following UNIX symlinks to files outside their allowed scope. On shared hosting infrastructure this is a container-escape primitive — one compromised tenant could pivot to others. CISA deadline was June 18. Hosting providers using this stack should audit immediately.
⚠️ Actively exploited — CVE-2026-20262 | Cisco Catalyst SD-WAN Manager
A path traversal vulnerability in Cisco Catalyst SD-WAN Manager allows an authenticated remote attacker to write or overwrite arbitrary files on the underlying filesystem. While authentication is required, SD-WAN Manager credentials are a realistic target given the platform's network-wide visibility. Successful exploitation could corrupt configuration state or plant persistent implants. CISA deadline is June 29 — don't wait for it.
Headline News
AUR Supply Chain Attacks: Arch Linux's Community Repo Under Fire
Arch Linux's Arch User Repository has experienced a wave of malicious package submissions in what's being called "AURpocalypse" — a coordinated effort to push compromised packages to a community of technically sophisticated users who arguably should know better, which makes the attacks more insidious. AUR packages are user-maintained and not vetted by Arch's core team, meaning the trust model depends heavily on community review and the reputation of individual maintainers. The attack patterns observed include typosquatting popular package names, account takeovers of legitimate trusted maintainers, and injecting malicious build scripts into PKGBUILD files that execute during the install process. For defenders, the lesson is uncomfortable: even expert users relying on "review the source yourself" workflows can miss a subtle payload buried in a dependency fetch or a post-install hook. Organisations permitting Arch-based systems in their environments — increasingly common in developer workstation fleets — should audit recently installed AUR packages and consider whether AUR access is appropriate in their threat model.
Microsoft Flags USB-Spreading Crypto Clipper with Tor C2
Microsoft has issued a warning about an active malware campaign targeting cryptocurrency users on Windows, deploying a clipper that monitors the clipboard for wallet addresses and silently substitutes attacker-controlled addresses at the point of transaction. What makes this campaign operationally notable is its propagation mechanism: the malware spreads via USB drives, giving it reach into air-gapped or network-isolated environments where a purely web-delivered payload would stall. Command-and-control traffic is routed through Tor, complicating network-based detection and attribution. The combination of physical propagation and anonymised C2 suggests a threat actor deliberately targeting high-value individuals or environments with tighter network controls — not just casting a wide phishing net. Practitioners supporting users who handle crypto transactions should ensure clipboard monitoring controls are in place and USB autorun is disabled across managed endpoints.
WordPress Plugin Hid a 13-Year Backdoor — and Nobody Noticed
A forensic investigation into a closed WordPress plugin called "My WP Beacon" revealed that a 7 KB file embedded in the plugin had been quietly phoning home and accepting commands for approximately 13 years before the plugin was pulled from the repository. The plugin closure itself was routine — the listing went dark with no public fanfare — but subsequent analysis found persistent backdoor functionality that had survived undetected across countless WordPress updates and security audits. This sits alongside a separate, actively exploited vulnerability in the Gravity SMTP plugin (affecting around 100,000 sites), where an unauthenticated information disclosure bug is being weaponised in the wild right now, with attackers extracting sensitive configuration data. Together these stories underscore a chronic problem in the WordPress ecosystem: the install-and-forget plugin lifecycle creates a long tail of unmaintained, unreviewed code running with broad filesystem access on production servers. WordPress site owners should audit their plugin inventory for anything dormant, deprecated, or unresponsive to security disclosures — the exposure window is measured in years, not days.
Schrödinger's Feed
Three-Node Quantum Entanglement Network Demonstrated with Trapped Ions
Researchers from the Duke Quantum Center and IonQ have successfully generated a Greenberger–Horne–Zeilinger (GHZ) state across a three-node quantum network using individually trapped atomic ions in spatially separated hardware modules — a meaningful step toward distributed quantum computing and quantum networking infrastructure. GHZ states are maximally entangled multi-particle states that underpin key quantum communication protocols, including quantum secret sharing and certain quantum key distribution schemes. Demonstrating this across remote nodes, rather than within a single cryogenic unit, is the harder problem and the one that actually matters for real-world quantum network deployments. Practitioners planning long-term cryptographic infrastructure should note that multi-node entanglement networks are the physical substrate future quantum key distribution systems will run on — the engineering is getting less theoretical.
/dev/random
Someone Built a Hacker News Reader "Around Accessibility" and the Community Loved It
A developer published an open-source native iOS app for reading Hacker News with a core design constraint of accessibility — screen reader support, dynamic type, and reduced-motion considerations baked in from the start rather than bolted on. In a corner of the internet not exactly famous for caring about WCAG compliance or VoiceOver compatibility, this was apparently sufficiently surprising to generate genuine enthusiasm. The app, called Ember, is available on GitHub and notable for doing the opposite of most side projects: shipping something smaller and more considered rather than larger and more broken. No security angle whatsoever — just a small, well-made thing, which feels worth a mention on a Sunday.