CISA Flags Six Exploited Flaws; Splunk Zero-Day Under Attack
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. June 19, 2026
cybr.cx Daily Digest — June 19, 2026
Critical Vulnerabilities
No new CVEs meeting our threshold were published to NVD in the last 24 hours — but the CISA Known Exploited Vulnerabilities catalogue is carrying six active entries that demand immediate attention. Patch clocks are ticking.
⚠️ Actively exploited — CVE-2026-20253 | Splunk Enterprise
An unauthenticated attacker can create or truncate arbitrary files via a PostgreSQL sidecar service endpoint that requires no authentication. In practice, this means an adversary with network access to your Splunk instance can corrupt or overwrite data on the underlying host without any credentials. CISA's remediation deadline was June 21 — if you haven't patched, you're already in the window. Splunk in SOC environments is a high-value target; treat this as priority zero.
⚠️ Actively exploited — CVE-2026-48907 | Widget Factory Joomla Content Editor
Unauthenticated users can create new editor profiles and use them to upload and execute arbitrary PHP code — effectively a pre-auth remote code execution chain against any Joomla site running this plugin. CISA's remediation deadline was today, June 19. If you're managing Joomla deployments at scale, assume compromise on unpatched instances and audit for webshells immediately.
⚠️ Actively exploited — CVE-2026-54420 | LiteSpeed cPanel Plugin
A symlink-following vulnerability in the LiteSpeed cPanel plugin allows a user with FTP or webshell access on a shared hosting server running CloudLinux/CageFS to escape their sandbox and access files belonging to other tenants. The CISA deadline passed June 18. Shared hosting providers running this stack should treat any customer with FTP access as a potential lateral threat until patched.
⚠️ Actively exploited — CVE-2026-20262 | Cisco Catalyst SD-WAN Manager
An authenticated remote attacker can exploit a path traversal flaw to create or overwrite arbitrary files on the filesystem. While authentication is required, SD-WAN Manager credentials are frequently targeted in initial access campaigns, making the authenticated requirement a thin barrier in practice. CISA deadline is June 29 — don't mistake the longer runway for lower urgency.
⚠️ Actively exploited — CVE-2026-35273 | Oracle PeopleSoft Enterprise PeopleTools
A missing authentication check allows an unauthenticated attacker to achieve full takeover of PeopleSoft PeopleTools — a platform managing HR, finance, and ERP data for large enterprises and government agencies. CISA's deadline of June 15 has already passed. If you're running an exposed PeopleSoft instance and haven't patched, assume the question is when, not if.
⚠️ Actively exploited — CVE-2026-10520 | Ivanti Sentry
An unauthenticated remote OS command injection vulnerability in Ivanti Sentry (formerly MobileIron Sentry) enables root-level RCE against unmanaged appliances. Ivanti products have been persistent targets for nation-state actors throughout 2025–2026, and this fits the same pattern. CISA deadline was June 14 — this one is overdue for remediation across the board.
Headline News
10,000 GitHub Repositories Caught Distributing Trojan Malware
A researcher has documented a campaign operating at significant scale: roughly 10,000 GitHub repositories crafted to distribute trojan malware to developers who clone or download them. The repositories are designed to appear legitimate — mimicking popular open-source tools, game cheats, and developer utilities — with stars, forks, and readme files engineered to build false credibility. The malware targets developer workstations, where credentials, SSH keys, API tokens, and access to CI/CD pipelines make the payload far more valuable than a typical consumer infection. This is a supply chain attack that doesn't require compromising any upstream project — it simply exploits the implicit trust developers place in GitHub search results. Practitioners should enforce strict vetting policies for any third-party code pulled into build environments, and consider tooling that flags newly created or statistically anomalous repositories before execution.
AMD Silently Removes Memory Encryption from Consumer Ryzen CPUs
AMD has quietly removed Secure Memory Encryption (SME) support from consumer Ryzen processors through AGESA firmware updates, without public disclosure or clear communication to users. The feature, which encrypts system RAM to protect against physical memory attacks and cold-boot scenarios, simply disappeared in newer firmware revisions — with AMD engineers declining to explain the change when directly questioned. Users relying on SME for threat models involving physical access (think shared lab environments, edge deployments, or laptops handling sensitive data) may now be operating with a false sense of security, unaware the protection has been silently revoked. The incident raises uncomfortable questions about firmware transparency more broadly: if a hardware security feature can be removed without a changelog entry or advisory, practitioners cannot reliably audit the security posture of deployed endpoints. Until AMD provides a clear explanation and remediation path, assume SME is unavailable on consumer Ryzen and adjust physical-access threat models accordingly.
Schrödinger's Feed
QuSecure — a post-quantum cryptography firm — has announced that Eman Blair, a former CIA Senior Intelligence Service Officer, has joined its Federal Advisory Board, a signal that PQC adoption among US federal agencies is moving from planning into active operational deployment. The hire reflects growing urgency in government circles as NIST's finalised PQC standards push agencies toward concrete migration timelines. Separately, an industry study is now characterising quantum computing as having entered a genuine "capability era," warning that early movers are building advantages that late adopters will struggle to close. Practitioners responsible for long-lived secrets, PKI infrastructure, or federal compliance should be tracking PQC migration roadmaps now — the window for comfortable planning is shortening faster than most enterprise timelines anticipate.
/dev/random
Noam Shazeer — co-inventor of the Transformer architecture, the mechanism underpinning virtually every large language model in production today, and until recently the co-founder of Character.AI — has announced he's joining OpenAI. This is roughly the equivalent of the person who designed the internal combustion engine joining a car company that's actively racing their former employer. The security angle is admittedly thin, but given that LLMs are now deeply embedded in security tooling, code review pipelines, and threat intelligence platforms, the trajectory of whoever is steering the underlying research has a habit of becoming everyone's problem eventually. Watch this space — or don't, and just wait for the CVE.