██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

CISA: Patch Joomla Flaw Now — Deadline in Two Days

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. June 17, 2026

Share

cybr.cx — Daily Digest | June 17, 2026


Critical Vulnerabilities

⚠️ Actively exploited — CVE-2026-48907 | Joomla Content Editor (Widget Factory) | CVSS: N/A
CISA added this one to the KEV catalog yesterday with a remediation deadline of June 19 — that's two days from now. An improper access control flaw lets unauthenticated users create new editor profiles and upload and execute arbitrary PHP code. If you're running Joomla with the Widget Factory Content Editor plugin, treat this as a fire drill.

⚠️ Actively exploited — CVE-2026-54420 | LiteSpeed cPanel Plugin | CVSS: N/A
Remediation was due yesterday. A symlink-following vulnerability on shared hosting environments running CloudLinux/CageFS allows any user with FTP or web shell access to escape their cage and traverse the broader filesystem. Shared hosting providers are the primary risk surface here — if you manage cPanel infrastructure, assume this is being probed right now.

⚠️ Actively exploited — CVE-2026-20262 | Cisco Catalyst SD-WAN Manager | CVSS: N/A
An authenticated remote attacker can exploit a path traversal flaw to create or overwrite arbitrary files on the filesystem. Active exploitation means threat actors already have — or are actively acquiring — credentials to get a foothold. Patch deadline is June 29, but don't wait. A second Cisco SD-WAN Manager bug (CVE-2026-20245) is also KEV-listed, allowing authenticated local attackers to execute arbitrary commands as root via a crafted file.

⚠️ Actively exploited — CVE-2026-35273 | Oracle PeopleSoft Enterprise PeopleTools | CVSS: N/A
Full unauthenticated takeover of PeopleSoft due to a missing authentication check on a critical function. Remediation deadline has already passed (June 15). If you haven't patched, you should assume this is a live incident until proven otherwise.

⚠️ Actively exploited — CVE-2026-10520 | Ivanti Sentry | CVSS: N/A
Unauthenticated OS command injection yielding root-level RCE. Exploitable when the Sentry appliance is in an unmanaged state. Ivanti products continue to be reliable targets for sophisticated threat actors — this one needs emergency attention, especially given the remediation deadline has passed.

⚠️ Actively exploited — CVE-2026-11645 | Google Chromium V8 | CVSS: N/A
An out-of-bounds read/write in the V8 JavaScript engine allows a remote attacker to execute arbitrary code within the sandbox via a crafted HTML page. Affects Chrome, Edge, and any Chromium-derived browser. Push browser updates across your fleet immediately — this is a drive-by risk.

⚠️ Actively exploited — CVE-2026-7473 | Arista EOS | CVSS: N/A
An incomplete comparison flaw causes Arista switches to incorrectly decapsulate and forward unexpected tunneled packets destined for the configured decapsulation IP. Active exploitation of network infrastructure vulnerabilities at this level warrants immediate attention from network operations teams.


CVE-2026-7273 | Zyxel GS1900-48HPv2 | CVSS: 8.8 — HIGH
A stack-based buffer overflow in the CGI program of Zyxel's GS1900-48HPv2 managed switch (firmware through 2.90(ABTQ.1)C0) can be triggered by an unauthenticated attacker on the LAN via a crafted HTTP request, potentially leading to OS command execution. Scope is LAN-limited, but unmanaged switch access in flat network segments makes this realistic.

CVE-2026-6933 | Premmerce Dev Tools (WordPress) | CVSS: 8.8 — HIGH
The generatePluginHandler function processes user-supplied POST data with zero authorization checks, and createFromStub performs unsanitized string substitution — the combination is unauthenticated remote code execution on any WordPress install running Premmerce Dev Tools up to version 2.0. Deactivate or update immediately.

CVE-2026-8443 / CVE-2026-8444 | WP Review Slider Pro (WordPress) | CVSS: 8.8 — HIGH
Two independent SQL injection paths in WP Review Slider Pro ≤12.6.8. CVE-2026-8443 abuses the plugin's mishandling of stripslashes() on JSON input, effectively stripping WordPress's built-in magic quotes sanitization before injecting into a query. CVE-2026-8444 directly concatenates unsanitized POST array elements into a WHERE id IN (...) clause. Both are exploitable via AJAX actions without elevated privileges.

CVE-2026-8442 | WP Review Slider Pro (WordPress) | CVSS: 8.1 — HIGH
Same plugin, different problem: missing authorization on AJAX handlers combined with a weak strpos() path check enables arbitrary file deletion. An attacker who can manipulate stored media URLs can delete files outside the intended directory. Patch or remove WP Review Slider Pro ≤12.6.8 across all environments.

CVE-2026-5416 | Managed Ethernet Switch | CVSS: 8.8 — HIGH
A command injection vulnerability in a name parameter — details sparse, but the impact is full system compromise by a low-privileged remote attacker. The lack of vendor specifics in the disclosure makes this harder to triage; check your managed switch vendor advisories for a matching patch.


Headline News

SimpleHelp Flaw Enables Unauthenticated Rogue Account Creation
A newly disclosed vulnerability in SimpleHelp remote management software allows unauthenticated attackers to create privileged technician accounts on exposed servers — provided those servers are using OpenID Connect (OIDC) for authentication. The flaw means an attacker with network access to a SimpleHelp instance could silently establish a persistent, high-privilege foothold without any credentials. Remote support tools are an especially attractive target because they inherently carry broad access to managed endpoints across entire client fleets. Managed service providers and IT teams relying on SimpleHelp for remote access should audit their OIDC-configured instances immediately and review technician account logs for any unexplained additions. Patches are available and should be treated as urgent given the straightforward exploitability of the flaw.

Security Community Pushes Back on AI Model Ban
Following a US government order to shut down Fable 5 and Mythos 5 — two AI systems with significant use in offensive and defensive security research — around 100 prominent cybersecurity professionals published an open letter demanding the ban be reversed. The core argument is that sophisticated AI tools have become foundational to defenders: automating vulnerability triage, accelerating malware analysis, and enabling faster incident response at scale. Critics of the ban point out that threat actors operate across jurisdictions and won't be constrained by a domestic shutdown, while domestic defenders lose access to the same capabilities. The letter signals a growing tension in policy circles between AI safety concerns and the operational reality of asymmetric cyber conflict. For practitioners, the debate has immediate implications: tooling choices and AI-assisted workflows are increasingly subject to regulatory risk independent of their technical merit.

tmux 3.6b Patches CVE-2026-11623
A security release for tmux — the near-ubiquitous terminal multiplexer — addresses CVE-2026-11623, details of which are under coordinated disclosure but reference a publicly documented proof-of-concept. tmux runs in privileged contexts across developer workstations, CI pipelines, and production server sessions, making even moderate-severity vulnerabilities worth patching promptly. The 3.6b release is available via the project's GitHub; administrators should update and restart active sessions where possible. Given how deeply embedded tmux is in daily practitioner workflows, patch fatigue here is a genuine risk — this one deserves five minutes of attention.


Schrödinger's Feed

Quantum Art has published detailed numerical simulations confirming that its trapped-ion multi-qubit gate architecture meets the fault-tolerance thresholds required for large-scale quantum error correction — a milestone the industry has been chasing for years. Fault-tolerant QEC is the critical bridge between today's noisy, error-prone quantum hardware and systems capable of running Shor's algorithm at cryptographically relevant scale. The simulations don't mean the hardware exists at that scale yet, but they do validate the architectural path, which is meaningful signal for the timeline of post-quantum cryptography urgency. Practitioners planning long-horizon cryptographic migrations should note: the QEC goalposts are moving faster than most enterprise PQC roadmaps assume.


/dev/random

Apple's Hide My Email feature — which generates random relay addresses to shield your real inbox — is apparently about to become significantly less useful, according to a detailed technical breakdown published this week. The issue isn't a bug in the traditional sense: upcoming changes to how Apple handles these relay addresses mean third parties will have new mechanisms to correlate Hide My Email aliases back to real identities, partially defeating the privacy guarantee users signed up for. It's a rare case of a privacy feature being eroded not by a hack, but by a policy and architecture decision made quietly in a product update. The real lesson: privacy features that depend on a single vendor's ongoing goodwill are not the same as privacy features that depend on cryptographic guarantees — and your users probably can't tell the difference.