CISA Warns: Splunk Flaw Actively Exploited in the Wild
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. June 20, 2026
cybr.cx Daily Digest — June 20, 2026
Critical Vulnerabilities
No new NVD CVEs (CVSS ≥ 7.0) were published in the last 24 hours. The vulnerabilities below are drawn from the CISA Known Exploited Vulnerabilities catalogue — all are confirmed active in the wild and require immediate attention.
⚠️ Actively exploited — CVE-2026-20253 | Splunk Enterprise
A missing authentication flaw in Splunk Enterprise exposes a PostgreSQL sidecar service endpoint, allowing unauthenticated attackers to create or truncate arbitrary files on the host. In a SIEM platform that sits at the heart of most SOC environments, file truncation alone can blind detection pipelines — treat this as critical operational risk, not just a patching checkbox. CISA's remediation deadline was June 21; if you haven't patched, you're already overdue.
⚠️ Actively exploited — CVE-2026-48907 | Widget Factory Joomla Content Editor
An improper access control flaw in the Widget Factory Joomla Content Editor plugin allows unauthenticated users to create new editor profiles and leverage them to upload and execute arbitrary PHP code. Remote code execution without credentials on a CMS plugin is as bad as it sounds — any internet-facing Joomla instance running this plugin should be considered compromised until proven otherwise. Audit your plugin inventory now.
⚠️ Actively exploited — CVE-2026-35273 | Oracle PeopleSoft Enterprise PeopleTools
A missing authentication vulnerability in Oracle PeopleSoft PeopleTools enables unauthenticated remote attackers to achieve full system takeover. PeopleSoft is widely deployed in higher education and large enterprise HR environments, making this a high-value target for data theft and ransomware staging. CISA's due date of June 15 has already passed — escalate patching immediately.
⚠️ Actively exploited — CVE-2026-20262 | Cisco Catalyst SD-WAN Manager
An authenticated path traversal vulnerability in Cisco Catalyst SD-WAN Manager allows a remote attacker to create or overwrite arbitrary files on the underlying filesystem. While authentication is required, SD-WAN credentials are frequently exposed via credential stuffing or phishing, making the practical exploitation barrier lower than it appears. Network teams should patch and audit file integrity on affected appliances.
⚠️ Actively exploited — CVE-2026-54420 | LiteSpeed cPanel Plugin
A symlink-following vulnerability in the LiteSpeed cPanel plugin can be abused by any user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS — the very isolation mechanisms designed to contain multi-tenant risk. Hosting providers are the primary audience here: a single compromised tenant account could be leveraged to escape CageFS containment and access other customers' files. Shared hosting operators should treat this as a priority.
Headline News
Vendor-Signed UEFI Applications Expose Widespread Secure Boot Bypass
CERT/CC has published vulnerability note VU#457458, disclosing that multiple vendor-signed UEFI applications are vulnerable to a Secure Boot bypass via a Bring Your Own Vulnerable Driver (BYOVD)-style technique. If an attacker can place one of these signed-but-vulnerable UEFI binaries on a target system whose firmware trusts the relevant vendor certificate, they can execute unsigned code during the boot process — effectively defeating Secure Boot's fundamental guarantee. The attack is particularly dangerous because the exploited applications carry legitimate signatures, meaning standard allowlist-based defences offer no protection. This follows a familiar and frustrating pattern: the security of Secure Boot depends entirely on vendors maintaining hygiene around their signing infrastructure, and that assumption keeps failing. Enterprises should review CERT/CC's advisory for affected vendor listings and prioritise firmware-level mitigations and UEFI revocation database updates where available.
Langflow AI Orchestration Platform Carries Arbitrary File Write Vulnerability
A file upload flaw in Langflow — a popular open-source platform for building and chaining LLM-based workflows — allows attackers to write files to arbitrary locations on the underlying host system. As AI orchestration tools proliferate across development and production environments, they are becoming an increasingly attractive and under-scrutinised attack surface: many are deployed rapidly, often without the same security review applied to traditional application stacks. An arbitrary file write in a tool that typically runs with significant system permissions can serve as a stepping stone to full remote code execution, persistence, or lateral movement. Security teams should audit all self-hosted AI tooling deployments, restrict network exposure, and apply available patches — the assumption that internal AI infrastructure is low-risk is one attackers are actively betting on.
Apple A12 and A13 Chips Face Unpatchable Hardware Exploit
A newly disclosed exploit targeting Apple's A12 and A13 SoCs — the chips powering iPhone XS through iPhone 11-era devices — has been confirmed as unpatchable via software update due to its location in read-only boot ROM. The vulnerability echoes the checkm8 bootrom exploit disclosed in 2019, which similarly affected earlier Apple silicon and remains unresolved at the hardware level to this day. Devices affected include those that can no longer receive the latest iOS updates, compounding the risk for organisations still running older iPhone hardware in managed fleets or BYOD environments. While exploitation typically requires physical access, the unpatchable nature means any device in the affected range must be treated as permanently at elevated risk — practitioners should accelerate hardware refresh cycles for affected models and review MDM policies accordingly.
Schrödinger's Feed
Sandia National Laboratories and Quantinuum have published peer-reviewed performance data in Nature for Helios, a 98-qubit commercial trapped-ion quantum computer developed under a long-standing cooperative research agreement — a notable milestone because the results carry the independent validation weight of a national security laboratory. Trapped-ion systems have consistently demonstrated superior gate fidelity compared to superconducting alternatives, and a 98-qubit validated system inches the field meaningfully closer to the fault-tolerant thresholds that would make cryptographically relevant attacks plausible. The publication of rigorous, reproducible benchmarks in a peer-reviewed journal is exactly the kind of signal that separates genuine progress from vendor marketing. Practitioners overseeing long-lived PKI infrastructure, key management systems, or data with decade-plus confidentiality requirements should take validated hardware milestones like this as a concrete prompt to accelerate post-quantum cryptography migration timelines.
/dev/random
Amazon has pulled a planned biographical film about OpenAI CEO Sam Altman shortly after announcing a major commercial partnership with OpenAI itself — a sequence of events so on-the-nose it could have been scripted by one of the company's own models. The studio apparently concluded that producing a warts-and-all biopic about your new strategic partner is, at minimum, awkward, and at maximum, a contractual headache. It's a reminder that in the current AI industry landscape, the line between subject, distributor, and infrastructure provider has become genuinely difficult to locate. Somewhere, a content moderation model is carefully not flagging this as a conflict of interest.