Oracle PeopleSoft Flaw Exploited — Patch Deadline Tomorrow
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. June 14, 2026
cybr.cx | Daily Digest — June 14, 2026
Critical Vulnerabilities
⚠️ Actively exploited — CVE-2026-35273 | Oracle PeopleSoft Enterprise PeopleTools | CVSS: N/A
A missing authentication vulnerability in Oracle PeopleSoft PeopleTools allows unauthenticated attackers to fully take over affected instances. CISA added this on June 12 with a remediation deadline of tomorrow, June 15 — if you're running PeopleSoft in your environment, this should already be patched or mitigated. The attack surface is broad: PeopleSoft is widely deployed across HR, finance, and ERP functions in large enterprises and universities.
⚠️ Actively exploited — CVE-2026-10520 | Ivanti Sentry | CVSS: N/A
Ivanti Sentry (formerly MobileIron Sentry) contains an OS command injection flaw exploitable by unauthenticated remote attackers to achieve root-level RCE. The CISA deadline was today — this is already being hit in the wild. Unmanaged Sentry appliances are particularly exposed. Ivanti continues to feature prominently in CISA's KEV catalog; if your mobile device management stack includes Sentry, treat this as an emergency.
⚠️ Actively exploited — CVE-2026-11645 | Google Chromium V8 | CVSS: N/A
An out-of-bounds read/write in Chromium's V8 JavaScript engine can be triggered via a crafted HTML page, enabling arbitrary code execution inside the sandbox. All Chromium-based browsers are affected — Chrome, Edge, Brave, and others. Drive-by exploitation via malicious web pages is the primary attack vector. Ensure browsers are updated across all managed endpoints; this is a classic threat vector for initial access.
⚠️ Actively exploited — CVE-2026-50751 | Check Point Security Gateway | CVSS: N/A
An improper authentication flaw in IKEv1 key exchange allows unauthenticated remote attackers to bypass user authentication entirely and establish a VPN session without valid credentials. CISA's remediation deadline has already passed (June 11). VPN gateways are perimeter-critical assets — any unauthenticated bypass here is a front-door compromise waiting to happen.
⚠️ Actively exploited — CVE-2026-42271 | BerriAI LiteLLM | CVSS: N/A
Command injection in LiteLLM can be triggered by any authenticated user — including those holding low-privilege internal-user API keys — to execute arbitrary commands on the host. As LiteLLM is widely used as an AI/LLM API proxy in enterprise and developer environments, this is a significant supply chain concern. Patch immediately and audit who holds internal-user keys.
⚠️ Actively exploited — CVE-2026-20245 | Cisco Catalyst SD-WAN Manager | CVSS: N/A
An improper output escaping vulnerability in Cisco Catalyst SD-WAN Manager allows an authenticated local attacker to execute arbitrary commands as root by supplying a crafted file. While local access is required, SD-WAN managers are high-value targets — compromise here can affect routing and segmentation across entire WAN fabrics.
⚠️ Actively exploited — CVE-2026-7473 | Arista Extensible Operating System (EOS) | CVSS: N/A
An incomplete comparison vulnerability in Arista EOS causes switches to incorrectly decapsulate and forward unexpected tunneled packets matching the configured decapsulation IP. Active exploitation in the wild makes this a network-layer integrity concern for data center and campus environments running Arista gear. Review tunnel configurations and apply vendor patches.
CVE-2026-53821 / 53822 / 53828 / 53836 | OpenClaw (multiple) | CVSS: 8.8 — HIGH
A cluster of four critical vulnerabilities in OpenClaw before version 2026.5.18 covers a troubling range of control-plane weaknesses: WebSocket clients can self-declare elevated operator scopes before server authorization is established (53821); a TOCTOU-style command injection allows attackers to rebuild command arguments after allowlist approval (53822); authenticated senders can invoke owner-only commands by triggering a native command handling path that skips access control (53828); and PowerShell encoded-command allowlist checks can be bypassed using abbreviated flag aliases unrecognised by the parser (53836). All four carry CVSS 8.8. Update to 2026.5.18 or later.
CVE-2026-53831 | OpenClaw | CVSS: 8.3 — HIGH
On POSIX nodes, shell metacharacters in commands approved via the system.run safe-bin allowlist can be expanded by the shell at execution time, allowing authenticated operators to read arbitrary node-local files. Sensitive configuration data is the obvious target. Patched in 2026.5.18.
CVE-2026-54228 | abrt-dbus (ABRT) | CVSS: 7.8 — HIGH
A TOCTOU race condition in the abrt-dbus D-Bus service's SetElement method allows any local user to write arbitrary text files into a root-owned crash dump directory between directory creation and post-create event execution. This bypasses package validation and can allow crashes from unpackaged binaries to persist through post-create processing — a useful primitive for local privilege escalation chains on Linux systems running ABRT.
Headline News
Twenty-One Zero-Days in FFmpeg
Researchers have published findings detailing 21 zero-day vulnerabilities in FFmpeg, the ubiquitous open-source multimedia processing library. FFmpeg's attack surface is enormous: it is embedded in video conferencing platforms, streaming infrastructure, content delivery pipelines, browsers, mobile applications, and professional media tooling. The breadth of the vulnerability set — spanning parsing, demuxing, and codec handling — reflects the challenge of auditing a codebase of this scale and age. For defenders, the immediate concern is any internet-facing service that accepts user-supplied media files for transcoding or processing, as these represent direct exploitation paths. Practitioners should identify all FFmpeg dependencies across their software bill of materials, apply patches as they become available, and consider sandboxing FFmpeg processes to limit blast radius.
Arch Linux AUR Malware Incident: Over 1,500 Packages Affected
The Arch Linux project has confirmed that a malware incident affecting the Arch User Repository (AUR) is now considered under control, but not before more than 1,500 packages were compromised. The AUR's community-maintained model — where package build scripts (PKGBUILD files) are submitted and updated by individual maintainers without a formal security review gate — makes it structurally susceptible to this class of supply chain attack. The specific mechanism of compromise has not been fully disclosed, but the scale of affected packages suggests either a coordinated campaign or automated modification of maintainer accounts. Any Arch Linux system that installed or updated AUR packages during the exposure window should be treated as potentially compromised and audited against known-good baselines. This incident is a timely reminder that package repositories without mandatory code signing and review processes represent a persistent supply chain risk, regardless of ecosystem popularity.
Schrödinger's Feed
A new report commissioned by Coinbase and authored by experts in quantum computing, cryptography, and blockchain warns that the cryptocurrency industry needs to stop waiting for a precise "Q-Day" timeline and start implementing post-quantum cryptographic protections now. The report is notable because it comes from an industry where cryptographic key longevity is a core product concern — wallets and signed transactions generated today could, in principle, be retrospectively attacked once sufficiently capable quantum hardware exists. The "harvest now, decrypt later" threat model is particularly acute for long-lived blockchain records. Practitioners building or securing systems with cryptographic assets that must remain confidential or unforgeable for a decade or more should treat this as a call to action, not a distant research problem.
/dev/random
A developer has published a detailed breakdown of running local AI coding assistants at home without incurring cloud API costs — using quantised models, consumer GPU VRAM limits, and inference servers like llama.cpp and ollama to replicate the functionality of commercial tools. The write-up is practically useful, but there's a subtler security angle worth noting: engineers self-hosting LLM inference to avoid sending proprietary code to third-party APIs are making an implicit security trade-off that their organisations probably haven't formally approved. The gap between "I'm not sending code to OpenAI" and "I've audited the model weights I downloaded from HuggingFace" is, shall we say, non-trivial. Shadow AI infrastructure is the new shadow IT — and it's running on the same laptops that access your production environment.