Critical vulnerabilities, curated daily for security professionals
🎯 SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
📊
Today's Security Brief
Friday's disclosures lead with CVE-2026-49257, a CVSS 10 vulnerability in Apache Pinot (via mcp-pinot), the day's most severe issue. Volume fell sharply from the prior day, with critical CVEs dropping to 1 (down 98%) and high-priority CVEs to 41 (down 54%). Five vulnerabilities carry confirmed active exploitation, including CVE-2026-35273 in Oracle PeopleSoft Enterprise PeopleTools, CVE-2026-20253 in Splunk Enterprise and Cloud Platform, and CVE-2026-20262 in Cisco Catalyst SD-WAN Manager. Enterprise data, identity, and network-management platforms dominate the affected systems, with several flaws enabling remote code execution and authentication bypass. No vendor patches were available at disclosure time, so teams should prioritize compensating controls and monitor for vendor fixes.
Apache Pinot (via mcp-pinot) carries CVE-2026-49257 at CVSS 10, the day's maximum-severity vulnerability
Critical CVEs dropped to 1, down 98% from the prior day's 48
High-priority CVEs fell to 41, down 54% from the prior day's 90
Remote code execution and authentication bypass affect enterprise platforms including Oracle PeopleSoft and Cisco Catalyst SD-WAN Manager
Patch availability stands at 0%, requiring compensating controls for Splunk, LiteSpeed cPanel, and Joomla Content Editor exposure
Five vulnerabilities have confirmed active exploitation across Oracle, Splunk, Cisco, LiteSpeed, and Joomla products
Immediate action: Prioritize Apache Pinot deployments exposed via mcp-pinot, along with the actively exploited Oracle PeopleSoft, Splunk, Cisco Catalyst SD-WAN Manager, LiteSpeed cPanel, and Joomla Content Editor installations. No vendor patches were available at disclosure, so apply access restrictions, network segmentation, and exploitation monitoring while tracking advisories for fixes.
💡 Tip: Swipe CVE cards left to ⭐ star, right to ❌ remove
Section Navigation
⚠️
CISA Known Exploited Vulnerabilities
⚠️ CISA KEVURGENT
CVE-2026-35273
9.5📝
OraclePeopleSoft Enterprise PeopleTools
⏰ Federal Deadline:June 14, 2026(-4 days remaining)
An unauthenticated, easily exploitable vulnerability in the PeopleSoft Updates Environment Management component allows for complete system takeover via HTTP.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEVURGENT
CVE-2026-54420
9.5📝
LiteSpeed TechnologiescPanel plugin
⏰ Federal Deadline:June 17, 2026(EXPIRED)
A symlink mishandling vulnerability in the LiteSpeed cPanel plugin allows users with limited access to escalate privileges on shared hosting environments.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2026-48907
9.5📝
Widget FactoryJoomla Content Editor
⏰ Federal Deadline:June 18, 2026
An improper access control vulnerability in the Widget Factory Joomla Content Editor allows unauthorized users to perform restricted actions.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEVURGENT
CVE-2026-20253
9.5📝
SplunkEnterprise and Cloud Platform
⏰ Federal Deadline:June 20, 2026(2 days remaining)
Splunk Enterprise and Cloud Platform contain an authentication bypass vulnerability in a PostgreSQL sidecar service, allowing unauthenticated users to create or truncate arbitrary files.
CVSS Base9.5
→
CRSSelect profile
⚠️ CISA KEV
CVE-2026-20262
9.5📝
CiscoCatalyst SD-WAN Manager
⏰ Federal Deadline:June 28, 2026(10 days remaining)
Cisco Catalyst SD-WAN Manager contains an arbitrary file write vulnerability in its web UI, allowing authenticated remote attackers to escalate privileges to root.
CVSS Base9.5
→
CRSSelect profile
🚨
Critical Vulnerabilities
CVE-2026-49257
10📝
ApachePinot (via mcp-pinot)
The mcp-pinot server defaults to an unauthenticated configuration, allowing any network-adjacent attacker to execute arbitrary SQL and mutate table configurations.
CVSS Base10
→
CRSSelect profile
⚠️
High Priority Updates
CVE-2026-54104
8.8📝
U.S. GAO / CBCAEPDS & CBCA EDS
Authenticated privilege escalation in the U.S. GAO EPDS and CBCA EDS docketing systems via an unverified client-supplied 'epds_role_id' parameter (CWE-602).
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6192
8.8📝
GoogleChrome
A use-after-free vulnerability exists in the Metrics component of Google Chrome, which may allow for arbitrary code execution.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6191
8.8📝
GoogleChrome
An integer overflow vulnerability in the V8 JavaScript engine of Google Chrome may lead to arbitrary code execution.
CVSS Base8.8
→
CRSSelect profile
CVE-2026-12044
8.8📝
PostgreSQLpgAdmin 4
A SQL injection vulnerability exists in pgAdmin 4 within dialog templates that render the "COMMENT ON" command, potentially allowing unauthorized database manipulation.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6102
8.8📝
Wifi-softUniBox Controller
A critical vulnerability has been found in the Wifi-soft UniBox Controller, which could lead to unauthorized system access.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6103
8.8📝
Wifi-softUniBox Controller
A critical security vulnerability has been identified in the Wifi-soft UniBox Controller that may allow for unauthorized system compromise.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6104
8.8📝
Wifi-softUniBox Controller
A critical security vulnerability has been identified in the Wifi-soft UniBox Controller that requires immediate administrative attention to mitigate potential unauthorized access.
CVSS Base8.8
→
CRSSelect profile
CVE-2026-8461
8.8📝
FFmpeglibavcodec
An out-of-bounds write vulnerability in FFmpeg's MagicYUV decoder allows for denial-of-service and potential remote code execution via malicious video files.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6110
8.8📝
TendaFH1201
A critical vulnerability has been identified in the Tenda FH1201 router, potentially allowing unauthorized system impact.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6111
8.8📝
TendaFH1205
A critical vulnerability has been identified in the Tenda FH1205 router, posing a significant security risk to affected network environments.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6112
8.8📝
TendaFH1205
A critical security vulnerability has been identified in the Tenda FH1205 router, which may permit unauthorized system-level actions.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6113
8.8📝
TendaFH1203
A critical vulnerability has been discovered in the Tenda FH1203 router, creating a significant security risk for the device.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6114
8.8📝
D-LinkDIR-619L
A security vulnerability has been identified in the D-Link DIR-619L router, potentially impacting device security and integrity.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6115
8.8📝
D-LinkDIR-619L
A critical security vulnerability has been identified in the D-Link DIR-619L router, potentially allowing for unauthorized system impact.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6158
8.8📝
D-LinkDIR-665
A critical security flaw has been discovered in the D-Link DIR-665 router, which may expose the device to unauthorized exploitation.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6291
8.8📝
D-LinkDIR-825
A critical vulnerability has been identified in the D-Link DIR-825 router, potentially permitting unauthorized system-level actions.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6292
8.8📝
D-LinkDIR-825
A security vulnerability has been identified in the D-Link DIR-825 router, requiring immediate administrative attention to prevent unauthorized access.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6328
8.8📝
D-LinkDIR-815
A security vulnerability has been discovered in the D-Link DIR-815 router, posing a risk of potential unauthorized access.
CVSS Base8.8
→
CRSSelect profile
CVE-2026-55237
8.8📝
AutoGPTWorkflow Automation Platform
AutoGPT is a workflow automation platform for creating and managing continuous artificial intelligence agents.
CVSS Base8.8
→
CRSSelect profile
CVE-2026-56075
8.8📝
PraisonAIPraisonAI
PraisonAI versions before 4.5.128 contain an arbitrary shell command execution vulnerability due to insecure handling of approval modes.
CVSS Base8.8
→
CRSSelect profile
CVE-2026-56078
8.8📝
PraisonAIMultiAgentMonitor
A path traversal vulnerability in PraisonAI's MultiAgentMonitor allows attackers to read, write, or overwrite arbitrary files.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6090
8.8📝
H3CGR-5400AX
A critical vulnerability has been identified in the H3C GR-5400AX router, potentially allowing unauthorized access or control.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6091
8.8📝
H3CGR-3000AX
A security vulnerability has been identified in the H3C GR-3000AX router that may pose a risk to network security.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6128
8.8📝
TOTOLINKEX1200T
A critical vulnerability has been discovered in the TOTOLINK EX1200T range extender, posing a significant risk to network security.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6129
8.8📝
TOTOLINKEX1200T
A critical vulnerability found in the TOTOLINK EX1200T range extender requires immediate remediation to prevent potential unauthorized access.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6130
8.8📝
TOTOLINKEX1200T
A critical vulnerability has been identified in the TOTOLINK EX1200T range extender, necessitating an immediate security review and update.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6137
8.8📝
TOTOLINKT10
A critical vulnerability has been identified in TOTOLINK T10 routers that may allow for unauthorized system compromise.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6138
8.8📝
TOTOLINKT10
A critical vulnerability has been identified in TOTOLINK T10 routers that may allow for unauthorized system compromise.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6143
8.8📝
TOTOLINKEX1200T
A critical vulnerability has been identified in the TOTOLINK EX1200T range extender that may allow for unauthorized system compromise.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6144
8.8📝
TOTOLINKEX1200T
A vulnerability has been identified in the TOTOLINK EX1200T range extender that may allow for unauthorized system compromise.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6145
8.8📝
TOTOLINKEX1200T
A vulnerability has been identified in the TOTOLINK EX1200T range extender that may allow for unauthorized system compromise.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6146
8.8📝
TOTOLINKX15
A critical security vulnerability has been identified in the TOTOLINK X15 router, potentially allowing for unauthorized system impact.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6147
8.8📝
TOTOLINKA702R
A critical security vulnerability has been identified in the TOTOLINK A702R router, potentially allowing for unauthorized system impact.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6148
8.8📝
TOTOLINKA3002RU
A critical security vulnerability has been identified in the TOTOLINK A3002RU router, potentially allowing for unauthorized system impact.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6149
8.8📝
TOTOLINKA3002R
A critical security vulnerability has been identified in the TOTOLINK A3002R router, potentially allowing for unauthorized system impact.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6150
8.8📝
TOTOLINKX15
A critical security vulnerability has been identified in the TOTOLINK X15 router, potentially allowing for unauthorized system impact.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6162
8.8📝
TOTOLINKEX1200T
A critical security vulnerability has been identified in the TOTOLINK EX1200T firmware that may allow for unauthorized system compromise.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6163
8.8📝
TOTOLINKA3002RU
A security vulnerability has been identified in the TOTOLINK A3002RU router firmware that could potentially lead to unauthorized system access.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6164
8.8📝
TOTOLINKA3002R
A security flaw has been discovered in the TOTOLINK A3002R router that may permit unauthorized access or control by an attacker.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6165
8.8📝
TOTOLINKX15
A security vulnerability in the TOTOLINK X15 device firmware may allow for unauthorized access to the system.
CVSS Base8.8
→
CRSSelect profile
CVE-2025-6302
8.8📝
TOTOLINKEX1200T
A critical vulnerability has been identified in the TOTOLINK EX1200T that may lead to unauthorized system-level access.