ScanForge Security Digest 2625-02

June 19, 2026200 items

25 critical52 high10 news

This week's security digest includes 0 actively exploited vulnerabilities (CISA KEV), 25 critical CVEs, and 52 high-severity CVEs. Review the details below and prioritize patching for any affected systems.

Critical

10.0 Two path traversal vulnerabilities in the Network Installation Service (NIS) of Altium Enterprise Se CVE-2026-11420

10.0 A hard-coded cryptographic key is used by Altium Enterprise Server to sign file download URLs in the CVE-2026-11414

10.0 A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles fo CVE-2026-48907

10.0 May 2026: This security advisory provides the details and fix information for a vulnerability that w CVE-2026-20182

10.0 A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN v CVE-2026-20127

9.8 Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter device firmwa CVE-2026-7786

9.8 A maliciously crafted QPY file can potential execute arbitrary-code embedded in the payload without CVE-2025-2000

9.8 The Realteo - Real Estate Plugin by Purethemes plugin for WordPress, used by the Findeo Theme, is vu CVE-2025-2232

9.8 During login to the web server in "Sante PACS Server.exe", OpenSSL function EVP_DecryptUpdate is cal CVE-2025-2263

9.8 Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Ac CVE-2019-19006

9.6 A flaw was found in assisted-migration-agent. An unauthenticated attacker, located on the same local CVE-2026-53476

9.6 A flaw was found in migration-planner. A remote authenticated attacker could exploit this vulnerabil CVE-2026-53474

High Severity

8.8 IBM i 7.6, 7.5, 7.4, and 7.3 could allow a user to gain elevated privileges due CVE-2026-7870

8.8 The Frontier X2 device allows unauthenticated BLE read/write access to critical CVE-2026-5768

8.8 Moby is an open source container framework. Prior to version 29.3.1, a security CVE-2026-34040

8.8 The SoundRise Music plugin for WordPress is vulnerable to unauthorized modificat CVE-2025-2103

8.8 Out of bounds read in V8 in Google Chrome prior to 134.0.6998.88 allowed a remot CVE-2025-2137

8.8 Use after free in Inspector in Google Chrome prior to 134.0.6998.88 allowed a re CVE-2025-2136

8.8 Type Confusion in V8 in Google Chrome prior to 134.0.6998.88 allowed a remote at CVE-2025-2135

8.7 AgenticMail gives AI agents real email addresses and phone numbers. Prior to ver CVE-2026-50287

8.7 The Naxclow platform API that returns device relay registration details exposes CVE-2026-50108

8.7 A flaw in Naxclow's platform’s onboarding workflow allows an attacker to replay CVE-2026-42947

+28 more products affected

Security News

NY man charged after harassing college student with AI-generated nudes Bleeping Computer

A New York man faces cyberstalking charges after allegedly sharing AI-generated nude images and fabricated racist messag

Cisco to Acquire WideField Security to Boost Splunk’s Agentic SOC SecurityWeek

WideField will accelerate Agentic SOC capabilities by expanding the lens on threat investigation to include identity, cr

CISA warns Fortinet users to secure devices after FortiBleed leak Bleeping Computer

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged Fortinet customers to secure their devices after

15,000 WordPress Websites Cleaned Up in SocGholish Botnet Takedown SecurityWeek

Law enforcement and private partners took down 106 SocGholish C&C servers and domains as part of Operation Endgame.

Apple Patches Beats Studio Buds Flaw Letting Nearby Attackers Spy via Microphone The Hacker News

Apple has updated its Beats Studio Buds wireless earbuds to patch a high-severity vulnerability that could be exploited

Splunk Enterprise Vulnerability Exploited in Attacks Days After Disclosure SecurityWeek

CISA has given federal agencies only three days to patch CVE-2026-20253, which can be exploited for unauthenticated remo

Gentlemen ransomware uses multiple EDR killers to disable defenses Bleeping Computer

The Gentlemen ransomware-as-a-service (RaaS) is actively developing and maintaining a suite of endpoint detection and re

Novo Nordisk Breach Exposes Software Development Pipeline Risk Dark Reading

A leaked GitHub token underscores what most organizations get wrong: Treating secrets management as a tooling problem ra