ScanForge Security Digest 2626-02

June 25, 2026200 items

79 critical0 high10 news

This week's security digest includes 0 actively exploited vulnerabilities (CISA KEV), 79 critical CVEs, and 0 high-severity CVEs. Review the details below and prioritize patching for any affected systems.

Critical

10.0 Improper authentication in Azure Active Directory allows an unauthorized attacker to elevate privile CVE-2026-45480

10.0 In JetBrains Hub 3 CVEs

CVE-2026-50242, CVE-2026-56142, CVE-2026-56141

10.0 mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. I CVE-2026-49257

10.0 Vulnerability in the Oracle WebCenter Portal product of Orac 5 CVEs

CVE-2026-46846, CVE-2026-46847, CVE-2026-46844, CVE-2026-46838, CVE-2026-46845

10.0 A malicious actor with access to the network could exploit a 3 CVEs

CVE-2026-34910, CVE-2026-34909, CVE-2026-34908

10.0 A flaw was found in Samba, in the front-end WINS hook handling: NetBIOS names from registration pack CVE-2025-10230

9.9 Improper access control in Microsoft Dynamics 365 allows an authorized attacker to elevate privilege CVE-2026-47647

9.9 deepstream is a server that allows clients and backend services to sync data, send messages and make CVE-2026-49252

9.9 Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell for VS Code). The suppo CVE-2026-46850

9.9 Vulnerability in the Oracle WebCenter Enterprise Capture pro 6 CVEs

CVE-2026-35285, CVE-2026-35284, CVE-2026-35283, CVE-2026-35282, CVE-2026-35281 +1 more

9.8 Missing authentication for critical function in M365 Copilot allows an unauthorized attacker to disc CVE-2026-54130

9.8 Vulnerability in the PeopleSoft Enterprise PT PeopleTools product of Oracle PeopleSoft (component: P CVE-2026-35278

Security News

Bluekit phishing kit adopts browser-in-the-middle for login theft Bleeping Computer

The Bluekit phishing-as-a-service platform continues to evolve with nearly 70 new hostnames identified over the past wee

Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability The Hacker News

An analysis of a popular Google Chrome ad block extension for YouTube has uncovered the ability to execute arbitrary Jav

The Four Elevations of Effective Fraud Prevention Bleeping Computer

Fraudsters don't attack just one transaction. They target accounts, platforms, and entire ecosystems. IPQS explains the

Runlayer Raises $30 Million in Series A Funding SecurityWeek

The startup’s platform functions as a secure control layer, aiming to secure AI tools across enterprises. The post Runla

ThreatsDay Bulletin: Smart TV Proxyware, 24-Year curl Bug, AI Crime Forums + 13 More Stories The Hacker News

It’s dumb out there again. This week has the usual smell of prod on fire and nobody wanting to admit who left the door o

Webinar: Why account takeovers remain one of the hardest threats to stop Bleeping Computer

Account takeover attacks continue to challenge security teams because attackers often operate through legitimate account

Cal Water Finds No Evidence of OT Activity After Hackers Claimed They Could Disrupt Water Supply SecurityWeek

Mandiant has helped the California water utility investigate the cyberattack launched by Iranian hacker group Handala. T

Interesting Paper Exploring Prompt Injection Schneier on Security

This is a fascinating explotation of how LLMs fall for prompt injection attacks. It turns out that they learn to recogni