TL;DR
This weekly CVE report covers 2,060 new vulnerabilities disclosed between June 15 and 21, 2026. Among them, 358 rank as critical and 861 as high severity. Four flaws already see active exploitation and joined the CISA Known Exploited Vulnerabilities catalog.
A week in numbers
This weekly CVE report draws on the full week’s dataset. Of the 2,060 CVEs, 358 are critical and 861 are high severity. Another 554 land in the medium tier. In all, 1,703 entries carry a CVSS score, averaging 7.50. Notably, 352 of them reach 9.0 or above, and 221 hit the 9.8-or-higher band. Unknown-severity entries account for 225 more, pending full analysis.
Why it matters
The volume alone is striking. More than 2,000 fresh CVEs in seven days outpaces most patch cycles. Roughly 1,170 carry a CVSS score of 7.0 or higher. So defenders face a large triage backlog every week. The four actively exploited vulnerabilities demand the fastest action. Each one lets attackers reach systems that organizations rely on daily. Public proof-of-concept code also appears in at least 142 advisories, which lowers the bar for opportunistic attacks. Edge devices and developer tools dominate the critical tier, and attackers favor both.
Actively exploited flaws to patch first
Four bugs stand out because attackers already use them. CVE-2026-20253 hits Splunk Enterprise and scores 9.8. An unauthenticated user can create or truncate files through an exposed PostgreSQL sidecar endpoint. CVE-2026-20262 affects Cisco Catalyst SD-WAN Manager, where an authenticated remote attacker can write or overwrite files. CVE-2026-48907 targets the JCE editor extension for Joomla and enables PHP code upload. CVE-2026-54420 stems from symlink handling in the LiteSpeed cPanel plugin. CISA added all four to its catalog this week. Beyond the catalog, researchers flagged a backdoor in several ShapedPlugin WordPress add-ons. A Jenkins deserialization flaw, CVE-2026-53435, also earned a high score.
The biggest sources this week
Oracle dominates the list. More than 200 CVEs reference Oracle products, consistent with a quarterly patch cycle. Open-source ecosystems feature heavily too. Node.js, PHP, and Python packages appear hundreds of times. WordPress plugins remain a steady risk, with over 200 plugin-related entries. Several entries this week reach the maximum 10.0 score, among them an Azure AD authentication bypass (CVE-2026-45480) and a ProxySQL flaw (CVE-2026-48772). Container and cloud tooling also appear, including Docker and Kubernetes entries. Browser bugs in Chrome round out the mix.
Patch and mitigation
Start with the four exploited flaws, then work down by severity. Prioritize internet-facing systems and anything in the CISA catalog. Apply Oracle’s quarterly updates across affected products. Audit WordPress plugins and remove unused or abandoned ones. For Splunk, upgrade to the fixed release or disable the PostgreSQL sidecar as a stopgap. You can track the full breakdown of this weekly CVE report on our CVE Watchtower dashboard. Keep an asset inventory current so you can match advisories to real exposure. No single patch covers everything here, so steady, risk-based triage wins. Where vendors confirm exploitation, treat the fix as urgent.
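The triage order described above (exploited flaws first, then internet-facing exposure, then severity, with an asset inventory deciding what actually applies) can be turned into a small script. The following is an added example written for this report, not code from the report or the dashboard it mentions; every CVE ID, product name, score and asset in it is a constructed placeholder, and the priority tuple is one reasonable encoding of the ordering in the text rather than a published standard.

```python
"""Risk-based triage of a week's advisories against an asset inventory.

Added example (not from the report). Advisories are first matched to the
inventory by product, so CVEs for software that is not deployed never reach
the queue; the remainder are ranked by active exploitation, internet-facing
exposure, CVSS score and public proof-of-concept availability, in that order.
All identifiers and numbers below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    cvss: Optional[float]                 # None: severity still unknown
    in_kev: bool = False                  # listed in CISA's KEV catalog
    vendor_confirmed_exploitation: bool = False
    poc_public: bool = False              # public proof-of-concept exists


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    internet_facing: bool


def severity_tier(cvss: Optional[float]) -> str:
    """Map a CVSS v3 base score to the qualitative bands used in the report."""
    if cvss is None:
        return "unknown"
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def actively_exploited(adv: Advisory) -> bool:
    """KEV listing or vendor confirmation both count as 'exploited in the wild'."""
    return adv.in_kev or adv.vendor_confirmed_exploitation


def priority_key(adv: Advisory, internet_facing: bool) -> tuple:
    """Tuple that sorts higher for more urgent work (used with reverse=True).

    Unscored entries sort last within their exposure group but are kept in the
    queue with tier 'unknown' so they are re-checked once a score lands.
    """
    return (
        actively_exploited(adv),
        internet_facing,
        adv.cvss if adv.cvss is not None else 0.0,
        adv.poc_public,
    )


def triage(advisories, inventory):
    """Return the patch queue: one row per advisory that hits a deployed product.

    Each row carries the CVE, its tier, exploitation and exposure flags and the
    affected asset names. Advisories with no matching asset are dropped.
    """
    by_product = {}
    for asset in inventory:
        by_product.setdefault(asset.product, []).append(asset)

    queue = []
    for adv in advisories:
        assets = by_product.get(adv.product, [])
        if not assets:
            continue                      # not deployed: no real exposure
        exposed = any(a.internet_facing for a in assets)
        queue.append({
            "cve": adv.cve,
            "tier": severity_tier(adv.cvss),
            "exploited": actively_exploited(adv),
            "internet_facing": exposed,
            "assets": sorted(a.name for a in assets),
            "_key": priority_key(adv, exposed),
        })
    queue.sort(key=lambda row: row["_key"], reverse=True)
    for row in queue:
        del row["_key"]
    return queue


# Constructed sample data: placeholder CVE IDs and products, not the report's.
SAMPLE_ADVISORIES = [
    Advisory("CVE-0000-0001", "example-siem", 9.8, in_kev=True, poc_public=True),
    Advisory("CVE-0000-0002", "example-cms-plugin", 7.5, in_kev=True),
    Advisory("CVE-0000-0003", "example-db-proxy", 10.0, poc_public=True),
    Advisory("CVE-0000-0004", "example-ci-server", 8.8),
    Advisory("CVE-0000-0005", "example-browser", 9.6),       # not deployed
    Advisory("CVE-0000-0006", "example-cms-plugin", None),   # unscored so far
]
SAMPLE_INVENTORY = [
    Asset("siem-01", "example-siem", internet_facing=False),
    Asset("www-01", "example-cms-plugin", internet_facing=True),
    Asset("db-proxy-01", "example-db-proxy", internet_facing=True),
    Asset("ci-01", "example-ci-server", internet_facing=False),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ADVISORIES, SAMPLE_INVENTORY):
        print(row["cve"], row["tier"], "exploited" if row["exploited"] else "-",
              "internet-facing" if row["internet_facing"] else "internal",
              ",".join(row["assets"]))
```

On the sample data the internet-facing KEV entry outranks the internal 9.8 KEV entry, the unlisted 10.0 on an exposed proxy comes next, and the browser CVE never enters the queue because nothing in the inventory runs it. The unscored plugin entry stays queued under its exposed asset with tier "unknown", which is the behaviour you want for the 225 entries still pending analysis: they should be re-evaluated, not silently dropped.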