Do Son 
TL;DR
This weekly CVE report covers 1,909 new vulnerabilities published between June 22 and 28, 2026. Critical bugs number 173, and 14 carry a maximum CVSS score of 10. CISA added six flaws to its Known Exploited Vulnerabilities catalog.
Why It Matters
Nearly 2,000 new CVEs in seven days is a heavy load for any security team. Most will never see an exploit, yet a few demand fast action. The challenge is triage. You have to find the dangerous few among the many. Volume alone can bury a critical bug under routine noise. A clear weekly view helps teams sort signal from noise. This weekly CVE report aims to surface those priorities. The data comes from our CVE Watchtower tracker, which aggregates fresh disclosures as they land.
By the Numbers
The week brought 173 critical and 653 high-severity CVEs. Medium-rated bugs added another 516, while 62 ranked low. Around 498 arrived without a clear severity rating. The average CVSS score sat near 5.1. Fourteen flaws hit a perfect 10. Another 100 scored 9.8 or higher, and 167 reached 9.0 or above.
Common bug classes spanned the usual range. The set included cross-site scripting, SQL injection, and SSRF. Denial-of-service and path-traversal issues also appeared often. Command injection and unsafe deserialization showed up in dozens of records. Linux kernel reports made up a large share of the total, followed by WordPress plugins and PHP projects. Open-source tools and embedded devices both featured heavily. That spread shows how widely the risk now stretches.
Exploited in the Wild
Exploitation stayed rare across the dataset. Only two new CVEs carried an active-exploitation flag. One was a FOSSBilling template-injection bug. The other was the Cisco flaw noted below. However, CISA added six entries to its KEV catalog this week.
Those six include a Cisco Unified Communications Manager SSRF bug, tracked as CVE-2026-20230. They also cover three UniFi OS flaws, each rated 10. A PTC Windchill deserialization bug, CVE-2026-12569, rounds out the high-impact set. A Lantronix command-injection flaw completes the list. A KEV listing means confirmed real-world abuse, so these jump the patch queue. Federal agencies face deadlines to fix them, and private teams should follow suit.
Notable Critical Flaws
Several perfect-10 bugs stand out this week. WSO2 patched an authentication bypass, CVE-2026-5430, that enables account takeover. Synology fixed an arbitrary file-read flaw in MailPlus Server, CVE-2026-13136. The Kestra orchestration platform drew two separate 10.0 authentication bugs. Budibase, Flowise, Gogs, and IBM Langflow also shipped critical fixes.
Hardware did not escape either. GeoVision’s GV-I/O Box 4E earned four separate 10.0 entries. Many of the top flaws share one trait. They let an unauthenticated attacker reach a sensitive function. A handful of advisories noted that public exploit code already exists, though confirmed in-the-wild use remains limited.
What To Do
Start with the six KEV entries, since attackers already use them. Patch any perfect-10 bug that touches an internet-facing service next. Map your software stack against this week’s critical list. A current asset inventory makes that match far easier. Where no fix exists, restrict network access and watch logs for abuse. Pay special attention to edge devices, routers, and management consoles. This weekly CVE report is a starting point, not a full inventory. No single action covers 1,909 CVEs, so steady triage beats panic.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
