CISA Known Exploited Vulnerabilities

This dashboard displays the latest vulnerabilities published by the Cybersecurity & Infrastructure Security Agency (CISA).

CVE-2026-12569

PTC Windchill and FlexPLM Improper Input Validation Vulnerability

Vendor: PTC

Product: Windchill and FlexPLM

Added: 2026-06-25

Due Date: 2026-06-28

Description:

PTC Windchill and FlexPLM contains an improper input validation vulnerability allowing an unauthenticated, remote attacker to execute arbitrary code by sending a malicious request to the network.

Required Action:

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

CWEs:

CWE-20 CWE-502

CVE-2026-20230

Cisco Unified Communications Manager Server-Side Request Forgery (SSRF) Vulnerability

Vendor: Cisco

Product: Unified Communications Manager

Added: 2026-06-25

Due Date: 2026-06-28

Description:

Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) contain a server-side request forgery (SSRF) Vulnerability that could allow an unauthenticated, remote attacker to write files to the underlying operating system that could be used later to elevate to root.

Required Action:

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

CWEs:

CWE-918

CVE-2025-67038

Lantronix EDS5000 Code Injection Vulnerability

Vendor: Lantronix

Product: EDS5000

Added: 2026-06-23

Due Date: 2026-06-26

Description:

Lantronix EDS5000 contains a code injection vulnerability that could allow attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges.

Required Action:

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

CWEs:

CWE-78 CWE-94

CVE-2026-34910

Ubiquiti UniFi OS Improper Input Validation Vulnerability

Vendor: Ubiquiti

Product: UniFi OS

Added: 2026-06-23

Due Date: 2026-06-26

Description:

Ubiquiti UniFi OS contains an improper input validation vulnerability which could allow a malicious actor with access to the network to conduct command injection.

Required Action:

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

CWEs:

CWE-20

CVE-2026-34909

Ubiquiti UniFi OS Path Traversal Vulnerability

Vendor: Ubiquiti

Product: UniFi OS

Added: 2026-06-23

Due Date: 2026-06-26

Description:

Ubiquiti UniFi OS contains a path traversal vulnerability which could allow a malicious actor with access to the network to access files on the underlying system that could be manipulated to access an underlying account.

Required Action:

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

CWEs:

CWE-22

CVE-2026-34908

Ubiquiti UniFi OS Improper Access Control Vulnerability

Vendor: Ubiquiti

Product: UniFi OS

Added: 2026-06-23

Due Date: 2026-06-26

Description:

Ubiquiti UniFi OS contains an improper access control vulnerability which could allow a malicious actor with access to the network to make unauthorized changes to the system.

Required Action:

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

CWEs:

CWE-284

CVE-2026-20253

Splunk Enterprise Missing Authentication for Critical Function Vulnerability

Vendor: Splunk

Product: Enterprise

Added: 2026-06-18

Due Date: 2026-06-21

Description:

Splunk Enterprise contains a missing authentication for critical function vulnerability which could allow an unauthenticated user to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint.

Required Action:

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

CWEs:

CWE-306

CVE-2026-48907

Widget Factory Joomla Content Editor Improper Access Control Vulnerability

Vendor: Widget Factory

Product: Joomla Content Editor

Added: 2026-06-16

Due Date: 2026-06-19

Description:

Widget Factory Joomla Content Editor contains an improper access control vulnerability which could allow for upload and execution of PHP code via the creation of new editor profiles for unauthenticated users.

Required Action:

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

CWEs:

CWE-284

CVE-2026-54420

LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability

Vendor: LiteSpeed

Product: cPanel Plugin

Added: 2026-06-15

Due Date: 2026-06-18

Description:

LiteSpeed cPanel plugin contains a UNIX symbolic link (Symlink) following vulnerability that could allow a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS.

Required Action:

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

CWEs:

CWE-61

CVE-2026-20262

Cisco Catalyst SD-WAN Manager Directory or Path Traversal Vulnerability

Vendor: Cisco

Product: Catalyst SD-WAN Manager

Added: 2026-06-15

Due Date: 2026-06-29

Description:

Cisco Catalyst SD-WAN Manager contains a directory or path traversal vulnerability that could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system.

Required Action:

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

CWEs:

CWE-22

CVE-2026-35273

Ransomware

Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability

Vendor: Oracle

Product: PeopleSoft Enterprise PeopleTools

Added: 2026-06-12

Due Date: 2026-06-15

Description:

Oracle PeopleSoft Enterprise PeopleTools contains a missing authentication for critical function vulnerability which could allow an unauthenticated attacker to obtain takeover of PeopleSoft Enterprise PeopleTools.

Required Action:

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

CWEs:

CWE-306

CVE-2026-10520

Ivanti Sentry OS Command Injection Vulnerability

Vendor: Ivanti

Product: Sentry

Added: 2026-06-11

Due Date: 2026-06-14

Description:

Ivanti Sentry (formerly known as MobileIron Sentry) contains an OS command injection vulnerability which could allow a remote unauthenticated user to achieve root-level remote code execution. This vulnerability can be successfully exploited in cases where the Sentry appliance is in an unmanaged state with its endpoints externally reachable. The use of mTLS with EPMM or restricted HTTPS access through Neurons for MDM makes interfaces inaccessible to external actors.

Required Action:

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

CWEs:

CWE-78

CVE-2026-11645

Google Chromium V8 Out-of-Bounds Read and Write Vulnerability

Vendor: Google

Product: Chromium V8

Added: 2026-06-09

Due Date: 2026-06-23

Description:

Google Chromium V8 out-of-bounds read and write vulnerability that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-787 CWE-125

CVE-2026-7473

Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability

Vendor: Arista

Product: Extensible Operating System

Added: 2026-06-09

Due Date: 2026-06-23

Description:

Arista Extensible Operating System (EOS) contains an incomplete comparison with missing factors vulnerability when the switch incorrectly decapsulate and forwards other unexpected tunneled packet with a destination IP matching its configured decapsulation IP.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-1023

CVE-2026-20245

Cisco Catalyst SD-WAN Manager Improper Encoding or Escaping of Output Vulnerability

Vendor: Cisco

Product: Catalyst SD-WAN Manager

Added: 2026-06-09

Due Date: 2026-06-23

Description:

Cisco Catalyst SD-WAN Manager formerly SD-WAN vManage contains an improper encoding or escaping of output vulnerability. This vulnerability could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system.

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CWEs:

CWE-116