Daily briefing · June 24, 2026

Ten CVEs Under Active Exploitation: Joomla, Splunk, PeopleSoft, and VPN Gateways Top the List

Automated Vexday summary · sources: NVD, CISA KEV, EPSS

All ten vulnerabilities highlighted today carry confirmed in-the-wild exploitation (KEV), spanning web CMS extensions, enterprise SIEM platforms, ERP systems, VPN gateways, and developer toolchains. Although no new disclosures were recorded in the last 24 hours, the active exploitation status across every entry on today's list makes this a high-urgency patch cycle. Organizations running any of the affected products should treat remediation as immediate, not scheduled.

Today’s brief
  • All 10 featured CVEs are confirmed under active exploitation — no theoretical risks here.
  • Remote, unauthenticated code execution dominates: Joomla JCE, Splunk Enterprise, PeopleSoft PeopleTools, and Magento 2 all allow full server takeover without credentials.
  • Supply-chain attack confirmed: a malicious Nx Console VS Code extension was live in public marketplaces for up to 36 minutes, targeting developer workstations.
  • Privilege escalation and authentication bypass round out the list, hitting Android devices, Cisco SD-WAN, Check Point VPN, and shared hosting infrastructure.

Critical highlights

1. CVE-2026-48907 · KEV · CVSS 10 · PoC · affects Joomla Content Editor (JCE) extension for Joomla
An unauthenticated attacker can abuse the JCE editor extension for Joomla to create arbitrary editor profiles and ultimately upload and execute PHP code on the server — a complete remote takeover requiring no login. Any public-facing Joomla site with JCE installed is effectively an open shell if unpatched.

2. CVE-2026-20253 · KEV · CVSS 9.8 · PoC · affects Splunk Enterprise
Splunk Enterprise exposes a PostgreSQL sidecar service endpoint with no authentication, letting any network-reachable user create or truncate arbitrary files. In practice this enables persistent backdoors or destruction of log data — a critical risk for organizations depending on Splunk for security visibility.

3. CVE-2026-35273 · KEV · CVSS 9.8 · PoC · affects PeopleSoft Enterprise PeopleTools
Oracle PeopleSoft PeopleTools 8.61 and 8.62 allow an unauthenticated attacker to reach the Updates Environment Management component over HTTP and achieve full system takeover. Given how broadly PeopleSoft is deployed in HR and finance environments, successful exploitation can expose highly sensitive organizational data.

4. CVE-2026-50751 · KEV · CVSS 9.3 · PoC · affects Quantum Security Gateway
A logic flaw in deprecated IKEv1 certificate validation on Quantum Security Gateways lets remote attackers establish VPN tunnels without valid credentials, bypassing authentication entirely. This effectively erases the perimeter for organizations relying on these gateways for remote access control.

5. CVE-2026-45247 · KEV · CVSS 9.3 · PoC · affects Full Page Cache Warmer for Magento 2
The Mirasvit Full Page Cache Warmer extension for Magento 2 passes a user-controlled cookie directly to PHP's unserialize() function, enabling unauthenticated remote code execution via gadget chains present in Magento's dependency tree. E-commerce platforms running this extension before 1.11.12 are fully exposed to server compromise and payment data theft.

6. CVE-2026-48027 · KEV · CVSS 9.3 · affects nx-console
A compromised version of the Nx Console VS Code extension (18.95.0) was distributed through Visual Studio Marketplace and OpenVSX for up to 36 minutes before removal, representing a supply-chain attack targeting developer environments. Any developer who installed or auto-updated during that window should treat their workstation as potentially compromised.

7. CVE-2026-11645 · KEV · HIGH 8.8 · PoC · affects Chrome
An out-of-bounds read/write in Chrome's V8 JavaScript engine allows a remote attacker to execute arbitrary code inside the browser sandbox via a crafted HTML page — one step away from a full sandbox escape if chained with another flaw. Users on Chrome versions prior to 149.0.7827.103 are at risk from any malicious or compromised website.

8. CVE-2026-54420 · KEV · HIGH 8.5 · PoC · affects cPanel Plugin
The LiteSpeed cPanel plugin mishandles symlinks provided by low-privilege users with FTP or web shell access on CloudLinux/CageFS shared hosting, enabling privilege escalation beyond the sandboxed environment. Hosting providers running affected versions are exposed to cross-tenant compromise, where one customer's account can be leveraged against others.

9. CVE-2025-48595 · KEV · HIGH 8.4 · PoC · affects Android
An integer overflow in Android's core code allows local privilege escalation to a higher execution context with no additional permissions and no user interaction required. Devices without the corresponding security patch are vulnerable to silent escalation by any malicious app already installed.

10. CVE-2026-20245 · KEV · HIGH 7.8 · PoC · affects Cisco Catalyst SD-WAN Controller
An authenticated local attacker on Cisco Catalyst SD-WAN Controller, Manager, or Validator can supply a crafted file to the CLI and execute arbitrary commands as root, due to insufficient input validation. While local access is required, this flaw is critical in SD-WAN environments where compromise of the control plane can redirect or intercept traffic across the entire WAN fabric.
Today’s recommendation: Prioritize immediate patching for all internet-facing systems in this list — particularly Joomla JCE, Splunk Enterprise, PeopleSoft PeopleTools, and Quantum VPN gateways, all of which allow unauthenticated remote compromise. For the Nx Console supply-chain incident, audit developer workstations for the presence of version 18.95.0 and treat any match as an active incident response scenario.
With every entry on today's list confirmed as actively exploited, the most pressing question for any security team is not whether these vulnerabilities are dangerous, but whether your own environment is exposed — making continuous validation of your attack surface more critical than ever.