Daily briefing · June 23, 2026
FOSSBilling Auth Bypass and Router Hardcoded Keys Headline 9 Critical CVEs on June 23
June 23, 2026 brought 68 new vulnerabilities, including 9 rated critical, with no active exploitation confirmed yet — but several flaws carry the kind of severity that makes rapid patching non-negotiable. Two critical bugs in FOSSBilling top the list, including a perfect CVSS 10.0 authentication bypass, while hardcoded encryption keys in NetComm routers and a picklescan sandbox escape round out a day heavy with systemic trust failures. Defenders should treat the absence of KEV flags as a narrow window, not a green light.
Today’s brief
- FOSSBilling hit with a CVSS 10.0 auth bypass giving unauthenticated attackers full admin API access — patch to 0.8.0 immediately.
- Two router flaws: a buffer overflow in the Totolink EX1200L login handler allows unauthenticated root-level code execution, and a hardcoded cookie-encryption key in the NetComm NF20MESH allows unauthenticated admin takeover; neither has a vendor patch today.
- picklescan's safety scanner can be fully bypassed with crafted pickle files using standard Python modules — any pipeline relying on it alone is exposed.
- ManageEngine ADSelfService Plus, ADAudit Plus, and related products have predictable SSO tickets enabling unauthenticated account takeover.
68 new · 9 critical · 0 actively exploited
Critical highlights
1. A CVSS 10.0 authorization bypass in FOSSBilling allows completely unauthenticated attackers to invoke privileged admin API methods under the system/cron identity, requiring no credentials, session token, or CSRF token. Any internet-exposed instance on a version prior to 0.8.0 should be treated as open to full administrative takeover until patched.
2. A Server-Side Template Injection in FOSSBilling's Twig rendering engine lets an authenticated administrator escalate to arbitrary code execution on the server via email templates, mass mail campaigns, or the string_render API, a significant post-auth escalation risk in multi-tenant or shared hosting environments where the admin role is not equivalent to host access.
3. A buffer overflow in the Totolink EX1200L router's login handler in cgi-bin/cstecgi.cgi can be exploited to crash the device or execute arbitrary code as root, with no vendor patch available. Network segmentation and disabling remote (WAN-side) management are the only mitigations.
4. picklescan before 1.0.4 fails to block at least seven standard Python library modules that expose direct command execution, so attackers can craft malicious pickle files that pass its safety validation entirely. This is the inherent weakness of denylist scanning: the scanner only stops imports it already knows about, so any ML pipeline or data ingestion workflow using picklescan as its primary defense is silently unprotected.
5. All versions of expr-eval are vulnerable to sandbox escape via the toJSFunction() API, where user-supplied expressions are compiled directly into executable JavaScript using new Function(). Any application passing untrusted input through this API is exposed to full server-side code execution.
6. NetComm NF20MESH routers running firmware R6B031 and earlier use a hardcoded AES-256 key to encrypt session cookies. Because the key is baked into the firmware, it is the same on every device and recoverable from the firmware image, so any unauthenticated attacker can forge valid sessions and gain administrative control of the device.
7. Crawl4AI before 0.8.8 allows unauthenticated attackers to write arbitrary files outside the intended directory via symlink following and TOCTOU race conditions on the output_path parameter in the screenshot and PDF endpoints. Successful exploitation can lead to remote code execution on the host.
8. Mojolicious::Plugin::Web::Auth::OAuth2 through version 0.17 generates predictable OAuth2 state parameters derived from epoch time (leaked to the attacker via the HTTP Date header) and a weak rand() call. An attacker who can reproduce the state can defeat the CSRF protection the parameter exists to provide, enabling login CSRF that can result in account takeover or session hijacking.
9. ManageEngine ADSelfService Plus, ADAudit Plus, RecoveryManager Plus, and M365 Manager Plus generate predictable SSO session tickets that unauthenticated attackers can calculate, enabling direct account takeover without credentials. These are high-value identity management products that demand immediate attention.
10. The Infility Global WordPress plugin before 2.15.19 is vulnerable to SQL injection exploitable by any authenticated user with Subscriber-level access, meaning low-privilege accounts, including those obtained through free registration, can be leveraged to extract or manipulate database contents.
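The picklescan item above (highlight 4) is a denylist failure: a scanner that blocks known-dangerous modules cannot stop an import it has never heard of. The practical counter is to make the loader itself deny-by-default. The example below is added here and is not picklescan's code or the page's; it uses only the Python standard library. It statically enumerates every global a pickle stream asks the loader to import (both the protocol-0 GLOBAL opcode and the protocol-4 STACK_GLOBAL opcode) and then loads through an Unpickler whose find_class refuses anything outside an allowlist. The allowlist contents and the sample pickles are constructed for the example; the hostile streams import os.getcwd, which is harmless, but the same opcode sequence works for any importable callable.

```python
import io
import pickle
import pickletools
from collections import OrderedDict

# Deny-by-default allowlist: the only (module, name) pairs the loader may resolve.
# Assumed for this example; a real pipeline lists exactly the classes its own
# artefacts need and nothing else.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
    ("builtins", "set"),
}

# Constructed sample: an ordinary pickle of the kind a model loader expects.
BENIGN = pickle.dumps(OrderedDict([("a", 1), ("b", 2)]))

# Constructed hostile streams: both ask the loader to import os.getcwd and call it.
# HOSTILE_P0 uses the protocol-0 GLOBAL opcode ('c'), HOSTILE_P4 the protocol-4
# STACK_GLOBAL opcode (0x93) fed by two SHORT_BINUNICODE pushes (0x8c).
HOSTILE_P0 = b"cos\ngetcwd\n)R."
HOSTILE_P4 = b"\x80\x04\x8c\x02os\x8c\x06getcwd\x93)R."

_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}


def referenced_globals(data):
    """Statically list every module.name the stream asks the loader to import.

    GLOBAL carries 'module name' as its argument. STACK_GLOBAL takes module and
    name from the two most recent string pushes, which is what `recent` tracks.
    """
    found = set()
    recent = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif op.name in _STRING_OPS:
            recent = (recent + [arg])[-2:]
        elif op.name == "STACK_GLOBAL":
            found.add(tuple(recent) if len(recent) == 2 else ("?", "?"))
    return found


class AllowlistUnpickler(pickle.Unpickler):
    """Loader that resolves only allowlisted globals; everything else is an error."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("refusing to import %s.%s" % (module, name))


def vet_and_load(data):
    """Return ('loaded', obj) or ('refused', reason).

    The static scan runs first so the reason names every unexpected import; the
    allowlisting loader is the enforcement point, so an import the scan missed
    still cannot resolve.
    """
    unexpected = sorted(referenced_globals(data) - SAFE_GLOBALS)
    if unexpected:
        return "refused", "unexpected imports: " + ", ".join("%s.%s" % g for g in unexpected)
    try:
        return "loaded", AllowlistUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return "refused", str(exc)


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("hostile p0", HOSTILE_P0), ("hostile p4", HOSTILE_P4)):
        print(label, referenced_globals(blob), vet_and_load(blob)[0])
```

The two layers are deliberate: the scan gives you a report you can log and alert on, while the restricted Unpickler is what actually decides. A scanner alone, whatever its list, is advisory.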
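Highlight 8 describes a state parameter an attacker can reproduce from the server's clock. The example below is added here to show why that defeats the parameter's purpose and what the fix looks like; it is illustrative Python, not the Mojolicious plugin's code, and the weak generator is a simplified stand-in for the flaw class (a PRNG seeded from epoch seconds), not the module's actual algorithm. The Date header value is constructed. The attacker side brute-forces a few seconds around the leaked clock; the fixed side draws the state from the OS CSPRNG and compares it in constant time on the callback.

```python
import hmac
import random
import secrets
from email.utils import parsedate_to_datetime

# Constructed sample: a Date header as an attacker would read it from any response
# of the target server. It leaks the server clock to one-second precision.
DATE_HEADER = "Tue, 23 Jun 2026 14:05:09 GMT"


def header_epoch(date_header):
    """Epoch seconds encoded in an HTTP Date header."""
    return int(parsedate_to_datetime(date_header).timestamp())


def weak_state(epoch_seconds):
    """Hypothetical predictable state: a PRNG whose only entropy is the clock.

    Stand-in for the vulnerability class, not the real module's code.
    """
    rng = random.Random(epoch_seconds)
    return "%08x" % rng.getrandbits(32)


def recover_weak_state(date_header, observed_state, window=5):
    """Attacker side: try every seed within +/- window seconds of the leaked clock
    and return the seed that reproduces the observed state, or None."""
    center = header_epoch(date_header)
    for seed in range(center - window, center + window + 1):
        if weak_state(seed) == observed_state:
            return seed
    return None


def secure_state():
    """Fix: 256 bits from the OS CSPRNG, stored server-side in the user's session.
    Nothing observable (clock, headers, earlier states) lets anyone derive it."""
    return secrets.token_urlsafe(32)


def verify_state(expected, returned):
    """Callback side: constant-time comparison of the session's state against the
    value the provider sent back, so mismatches and timing leaks both fail closed."""
    return hmac.compare_digest(expected.encode(), returned.encode())


if __name__ == "__main__":
    issued_at = header_epoch(DATE_HEADER) + 2   # server issued the state 2s after the header
    leaked = weak_state(issued_at)
    print("weak state", leaked, "recovered seed:", recover_weak_state(DATE_HEADER, leaked))
    strong = secure_state()
    print("secure state", strong, "recovered seed:", recover_weak_state(DATE_HEADER, strong))
    print("verify", verify_state(strong, strong), verify_state(strong, secure_state()))
```

The state parameter only protects against login CSRF if the attacker cannot produce a value the victim's session will accept; once it is a function of public inputs, the check is decorative. Binding the state to the session and comparing in constant time is the whole fix.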
Today’s recommendation: Organizations should prioritize patching FOSSBilling to 0.8.0, updating affected ManageEngine products, and replacing or isolating Totolink EX1200L and NetComm NF20MESH devices where vendor patches are unavailable; additionally, any pipeline using picklescan as a sole defense against malicious pickle files should be re-evaluated immediately.
Even without confirmed active exploitation today, the breadth of authentication bypass and unauthenticated attack vectors in this batch makes it essential to validate your own external and internal attack surface before these CVEs attract the attention of threat actors.