
Vulnerability Watchlist: Week Ending 14 June 2026

June 15, 2026 Reading Time: 5 minutes

Every week we track what lands in the CISA Known Exploited Vulnerabilities (KEV) catalogue, the list of flaws that attackers are actively using in the wild. These aren’t theoretical risks sitting in a researcher’s notebook. They’re confirmed in-use, which is exactly why they deserve a place at the top of your patching queue.

The week ending 14 June 2026 added seven new entries. That’s a touch above the recent 13-week average of around six per week, so the volume itself is fairly ordinary. The severity mix is not: three Critical, three High and one Medium, with six of the seven rated as actionable and two already linked to known ransomware campaigns. We’ve put the overall risk for the week at Critical.

The headline issues

There’s no single standout this week — there are three, and they sit close enough together that all of them belong at the front of the queue.

CVE-2026-10520 (Ivanti Sentry): This is the one that catches the eye on paper. It’s an OS command injection flaw carrying a CVSS score of 10.0, the maximum, and it sits in the 98th percentile for modelled exploitation likelihood. An unauthenticated, network-based attacker can achieve root-level code execution where the Sentry appliance is in an unmanaged state with its endpoints externally reachable. Using mTLS with EPMM, or restricting HTTPS access through Neurons for MDM, keeps those interfaces out of reach of external actors, but if you’re exposed, this is a drop-everything fix. Its remediation deadline was 14 June, so it is already overdue.

CVE-2026-35273 (Oracle PeopleSoft Enterprise PeopleTools): This is a missing-authentication-for-critical-function flaw, CVSS 9.8, and it’s already being used in active ransomware campaigns. An unauthenticated attacker can take over PeopleTools over the network with low complexity and no user interaction. Its CISA deadline is 15 June 2026.

CVE-2026-50751 (Check Point Security Gateway): This rounds out the critical trio at CVSS 9.3, and it too is tied to ransomware activity. The flaw is an improper authentication issue in IKEv1 key exchange that lets an unauthenticated remote attacker bypass user authentication and stand up a remote-access VPN connection without a valid password. Its deadline was 11 June, putting it four days overdue.

Two confirmed-exploited, ransomware-linked authentication bypasses and a perfect-10 RCE in the same week is not a combination to sit on. If you run any of these, treat them as immediate.

The rest of the watchlist

Four more vulnerabilities rounded out the week — three High and one Medium, all worth your attention:

  • CVE-2026-42271 (BerriAI LiteLLM): A command injection flaw, CVSS 8.8, that lets any authenticated user, including holders of low-privilege internal-user keys, run arbitrary commands on the host. Notably, it carries the highest modelled exploitation likelihood of the whole group, sitting in the 98.3rd EPSS percentile. Deadline is 22 June.

  • CVE-2026-11645 (Google Chromium V8): An out-of-bounds read and write that lets a remote attacker run arbitrary code inside the sandbox via crafted HTML. CVSS 8.8. It affects any browser built on Chromium (Chrome, Edge and Opera among them), so the blast radius is wide. Deadline is 23 June.

  • CVE-2026-20245 (Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage): An improper output-encoding flaw that lets an authenticated local attacker execute arbitrary commands as root by supplying a crafted file. CVSS 7.8. Deadline is 23 June.

  • CVE-2026-7473 (Arista Extensible Operating System): An incomplete-comparison flaw where the switch incorrectly decapsulates and forwards unexpected tunneled packets whose destination IP matches its configured decapsulation IP. CVSS 5.8, but its 97th-percentile exploitation likelihood is why it earns a place above the noise. Deadline is 23 June.

What to do with this

The pattern this week is a heavy front end. Three criticals, two of them already exploited in ransomware campaigns, one a perfect 10.0, and all three are at or past their CISA deadline. Start there: Ivanti Sentry, Oracle PeopleSoft and Check Point first, in whatever order matches your exposure. The LiteLLM command injection comes next on the strength of its exploitation likelihood, followed by the Chromium, Cisco and Arista issues, which share a 23 June deadline.

A quick caveat worth repeating: the KEV catalogue tells you what’s being exploited, not what’s present in your environment. Absence from this list is not evidence of safety, and the list itself is not a substitute for understanding your own asset inventory. The right move is always to map these CVEs against what you actually run, then patch in priority order.
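To make the "map these CVEs against what you actually run, then patch in priority order" step concrete, here is a small added example (written for this page, not code from the watchlist's publisher). It transcribes this week's seven entries from the summary above, matches them against a constructed sample inventory (the hostnames and product-to-asset mapping are hypothetical), and orders the matched ones using the reasoning the post gives: at or past the CISA deadline first, then ransomware-linked, then CVSS, then EPSS percentile. Entries for which the post quotes no EPSS percentile are left blank rather than invented, and entries with no matching asset are returned separately as an inventory gap to confirm rather than silently dropped.

```python
"""Map one week's KEV entries onto a local asset inventory and order the patch queue."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass(frozen=True)
class KevEntry:
    cve: str
    product: str
    cvss: float
    due: date                          # CISA remediation deadline
    ransomware: bool                   # linked to known ransomware campaigns
    epss_pct: Optional[float] = None   # EPSS percentile where the watchlist quotes one


# This week's seven entries, transcribed from the watchlist above.
WEEK_KEV = [
    KevEntry("CVE-2026-10520", "Ivanti Sentry", 10.0, date(2026, 6, 14), False, 98.0),
    KevEntry("CVE-2026-35273", "Oracle PeopleSoft PeopleTools", 9.8, date(2026, 6, 15), True),
    KevEntry("CVE-2026-50751", "Check Point Security Gateway", 9.3, date(2026, 6, 11), True),
    KevEntry("CVE-2026-42271", "BerriAI LiteLLM", 8.8, date(2026, 6, 22), False, 98.3),
    KevEntry("CVE-2026-11645", "Google Chromium V8", 8.8, date(2026, 6, 23), False),
    KevEntry("CVE-2026-20245", "Cisco Catalyst SD-WAN Manager", 7.8, date(2026, 6, 23), False),
    KevEntry("CVE-2026-7473", "Arista EOS", 5.8, date(2026, 6, 23), False, 97.0),
]

# Constructed sample inventory (hypothetical hostnames): product -> assets running it.
SAMPLE_INVENTORY = {
    "Ivanti Sentry": ["sentry-dmz-01"],
    "Check Point Security Gateway": ["fw-edge-01", "fw-edge-02"],
    "BerriAI LiteLLM": ["llm-gateway-01"],
    "Google Chromium V8": ["ws-0143", "ws-0207", "ws-0311"],
    "Arista EOS": ["core-sw-01"],
}


@dataclass(frozen=True)
class QueueItem:
    cve: str
    product: str
    assets: tuple
    days_overdue: int   # negative means the CISA deadline is still ahead


def priority_key(entry: KevEntry, today: date):
    """Higher tuple = patch sooner: at/past deadline, ransomware-linked, CVSS, then EPSS."""
    return (
        (today - entry.due).days >= 0,
        entry.ransomware,
        entry.cvss,
        entry.epss_pct if entry.epss_pct is not None else 0.0,
    )


def build_patch_queue(entries, inventory, today: date):
    """Return (queue, unmatched).

    queue     - matched entries in patch order, with affected assets and overdue days
    unmatched - CVE ids with no asset in the inventory (a gap to confirm, not proof of absence)
    """
    matched, unmatched = [], []
    for e in entries:
        if not CVE_RE.match(e.cve):
            raise ValueError(f"malformed CVE id: {e.cve}")
        if inventory.get(e.product):
            matched.append(e)
        else:
            unmatched.append(e.cve)
    matched.sort(key=lambda e: priority_key(e, today), reverse=True)
    queue = [
        QueueItem(e.cve, e.product, tuple(inventory[e.product]), (today - e.due).days)
        for e in matched
    ]
    return queue, unmatched


def demo_queue():
    """Run the mapping for the publication date of this watchlist (15 June 2026)."""
    return build_patch_queue(WEEK_KEV, SAMPLE_INVENTORY, date(2026, 6, 15))


if __name__ == "__main__":
    queue, missing = demo_queue()
    for item in queue:
        status = (f"{item.days_overdue}d overdue" if item.days_overdue >= 0
                  else f"due in {-item.days_overdue}d")
        print(f"{item.cve:16} {item.product:30} {status:14} {', '.join(item.assets)}")
    print("no matching asset:", ", ".join(missing))
```

With the sample inventory, the overdue Check Point and Ivanti entries come out on top, LiteLLM is placed ahead of the Chromium issue on its EPSS percentile despite the identical CVSS, and the Oracle and Cisco entries are reported as unmatched so that someone can confirm they really are absent rather than merely missing from the inventory.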

If you’d like the full per-vulnerability breakdown, download the complete report, which is available below.

Get the full report

A complete per-vulnerability breakdown: exploit mechanics, CVSS and EPSS scoring, remediation deadlines and direct links to every vendor advisory.


This summary is provided for information purposes and reflects the CISA KEV catalogue as it stood for the period 8–14 June 2026. The threat landscape changes continually, so scores and deadlines may have moved since publication. Always obtain patches and guidance directly from the vendor.

If you are concerned that you may be affected by any of the vulnerabilities in this report and would like independent assurance, you can get in touch with our testing team via the contact form below.
