Every week we track what lands in the CISA Known Exploited Vulnerabilities (KEV) catalogue, the list of flaws that attackers are actively using in the wild. These aren’t theoretical risks sitting in a researcher’s notebook. They’re confirmed in-use, which is exactly why they deserve a place at the top of your patching queue.
The week ending 21 June 2026 added four new entries. That’s a little below the recent 13-week average of around 5.7 per week, making it a lighter week by volume. The severity mix is two Critical, one High and one Medium, with three of the four rated as actionable. None are currently tied to ransomware campaigns, but three of the four are already past their CISA remediation deadline, and that is why we’ve still put the overall risk for the week at Critical.
The headline issues
Two Critical flaws carry the week, and both are unauthenticated, network-reachable and already overdue.
CVE-2026-20253 — Splunk Enterprise is the one to lead with. It’s a missing-authentication-for-critical-function flaw carrying a CVSS score of 9.8, and it holds the highest modelled exploitation likelihood of the group, sitting in the 95th EPSS percentile. An unauthenticated attacker can create or truncate arbitrary files on the host through an exposed PostgreSQL sidecar service endpoint; network-accessible, low complexity, no privileges and no user interaction required. Its CISA deadline was 21 June, so it is already a day overdue. Patch to Splunk’s fixed release, or apply the published mitigations if you can’t deploy immediately.
CVE-2026-48907 — Widget Factory Joomla Content Editor is the second Critical, also CVSS 9.8 and three days past its 19 June deadline. The improper-access-control flaw lets an unauthenticated user create new editor profiles and, through them, upload and execute arbitrary PHP code: effectively unauthenticated remote code execution on any Joomla site running the affected extension. Given how widely JCE is deployed across Joomla installations, the blast radius here is broad. Update to the patched release without delay.
The week's weight sits with these two unauthenticated Criticals, both already overdue and both trivially exploitable over the network. If you run either product, treat them as immediate.
The rest of the watchlist
Two more vulnerabilities rounded out the week, one High and one Medium:
- CVE-2026-54420 — LiteSpeed cPanel Plugin. A UNIX symbolic-link (symlink) following flaw, CVSS 8.5, that lets a user with FTP or web-shell access on a shared hosting server running CloudLinux/CageFS break out of their confined environment. Attack complexity is high and it needs an existing foothold, but on multi-tenant hosting the impact of one tenant reaching another's files is serious. It's four days past its 18 June deadline — the most overdue item on the list.
- CVE-2026-20262 — Cisco Catalyst SD-WAN Manager. A directory or path traversal flaw, CVSS 6.5, that lets an authenticated remote attacker create a file or overwrite any file on the affected system. It's the only entry not yet overdue, with a 29 June deadline leaving about a week of runway. Integrity is the exposure here, but arbitrary file overwrite by an authenticated user is still a viable route to something bigger.
What to do with this
The pattern this week is less about volume and more about lateness. Three of the four entries are already past their CISA deadline, so the sequencing is mostly a question of how overdue each one is against your own exposure. Start with the two unauthenticated criticals; Splunk first on the strength of its exploitation likelihood, then the Widget Factory Joomla Content Editor. LiteSpeed’s symlink flaw follows, and the Cisco SD-WAN Manager path traversal, the only item with runway left, rounds things out ahead of its 29 June deadline.
A quick caveat worth repeating: the KEV catalogue tells you what’s being exploited, not what’s present in your environment. Absence from this list is not evidence of safety, and the list itself is not a substitute for understanding your own asset inventory. The right move is always to map these CVEs against what you actually run, then patch in priority order.
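The two steps above, mapping the week's entries against what you run and then ordering them, are easy to do by hand for four CVEs but worth scripting once the catalogue and your inventory grow. The block below is an added example and is not code from this page or from CISA. The four records are constructed from the figures quoted above (CVSS, the Splunk EPSS percentile, due dates) and use the field names of CISA's real KEV JSON feed (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse) so the same functions work on the live "vulnerabilities" array; the vendor/product strings, the inventory set and the as-of date of 22 June are assumptions. CVSS and EPSS are not part of the KEV feed and are supplied here as a separate enrichment map.

```python
# Added example (not from the page or from CISA): join KEV entries to an
# asset inventory and rank them for patching.
#
# Records below are CONSTRUCTED from the figures in the write-up and follow
# the field names of the real feed:
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
from datetime import date

AS_OF = "2026-06-22"  # assumed: the day after the reporting week closed

# Constructed sample entries; vendor/product strings are assumptions.
KEV_SAMPLE = [
    {"cveID": "CVE-2026-20253", "vendorProject": "Splunk",
     "product": "Splunk Enterprise", "dueDate": "2026-06-21",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-48907", "vendorProject": "Widget Factory",
     "product": "Joomla Content Editor", "dueDate": "2026-06-19",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-54420", "vendorProject": "LiteSpeed",
     "product": "cPanel Plugin", "dueDate": "2026-06-18",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-20262", "vendorProject": "Cisco",
     "product": "Catalyst SD-WAN Manager", "dueDate": "2026-06-29",
     "knownRansomwareCampaignUse": "Unknown"},
]

# Enrichment taken from the write-up: CVSS base score and EPSS percentile
# where quoted (None where the page gives no figure; ranked as 0).
ENRICHMENT = {
    "CVE-2026-20253": {"cvss": 9.8, "epss_percentile": 0.95},
    "CVE-2026-48907": {"cvss": 9.8, "epss_percentile": None},
    "CVE-2026-54420": {"cvss": 8.5, "epss_percentile": None},
    "CVE-2026-20262": {"cvss": 6.5, "epss_percentile": None},
}

# Constructed inventory of (vendor, product) pairs actually deployed,
# lower-cased for matching. Replace with an export from your CMDB.
INVENTORY = {("splunk", "splunk enterprise"), ("cisco", "catalyst sd-wan manager")}


def days_overdue(entry, as_of=AS_OF):
    """Days past the CISA due date; negative means runway is still left."""
    return (date.fromisoformat(as_of) - date.fromisoformat(entry["dueDate"])).days


def in_inventory(entry, inventory):
    """Case-insensitive exact match of vendorProject/product against the inventory."""
    return (entry["vendorProject"].lower(), entry["product"].lower()) in inventory


def prioritise(entries, enrichment, inventory, as_of=AS_OF):
    """Rank KEV entries: deployed products first, then CVSS, then EPSS,
    then earliest due date. Returns one dict per entry in patching order."""
    def sort_key(e):
        enr = enrichment.get(e["cveID"], {})
        return (
            not in_inventory(e, inventory),        # False (deployed) sorts first
            -enr.get("cvss", 0.0),
            -(enr.get("epss_percentile") or 0.0),
            e["dueDate"],                          # ISO dates sort lexically
        )
    return [
        {
            "cve": e["cveID"],
            "product": f'{e["vendorProject"]} {e["product"]}',
            "in_inventory": in_inventory(e, inventory),
            "days_overdue": days_overdue(e, as_of),
            "ransomware": e.get("knownRansomwareCampaignUse", "Unknown"),
        }
        for e in sorted(entries, key=sort_key)
    ]


if __name__ == "__main__":
    for row in prioritise(KEV_SAMPLE, ENRICHMENT, INVENTORY):
        d = row["days_overdue"]
        state = f"{d}d overdue" if d > 0 else f"{-d}d left"
        flag = "DEPLOYED" if row["in_inventory"] else "not in inventory"
        print(f'{row["cve"]:16} {row["product"]:32} {state:12} {flag}')
```

With an empty inventory the ranking reproduces the order given above (Splunk, JCE, LiteSpeed, Cisco); with the constructed inventory the two deployed products jump to the top regardless of severity, which is the point of the caveat: presence in your estate beats catalogue position. Exact vendor/product matching is deliberately strict and will miss entries whose naming differs between CISA and your CMDB, so normalise both sides (or match on CPE) before relying on it.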
If you'd like the full per-vulnerability breakdown, download the complete report below.
Get the full report
A complete per-vulnerability breakdown: exploit mechanics, CVSS and EPSS scoring, remediation deadlines and direct links to every vendor advisory.
This summary is provided for information purposes and reflects the CISA KEV catalogue as it stood for the period 15–21 June 2026. The threat landscape changes continually, so scores and deadlines may have moved since publication. Always obtain patches and guidance directly from the vendor.
If you are concerned that you may be affected by any of the vulnerabilities in this report and would like independent assurance, you can get in touch with our testing team via the contact form below.