CISA KEV — Last 30 Days · Stack-filtered · Newest first
Catalog total: 1,629
Product cPanel Plugin
Vendor LiteSpeed
Added to KEV 2026-06-15
FCEB Deadline 2026-06-18
LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability
LiteSpeed cPanel plugin contains a UNIX symbolic link (Symlink) following vulnerability that could allow a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS.
Required Action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
Product Chromium V8
Vendor Google
Added to KEV 2026-06-09
FCEB Deadline 2026-06-23
Google Chromium V8 Out-of-Bounds Read and Write Vulnerability
Google Chromium V8 out-of-bounds read and write vulnerability that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Product Kernel
Vendor Linux
Added to KEV 2026-06-02
FCEB Deadline 2026-06-05
Linux Kernel Improper Authentication Vulnerability
Linux Kernel contains an improper authentication vulnerability which could allow for privilege escalation via the cgroups v1 release_agent feature.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
NVD HIGH / CRITICAL — Last 14 Days · Stack-filtered · Score descending · Max 20
Published 2026-06-26
A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings.
This vulnerability affects all suppo…
Published 2026-06-26
Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preven…
Published 2026-06-19
Url redirection to untrusted site ('open redirect') in Microsoft 365 Copilot's Business Chat allows an unauthorized attacker to elevate privileges over a network.
Published 2026-06-22
The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates. Prior to 21.2.4, the client-side Angular Language Service VS Code extension reads the custom Ty…
Published 2026-06-22
http-proxy-middleware is node.js http-proxy middleware. From 0.16.0 until 2.0.10, 3.0.6, and 4.1.0, http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, bu…
Published 2026-06-23
Traefik is an HTTP reverse proxy and load balancer. From 3.7.0-ea.1 until 3.7.5, there is a medium severity vulnerability in Traefik's Kubernetes Ingress NGINX provider that causes affected routes to …
Published 2026-06-23
n8n is an open source workflow automation platform. Prior to 2.24.0, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via the Microsoft SQL …
Published 2026-06-23
n8n is an open source workflow automation platform. Prior to 1.123.48, 2.21.8, and 2.22.4, an authenticated user with permission to create or modify workflows containing a Python Code Node could escap…
Published 2026-06-23
yt-dlp is a command-line audio/video downloader. Prior to 2026.06.09, if aria2c is used as an external downloader for a fragmented manifest format (such as an HLS/DASH stream), yt-dlp passes insuffici…
Published 2026-06-24
n8n before version 2.4.0 contains a sql injection vulnerability in MySQL, PostgreSQL, and Microsoft SQL nodes that allows authenticated users to inject arbitrary SQL through unescaped identifier value…
Published 2026-06-17
libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can s…
Published 2026-06-23
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.10, Deno's node:child_process implementation provided an escapeShellArg() helper used when callers passed shell: true to spawn /…
Published 2026-06-16
Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender publicly referred to as "RoguePlanet ". We are working to provide a high qual…
Published 2026-06-25
Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed functio…
Published 2026-06-22
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.0, attacker-controlled input included into multipart/payload headers can be used to modify a request to in…
Published 2026-06-22
Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite’s dev…
Published 2026-06-22
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, no limit was present on the number of pipelined requests that could be queued. An attacker may be able …
Published 2026-06-22
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, if an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual …
Published 2026-06-22
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, the server_hostname TLS SNI check can be bypassed when an existing connection is reused. If an applicat…
Published 2026-06-22
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, during cleanup it is possible for a compressed request body to be decompressed into memory in one chunk…
Monitored Stack
Infrastructure
Proxmox VE (NUC-Lab)NUC-Lab · 192.168.1.100
Debian 12Pi-Primary (.192), Pi-Secondary (.218)
Linux kernel6.1.21-v7+
Windows 11NUC desktop
Network / DNS
AdGuard Homev0.107.77 · current
Tailscale1.98.4 · 1.98.5 pending
WireGuardall nodes
Services
nginxreverse proxy
OpenSSHall nodes
Cloudflare PagesWorkers / ZT
Python 3.xautomation / build
Node.jstooling
Known Pending Patches
Action Required on Return Home
CVE-2026-31431
Kernel LPE — pending on Pi-Primary (.192) and Pi-Secondary (.218) · patch on return home
Tailscale 1.98.5
One patch ahead on both Pis · update on return home
Notable CVEs (Out-of-Stack, Situational Awareness)
Not in stack — tracking for situational awareness.
CISA KEV — FCEB deadline pending. Not in stack but CVSSv3 10.0 warrants awareness.