Node.js shipped June 2026 security releases across all maintained lines on June 18, patching two HIGH-severity CVEs: a WebCrypto AES integer overflow and a TLS wildcard authentication bypass.
Google shipped Chrome 149.0.7827.155 on June 16 with 33 security fixes, seven Critical, targeting use-after-free bugs across WebShare, WebView, Digital Credentials, and Web Authentication.
A novel npm supply chain campaign embeds malicious code inside binding.gyp files to trigger execution via node-gyp during install — bypassing the preinstall/postinstall hooks that most security tooling watches.
TeamPCP's latest Mini Shai-Hulud variant compromised 96 versions across 32 @redhat-cloud-services npm packages — the fifth time this actor has pulled the same playbook in six weeks, and their first confirmed pivot to GitHub Actions OIDC tokens instead of individual developer credentials.
Three separate credential-stealing campaigns targeted npm, PyPI, and Docker Hub within the same 48-hour window — the Docker Hub incident involved a trojanized Trivy image and picked up CVE-2026-33634.
In the OpenSSF Community Day North America roundup, the headline artifact is a 1.0.0 Python secure-coding guide that developers can actually pin against.
GitHub resumes enforcement of minimum runner version requirements starting June 29, with brownouts from 11 AM–3 PM ET on github.com and full enforcement across GitHub Enterprise Cloud by July 31.
The US government invoked export controls on June 12 to suspend access to Claude Fable 5 and Mythos 5, citing a potential jailbreak with cybersecurity implications.
CISA's May 12 patching deadline for CVE-2026-32202 — an APT28-exploited Windows Shell spoofing flaw enabling zero-click NTLMv2 hash theft — arrives today, requiring the April 2026 cumulative update KB5083769.
CISA confirmed active exploitation of CVE-2026-20253 in the Widget Factory Joomla Content Editor, adding it to the Known Exploited Vulnerabilities catalog with a federal remediation deadline of June 21.
Node.js shipped v22.23.0, v24.17.0, and v26.3.1 on June 18, patching 13 CVEs including a WebCrypto integer overflow and a TLS wildcard-depth authentication bypass, both rated HIGH.
CISA added a critical Ivanti Sentry flaw to its Known Exploited Vulnerabilities catalog on June 12, enabling unauthenticated remote attackers to execute commands as root.
CVE-2026-50751, an IKEv1 VPN vulnerability confirmed as actively exploited by Check Point, drew a Dutch NCSC warning about imminent large-scale attacks and a CISA KEV deadline.
CISA formally listed CVE-2026-20245 in its Known Exploited Vulnerabilities catalog on June 9, giving federal agencies until June 23 to remediate — even though Cisco has yet to ship a fix.
CISA added CVE-2026-7473, an incomplete comparison flaw in Arista Extensible Operating System, to the Known Exploited Vulnerabilities catalog on June 9 with a remediation deadline of June 23, 2026.
Chrome 149.0.7827.102/.103 lands an emergency fix for CVE-2026-11645, an out-of-bounds read/write in V8 that is being exploited in the wild — the fifth Chrome zero-day patched this year.
CVE-2026-41091 lets a local attacker escalate to SYSTEM through Defender's Malware Protection Engine, while CVE-2026-45498 kills definition updates — patched together, federal deadline June 3.
CISA added CVE-2022-0492, a Linux Kernel improper authentication flaw first disclosed in 2022, to the Known Exploited Vulnerabilities catalog on June 2 — meaning it is now confirmed to be actively exploited in the wild.
CISA flagged CVE-2025-34291 (Langflow origin validation error) and CVE-2026-34926 (Trend Micro Apex One directory traversal) as actively exploited, requiring federal agencies to patch under BOD 22-01.
Seven vulnerabilities joined the KEV catalog on May 20, mixing two fresh Microsoft Defender CVEs with five bugs from 2008-2010 that are, apparently, still being weaponized.
A CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN is being actively exploited in the wild, with CISA mandating federal agency remediation by May 17, 2026 and no complete workaround available short of upgrading.
CISA's May 10 remediation deadline for an Ivanti Endpoint Manager Mobile improper-input-validation bug enabling authenticated-admin RCE has now lapsed, increasing exposure for federal and enterprise deployments.
Ivanti Endpoint Manager Mobile carries a CVSS 7.2 RCE flaw under active exploitation, and CISA ordered Federal Civilian Executive Branch agencies to apply patches by May 10, 2026.
The CISA May 9 remediation deadline for the actively exploited Palo Alto PAN-OS root-level RCE (CVE-2026-0300) has arrived with official patches still not available, requiring agencies to apply interim mitigations immediately.