52 vulnerabilities across 15 products scored HIGH or above on June 09, 2026.

  • CRITICAL: 36
  • HIGH: 16

[CRITICAL] microsoft/windows

30 CVEs | CVSS 3.1: 9.8 | AAS 15.1

Microsoft has released patches for a critical vulnerability (CVSS 9.8) in Windows HTTP.sys, with CVE-2026-47291 as the lead issue and 29 additional related CVEs. The integer overflow flaw allows unauthenticated attackers to achieve remote code execution, and the vulnerability is currently exploitable. Windows administrators should immediately apply patches from the Microsoft Security Response Center and assess their infrastructure for exposure.


[CRITICAL] adobe/coldfusion

6 CVEs | CVSS 3.1: 9.6 | AAS 13.1

Adobe has released patches for a critical path traversal vulnerability (CVSS 9.6) affecting ColdFusion 2023.19, 2025.8, and earlier, with CVE-2026-47932 as the lead issue and 5 additional related CVEs. The vulnerability allows attackers to bypass security features and access unauthorized files and directories, but requires a victim to open a malicious file. ColdFusion administrators should immediately apply available patches from Adobe’s security advisory and implement controls to restrict file execution from untrusted sources.


[HIGH] openssl/openssl

1 CVE | CVSS 3.1: 8.1 | AAS 11.6

OpenSSL has released a patch for CVE-2026-7383, a high-severity heap buffer overflow vulnerability (CVSS 8.1) in the ASN1_mbstring_ncopy() function. A signed integer overflow in Unicode output buffer sizing can lead to a crash or potentially attacker-controlled code execution, and the vulnerability is currently exploitable. Organizations using affected OpenSSL versions should immediately apply the latest security patch from the OpenSSL project.


[HIGH] fortinet/fortisandbox

1 CVE | CVSS 3.1: 9.8 | AAS 11.1

Fortinet has released patches for CVE-2026-25089, a critical OS command injection vulnerability (CVSS 9.8) in FortiSandbox 5.0.0-5.0.5, 4.4.0-4.4.8, 4.2, and FortiSandbox Cloud and PaaS versions 5.0.4-5.0.5. An unauthenticated attacker can execute arbitrary commands through specially crafted HTTP requests, and the vulnerability is currently exploitable. Organizations running affected FortiSandbox versions should immediately apply the latest security updates from Fortinet and restrict access to FortiSandbox management interfaces.


[HIGH] mongodb/mongodb_server

2 CVEs | CVSS 4.0: 8.7 | AAS 10.6

MongoDB has released patches for a high-severity denial-of-service vulnerability (CVSS 8.7) in MongoDB Server, with CVE-2026-9740 as the lead issue and 1 additional related CVE. The flaw in BSON validation logic allows uncontrolled mutual recursion between validation functions, enabling an unauthenticated attacker to crash the mongod process through specially crafted messages. Organizations running affected MongoDB Server versions should immediately apply the latest security patches from MongoDB and implement network-level restrictions to limit access to MongoDB instances.


[HIGH] logseq/logseq

2 CVEs | CVSS 4.0: 8.7 | AAS 10.5

Logseq has released patches for CVE-2026-9279, a high-severity command injection vulnerability (CVSS 8.7), and 1 additional related CVE. An IPC handler in the renderer process allows arbitrary shell command execution by bypassing command allowlists through shell metacharacters. It is exploitable by attackers with JavaScript execution capability via XSS or malicious plugins. Logseq users should immediately update to the latest version and exercise caution when installing plugins from untrusted sources.


[HIGH] adobe/adobe_campaign_classic_(acc)

2 CVEs | CVSS 3.1: 10.0 | AAS 10.3

Adobe has released patches for a critical authorization bypass vulnerability (CVSS 10.0) in Adobe Campaign Classic 7.4.3 build 9394 and earlier, with CVE-2026-48303 as the lead issue and 1 additional related CVE. The flaw allows arbitrary code execution in the context of the current user without requiring user interaction, and the vulnerability is currently exploitable. Organizations running affected ACC versions should immediately apply available patches from Adobe’s security advisory.


[HIGH] ivanti/sentry

1 CVE | CVSS 3.1: 10.0 | AAS 10.3

Ivanti has released patches for CVE-2026-10520, a critical OS command injection vulnerability (CVSS 10.0) in Sentry affecting versions prior to R10.5.2, R10.6.2, and R10.7.1. A remote unauthenticated attacker can achieve root-level code execution, and the vulnerability is currently exploitable. Organizations running affected Ivanti Sentry versions should immediately upgrade to the patched releases from Ivanti’s security advisory.


[HIGH] sap_se/sap_netweaver_as_abap_and_abap_platform

1 CVE | CVSS 3.1: 9.8 | AAS 10.1

SAP has released patches for CVE-2026-27671, a critical RFC protocol validation vulnerability (CVSS 9.8) affecting SAP NetWeaver AS ABAP and ABAP Platform. An unauthenticated attacker can exploit logical errors in memory management through crafted RFC requests, leading to memory corruption and potential compromise of confidentiality, integrity, and availability. Organizations running affected SAP systems should immediately apply the security patches from SAP’s support note and restrict RFC access where possible.


[HIGH] mosk_information_technologies_ltd./cbs_platform

1 CVE | CVSS 3.1: 9.8 | AAS 10.1

MOSK Information Technologies Ltd. CBS Platform versions through 09062026 are affected by CVE-2026-8025, a critical SQL injection vulnerability (CVSS 9.8) that allows database compromise. The product is no longer supported by the vendor and no patches are available, making the vulnerability particularly severe. Organizations using CBS Platform should immediately evaluate alternative solutions and implement strong database access controls and monitoring to mitigate exposure.


[HIGH] microsoft/nuance_powerscribe_360_4.0

1 CVE | CVSS 3.1: 9.8 | AAS 10.1

Microsoft has released patches for a critical deserialization vulnerability (CVSS 9.8) in Nuance PowerScribe 360 4.0, disclosed as CVE-2026-26142. An unauthorized attacker can execute arbitrary code over the network by exploiting improper deserialization of untrusted data, and the vulnerability is currently exploitable. Organizations running Nuance PowerScribe 360 4.0 should immediately apply available patches from Microsoft’s security advisory and segment PowerScribe systems from untrusted networks.


[HIGH] netcad_software_inc./e-i̇mar

1 CVE | CVSS 3.1: 9.8 | AAS 10.1

Netcad Software Inc. E-İmar versions 2.10.1.0 through 3.0.1 are affected by CVE-2026-7486, a critical SQL injection vulnerability (CVSS 9.8) that allows database compromise. An attacker can inject malicious SQL commands to access, modify, or delete sensitive data, and the vulnerability is currently exploitable. Organizations running affected E-İmar versions should immediately upgrade to version 3.0.2 or later and implement database access controls to prevent unauthorized queries.


[HIGH] microsoft/visual_studio_code

1 CVE | CVSS 3.1: 9.6 | AAS 9.9

Microsoft has released patches for a high-severity privilege escalation vulnerability (CVSS 9.6) in Visual Studio Code, disclosed as CVE-2026-47281. Improper input validation allows an unauthorized attacker to escalate privileges over a network, and the vulnerability is currently exploitable. Developers and organizations using Visual Studio Code should immediately update to the latest version from Microsoft’s security advisory.


[HIGH] adobe/adobe_experience_manager_forms_jee

1 CVE | CVSS 3.1: 9.3 | AAS 9.6

Adobe has released patches for a high-severity stored cross-site scripting vulnerability (CVSS 9.3) in Adobe Experience Manager Forms JEE LTS SP1, 6.5.24.0 and earlier, disclosed as CVE-2026-34691. An attacker can inject malicious scripts into vulnerable form fields that execute in victims’ browsers, potentially leading to account compromise or session hijacking. Organizations running affected AEM Forms JEE versions should immediately apply the available patches from Adobe’s security advisory.


[HIGH] npm/shell-quote

1 CVE | CVSS 4.0: 9.2 | AAS 9.5

The npm shell-quote package is affected by CVE-2026-9277, a command injection vulnerability (CVSS 9.2) caused by improper escaping of line terminators in the quote() function’s .op field. An attacker can inject shell commands by including unescaped newlines that the POSIX shell interprets as command separators, allowing arbitrary command execution. Developers using shell-quote should immediately update to the latest patched version from npm and review any code that processes untrusted input through the quote() function.
