28 vulnerabilities across 15 products scored HIGH or above on June 10, 2026.

  • CRITICAL: 2
  • HIGH: 26

[CRITICAL] splunk/splunk_enterprise

1 CVE | CVSS 3.1: 9.8 | AAS 12.6

  • cpe:2.3:a:splunk:splunk_enterprise:*:*:*:*:*:*:*:* (< 10.0.7)
  • cpe:2.3:a:splunk:splunk_enterprise:*:*:*:*:*:*:*:* (< 10.2.4)
  • cpe:2.3:a:splunk:splunk_enterprise:*:*:*:*:*:*:*:* (< 10.2.2510.14)
  • cpe:2.3:a:splunk:splunk_enterprise:*:*:*:*:*:*:*:* (< 10.4.2604.3)

Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.3 and 10.2.2510.14, are vulnerable to unauthenticated arbitrary file creation and truncation (CVE-2026-20253, CVSS 9.8 CRITICAL) through an unprotected PostgreSQL sidecar endpoint. Proof-of-concept code is publicly available; the flaw allows any network-reachable user to perform file operations without authentication credentials. Organizations operating affected Splunk deployments should immediately apply vendor patches or, as a temporary mitigation, restrict network access to the sidecar service endpoint until updates are deployed.

Vendor Advisory


[CRITICAL] pi-hole/ftl

1 CVE | CVSS 3.1: 8.8 | AAS 12.6

  • cpe:2.3:a:pi-hole:ftl:*:*:*:*:*:*:*:* (>= 6.0, < 6.6.1)

Pi-hole FTL versions prior to 6.6.1 contain an exploitable race condition in HTTP session management (CVE-2026-44693, CVSS 8.8 CRITICAL) introduced during the v6.0 web server rewrite. This vulnerability affects all Pi-hole deployments using the core FTL filtering engine for network-level advertisement and tracker blocking. Users should upgrade to FTL version 6.6.1 or later immediately to remediate this critical flaw.

Vendor Advisory


[HIGH] erlang/otp

1 CVE | CVSS 4.0: 8.8 | AAS 11.7

  • cpe:2.3:a:erlang:otp:*:*:*:*:*:*:*:*

Erlang OTP contains a stack-based buffer overflow vulnerability in the SCTP ERROR chunk handler (CVE-2026-49759, CVSS 8.8 HIGH) that allows remote attackers to crash the BEAM virtual machine. An unauthenticated attacker who can reach an SCTP listening port can send a specially crafted SCTP ERROR chunk to trigger the overflow and cause a denial of service. Organizations running Erlang OTP with SCTP enabled should consult the vendor advisory and apply available patches to remediate this exploitable vulnerability.

Vendor Advisory


[HIGH] boxlite-ai/boxlite

2 CVEs | CVSS 3.1: 10.0 | AAS 11.3

  • cpe:2.3:a:boxlite-ai:boxlite:*:*:*:*:*:*:*:* (< 0.9.0)

Boxlite versions prior to 0.9.0 contain multiple vulnerabilities including at least one that allows malicious code to bypass read-only directory restrictions (CVE-2026-46695, CVE-2026-46703; CVSS 10.0). The sandbox service fails to restrict kernel capabilities inside containers, permitting untrusted code to remount read-only directories in read-write mode and perform arbitrary writes to protected locations. Organizations deploying Boxlite for running untrusted code should immediately upgrade to version 0.9.0 or later to remediate these critical sandbox escape vulnerabilities.

Vendor Advisory


[HIGH] amentotech/doctreat_core

1 CVE | CVSS 3.1: 9.8 | AAS 11.1

  • cpe:2.3:a:amentotech:doctreat_core:*:*:*:*:*:*:*:*

The Doctreat Core WordPress plugin through version 1.6.8 contains a privilege escalation vulnerability (CVE-2025-6254, CVSS 9.8 HIGH) that allows unauthenticated attackers to register user accounts with administrator privileges. The vulnerable registration function fails to properly validate user roles during account creation, enabling attackers to bypass authentication and gain full administrative access without credentials. WordPress sites using Doctreat Core should update to the latest patched version immediately to prevent unauthorized administrative access.

Vendor Advisory


[HIGH] fission/fission

7 CVEs | CVSS 3.1: 9.9 | AAS 11.1

  • cpe:2.3:a:fission:fission:*:*:*:*:*:*:*:* (< 1.23.0)
  • cpe:2.3:a:fission:fission:*:*:*:*:*:*:*:* (< 1.24.0)

Fission versions prior to 1.23.0 contain seven vulnerabilities, including several that expose internal function routes on the user-accessible router port (CVSS 9.9 HIGH). The Kubernetes-native serverless framework registers internal routes for all Function objects on the same listener as user-defined HTTPTriggers, allowing attackers to invoke functions that should not be directly accessible. Organizations deploying Fission should immediately upgrade to version 1.23.0 or later to remediate these exploitable vulnerabilities.

Vendor Advisory


[HIGH] redhat/enterprise_linux

1 CVE | CVSS 3.1: 8.8 | AAS 11.1

  • cpe:2.3:a:redhat:enterprise_linux:*:*:*:*:*:*:*:*

Red Hat Enterprise Linux systems using dracut’s legacy DHCP path are vulnerable to remote command injection (CVE-2026-6893, CVSS 8.8 HIGH) through specially crafted DHCP options such as malicious hostnames. An attacker on the adjacent network can exploit improper input handling to achieve root code execution within the initramfs, potentially compromising the system at boot time before normal security controls are active. Organizations should consult the Red Hat security advisory and apply patches to systems running affected versions of dracut.

Vendor Advisory


[HIGH] spring/spring_data_rest

1 CVE | CVSS 3.1: 8.1 | AAS 10.9

  • cpe:2.3:a:spring:spring_data_rest:*:*:*:*:*:*:*:* (>= 3.7.0, < 3.7.20)
  • cpe:2.3:a:spring:spring_data_rest:*:*:*:*:*:*:*:* (>= 4.3.0, < 4.3.17)
  • cpe:2.3:a:spring:spring_data_rest:*:*:*:*:*:*:*:* (>= 4.4.0, < 4.4.15)
  • cpe:2.3:a:spring:spring_data_rest:*:*:*:*:*:*:*:* (>= 4.5.0, < 4.5.12)
  • cpe:2.3:a:spring:spring_data_rest:*:*:*:*:*:*:*:* (>= 5.0.0, < 5.0.6)

Spring Data REST versions 3.7.0 through 3.7.19, 4.3.0 through 4.3.16, 4.4.0 through 4.4.14, 4.5.0 through 4.5.11, and 5.0.0 through 5.0.5 are vulnerable to Spring Expression Language injection (CVE-2026-41729, CVSS 8.1 HIGH) through JSON Patch requests targeting Map-typed properties. Attackers can inject arbitrary SpEL expressions through unsanitized JSON Pointer path segments used as map keys, potentially achieving remote code execution. Applications using affected versions of Spring Data REST should immediately update to patched versions available from the Spring project.

Vendor Advisory


[HIGH] imagemagick/imagemagick

1 CVE | CVSS 3.1: 7.5 | AAS 10.8

  • cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:* (< 6.9.13-50)
  • cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:* (>= 7.0.0-0, < 7.1.2-25)

ImageMagick versions prior to 6.9.13-50 and 7.1.2-25 contain an out-of-bounds heap write vulnerability in the ICON decoder (CVE-2026-53461, CVSS 7.5 HIGH) that can be triggered by processing specially crafted ICON files. An incorrect loop in the decoder writes beyond the bounds of its heap allocation, resulting in application crashes and potential memory corruption. Organizations using ImageMagick should update to version 6.9.13-50 or 7.1.2-25 or later to remediate this exploitable vulnerability.

Vendor Advisory


[HIGH] npm/baileys

1 CVE | CVSS 3.1: 9.5 | AAS 10.8

  • cpe:2.3:a:npm:baileys:*:*:*:*:*:*:*:* (< 6.7.22)

The baileys npm package versions prior to 7.0.0-rc12 and 6.7.22 are vulnerable to message spoofing and app state corruption (CVE-2026-48063, CVSS 9.5 HIGH) through malicious payloads sent via placeholderResendMessage. Attackers can forge fake message keys and payloads, corrupt the app state sync system, and spoof history sync data to inject false messages and context into active sessions. Applications using affected versions of baileys should immediately update to version 7.0.0-rc12 or 6.7.22 or later to prevent exploitation.

Vendor Advisory


[HIGH] cloud-hypervisor/cloud-hypervisor

1 CVE | CVSS 4.0: 8.9 | AAS 10.2

  • cpe:2.3:a:cloud-hypervisor:cloud-hypervisor:*:*:*:*:*:*:*:* (>= 21.0, < 51.2)

Cloud Hypervisor versions from 21.0 up to, but not including, 51.2 contain a use-after-free vulnerability in virtio-block handling (CVE-2026-45782, CVSS 8.9 HIGH) that allows guest VMs to corrupt the hypervisor process when asynchronous block I/O is enabled. A guest can submit duplicate virtio-block descriptor chains that reuse the same head index, causing the hypervisor to free a bounce buffer while the kernel is still reading from or writing to it. Organizations deploying Cloud Hypervisor should immediately upgrade to version 51.2 or later to remediate this exploitable vulnerability.

Vendor Advisory


[HIGH] roxy-wi/roxy-wi

6 CVEs | CVSS 3.1: 9.9 | AAS 10.2

  • cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*:* (< 8.2.6.5)

Roxy-WI versions 8.2.6.4 and prior contain six vulnerabilities, including several that allow arbitrary file writes through path traversal in the WAF rule endpoint (CVSS 9.9 HIGH). The POST /waf//<server_ip>/rule/<rule_id>/save endpoint fails to properly validate the config_file_name parameter, allowing attackers to bypass path restrictions and write files to arbitrary locations on the server. Organizations running Roxy-WI should immediately upgrade to the latest patched version to prevent exploitation.

Vendor Advisory


[HIGH] jelmer/dulwich

2 CVEs | CVSS 3.1: 8.8 | AAS 10.1

  • cpe:2.3:a:jelmer:dulwich:*:*:*:*:*:*:*:* (>= 0.10.0, < 1.2.5)
  • cpe:2.3:a:jelmer:dulwich:*:*:*:*:*:*:*:* (>= 0.24.0, < 1.2.5)

Dulwich versions from 0.10.0 up to, but not including, 1.2.5 contain multiple vulnerabilities, including at least one that allows arbitrary file writes and remote code execution on Windows systems (CVE-2026-42305, CVE-2026-42563; CVSS 8.8 HIGH) when cloning or checking out malicious Git repositories. The path-element validator accepts tree entries whose filenames contain bytes that Windows interprets as path syntax, allowing attackers to write files to unintended locations. Users of Dulwich on Windows should immediately upgrade to version 1.2.5 or later to prevent exploitation when accessing untrusted Git repositories.

Vendor Advisory


[HIGH] qnap/qts

1 CVE | CVSS 4.0: 9.2 | AAS 10.0

  • cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:* (>= 4.3.0, < 5.2.7.3256)

QNAP QTS versions prior to 5.2.7.3256 build 20250913 are affected by a high-severity vulnerability (CVE-2025-66276, CVSS 9.2 HIGH) that does not impact QuTS hero systems. The vulnerability has been patched in QTS 5.2.7.3256 build 20250913 and later. Organizations running QNAP QTS should update to the patched build or consult the vendor advisory for additional technical details and mitigation guidance.

Vendor Advisory


[HIGH] simplesamlphp/simplesamlphp-module-casserver

1 CVE | CVSS 3.1: 8.6 | AAS 9.9

  • cpe:2.3:a:simplesamlphp:simplesamlphp-module-casserver:*:*:*:*:*:*:*:* (< 7.0.3)

SimpleSAMLphp-module-casserver versions prior to 7.0.3 contain a path traversal vulnerability (CVE-2026-46491, CVSS 8.6 HIGH) in the file-based CAS ticket store that allows remote attackers to read or write arbitrary files. The vulnerability exists in public CAS validation and proxy endpoints that pass attacker-controlled ticket and PGT identifiers directly into file path construction without sanitization. Organizations using SimpleSAMLphp with the CAS server module and FileSystemTicketStore should immediately upgrade to version 7.0.3 or later.

Vendor Advisory