2 vulnerabilities across 1 product scored HIGH or above on June 25, 2026.

  • 🟠 HIGH: 2

Exploit Status Upgrades

The following CVEs from previous bulletins have been upgraded based on new exploit intelligence:

  • [UPGRADED] CVE-2026-48721 (warpdotdev/warp) — F1: exploitable → functional, AAS: 10.4 → 12.4 (HIGH → CRITICAL). Originally in 2026-06-24 bulletin.
    • X trend: 4 exploit mentions in 9 tweets
  • [UPGRADED] CVE-2026-48725 (warpdotdev/warp) — F1: exploitable → functional, AAS: 9.9 → 11.9 (HIGH → HIGH). Originally in 2026-06-24 bulletin.
    • X trend: 4 exploit mentions in 9 tweets
  • [UPGRADED] CVE-2026-48720 (warpdotdev/warp) — F1: theoretical → functional, AAS: 9.6 → 12.6 (HIGH → CRITICAL). Originally in 2026-06-24 bulletin.
    • X trend: 4 exploit mentions in 9 tweets
  • [UPGRADED] CVE-2026-48719 (warpdotdev/warp) — F1: exploitable → functional, AAS: 9.3 → 11.3 (HIGH → HIGH). Originally in 2026-06-24 bulletin.
    • X trend: 4 exploit mentions in 6 tweets
  • [UPGRADED] CVE-2026-49980 (rclone/rclone) — F1: exploitable → functional, AAS: 11.1 → 12.9 (HIGH → CRITICAL). Originally in 2026-06-24 bulletin.
    • X trend: 3 exploit mentions in 5 tweets
  • [UPGRADED] CVE-2026-49851 (lepture/mistune) — F1: exploitable → functional, AAS: 9.1 → 11.1 (HIGH → HIGH). Originally in 2026-06-24 bulletin.
    • X trend: 4 exploit mentions in 9 tweets
  • [UPGRADED] CVE-2026-49247 (jellyfin/jellyfin) — F1: theoretical → functional, AAS: 9.1 → 12.1 (HIGH → CRITICAL). Originally in 2026-06-24 bulletin.
    • X trend: 4 exploit mentions in 6 tweets
  • [UPGRADED] CVE-2026-54010 (open-webui/open-webui) — F1: exploitable → functional, AAS: 10.1 → 12.1 (HIGH → CRITICAL). Originally in 2026-06-23 bulletin.
    • X trend: 3 exploit mentions in 5 tweets
  • [UPGRADED] CVE-2025-58048 (paymenter/paymenter) — F1: exploitable → functional, AAS: 10.2 → 12.2 (HIGH → CRITICAL). Originally in 2026-06-22 bulletin.
    • X trend: 3 exploit mentions in 4 tweets
  • [UPGRADED] CVE-2026-48909 (joomshaper.net/sp_lms_extension_for_joomla) — F1: exploitable → functional, AAS: 9.8 → 11.8 (HIGH → HIGH). Originally in 2026-06-20 bulletin.
    • X trend: 1 exploit mention in 2 tweets
  • [UPGRADED] CVE-2026-54005 (getkirby/cms) — F1: exploitable → functional, AAS: 9.3 → 11.3 (HIGH → HIGH). Originally in 2026-06-18 bulletin.
    • X trend: 3 exploit mentions in 3 tweets

🟠 [HIGH] gitlab/gitlab

2 CVEs | CVSS 3.1: 8.7 | AAS 10.0

  • cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:* (>= 16.4, < 18.11.6)
  • cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:* (>= 19.0, < 19.0.3)
  • cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:* (>= 19.1, < 19.1.1)

GitLab has disclosed 2 vulnerabilities affecting GitLab EE across a wide range of versions, from 16.4 through 19.1, including at least one high-severity stored XSS flaw (CVSS 8.7) that allows an authenticated user with developer permissions to execute arbitrary code in another user’s browser session through improper input sanitization. Organizations running self-managed GitLab EE instances should treat this as a priority patch cycle, as the broad version range and low privilege requirement make exploitation practical in most enterprise environments.

Administrators should upgrade immediately to GitLab 18.11.6, 19.0.3, or 19.1.1, depending on their current release track, and review the vendor advisory at docs.gitlab.com for full details on both fixes.

Vendor Advisory