2 vulnerabilities across 2 products scored HIGH or above on June 28, 2026.

  • 🟠 HIGH: 2

Exploit Status Upgrades

The following CVEs from previous bulletins have been upgraded based on new exploit intelligence:

  • [UPGRADED] CVE-2026-50189 (appsmith/appsmith) — F1: exploitable → functional, AAS: 9.7 → 10.8 (HIGH → HIGH). Originally in 2026-06-24 bulletin.
  • [UPGRADED] CVE-2026-54067 (siyuan-note/siyuan) — F1: exploitable → functional, AAS: 9.2 → 11.2 (HIGH → HIGH). Originally in 2026-06-24 bulletin.

🟠 [HIGH] ffmpeg/ffmpeg

1 CVE | CVSS 4.0: 8.8 | AAS 10.2

  • cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:* (>= 4.2)

FFmpeg — HIGH Severity (CVSS 8.8)

One vulnerability has been disclosed in FFmpeg’s RASC video decoder. CVE-2026-58049 is a heap-based out-of-bounds write and read in the decode_dlta function within libavcodec/rasc.c, where insufficient boundary checks on DLTA run processing allow a crafted media stream to corrupt memory. Because the flaw is triggered simply by decoding a malicious video file, any application or service that uses FFmpeg’s libavcodec for media processing is potentially affected, including transcoding pipelines, media servers, and video players.

Security teams running FFmpeg in any capacity should treat this as a priority. The vulnerability is considered exploitable through attacker-supplied media files, which makes it particularly dangerous in environments that process untrusted video content. Administrators should monitor the FFmpeg project for a patched release, restrict processing of untrusted media where possible, and update FFmpeg as soon as a fix is available.
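The bug class described above, as an added example that is not FFmpeg's rasc.c and makes no claim about the real DLTA format: a hypothetical run decoder in which each (run_len, value) pair from the stream fills run_len bytes of a frame buffer. The unchecked loop trusts the stream and so reads past the input on an odd-length stream and writes past the frame on an oversized run; the hardened loop checks both before copying. The stream format, the function names and the sample streams are all constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical run decoder standing in for a DLTA-style run loop; it is not
 * FFmpeg's rasc.c. The constructed stream format is a sequence of
 * (run_len, value) byte pairs: each pair writes run_len copies of value at
 * the current output offset in the frame buffer and advances by run_len. */

enum { RUN_OK = 0, RUN_ERR_INPUT = -1, RUN_ERR_OUTPUT = -2 };

/* Unchecked form of the loop: run lengths come straight from the stream, so
 * a run that exceeds the remaining frame space writes past the end of frame
 * (heap OOB write) and an odd-length stream reads one byte past src
 * (OOB read). Shown only for contrast; never feed it untrusted data. */
size_t run_decode_unchecked(const uint8_t *src, size_t src_len,
                            uint8_t *frame, size_t frame_len)
{
    size_t in = 0, out = 0;
    (void)frame_len;                          /* ignored: that is the bug */
    while (in < src_len) {
        uint8_t run = src[in++];
        uint8_t val = src[in++];              /* OOB read when src_len is odd */
        memset(frame + out, val, run);        /* OOB write when out + run > frame_len */
        out += run;
    }
    return out;
}

/* Hardened form: every read is checked against src_len and every run against
 * the space left in frame before anything is copied. The comparison is written
 * as run > frame_len - out so it cannot wrap; out <= frame_len is an invariant. */
int run_decode_checked(const uint8_t *src, size_t src_len,
                       uint8_t *frame, size_t frame_len, size_t *written)
{
    size_t in = 0, out = 0;
    while (in < src_len) {
        if (src_len - in < 2)                 /* need a whole (run, value) pair */
            return RUN_ERR_INPUT;
        uint8_t run = src[in];
        uint8_t val = src[in + 1];
        in += 2;
        if (run > frame_len - out)            /* run would overrun the frame */
            return RUN_ERR_OUTPUT;
        memset(frame + out, val, run);
        out += run;
    }
    *written = out;
    return RUN_OK;
}

/* Runs constructed streams through the hardened decoder; returns 0 when every
 * case behaves as expected, otherwise the number of the failing case. */
int run_decode_selftest(void)
{
    uint8_t frame[8];
    size_t n = 0;
    const uint8_t good[] = {3, 0xAA, 2, 0xBB};    /* 3 x AA, 2 x BB: fits in 8 */
    const uint8_t long_run[] = {200, 0x41};       /* claims 200 bytes for an 8-byte frame */
    const uint8_t truncated[] = {1, 0x41, 2};     /* last pair is missing its value */

    memset(frame, 0, sizeof frame);
    if (run_decode_checked(good, sizeof good, frame, sizeof frame, &n) != RUN_OK) return 1;
    if (n != 5 || frame[0] != 0xAA || frame[2] != 0xAA || frame[3] != 0xBB ||
        frame[4] != 0xBB || frame[5] != 0) return 2;
    if (run_decode_checked(long_run, sizeof long_run, frame, sizeof frame, &n)
            != RUN_ERR_OUTPUT) return 3;
    if (run_decode_checked(truncated, sizeof truncated, frame, sizeof frame, &n)
            != RUN_ERR_INPUT) return 4;
    return 0;
}

int main(void)
{
    int rc = run_decode_selftest();
    printf("hardened run decoder self-test: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc;
}
```

The point to carry over to any decoder that handles untrusted media: validate the input length before each read and the remaining output space before each write, and do the output comparison in the subtraction form so a large run cannot wrap the check.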

Vendor Advisory


🟠 [HIGH] zephyrproject/zephyr

1 CVE | CVSS 3.1: 8.7 | AAS 9.5

  • cpe:2.3:a:zephyrproject:zephyr:*:*:*:*:*:*:*:* (< 3.7.0)

Zephyr RTOS — HIGH Severity (CVSS 8.7)

One vulnerability has been disclosed in the Zephyr real-time operating system. CVE-2026-10643 is a buffer overflow in the IP socket recvmsg() implementation: the length check on the caller's ancillary-data buffer accounts for the payload but not for the cmsg header, so the stack can write past the end of the user-supplied control buffer. The write occurs when recvmsg() delivers ancillary data such as IP_PKTINFO for an incoming network packet, which makes the memory corruption reachable from the network; the flaw is considered exploitable.

Teams deploying Zephyr-based firmware on IoT devices, embedded systems, and connected hardware should prioritize remediation. A fix is available in the upstream Zephyr repository. Administrators should update to a patched version of Zephyr as soon as possible, and where immediate patching is not feasible, consider disabling IP_PKTINFO socket options or restricting network exposure of affected devices.
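The arithmetic behind the bug, as an added example that is not Zephyr's code: a model of the recvmsg() ancillary-data path in which the buggy check compares only the payload length against msg_controllen, while the corrected check compares CMSG_SPACE(payload_len), which includes the struct cmsghdr header and alignment padding. The 12-byte payload and 12-byte caller buffer are constructed for the demonstration, IP_PKTINFO is used only as a label for the message type, and the function names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

#ifndef IP_PKTINFO
#define IP_PKTINFO 8          /* Linux value; used only as a label in this demo */
#endif

/* Illustrative model of the recvmsg() ancillary-data path, not Zephyr's code.
 * When a socket has IP_PKTINFO enabled the stack delivers a control message
 * into the caller's msg_control buffer of msg_controllen bytes. The buffer
 * must hold a struct cmsghdr followed by the payload, plus alignment padding:
 * that total is CMSG_SPACE(payload_len). */

/* Buggy check: only the payload length is compared with the buffer size, so
 * the header is never accounted for. Returns 1 if the write would be allowed. */
int cmsg_fits_buggy(size_t msg_controllen, size_t data_len)
{
    return data_len <= msg_controllen;
}

/* Corrected check: compare the space actually consumed, header included. */
int cmsg_fits_fixed(size_t msg_controllen, size_t data_len)
{
    return CMSG_SPACE(data_len) <= msg_controllen;
}

/* Bytes the stack writes into the control buffer for a data_len payload. */
size_t cmsg_bytes_written(size_t data_len)
{
    return CMSG_SPACE(data_len);
}

/* Deliver one control message using the corrected check. Returns the number
 * of bytes written, or 0 if the caller's buffer cannot hold it. */
size_t put_cmsg(void *control, size_t msg_controllen,
                int level, int type, const void *data, size_t data_len)
{
    struct msghdr msg;
    struct cmsghdr *cm;

    if (!cmsg_fits_fixed(msg_controllen, data_len))
        return 0;
    memset(&msg, 0, sizeof msg);
    msg.msg_control = control;
    msg.msg_controllen = msg_controllen;
    cm = CMSG_FIRSTHDR(&msg);      /* non-NULL: CMSG_SPACE() >= sizeof(struct cmsghdr) */
    cm->cmsg_level = level;
    cm->cmsg_type = type;
    cm->cmsg_len = CMSG_LEN(data_len);
    memcpy(CMSG_DATA(cm), data, data_len);
    return CMSG_SPACE(data_len);
}

/* Constructed scenario: a 12-byte payload standing in for the IP_PKTINFO data
 * and a caller buffer of exactly 12 bytes. Returns 0 when the buggy check
 * accepts a write that overruns the buffer, the fixed check rejects it, and a
 * correctly sized buffer is filled and reads back; otherwise the failing step. */
int cmsg_selftest(void)
{
    unsigned char payload[12];
    unsigned char big[64];
    const size_t small_len = 12;
    struct msghdr msg;
    struct cmsghdr *cm;

    memset(payload, 0x5a, sizeof payload);
    if (cmsg_fits_buggy(small_len, sizeof payload) != 1) return 1;     /* bug: accepts */
    if (cmsg_bytes_written(sizeof payload) <= small_len) return 2;    /* but writes more */
    if (cmsg_fits_fixed(small_len, sizeof payload) != 0) return 3;     /* fix: rejects */
    if (put_cmsg(big, small_len, IPPROTO_IP, IP_PKTINFO, payload, sizeof payload) != 0)
        return 4;
    if (put_cmsg(big, sizeof big, IPPROTO_IP, IP_PKTINFO, payload, sizeof payload)
            != CMSG_SPACE(sizeof payload)) return 5;
    /* Read it back the way a recvmsg() caller would. */
    memset(&msg, 0, sizeof msg);
    msg.msg_control = big;
    msg.msg_controllen = CMSG_SPACE(sizeof payload);
    cm = CMSG_FIRSTHDR(&msg);
    if (cm == NULL || cm->cmsg_level != IPPROTO_IP || cm->cmsg_type != IP_PKTINFO ||
        cm->cmsg_len != CMSG_LEN(sizeof payload) ||
        memcmp(CMSG_DATA(cm), payload, sizeof payload) != 0) return 6;
    return 0;
}

int main(void)
{
    printf("payload 12 bytes, caller buffer 12 bytes: buggy check %s, fixed check %s, "
           "actual write %zu bytes\n",
           cmsg_fits_buggy(12, 12) ? "accepts" : "rejects",
           cmsg_fits_fixed(12, 12) ? "accepts" : "rejects",
           cmsg_bytes_written(12));
    return cmsg_selftest();
}
```

The same rule applies on the application side when sizing msg_control: allocate CMSG_SPACE(sizeof payload) per expected message rather than the bare payload size, so a stack with the corrected check can deliver the data instead of dropping it.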

Vendor Advisory