Overdue: Web Platforms and Data Infrastructure Failures

Two entries in this batch have already passed their patch deadlines, meaning covered organizations are out of compliance as of today.

CVE-2026-48907 in the Widget Factory Joomla Content Editor carried a deadline of June 19, 2026 — five days ago. The vulnerability permits unauthenticated users to create new editor profiles and upload and execute arbitrary PHP code. This is effectively unauthenticated remote code execution on any internet-facing Joomla installation running the affected plugin. Web shells, lateral movement, and data exfiltration are the immediate downstream risks. If your organization has not patched, assume the affected host is compromised: pull it from production, conduct forensic review of file system changes and new user profiles created in the past 30 days, and rotate all credentials stored or accessible on that host.

CVE-2026-20253 in Splunk Enterprise had a deadline of June 21, 2026 — also now overdue. A missing authentication vulnerability exposes a PostgreSQL sidecar service endpoint to unauthenticated file creation and truncation. For Splunk deployments, this is particularly consequential: arbitrary file writes can be used to corrupt index configurations, plant backdoors in search scripts, or disable logging integrity — directly undermining the security monitoring function Splunk is deployed to provide. Splunk administrators should verify endpoint exposure, apply the patch immediately, and audit recent file system activity on the Splunk host for anomalous writes.

Managed Infrastructure: Shared Hosting and SD-WAN Exposure

The final two KEV entries target managed hosting and enterprise WAN infrastructure — environments that often receive less aggressive patch scrutiny because they sit beneath abstraction layers.

CVE-2026-54420 in the LiteSpeed cPanel Plugin (deadline: June 18, 2026, now overdue) exploits a UNIX symlink-following vulnerability in shared hosting environments running CloudLinux/CageFS. An attacker with FTP or web shell access can escape the CageFS container boundary — precisely the isolation mechanism these environments rely on to separate tenants. For managed hosting providers, this represents a cross-tenant compromise risk. Hosting operators should prioritize patching and audit CageFS integrity, reviewing symlink configurations and any accounts with recent FTP or shell activity.

CVE-2026-20262 in Cisco Catalyst SD-WAN Manager has the most generous deadline in this batch — June 29, 2026 — but warrants immediate attention. An authenticated remote attacker can leverage a path traversal flaw to create or overwrite arbitrary files on the filesystem. In SD-WAN environments, file overwrites can manipulate routing policy, VPN configurations, or logging, with enterprise-wide network consequences. While the authentication requirement raises the bar slightly, compromised credentials — a routine occurrence — eliminate that barrier entirely. Cisco SD-WAN operators should apply patches before June 29, enforce strict MFA on management interfaces, and review filesystem integrity logs for unexpected file modifications.

Summary Posture

| CVE | Product | Deadline | Status | |---|---|---|---| | CVE-2026-54420 | LiteSpeed cPanel Plugin | June 18 | Overdue | | CVE-2026-48907 | Joomla Content Editor | June 19 | Overdue | | CVE-2026-20253 | Splunk Enterprise | June 21 | Overdue | | CVE-2026-20262 | Cisco Catalyst SD-WAN Manager | June 29 | Imminent | | CVE-2025-67038 | Lantronix EDS5000 | June 26 | 48 hrs | | CVE-2026-34908/09/10 | Ubiquiti UniFi OS | June 26 | 48 hrs |

All eight CVEs carry BOD 26-04 obligations for federal agencies and covered contractors. Organizations that cannot patch within deadlines must document compensating controls, assess internet exposure of each affected asset, and satisfy CISA's forensic triage requirements.

Sources: CISA KEV Catalog · CISA BOD 26-04 · Cisco Security Advisories · Ubiquiti Security Advisory Portal · Splunk Security Advisories · Lantronix Support · LiteSpeed Security Notices