A roundup of notable cyber security developments from roughly the trailing 48 hours (June 15–17, 2026). Every item below was traced to a primary source — a vendor advisory, the CVE record, the CISA KEV catalog, or the original research writeup.
Microsoft confirms unpatched “RoguePlanet” zero-day in Defender (CVE-2026-50656)
Microsoft MSRC · June 17, 2026
Microsoft published an advisory acknowledging a publicly disclosed elevation-of-privilege flaw in the Microsoft Malware Protection Engine used by Microsoft Defender, tracked as CVE-2026-50656 (CVSS 7.8) and nicknamed “RoguePlanet.” A public proof-of-concept from researcher “Nightmare Eclipse” abuses a race condition to spawn a command prompt with SYSTEM privileges, and reportedly works whether or not Defender’s real-time protection is enabled. No patch is available yet; Microsoft says one is in progress.
“Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender publicly referred to as ‘RoguePlanet’… We are working to provide a high-quality security update that addresses this vulnerability.” — Microsoft
Source: Microsoft MSRC advisory (CVE-2026-50656) · SecurityWeek
CISA adds a maximum-severity Joomla Content Editor flaw to its KEV catalog (CVE-2026-48907)
CISA · June 16, 2026
CISA added CVE-2026-48907 — a critical (CVSS 10.0) improper-access-control flaw in the Widget Factory Joomla Content Editor (JCE) extension — to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. The flaw can let unauthenticated attackers upload and execute PHP code by creating new editor profiles, and the KEV listing sets a federal remediation deadline under the current directive.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” — CISA
Source: CISA alert (June 16, 2026) · KEV catalog
Supply-chain attack hijacks a contributor account to poison 140+ Mastra npm packages
Socket / The Hacker News · June 17, 2026
In a roughly 80-minute window early on June 17 (UTC), attackers used the hijacked account of a legitimate former contributor (“ehindero”) to publish malicious versions of more than 140 packages in the @mastra/* npm scope, which belongs to Mastra, the popular open-source AI-agent framework. Per Socket’s analysis, the compromised packages themselves were unmodified; the malware was delivered through an injected typosquatted dependency (easy-day-js) carrying an obfuscated postinstall payload that runs automatically on npm install. Affected packages include @mastra/core, which sees hundreds of thousands of weekly downloads.
Source: Socket research · The Hacker News
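A lockfile check for the pattern described above, as an added example that is not from Socket, The Hacker News or the Mastra project: it looks for the dependency named in the report, shows which package pulled it in, and lists every package that declares an install script. The sample lockfile, its versions and the names example-lib and native-addon-example are constructed; hasInstallScript is the field npm records in lockfile versions 2 and 3.

```javascript
// Added example (not Socket's or Mastra's tooling): audit a parsed
// package-lock.json, lockfileVersion 2 or 3, for a named dependency and for
// packages that declare install scripts (preinstall/install/postinstall).

// Dependency name taken from the report above.
const FLAGGED = new Set(['easy-day-js']);

// 'node_modules/a/node_modules/@s/b' -> '@s/b' (handles nesting and scopes)
function packageName(lockPath) {
  const marker = 'node_modules/';
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

function auditLockfile(lock) {
  const entries = Object.entries(lock.packages || {});
  const findings = { flagged: [], installScripts: [] };
  for (const [path, meta] of entries) {
    if (path === '') continue; // '' is the root project, not a dependency
    const name = packageName(path);
    // npm sets hasInstallScript when a package would run code at install time
    if (meta.hasInstallScript) findings.installScripts.push(name);
    if (!FLAGGED.has(name)) continue;
    // Report which entries declare the flagged name, to show how it got in
    const requiredBy = entries
      .filter(([, m]) => Object.keys({ ...m.dependencies, ...m.optionalDependencies }).includes(name))
      .map(([p]) => (p === '' ? '(root project)' : packageName(p)));
    findings.flagged.push({ name, version: meta.version, path, requiredBy });
  }
  return findings;
}

// Constructed sample: placeholder versions, made-up example-lib and
// native-addon-example. For a real project pass JSON.parse() of the lockfile.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { '@mastra/core': '0.0.0' } },
    'node_modules/@mastra/core': {
      version: '0.0.0',
      dependencies: { 'easy-day-js': '0.0.0', 'example-lib': '0.0.0' },
    },
    'node_modules/easy-day-js': { version: '0.0.0', hasInstallScript: true },
    'node_modules/example-lib': { version: '0.0.0' },
    'node_modules/native-addon-example': { version: '0.0.0', hasInstallScript: true },
  },
};

console.log(JSON.stringify(auditLockfile(sampleLock), null, 2));
```

Running `npm ci --ignore-scripts` keeps postinstall hooks from executing while a lockfile is under review.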
Still developing: Oracle PeopleSoft zero-day fuels ShinyHunters extortion of universities (CVE-2026-35273)
Oracle / Mandiant · disclosed June 10, 2026 (ongoing)
The ShinyHunters group has been exploiting CVE-2026-35273, an unauthenticated remote-code-execution flaw in Oracle PeopleSoft PeopleTools, in attacks dating to at least late May. Google/Mandiant say 100+ organizations — about two-thirds in higher education — were notified, and the University of Nottingham confirmed student data was stolen. Oracle issued an out-of-band advisory with mitigations but, as of reporting, no full patch.
“This campaign is still active. We have observed ShinyHunters sending extortions as recently as today.” — Charles Carmakal, CTO, Mandiant Consulting
Source: Oracle security alert · Google Threat Intelligence · CyberScoop
Primary sources: msrc.microsoft.com · cisa.gov · socket.dev · oracle.com