This brief covers the trailing ~48 hours (June 18–20, 2026). No new vulnerabilities, advisories, or KEV entries surfaced from authoritative primary sources inside that window, a quiet stretch following last week's heavy Patch Tuesday cycle. Rather than pad the brief with unverified or stale items, the section below tracks the most significant campaigns from the preceding days that remain active, each presented with its original disclosure date and traced to its primary source.
Still developing
Oracle PeopleSoft zero-day exploited for unauthenticated RCE (CVE-2026-35273)
Oracle Security Alert · June 11, 2026
Oracle issued an out-of-cycle Security Alert for CVE-2026-35273, a critical flaw in PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62 carrying a CVSS base score of 9.8. The bug is remotely exploitable without authentication and can result in remote code execution. It was exploited as a zero-day in ShinyHunters data-theft attacks; Mandiant (Google Threat Intelligence) confirmed exploitation and notified more than 100 organizations, 68% of them in the higher-education sector. Oracle released emergency mitigations with a full patch to follow. Because exploitation needs no credentials, internet-exposed PeopleSoft instances should apply the interim mitigations now rather than wait for the full patch. Not yet listed in CISA KEV at the time of writing.
“This vulnerability is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution.” — Oracle Security Alert advisory
Source: Oracle Security Alert (CPU187) · Mandiant / Google Threat Intelligence · BleepingComputer
Microsoft June Patch Tuesday: Exchange Server zero-day exploited in the wild (CVE-2026-42897)
Microsoft (MSRC) · June 9, 2026
Microsoft's June 2026 Patch Tuesday addressed 200 flaws, including six zero-days: five publicly disclosed and one exploited in attacks. The actively exploited issue is CVE-2026-42897, a spoofing vulnerability in Microsoft Exchange Server 2016, 2019, and Subscription Edition that lets an attacker run JavaScript in a victim's browser through Outlook Web Access, so in practice it behaves as a cross-site scripting bug against OWA users. The publicly disclosed zero-days include two BitLocker bypasses ("YellowKey" and "bitskrieg") and the "GreenPlasma" and "Mini-Plasma" elevation-of-privilege flaws. Administrators should prioritize the Exchange update, since it is the one flaw in the set with confirmed in-the-wild exploitation.
“Today is Microsoft’s June 2026 Patch Tuesday, with security updates for 200 flaws, including five publicly disclosed zero-day vulnerabilities and one actively exploited in attacks.” — BleepingComputer
Source: Microsoft MSRC advisory (CVE-2026-42897) · BleepingComputer
Microsoft Defender “RoguePlanet” PoC grants SYSTEM on fully patched Windows (no patch)
BleepingComputer / Nightmare Eclipse · June 9, 2026
Hours after Patch Tuesday, the researcher known as Nightmare Eclipse published a proof-of-concept exploit, dubbed "RoguePlanet", for a race-condition flaw in Microsoft Defender. It spawns a command prompt with SYSTEM privileges on fully patched Windows 10 and Windows 11 systems. No CVE has been assigned and no patch was available at disclosure; Microsoft says it is investigating. Cybersecurity firm ThreatLocker independently reproduced the exploit against fully patched Windows 11 (with KB5094126 installed). Application allowlisting is cited as an effective mitigation because it stops the PoC binary from running at all; it does not fix the underlying Defender flaw, so a vendor patch remains the only full remediation.
“Our initial analysis confirms that the RoguePlanet exploit is viable and performs as described. Organizations using application allowlisting can prevent the exploit from executing, providing an effective layer of protection against this attack.” — Danny Jenkins, CEO, ThreatLocker
Source: BleepingComputer
CISA adds Joomla Content Editor flaw to KEV (CVE-2026-48907)
CISA · June 16, 2026
CISA added CVE-2026-48907, an improper access control vulnerability in the Widget Factory Joomla Content Editor (JCE) extension, to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Under BOD 22-01 the addition sets a remediation deadline for federal civilian executive branch agencies, and it is a strong signal for any organization running the affected JCE extension to update or mitigate. KEV status: listed.
Source: CISA alert · CISA KEV catalog
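One way to operationalize KEV additions like this one, and to check the "not yet listed" note on the Oracle item above, is to cross-reference the catalog's JSON feed against the CVEs in your own inventory. The Python below is an added example, not tooling from CISA or from this brief. It uses the field names of the real KEV JSON feed, but the feed excerpt embedded in it is constructed for illustration: the CVE ID, vendor, product and dateAdded follow this item, while the dueDate and remaining fields are assumed. Live use would fetch the feed URL noted in the comment instead of the sample string.

```python
"""Triage a CISA KEV feed against a local list of CVEs (added example)."""
import json
from datetime import date

# The live catalog; not fetched here so the example runs offline.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# CONSTRUCTED excerpt in the feed's JSON shape. cveID, vendorProject, product and
# dateAdded follow the brief; dueDate and the other field values are assumed.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.06.16",
    "dateReleased": "2026-06-16T18:00:00.0000Z",
    "count": 1,
    "vulnerabilities": [{
        "cveID": "CVE-2026-48907",
        "vendorProject": "Widget Factory",
        "product": "Joomla Content Editor (JCE)",
        "vulnerabilityName": "Widget Factory JCE Improper Access Control Vulnerability",
        "dateAdded": "2026-06-16",
        "shortDescription": "Widget Factory JCE contains an improper access control vulnerability.",
        "requiredAction": "Apply mitigations per vendor instructions or discontinue use "
                          "of the product if mitigations are unavailable.",
        "dueDate": "2026-07-07",  # assumed: a typical three-week BOD 22-01 window
        "knownRansomwareCampaignUse": "Unknown",
        "notes": "",
    }],
})


def _as_date(value) -> date:
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def load_kev(feed_json: str) -> dict[str, dict]:
    """Index the feed's vulnerabilities by upper-cased CVE ID."""
    data = json.loads(feed_json)
    return {v["cveID"].upper(): v for v in data["vulnerabilities"]}


def triage(feed_json: str, inventory_cves: list[str], today) -> list[dict]:
    """Cross-reference CVEs of interest with the catalog.

    Returns one row per CVE: listed entries first (soonest due date first),
    then CVEs that are not in the catalog. days_left goes negative once the
    BOD 22-01 due date has passed.
    """
    today = _as_date(today)
    kev = load_kev(feed_json)
    rows = []
    for raw in inventory_cves:
        cve = raw.strip().upper()          # tolerate 'cve-2026-48907' style input
        entry = kev.get(cve)
        if entry is None:
            rows.append({"cve": cve, "listed": False, "due_date": None,
                         "days_left": None, "overdue": False})
            continue
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        rows.append({"cve": cve, "listed": True, "due_date": due,
                     "days_left": days_left, "overdue": days_left < 0,
                     "product": entry["product"],
                     "required_action": entry["requiredAction"]})
    rows.sort(key=lambda r: (not r["listed"], r["due_date"] or date.max))
    return rows


def added_since(feed_json: str, start, end) -> list[dict]:
    """Entries whose dateAdded falls inside [start, end], e.g. a brief's window."""
    start, end = _as_date(start), _as_date(end)
    return [v for v in json.loads(feed_json)["vulnerabilities"]
            if start <= date.fromisoformat(v["dateAdded"]) <= end]


if __name__ == "__main__":
    inventory = ["cve-2026-48907", "CVE-2026-35273"]   # JCE item and the Oracle item
    for row in triage(SAMPLE_KEV_FEED, inventory, "2026-06-20"):
        if row["listed"]:
            print(f"{row['cve']}: in KEV, due {row['due_date']} ({row['days_left']} days left)")
        else:
            print(f"{row['cve']}: not in KEV")
    window = added_since(SAMPLE_KEV_FEED, "2026-06-18", "2026-06-20")
    print(f"entries added in the 48-hour window: {len(window)}")
```

Run against the live feed, the same two functions answer the two questions this brief asks of KEV: which of your tracked CVEs now carry a deadline, and whether anything was added inside the reporting window.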
Primary sources: