VYPR
AI Brief · 2026-06-17 · generated Jun 16, 2026

What you need to know today.

CISA flags a LiteSpeed cPanel plugin and Microsoft Exchange Server as actively exploited, while a SimpleHelp RMM bypass and 25 WordPress plugin flaws emerge.

CISA adds a LiteSpeed cPanel plugin symlink flaw and a Microsoft Exchange Server XSS bug to KEV, both under active exploitation. CVE-2026-54420 affects the LiteSpeed cPanel plugin before version 2.4.8 (distributed in LiteSpeed WHM PlugIn before 5.3.2.0) on shared hosting servers running CloudLinux/CageFS. An attacker with FTP or web shell access can abuse mishandled symlinks to escalate privileges to root. As BleepingComputer reported, this is the latest in a string of cPanel plugin flaws exploited in the wild. Separately, CVE-2026-42897 is a cross-site scripting vulnerability in Microsoft Exchange Server that allows an unauthenticated attacker to perform spoofing over a network. SecurityWeek noted that Microsoft shipped a patch during its June 2026 Patch Tuesday, which addressed six zero-days and over 200 total flaws. Both CVEs carry a risk score of 0.65 or higher and should be prioritized for immediate patching.
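The symlink bug class above is worth seeing in code. The following is an added example, not the LiteSpeed plugin's code and not an exploit for it: a privileged component that joins a user-controlled relative path onto the user's home directory and opens it (the anti-pattern), beside an open that walks the path component by component with O_NOFOLLOW relative to a directory descriptor and then insists on a regular file owned by the expected user. The directory tree, file names and the owner_uid parameter are constructed for the demo.

```python
"""Symlink-confined file access: added illustration of the generic bug class
behind symlink privilege escalation in privileged hosting tooling.
Not the LiteSpeed plugin's code and not an exploit for it; the tree built in
demo() is constructed."""
import errno
import os
import stat
import tempfile
from pathlib import PurePosixPath
from typing import Optional


def unsafe_read(base: str, rel: str) -> bytes:
    """Anti-pattern: a root-privileged process joins a user-controlled relative
    path onto the user's directory and opens it. Any symlink the user planted
    in any component redirects the read (or, on a write path, the write)."""
    with open(os.path.join(base, rel), "rb") as fh:
        return fh.read()


def safe_read(base: str, rel: str, owner_uid: Optional[int] = None,
              max_bytes: int = 1 << 20) -> bytes:
    """Open base/rel without following a symlink in any component. Each
    component is opened with O_NOFOLLOW relative to the previous directory
    fd, so a component swapped after a check cannot redirect the open."""
    parts = PurePosixPath(rel).parts
    if not parts or PurePosixPath(rel).is_absolute() or ".." in parts:
        raise PermissionError(f"refusing path {rel!r}")
    dir_flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    fd = os.open(base, dir_flags)
    try:
        for comp in parts[:-1]:
            next_fd = os.open(comp, dir_flags, dir_fd=fd)  # ELOOP on a symlink
            os.close(fd)
            fd = next_fd
        file_fd = os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW, dir_fd=fd)
    except OSError as exc:
        why = "symlink in path" if exc.errno == errno.ELOOP else exc.strerror
        raise PermissionError(f"refusing path {rel!r}: {why}") from exc
    finally:
        os.close(fd)
    with os.fdopen(file_fd, "rb") as fh:
        st = os.fstat(fh.fileno())
        # Hard links are the other way to smuggle a foreign file into the
        # user's tree: insist on a regular file owned by the expected user.
        if not stat.S_ISREG(st.st_mode) or (
                owner_uid is not None and st.st_uid != owner_uid):
            raise PermissionError(f"refusing path {rel!r}: not a regular file "
                                  f"owned by uid {owner_uid}")
        return fh.read(max_bytes)


def demo() -> dict:
    """Constructed tree: a user's home holding a planted symlink to a file
    outside it and a planted symlink to a directory above it."""
    root = tempfile.mkdtemp(prefix="symlink-demo-")
    home = os.path.join(root, "home", "user")
    os.makedirs(os.path.join(home, "public_html"))
    with open(os.path.join(root, "secret"), "wb") as fh:      # outside the home
        fh.write(b"root-only-data\n")
    with open(os.path.join(home, "public_html", "index.html"), "wb") as fh:
        fh.write(b"<h1>hello</h1>\n")
    # What a user with FTP or web-shell access can plant in their own tree:
    os.symlink(os.path.join(root, "secret"),
               os.path.join(home, "public_html", "error_log"))
    os.symlink(root, os.path.join(home, "escape"))

    results = {
        "unsafe_file_link": unsafe_read(home, "public_html/error_log"),
        "unsafe_dir_link": unsafe_read(home, "escape/secret"),
        "safe_regular": safe_read(home, "public_html/index.html",
                                  owner_uid=os.getuid()),
    }
    for label, rel in (("safe_file_link", "public_html/error_log"),
                       ("safe_dir_link", "escape/secret"),
                       ("safe_traversal", "../../secret")):
        try:
            safe_read(home, rel, owner_uid=os.getuid())
            results[label] = "opened"
        except PermissionError:
            results[label] = "refused"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

On Linux the fs.protected_symlinks sysctl only covers symlinks in sticky world-writable directories such as /tmp, not a user's own home, so a privileged process serving per-user files has to refuse symlinks itself, as above; fs.protected_hardlinks closes the hard-link variant that the ownership check guards against.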

A critical authentication bypass in SimpleHelp remote monitoring and management software (CVE-2026-48558) exposes roughly 14,000 internet-facing servers to full compromise. Versions 5.5.15 and prior, plus 6.0 pre-release builds, accept OIDC identity tokens without proper validation, letting an attacker forge tokens and create rogue remote support accounts. As Help Net Security explained, this gives attackers the same level of access as a legitimate technician — full remote control over managed endpoints. BleepingComputer added that the bug can be exploited without any user interaction. With a CVSS score of 10.0 and no EPSS data yet, organizations running SimpleHelp should treat this as an emergency patch.
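"Accepts OIDC identity tokens without proper validation" covers a short checklist that any relying party must run before trusting an ID token. The example below is added here to make that checklist concrete; it is not SimpleHelp's code, does not reproduce the specific defect, and is not an exploit. It mints HS256 tokens with a constructed shared key (real providers sign with RS256 or ES256 and publish keys via JWKS; the checks are the same) and contrasts a lax decoder that simply believes the payload with a strict verifier that pins the algorithm, checks the signature in constant time, and enforces issuer, audience and time bounds. The issuer URL, audience and key are assumptions for the demo.

```python
"""ID-token validation: added illustration of the failure class behind
"accepts OIDC identity tokens without proper validation". Not SimpleHelp's
code and not its exploit; the key, issuer and audience are constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the demo only.
IDP_SECRET = b"constructed-demo-key-not-for-use"
EXPECTED_ISSUER = "https://idp.example.test"   # hypothetical issuer
EXPECTED_AUDIENCE = "remote-support-console"   # hypothetical client_id
CLOCK_SKEW = 30                                 # seconds


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = IDP_SECRET, alg: str = "HS256") -> str:
    """Builds a compact JWS. A wrong key or alg="none" simulates a forgery."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def lax_claims(token: str) -> dict:
    """The anti-pattern: decode the payload and believe it. No signature,
    issuer, audience or expiry check, so anyone can mint a technician token."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def strict_verify(token: str, key: bytes = IDP_SECRET,
                  now: Optional[float] = None) -> dict:
    """Returns the claims only if every check passes; raises ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # 1. Pin the algorithm server-side; the token must not pick "none" or
    #    downgrade to a different algorithm.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # 2. Verify the signature over header.payload with a constant-time compare.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # 3. The token must come from our IdP and be addressed to this application.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    # 4. Time bounds with a small skew allowance; exp is mandatory.
    if "exp" not in claims or now >= claims["exp"] + CLOCK_SKEW:
        raise ValueError("expired")
    if claims.get("nbf", 0) > now + CLOCK_SKEW:
        raise ValueError("not yet valid")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims


def verdict(token: str, now: float) -> str:
    """'accepted:<sub>' or 'rejected:<reason>', for logging or tests."""
    try:
        return "accepted:" + strict_verify(token, now=now)["sub"]
    except ValueError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    now = time.time()
    base = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
            "sub": "technician-7", "exp": now + 600}
    forged = mint_token(dict(base, sub="admin"), key=b"attacker-key")
    print("lax decoder trusts:", lax_claims(forged)["sub"])
    print("strict verifier:", verdict(forged, now))
```

The account-creation step that follows a verified token should also map sub (not email or name, which are mutable) to the local account, and should never auto-provision an account with technician privileges from a token alone.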

A wave of 25 WordPress plugin CVEs was disclosed in a single day, with 11 rated critical and several enabling unauthenticated remote code execution. Among the most severe are CVE-2026-48836 (Easy Invoice <= 2.1.19, unauthenticated RCE), CVE-2026-40772 (GeekyBot <= 1.2.2, arbitrary file upload), and CVE-2026-52704 (WooCommerce PDF Invoice Builder <= 2.0.8, code injection). A cluster of PHP object injection flaws affects popular integration plugins: CVE-2026-9691 (ActiveCampaign/CF7/WPForms/Elementor/Ninja Forms integration <= 1.1.1), CVE-2026-49765 (Mailchimp integration <= 1.1.8), CVE-2026-49763 (HubSpot integration <= 1.3.7), and CVE-2026-49109 (Salesforce integration <= 1.4.3). As Vypr Intelligence detailed, many of these plugins have thousands of active installations, making this a broad supply-chain risk for WordPress site owners.

A critical vulnerability in the UDS Identity Config project (CVE-2026-46389) could allow privilege escalation in Keycloak deployments used by UDS Core. Versions 0.11.0 through 0.26.0 contain a logic error in the client-kubernetes-secret Keycloak client configuration that can be exploited by an attacker with network access to the Keycloak admin interface. The flaw carries a CVSS score of 10.0 and a risk score of 0.65. UDS Identity Config is maintained by Defense Unicorns and is used to build Keycloak configuration images consumed by UDS Core's identity deployment. Organizations using UDS Core should update to the latest patched version immediately.

A critical Spring Data Commons property binder vulnerability (CVE-2018-1273) resurfaces with a risk score of 0.82, the highest in today's window, and remains on the KEV list. Versions prior to 1.13.11 and 2.0.6 are affected by improper neutralization of special elements, allowing unauthenticated remote code execution. Despite being disclosed in 2018, the vulnerability carries an EPSS score of 0.96, a 96% estimated probability of exploitation activity in the next 30 days. This serves as a reminder that aged CVEs on KEV continue to pose significant risk, especially in environments with legacy Spring Data Commons deployments that may have been overlooked during past patch cycles.

Additional WordPress plugin critical flaws include unrestricted file upload in Kids Online Store (CVE-2026-40750, CVSS 9.9), code injection in RD Station (CVE-2026-49774, CVSS 9.9), and broken authentication in RegistrationMagic (CVE-2026-49764, CVSS 9.8). CVE-2026-49766 allows subscriber-level arbitrary file deletion in WP User Manager <= 2.9.16. The Wordfence weekly report covers the full batch, noting that many of these plugins lack automatic updates, leaving site administrators responsible for manual patching. Given the unauthenticated nature of most of these flaws, attackers can weaponize them at scale through automated scanning.

Synthesized by Vypr AI
CISA Adds LiteSpeed and Exchange Flaws to KEV · VYPR