CISA expanded its Known Exploited Vulnerabilities catalog in a series of June updates, adding four newly exploited issues across enterprise and software platforms. The agency first listed CVE-2026-45247 in Mirasvit Full Page Cache Warmer, a deserialization flaw that can enable unauthenticated remote code execution through a crafted serialized PHP object in the CacheWarmer cookie. It then added CVE-2026-42271 in BerriAI LiteLLM, a command injection bug that can let any authenticated user, including low-privilege internal-user key holders, execute arbitrary commands on the host. CISA directed organizations to apply vendor mitigations, follow BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable.
CISA later added three more exploited vulnerabilities: a Google Chromium V8 out-of-bounds read/write flaw that could allow sandboxed remote code execution via a crafted HTML page, an Arista EOS packet decapsulation vulnerability, and a Cisco Catalyst SD-WAN Manager flaw that could allow an authenticated local attacker to execute arbitrary commands as root. The KEV catalog count rose from 1,610 to 1,617 across the updates, and CISA assigned remediation deadlines ranging from 2026-06-06 to 2026-06-23. Separate GitHub commits also showed Rack maintainers fixing multipart parsing denial-of-service issues tracked as CVE-2025-61770, CVE-2025-61771, and CVE-2025-61772, but those fixes were not part of the KEV additions described in the June catalog changes.

5 events from the most recent confirmed update back to the earliest known activity.
On 2026-06-15, CISA updated its Known Exploited Vulnerabilities Catalog, increasing the total listed vulnerabilities from 1,619 to 1,621. The newly added entries were CVE-2026-54420 affecting the LiteSpeed cPanel Plugin and CVE-2026-20262 affecting Cisco Catalyst SD-WAN Manager, with CISA directing organizations to apply mitigations under BOD 26-04 guidance.
On 2026-06-09, CISA updated the KEV Catalog and added three vulnerabilities affecting Google Chromium V8, Arista EOS, and Cisco Catalyst SD-WAN Manager. CISA directed organizations to apply mitigations or discontinue use if mitigations were unavailable, with a remediation due date of 2026-06-23.
On 2026-06-08, CISA updated the KEV Catalog to include CVE-2026-42271 in BerriAI LiteLLM. The vulnerability could allow any authenticated user, including low-privilege internal-user key holders, to execute arbitrary commands on the host, with remediation due by 2026-06-22.
On 2026-06-03, CISA updated its Known Exploited Vulnerabilities Catalog and added CVE-2026-45247 affecting Mirasvit Full Page Cache Warmer. The deserialization flaw could allow unauthenticated remote code execution, and CISA set a remediation due date of 2026-06-06.
On 2025-10-07, the Rack project released security fixes for multipart parsing denial-of-service issues, including CVE-2025-61770, CVE-2025-61771, and CVE-2025-61772. The changes added limits for multipart boundary scanning, MIME header sizes, and handling of large non-file fields, with tests verifying oversized inputs are rejected.