June 9, 2026 · Applied Cybernetics Group
Morning Brief — June 9, 2026
Morning Brief — 2026-06-09
2 federal patching priority, 10 emerging critical cves, 10 supply chain, 31 ransomware activity, and 69 ioc volume. Sections with no signal are still rendered with an explicit “none in this window” note so absence is visible alongside presence.
Material Breach Disclosures
No new Item 1.05 8-K filings in this window.
Federal Patching Priority
CVE-2026-42271 — BerriAI LiteLLM
BerriAI LiteLLM Command Injection Vulnerability
- Added: 2026-06-08 · Federal due: 2026-06-22 · EPSS 88.8th pct (score 0.041)
- ransomware use: Unknown
BerriAI LiteLLM contains a command injection vulnerability that could allow any authenticated user, including holders of low-privilege internal-user keys, to run arbitrary commands on the host.
CVE-2026-50751 — Check Point Security Gateway
Check Point Security Gateway Improper Authentication Vulnerability
- Added: 2026-06-08 · Federal due: 2026-06-11 · EPSS 1.2th pct (score 0.000)
- ransomware use: Unknown
Check Point Security Gateway contains an improper authentication vulnerability in IKEv1 key exchange that could allow an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password.
Exploit Probability Movers
No CVEs with ≥0.20 EPSS movement in this window.
Emerging Critical CVEs
CVE-2026-44748· CRITICAL (9.9) · 2026-06-09 — SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in…CVE-2026-27671· CRITICAL (9.8) · 2026-06-09 — Due to improper RFC protocol validation in the SAP Kernel used by the Application Server ABAP of SAP NetWeaver and ABAP Platform, an unauthenticated attacker can send a crafted RFC request that exploits logical errors in…CVE-2026-52778· CRITICAL (9.8) · 2026-06-08 — YesWiki is a wiki system written in PHP. Prior to version 4.6.6, an unsafe execution vulnerability exists in the Bazar form field calculator (CalcField.php) of YesWiki. The application attempts to sanitize user-defined m…CVE-2026-39910· CRITICAL (9.8) · 2026-06-08 — STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by attaching arbitrary service accounts to…CVE-2026-25555· CRITICAL (9.8) · 2026-06-08 — OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware that allows unauthenticated attackers to gain admin access by supplying an empty X-Api-Key header…CVE-2026-44631· CRITICAL (9.8) · 2026-06-08 — Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration.
This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.
Users are recommended to upgrade to version 2…
CVE-2026-11499· CRITICAL (9.8) · 2026-06-08 — A vulnerability was determined in Tenda HG7HG9 and HG10 300001138_en_xpon. This affects the function formDOMAINBLK of the file /boaform/formDOMAINBLK. Executing a manipulation of the argument blkDomain can lead to stack-…CVE-2026-11671· CRITICAL (9.6) · 2026-06-09 — Use after free in Navigation in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)CVE-2026-11651· CRITICAL (9.6) · 2026-06-09 — Use after free in Network in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)CVE-2026-11638· CRITICAL (9.6) · 2026-06-09 — Use after free in Printing in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Supply Chain
GHSA-2vqw-3mp8-cgmx · CVE-2026-47737 (rubygems)
- HIGH · CVSS 7.5 · 2026-06-09
- Affected:
puma,puma - https://github.com/advisories/GHSA-2vqw-3mp8-cgmx
Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections
GHSA-qpgp-93vx-g8v8 · CVE-2026-47736 (rubygems)
- HIGH · CVSS 7.5 · 2026-06-08
- Affected:
puma,puma - https://github.com/advisories/GHSA-qpgp-93vx-g8v8
Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion
GHSA-p2j4-c4g6-rpf5 · CVE-2026-47735 (go)
- HIGH · 2026-06-08
- Affected:
github.com/basekick-labs/arc - https://github.com/advisories/GHSA-p2j4-c4g6-rpf5
Arc has an authenticated arbitrary local-file read via DuckDB I/O functions that bypasses RBAC table-level checks
GHSA-qm33-p5p9-f8vg · CVE-2026-47726 (go)
- HIGH · 2026-06-08
- Affected:
github.com/juev/nebula-mesh - https://github.com/advisories/GHSA-qm33-p5p9-f8vg
nebula-mesh: GET /api/v1/audit-log discloses all entries to any operator
GHSA-273q-qgh5-wrj6 · CVE-2026-47725 (go)
- HIGH · 2026-06-08
- Affected:
github.com/juev/nebula-mesh - https://github.com/advisories/GHSA-273q-qgh5-wrj6
nebula-mesh’s web UI lacks CSRF tokens on /ui/* mutating endpoints
GHSA-598g-h2vc-h5vg · CVE-2026-47724 (go)
- CRITICAL · CVSS 9.9 · 2026-06-08
- Affected:
github.com/juev/nebula-mesh - https://github.com/advisories/GHSA-598g-h2vc-h5vg
nebula-mesh: API endpoints lack ownership checks, enabling cross-operator privilege escalation
GHSA-w7w5-5gcp-38rw · CVE-2026-47723 (go)
- HIGH · 2026-06-08
- Affected:
github.com/juev/nebula-mesh - https://github.com/advisories/GHSA-w7w5-5gcp-38rw
nebula-mesh: Web UI and API responses lack security headers (CSP, X-Frame-Options, HSTS, etc.)
GHSA-7hp6-g3pq-3pc3 · CVE-2026-47722 (go)
- HIGH · 2026-06-08
- Affected:
github.com/juev/nebula-mesh - https://github.com/advisories/GHSA-7hp6-g3pq-3pc3
nebula-mesh: Host advanced overrides allow YAML injection into agent config.yml
GHSA-w86f-rf9w-h3x6 · CVE-2026-47719 (npm)
- HIGH · CVSS 8.2 · 2026-06-08
- Affected:
fuxa-server - https://github.com/advisories/GHSA-w86f-rf9w-h3x6
FUXA: Unauthenticated SSRF via Socket.IO DEVICE_WEBAPI_REQUEST and DEVICE_PROPERTY with response reading
GHSA-hrj8-hjv8-mgwc · CVE-2026-47252 (go)
- CRITICAL · CVSS 9.0 · 2026-06-08
- Affected:
github.com/julien040/anyquery/plugins/chrome,github.com/julien040/anyquery/plugins/brave,github.com/julien040/anyquery/plugins/edge - https://github.com/advisories/GHSA-hrj8-hjv8-mgwc
Anyquery: AppleScript/JXA Code Injection via Unescaped URL in macOS Chrome Plugin
Ransomware Activity
31 new victim postings across 7 groups.
| Group | Victims | Sample |
|---|---|---|
thegentlemen | 15 | IP Rings, Central Arkansas Pediatrics, Metroply, Tress, Institucion Cervantes, E… |
qilin | 6 | The Banyans Health and Wellness, Kinetic Education, SatCom CX, Isuzu Motors, Ope… |
nightspire | 4 | GRIP Outreach For Youth, Unique Litho, Inc, A*** G*** AS, ASIA STRATEGIC |
ransomhouse | 2 | Aegle Aviation, Ma Pak Leung Company Limited |
termite | 2 | Wiese USA, Roland Machinery |
akira | 1 | HRC Sicherheitsdienste |
morpheus | 1 | 3I INFOTECH |
IOC Volume
69 new IOCs in this window. Top families:
| Family | Count |
|---|---|
| elf | 43 |
| ClearFake | 12 |
| Mozi | 7 |
| arm | 4 |
| (unfamilied) | 1 |
| mirai | 1 |
| sh | 1 |
Cross-Reference
No recent SEC filings to cross-reference.
Pipeline Health
All feeds healthy.
Sources: SEC EDGAR (public domain), CISA Known Exploited Vulnerabilities (public domain), FIRST.org EPSS (per ToS), NIST NVD (public domain), GitHub Security Advisories (per ToS), abuse.ch URLhaus (CC0, attribution), ransomware.live (per ToS), MITRE ATT&CK (CC BY 4.0).
Published by Applied Cybernetics Group via thrunt.me. Heuristic cross-references are labelled as such; verify before action.