(TLP:CLEAR) Weekly Vulnerabilities to Prioritize – June 18, 2026

TLP:CLEAR

Author: Chase Snow

Created: Thursday, June 18, 2026 - 14:59

Categories: Cybersecurity, Security Preparedness

The vulnerabilities below have been identified by WaterISAC analysts as important for water and wastewater utilities to prioritize in their vulnerability management efforts. WaterISAC shares critical vulnerabilities that affect widely used products and may be under active exploitation, and draws additional attention in alerts and advisories when vulnerabilities are confirmed to be impacting, or have a high likelihood of impacting, water and wastewater utilities. Members are encouraged to review these vulnerabilities regularly; many of them are also listed in CISA’s Known Exploited Vulnerabilities (KEV) Catalog.

Fortinet FortiSandbox Vulnerabilities
CVSS v3.1:
9.1, 9.1
CVEs: CVE-2026-39808, CVE-2026-39813
Description: Attackers are actively exploiting two critical Fortinet FortiSandbox vulnerabilities that the vendor disclosed and patched in April. CVE-2026-39808 is an OS command injection vulnerability (improper neutralization of special elements used in an OS command) in FortiSandbox 4.4.0 through 4.4.8 that may allow an attacker to execute unauthorized code or commands; the published description leaves the attack vector unspecified. CVE-2026-39813 is a path traversal (‘../filedir’) vulnerability in FortiSandbox 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8 that may allow an attacker to escalate privileges via specially crafted HTTP requests.
Sources:

  • https://fortiguard.fortinet.com/psirt/FG-IR-26-100
  • https://fortiguard.fortinet.com/psirt/FG-IR-26-112

Additional Reading:

  • Attackers hit pair of critical Fortinet vulnerabilities the vendor disclosed in April

Ivanti Sentry OS Command Injection Vulnerability
CVSS v3.1:
10.0
CVE: CVE-2026-10520
Description: An OS command injection vulnerability in Ivanti Sentry before versions R10.5.2, R10.6.2 and R10.7.1 allows a remote, unauthenticated user to achieve root-level remote code execution. CISA added this vulnerability to its Known Exploited Vulnerabilities Catalog.
Source: https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523?language=en_US

Splunk Enterprise Missing Authentication for Critical Function Vulnerability
CVSS v3.1:
9.8
CVE: CVE-2026-20253
Description: In Splunk Enterprise 10.2 versions below 10.2.4 and 10.0 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials. Splunk Enterprise versions 9.4 and earlier are not affected. If you cannot immediately upgrade to a fixed version, you can mitigate this vulnerability by disabling the PostgreSQL sidecar service. CISA added this vulnerability to its Known Exploited Vulnerabilities Catalog.
Source: https://advisory.splunk.com/advisories/SVD-2026-0603

Widget Factory Joomla Content Editor Improper Access Control Vulnerability
CVSS v3.1:
10.0
CVE: CVE-2026-48907
Description: A vulnerability in the JCE editor extension for Joomla allows unauthenticated users to create new editor profiles, ultimately enabling the upload and execution of PHP code. CISA added this vulnerability to its Known Exploited Vulnerabilities Catalog.
Original Source: https://www.joomlacontenteditor.net/

Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability
CVSS v3.1:
9.8
CVE: CVE-2026-35273
Description: A vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools; successful attacks can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CISA added this vulnerability to its Known Exploited Vulnerabilities Catalog.
Source: https://www.oracle.com/security-alerts/alert-cve-2026-35273.html

Cisco Catalyst SD-WAN Manager Arbitrary File Write Vulnerability
CVSS v3.1:
6.5
CVE: CVE-2026-20262
Description: A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system. The vulnerability exists because the affected software does not properly validate user-supplied input during a file upload process. An attacker could exploit it by sending a crafted HTTP request to an affected API endpoint; a successful exploit could allow the attacker to create or overwrite any file on the underlying operating system, and that file could later be used to elevate to root. To exploit this vulnerability, the attacker must have valid credentials for at least a lower-privileged, single-task user account. CISA added this vulnerability to its Known Exploited Vulnerabilities Catalog.
Original Source: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-arbfw-c2rZvQ
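The following triage script is an added example written for this page; it is not WaterISAC or vendor tooling. It transcribes the affected-version ranges stated in the entries above into a table, checks a software inventory against them, and orders the findings the way the introduction suggests (KEV-listed entries first, then anything the page reports as actively exploited, then by CVSS). The inventory at the bottom is constructed for illustration and does not describe any real deployment; the Ivanti branch boundaries (R10.6.0, R10.7.0) and the interpretation that “before R10.5.2” covers all older releases are assumptions from the wording, and entries for which the page gives no version range (JCE, Cisco SD-WAN Manager) are reported as “review” rather than decided.

```python
"""Triage helper for the vulnerabilities listed on this page.

Added example, not WaterISAC or vendor code. Version ranges are transcribed
from the page text; the inventory below is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(text: str) -> tuple:
    """'R10.5.2' -> (10, 5, 2); '8.61' -> (8, 61). Non-numeric parts are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


@dataclass
class Entry:
    cve: str
    product: str
    cvss: float
    exploited: bool                 # page reports active exploitation
    in_kev: bool                    # page says CISA added it to KEV
    # (first affected, first fixed) pairs; None = page states no version range
    affected: Optional[List[Tuple[str, str]]] = None

    def is_affected(self, version: str) -> Optional[bool]:
        if self.affected is None:
            return None             # cannot decide from the advisory text
        v = parse_version(version)
        return any(parse_version(lo) <= v < parse_version(fixed)
                   for lo, fixed in self.affected)


ADVISORY = [
    Entry("CVE-2026-39808", "FortiSandbox", 9.1, exploited=True, in_kev=False,
          affected=[("4.4.0", "4.4.9")]),                  # 4.4.0 through 4.4.8
    Entry("CVE-2026-39813", "FortiSandbox", 9.1, exploited=True, in_kev=False,
          affected=[("4.4.0", "4.4.9"), ("5.0.0", "5.0.6")]),
    Entry("CVE-2026-10520", "Ivanti Sentry", 10.0, exploited=True, in_kev=True,
          # "before R10.5.2, R10.6.2 and R10.7.1": assumed per-branch fixes
          affected=[("0", "R10.5.2"), ("R10.6.0", "R10.6.2"), ("R10.7.0", "R10.7.1")]),
    Entry("CVE-2026-20253", "Splunk Enterprise", 9.8, exploited=True, in_kev=True,
          # 9.4 and earlier are unaffected; the page says nothing about 10.1
          affected=[("10.0.0", "10.0.7"), ("10.2.0", "10.2.4")]),
    Entry("CVE-2026-48907", "JCE", 10.0, exploited=True, in_kev=True),
    Entry("CVE-2026-35273", "PeopleTools", 9.8, exploited=True, in_kev=True,
          affected=[("8.61", "8.63")]),                    # 8.61 and 8.62
    Entry("CVE-2026-20262", "Cisco Catalyst SD-WAN Manager", 6.5,
          exploited=True, in_kev=True),
]
BY_CVE = {e.cve: e for e in ADVISORY}


def triage(inventory: List[Tuple[str, str]]) -> List[dict]:
    """Match (product, version) pairs against ADVISORY; highest priority first."""
    findings = []
    for product, version in inventory:
        for e in ADVISORY:
            if e.product.lower() not in product.lower():
                continue
            status = e.is_affected(version)
            if status is False:
                continue            # installed version is outside the stated range
            findings.append({
                "product": product, "version": version, "cve": e.cve,
                "cvss": e.cvss, "kev": e.in_kev, "exploited": e.exploited,
                "action": "patch now" if status
                          else "no version range on page; review vendor advisory",
            })
    # KEV first, then anything reported exploited, then by CVSS (stable sort)
    findings.sort(key=lambda f: (f["kev"], f["exploited"], f["cvss"]), reverse=True)
    return findings


INVENTORY = [                       # constructed example inventory, not a real site
    ("FortiSandbox", "4.4.6"),
    ("Ivanti Sentry", "R10.6.1"),
    ("Splunk Enterprise", "10.2.4"),
    ("Splunk Enterprise", "10.0.5"),
    ("PeopleSoft PeopleTools", "8.61.12"),
    ("JCE Editor for Joomla", "unknown"),
]

if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f"{f['cve']:<15} {f['product']:<24} {f['version']:<9} "
              f"CVSS {f['cvss']:<4} KEV={f['kev']!s:<5} {f['action']}")
```

The version comparison is a plain tuple comparison, which is enough for the dotted schemes on this page but will misorder vendors that use letters or build strings; for those, a `None` result (“review”) is the safer default. The Fortinet entries sort below the KEV-listed ones only because this page does not say they are in the catalog; re-check the catalog before treating that ordering as current.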
