Skip to content
July 10, 2026 4:34:33 PM
CRITICAL 3 HIGH 12 MEDIUM 45 ADVISORIES TRACKED 15 CRITICAL 3 HIGH 12 MEDIUM 45 ADVISORIES TRACKED 15
[//]

Cyber Threat Hub

Stay ahead of cyber threats with real-time news on data breaches, vulnerabilities, and security updates. Your hub for the latest cybersecurity intelligence.

Vulnerabilities · July 2, 2026 · Admin

June 2026 Top Common Vulnerabilities and Exposures Recap

cve recap

June 2026 delivered hundreds of high-scoring patches, with Microsoft alone shipping close to 200-210 CVEs (depending on which vendor’s count you follow), Adobe patching 123 flaws, and Chrome/Edge fixing over 500 issues between them. Analysts widely attributed the surge to accelerated AI-assisted vulnerability discovery research on both the offensive and defensive sides. Below are ten of the month’s most significant CVEs, spanning zero-days, actively exploited flaws, and maximum-severity bugs across the enterprise stack.


1. CVE-2026-50507 — Windows BitLocker Security Feature Bypass (“YellowKey”)

Link: https://www.cve.org/CVERecord?id=CVE-2026-50507

A publicly disclosed zero-day affecting BitLocker, nicknamed “YellowKey” by the researcher who released proof-of-concept code in May. It carries a CVSS score of 6.8 and requires physical access to exploit, but Microsoft flagged it as “Exploitation More Likely.” A second related BitLocker bypass, CVE-2026-45585, forced baseline updates for hotpatch-enrolled Windows 11 Enterprise systems this month.

2. CVE-2026-49160 — Windows HTTP Protocol Stack Denial of Service

Link: https://www.cve.org/CVERecord?id=CVE-2026-49160

A CVSS 7.8 denial-of-service zero-day in the Windows HTTP Protocol Stack, used by numerous core Windows services. Notably, Microsoft credited OpenAI’s Codex with reporting this vulnerability, making it one of the first widely publicized examples of an AI coding tool surfacing a real-world Windows zero-day.

3. CVE-2026-45586 — CTFMON Elevation of Privilege

Link: https://www.cve.org/CVERecord?id=CVE-2026-45586

One of three zero-days disclosed in Microsoft’s June release, this privilege escalation flaw in CTFMON (the Windows text input/IME service) was publicly disclosed by the researcher known as Nightmare Eclipse before a patch was available.

4. CVE-2026-42897 — Microsoft Exchange Server Remote Code Execution

Link: https://www.cve.org/CVERecord?id=CVE-2026-42897

Originally disclosed in May, this Exchange Server RCE flaw was confirmed under active exploitation in the wild going into June. Organizations that hadn’t yet patched Exchange were urged to prioritize it immediately alongside the June cumulative update.

5. CVE-2026-47288 — Active Directory Kerberos Remote Code Execution

Link: https://www.cve.org/CVERecord?id=CVE-2026-47288

A critical RCE affecting the core Kerberos authentication component of Active Directory. Given Kerberos’s central role in domain authentication, this vulnerability drew particular attention from enterprises running on-premises Active Directory infrastructure.

6. CVE-2026-45648 — Active Directory Domain Services Vulnerability

Link: https://www.cve.org/CVERecord?id=CVE-2026-45648

Rated CVSS 8.8, this flaw affects Active Directory Domain Services (AD DS) and was called out alongside the Kerberos RCE above as a high-priority patch for any organization running on-prem domain controllers.

7. CVE-2026-48567 — Azure HorizonDB Elevation of Privilege

Link: https://www.cve.org/CVERecord?id=CVE-2026-48567

A maximum-severity CVSS 10.0 elevation-of-privilege flaw in Azure HorizonDB. Microsoft had already remediated this on the service side before publishing the advisory, so it’s documented for transparency rather than requiring customer action — but its perfect severity score made it one of the month’s most eye-catching entries.

8. CVE-2026-27671 — SAP NetWeaver ABAP Memory Corruption

Link: https://www.cve.org/CVERecord?id=CVE-2026-27671

A CVSS 9.8 memory corruption vulnerability in SAP Application Server ABAP and the ABAP Platform, part of SAP’s June Security Patch Day haul of 15 fixes. It requires no authentication and can affect confidentiality, integrity, and availability simultaneously, making it one of the most severe enterprise vulnerabilities of the month.

9. CVE-2026-11645 — Google Chrome Zero-Day

Link: https://www.cve.org/CVERecord?id=CVE-2026-11645

A zero-day exploit patched in a Chrome update that resolved 74 CVEs, coming on the heels of an even larger Chrome release earlier in June that fixed 429 issues. Microsoft Edge, built on Chromium, required the same fix, making browser patching a top priority across the industry this month.

10. CVE-2026-41091 — Microsoft Defender Elevation of Privilege (“RedSun”)

Link: https://www.cve.org/CVERecord?id=CVE-2026-41091

An actively exploited, weaponized, and publicly known EoP vulnerability in Microsoft Defender, tracked under the name “RedSun.” An unprivileged attacker can trick Defender into writing a malicious file back to a privileged location, gaining SYSTEM-level access. Its combination of active exploitation and weaponized tooling made it one of the most urgent patches of the month.