Introduction
This report is generated using Velma (Vulnerability Enhanced Learning Machine AI) – Rootshell’s exploit intelligence engine.
Velma focuses on one thing: understanding when vulnerabilities actually become a problem.
There’s no shortage of vulnerability data out there, and most of it is driven by static scores. But risk isn’t static. A vulnerability can sit there for months with little real-world relevance, then overnight become critical when exploit code is released or it starts being used in the wild.
Velma tracks that shift.
By analysing exploit availability, attacker activity, and how vulnerabilities are being used in real-world scenarios, Velma highlights what’s genuinely worth paying attention to – not just what’s highly scored, but what’s actually exploitable.
This report provides a current view of the threat landscape, prioritizing vulnerabilities that are actively being weaponised or realistically used in attack paths.
For most organizations, the challenge isn’t a lack of vulnerabilities – it’s knowing which ones actually matter.
Velma Threat Prioritization Matrix - June 26
| Priority | Threat | CVE | Likelihood | Impact | Exploit Maturity | Velma Risk Score |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Ivanti Sentry Pre-Auth Compromise | CVE-2026-10520 / 10523 | Very High | Very High | High | 10.0 (Critical) |
| 2 | Joomla Unauthenticated RCE | CVE-2026-48907 | Very High | Very High | High | 9.9 (Critical) |
| 3 | Splunk Arbitrary File Creation | CVE-2026-20253 | Very High | Very High | High | 9.8 (Critical) |
| 4 | WP Maps Pro Admin Takeover | CVE-2026-8732 | Very High | Very High | High | 9.8 (Critical) |
| 5 | Magento Unauthenticated PHP RCE | CVE-2026-45247 | Very High | Very High | High | 9.8 (Critical) |
| 6 | Fortinet FortiSandbox Command Injection | CVE-2026-25089 / 39808 | Very High | Very High | High | 9.7 (Critical) |
| 7 | Ghost CMS SQL Injection | CVE-2026-26980 | Very High | High | High | 9.5 (Critical) |
| 8 | Veeam Backup & Replication RCE | CVE-2026-44963 | High | Very High | High | 9.4 (Critical) |
| 9 | Chrome V8 Exploited Vulnerability | CVE-2026-11645 | Very High | High | High | 9.3 (Critical) |
| 10 | Cisco Unified Communications Manager | CVE-2026-20230 | High | Very High | High | 9.2 (Critical) |
| 11 | FortiSandbox Authentication Bypass | CVE-2026-39813 | High | Very High | High | 9.1 (Critical) |
| 12 | Drupal SQL Injection | CVE-2026-9082 | High | High | High | 9.0 (Critical) |
| 13 | LiteLLM Command Injection (KEV) | CVE-2026-42271 | High | High | High | 8.9 (High) |
| 14 | Redis Command Execution | CVE-2026-23479 | Medium | High | Medium | 8.7 (High) |
| 15 | Cisco SD-WAN File Overwrite | CVE-2026-20262 | Medium | High | Medium | 8.5 (High) |
| 16 | Exchange Active Exploitation | CVE-2026-42897 | Medium | High | High | 8.4 (High) |
| 17 | KnowledgeDeliver RCE | CVE-2026-5426 | Medium | High | High | 8.3 (High) |
| 18 | Linux Kernel Container Escape | CVE-2026-23111 | Medium | High | Medium | 8.2 (High) |
| 19 | Linux Kernel Fragnesia LPE | CVE-2026-46300 | Medium | High | Medium | 8.1 (High) |
| 20 | LiteSpeed cPanel Plugin | CVE-2026-54420 | Medium | Medium | High | 7.8 (Medium) |
| 21 | SolarWinds Serv-U DoS | CVE-2026-28318 | Medium | Medium | Medium | 7.4 (Medium) |
| 22 | Defender DoS | CVE-2026-45498 | Low | Medium | Low | 6.5 (Medium) |
| 23 | Trend Micro | CVE-2026-34926 | Unknown | Medium | Unknown | 6.0 (Medium) |
Executive Summary
Velma assesses that immediate remediation should focus on internet-facing systems capable of unauthenticated compromise, particularly Ivanti, Joomla, Splunk, Fortinet, WordPress, Magento, Ghost CMS and Veeam environments.
Priority should then shift to:
- Browser and endpoint attack surface reduction (Chrome)
- AI platform security (LiteLLM)
- Network and infrastructure hardening (Cisco SD-WAN)
- Kernel privilege escalation mitigation across Linux estates
Failure to address these vulnerabilities leaves a credible attack path from initial compromise through to root-level control, backup compromise, infrastructure takeover and ransomware deployment.
🔴 Velma Priority Group: Critical Risks
1. Ivanti Sentry – Full Administrative Compromise
CVE-2026-10520 / CVE-2026-10523
Velma assesses this as the most severe issue in the dataset due to the combination of:
- Authentication bypass
- OS command injection
- Full administrative compromise
- Root-level execution
⚠️ Business Impact
- Complete takeover of mobile device management infrastructure
- Enterprise-wide device compromise
- Credential theft and persistence
2. Joomla – Unauthenticated Remote Code Execution
CVE-2026-48907
This CVSS 10.0 vulnerability enables unauthenticated PHP code execution, which remains one of the highest-risk classes of vulnerability observed.
⚠️ Business Impact
- Website compromise
- Malware deployment
- Hosting environment compromise
3. Splunk Enterprise – Arbitrary File Creation
CVE-2026-20253
Splunk often sits at the centre of security operations environments. Compromise of logging infrastructure creates significant visibility and integrity risks.
4. WordPress WP Maps Pro
CVE-2026-8732
Active exploitation attempts have already been observed with attackers creating administrator accounts and taking ownership of affected WordPress installations.
5. Magento Plugin Deserialization RCE
CVE-2026-45247
Unauthenticated PHP object deserialization remains one of the most reliable paths to full web application compromise.
6. Fortinet FortiSandbox
CVE-2026-25089 / CVE-2026-39808
Internet-facing security appliances continue to be aggressively targeted by:
- Ransomware affiliates
- Initial Access Brokers
- State-aligned threat actors
7. Ghost CMS SQL Injection
CVE-2026-26980
Velma has identified confirmed exploitation activity involving JavaScript injection campaigns and ClickFix delivery techniques.
8. Veeam Backup & Replication
CVE-2026-44963
Backup infrastructure remains a priority target for ransomware operators seeking to disable recovery capabilities.
9. Chrome V8 Active Exploitation
CVE-2026-11645
Browser vulnerabilities continue to represent one of the most effective initial access vectors due to their enormous attack surface.
10. Cisco Unified Communications Manager
CVE-2026-20230
Public proof-of-concept code is available, significantly increasing exploitation likelihood.
🟠 Velma Priority Group: High Risks
LiteLLM Command Injection (KEV)
CVE-2026-42271
CISA has added this vulnerability to the KEV catalogue due to active exploitation. AI infrastructure is becoming an increasingly attractive target for attackers.
Redis Arbitrary Command Execution
CVE-2026-23479
This vulnerability is notable because it was discovered by an autonomous AI security research system and remained hidden in production code for more than two years.
Drupal SQL Injection
CVE-2026-9082
Anonymous exploitation combined with SQL injection capability significantly elevates risk beyond its nominal CVSS score.
Exchange Active Exploitation
CVE-2026-42897
Exchange vulnerabilities historically attract rapid weaponisation due to their prevalence within enterprise environments.
Cisco SD-WAN
CVE-2026-20262
Represents a valuable post-compromise escalation path into network infrastructure.
Linux Kernel LPE Cluster
CVE-2026-23111 / CVE-2026-46300
Both vulnerabilities enable attackers to move from low-privilege access to root-level control and container escape scenarios.
🟡 Velma Priority Group: Medium Risks
LiteSpeed cPanel Plugin
CVE-2026-54420
Exploited in the wild but requires existing FTP or shell access.
SolarWinds Serv-U
CVE-2026-28318
Primarily availability-focused rather than compromise-focused.
Microsoft Defender DoS
CVE-2026-45498
Potential operational impact but limited direct compromise potential.
Trend Micro
CVE-2026-34926
Insufficient technical detail currently available for elevated prioritisation.
Velma Correlated Threat View
Velma identifies several likely attack pathways:
[ Internet-Facing Applications ]
↓
Joomla / Drupal / Ghost / Magento / WP Maps
↓
[ Initial Access ]
↓
Chrome / Exchange / LiteLLM
↓
[ Privilege Escalation ]
↓
Linux Kernel LPE
↓
[ Infrastructure Control ]
↓
Cisco SD-WAN / Splunk / Veeam
↓
[ Operational Impact ]
↓
Ransomware / Data Exfiltration / Service Disruption
Velma Composite Risk Posture
- Critical Risks: 12
- High Risks: 7
- Medium Risks: 4
Overall Assessment: 🔴 CRITICAL
Velma assesses that this month’s watchlist contains an unusually high concentration of:
- Unauthenticated remote code execution vulnerabilities
- Active exploitation campaigns
- Public proof-of-concept availability
- Critical infrastructure and security platform targets
