This briefing covers the 24-hour period of June 11-12, 2026, which was dominated by browser vulnerabilities and widespread botnet activity. One actively exploited vulnerability was added to CISA's Known Exploited Vulnerabilities catalog: CVE-2026-10520, an Ivanti Sentry OS command injection flaw enabling unauthenticated remote code execution. Google Chrome released emergency patches addressing 27 vulnerabilities, including multiple critical sandbox escape flaws that could allow attackers to break out of Chrome's security boundaries and execute code at the system level.
The National Vulnerability Database published 30 new CVEs during this period, with five rated critical severity. Notable threats include multiple command injection and SQL injection vulnerabilities in ClipBucket video platform, WordPress plugins, and various web applications. Netty framework vulnerabilities pose denial-of-service risks, while Chrome's vulnerabilities span multiple attack vectors including GPU exploitation, use-after-free conditions, and privilege escalation paths.
Threat actor infrastructure activity shows sustained Mirai botnet distribution campaigns, with 50 malicious URLs identified distributing ELF binaries targeting IoT devices across multiple architectures. The dekma-gay[.]ru domain infrastructure is actively serving Mirai variants branded as "titanjr" alongside ClearFake malware distribution. Organizations should immediately prioritize patching Ivanti Sentry and Chrome deployments while monitoring for Mirai botnet scanning activity targeting vulnerable IoT devices.
One KEV entry and 30 NVD entries published, featuring critical command injection, SQL injection, and browser sandbox escape vulnerabilities requiring immediate attention.
Ivanti Sentry (formerly MobileIron Sentry) contains an OS command injection vulnerability allowing remote unauthenticated attackers to achieve root-level remote code execution on unmanaged appliances. Added to CISA KEV catalog indicating active exploitation in the wild.
Critical use-after-free vulnerability in WebMIDI on Windows enables remote attackers who have compromised the renderer process to escape Chrome's sandbox and execute arbitrary code at system level. CVSS 8.3.
Critical heap buffer overflow in the GPU component on Android allows remote attackers with a compromised renderer to perform a sandbox escape via crafted HTML. Part of the Chrome 149.0.7827.115 security update. CVSS 8.3.
Insufficient input validation in Accessibility component on Mac enables sandbox escape after renderer compromise. Critical severity requiring immediate Chrome update. CVSS 8.3.
ClipBucket v5 (prior to 5.5.3 #140) Remote Play feature allows authenticated users to inject shell commands through external URL parameters, achieving remote code execution. CVSS 9.8.
Unauthenticated blind SQL injection in actions/progress_video.php endpoint allows attackers to execute arbitrary SQL queries and exfiltrate sensitive data through the vulnerable ids parameter. CVSS 9.8.
SQL injection vulnerability in JoomSport plugin (versions through 5.7.7) enables blind SQL injection attacks for data exfiltration. CVSS 9.3.
WordPress Product Filter plugin (through 3.1.2) contains a blind SQL injection vulnerability allowing unauthorized database access. CVSS 9.3.
Chrome 149.0.7827.115 addresses 27 vulnerabilities including use-after-free flaws in GPU (CVE-2026-12028, CVE-2026-12023), Video (CVE-2026-12029), Cast (CVE-2026-12014), and DigitalCredentials (CVE-2026-12008) components across Windows, Mac, Android, and Linux platforms.
Inappropriate implementation in Mojo allows local attackers to perform OS-level privilege escalation via malicious files on Windows systems. CVSS 8.8.
Sustained Mirai botnet campaign distributing multi-architecture ELF binaries through dekma-gay[.]ru infrastructure, alongside ClearFake malware delivery targeting browser users.
50 malicious URLs identified across subdomains (grafana.bot, node.bot, node-tls, poland) distributing Mirai ELF binaries branded as 'titanjr' targeting 16 different architectures (x86_64, x86_32, ARM variants, MIPS, PPC, m68k, sh4, arc, spc) for IoT device compromise.
Three shell scripts (all.sh) hosted on poland.dekma-gay[.]ru, node.bot.dekma-gay[.]ru, and node-tls.dekma-gay[.]ru serve as downloaders for multi-architecture Mirai payloads, indicating automated infection capabilities.
Two ClearFake malware distribution URLs identified using randomly generated subdomains (02y48l3v.asibshenasiyahya[.]shop and ghdre2hy.geotechnictahuni[.]store) with unique session identifiers, suggesting active campaign targeting browser users through social engineering.
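A detection sketch for the Mirai and ClearFake infrastructure described above, added here as an example and not taken from the briefing's source. It matches on domain suffix so that new or random subdomains are caught while lookalike hosts are not; the log format, the payload file name and the label strings are assumptions.

```python
from urllib.parse import urlsplit

def refang(text):
    """Undo the [.] / hxxp defanging used in threat reports."""
    return text.replace("[.]", ".").replace("hxxp", "http")

# Indicators from the briefing, stored defanged and refanged at load time.
MIRAI_DOMAIN = refang("dekma-gay[.]ru")
CLEARFAKE_DOMAINS = tuple(refang(d) for d in (
    "asibshenasiyahya[.]shop", "geotechnictahuni[.]store"))

def host_in_domain(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    host = host.rstrip(".").lower()
    return host == domain or host.endswith("." + domain)

def classify(url):
    parts = urlsplit(refang(url))
    host, path = parts.hostname or "", parts.path.lower()
    if host_in_domain(host, MIRAI_DOMAIN):
        if path.endswith("/all.sh"):
            return "mirai-downloader"
        if "titanjr" in path:  # assumption: brand string appears in the file name
            return "mirai-payload"
        return "mirai-infrastructure"
    if any(host_in_domain(host, d) for d in CLEARFAKE_DOMAINS):
        return "clearfake"
    return None

# Constructed proxy log lines (timestamp, client IP, URL); paths other than
# all.sh are made up, and the last two are lookalikes that must not match.
SAMPLE_LOG = [
    "2026-06-12T03:14:07Z 10.0.8.21 hxxp://poland.dekma-gay[.]ru/all.sh",
    "2026-06-12T03:14:09Z 10.0.8.21 hxxp://grafana.bot.dekma-gay[.]ru/titanjr.mips",
    "2026-06-12T04:00:00Z 10.0.3.5 hxxps://02y48l3v.asibshenasiyahya[.]shop/?s=constructed",
    "2026-06-12T04:01:00Z 10.0.3.9 hxxps://dekma-gay[.]ru.example.com/all.sh",
    "2026-06-12T04:02:00Z 10.0.3.9 hxxps://notdekma-gay[.]ru/index.html",
]

def scan(lines):
    hits = []
    for line in lines:
        _ts, client, url = line.split(" ", 2)
        label = classify(url)
        if label:
            hits.append((client, label))
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A client that fetches the downloader and then a payload within seconds, as 10.0.8.21 does in the constructed sample, is the sequence to escalate first.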
Multiple exploitation techniques observed including command injection, SQL injection, sandbox escapes, use-after-free exploitation, and privilege escalation across web applications and browsers.
Multiple vulnerabilities (CVE-2026-10520 Ivanti Sentry, CVE-2026-42846 ClipBucket) demonstrate OS command injection as a primary attack vector, particularly in network appliances and video platforms that process user-supplied URLs or file parameters.
27 Chrome vulnerabilities demonstrate advanced sandbox escape techniques leveraging use-after-free conditions, heap overflows, and insufficient input validation across GPU, Mojo, Accessibility, and media processing components to break out of renderer process isolation.
Arbitrary code execution in OpenClaw skill installation allows attackers with workspace access to override Homebrew executable selection via .env files, enabling supply chain compromise. CVSS 8.8.
Secondary high-severity vulnerabilities requiring attention in Netty framework, WordPress plugins, and various web applications.
WooCommerce mobile app plugin contains an incorrect privilege assignment vulnerability allowing privilege escalation attacks. CVSS 9.8.
Netty-codec-redis (prior to 4.1.135.Final and 4.2.15.Final) is vulnerable to DoS attacks that use crafted Redis payloads without proper line terminators to exhaust server memory. CVSS 7.5.
Attackers can exhaust server memory by sending deeply nested Redis arrays, forcing massive memory allocation in Netty applications. CVSS 7.5.
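The two Netty items above share one failure class: a decoder that buffers or recurses without limits on attacker-supplied framing. The following is an added illustration of a bounded decoder for a subset of the Redis wire format (RESP); it is not Netty's code or its fix, and every limit value is a hypothetical choice for the example.

```python
# Added illustration: bounded decoder for a subset of RESP (Redis wire format).
# All limits below are hypothetical values chosen for the example.
MAX_LINE = 64        # header bytes allowed before CRLF must appear
MAX_DEPTH = 8        # nested array levels
MAX_ELEMENTS = 1024  # elements per array
MAX_BULK = 1 << 20   # bulk string bytes

class NeedMore(Exception):
    """Frame is incomplete but still within limits; keep reading."""

class ProtocolError(Exception):
    """Frame violates a limit or the grammar; drop the connection."""

def _line(buf, pos):
    end = buf.find(b"\r\n", pos, pos + MAX_LINE + 2)
    if end != -1:
        return buf[pos:end], end + 2
    if len(buf) - pos >= MAX_LINE + 2:
        raise ProtocolError("no CRLF within MAX_LINE bytes")
    raise NeedMore()

def _int(raw, low, high):
    try:
        n = int(raw)
    except ValueError:
        raise ProtocolError("bad length") from None
    if not low <= n <= high:
        raise ProtocolError("length out of range")
    return n

def parse(buf, pos=0, depth=0):
    kind = buf[pos:pos + 1]
    line, nxt = _line(buf, pos + 1)
    if kind in (b"+", b"-"):
        return line, nxt
    if kind == b":":
        return _int(line, -2**63, 2**63 - 1), nxt
    if kind == b"$":
        n = _int(line, 0, MAX_BULK)
        if len(buf) < nxt + n + 2:
            raise NeedMore()
        if buf[nxt + n:nxt + n + 2] != b"\r\n":
            raise ProtocolError("bulk string not CRLF-terminated")
        return buf[nxt:nxt + n], nxt + n + 2
    if kind == b"*":
        if depth >= MAX_DEPTH:
            raise ProtocolError("array nesting too deep")
        items = []
        for _ in range(_int(line, 0, MAX_ELEMENTS)):
            item, nxt = parse(buf, nxt, depth + 1)
            items.append(item)
        return items, nxt
    raise ProtocolError("unknown type byte")
```

The distinction between `NeedMore` and `ProtocolError` is the point: a missing terminator is only tolerated while the pending bytes are still under the limit, so an unterminated payload is rejected instead of buffered indefinitely.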
Incorrect masking operation in IpSubnetFilterRule.compareTo() allows attackers to bypass IPv6 subnet filtering rules, potentially exposing internal services. CVSS 8.1.
Stored cross-site scripting in ClipBucket subtitle functionality allows authenticated video uploaders to inject malicious scripts. CVSS 8.8.