
CVE digest: six KEV additions hit Oracle, Ivanti, Cisco and Chrome

CISA added six CVEs to KEV in the week of June 15, 2026: Oracle PeopleSoft, Ivanti Sentry, Cisco SD-WAN, Arista, Chrome and LiteLLM. Scores and what to patch first.


Six vulnerabilities reached CISA’s Known Exploited Vulnerabilities catalog in the week ending June 15, 2026, and the list reads like an inventory of a typical enterprise edge: an Oracle ERP component, an Ivanti gateway, a Cisco SD-WAN controller, an Arista switch family, the Chrome browser, and the LiteLLM AI proxy. Two of them carry an EPSS score near the top of the distribution. The other four sit close to the floor. That split is the whole reason to read both signals instead of one.

Three acronyms run through this digest. CVSS scores how damaging a flaw would be if someone exploited it, on a 0 to 10 scale. EPSS estimates the chance it gets exploited in the next 30 days, shown here as a percentage. KEV is CISA’s catalog of flaws with confirmed real-world attacks. Severity and likelihood are not the same thing. The full method is in our CVSS vs EPSS vs KEV breakdown.

What landed on KEV this week

All six entries below appear in the CISA KEV feed with a dateAdded inside the last seven days, which is the only reason they are in this digest. The scores quoted are NVD's CVSS v3.1 base scores and the EPSS values returned by FIRST on June 15, 2026. KEV membership is a binary fact: CISA lists these as exploited. EPSS is a separate, probabilistic read, and the figures below show how far the two can diverge in a single week.

EPSS probability, highest first:

  - CVE-2026-10520, Ivanti Sentry: 60%
  - CVE-2026-42271, BerriAI LiteLLM: 54%
  - CVE-2026-20245, Cisco Catalyst SD-WAN: 1.0%
  - CVE-2026-35273, Oracle PeopleSoft: 0.7%
  - CVE-2026-11645, Google Chrome: 0.7%
  - CVE-2026-7473, Arista EOS: 0.4%

EPSS probability for this week’s six KEV additions. All six are listed as exploited, yet EPSS rates only two as likely to be exploited in the next 30 days. The catalog and the model measure different things, which is why KEV status, not EPSS alone, sets the order here.
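The selection rule above (KEV entries with a dateAdded in the trailing seven days, joined to the EPSS score FIRST reports) is mechanical enough to script. The example below is added here and is not CloudKey's tooling. It uses the field names of the public KEV JSON feed (cveID, vendorProject, product, dateAdded) and of the FIRST EPSS API's data array (cve, epss, percentile), but the rows are constructed from this digest's figures, plus one deliberately stale entry, so it runs offline; the 0.5 probability cut that separates the two buckets is this example's choice, not a FIRST or CISA threshold. Swap the two constants for live pulls from https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and https://api.first.org/data/v1/epss?cve=... to run it for real.

```python
"""Join a KEV feed slice with EPSS scores and split this week's additions.

Added example, not CloudKey code. Record shapes follow the public feeds;
the rows themselves are constructed from the digest's published numbers.
"""
from datetime import date, timedelta

# Constructed KEV slice. The last entry is stale and must not be selected.
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-2026-10520", "vendorProject": "Ivanti", "product": "Standalone Sentry", "dateAdded": "2026-06-11"},
        {"cveID": "CVE-2026-42271", "vendorProject": "BerriAI", "product": "LiteLLM", "dateAdded": "2026-06-08"},
        {"cveID": "CVE-2026-20245", "vendorProject": "Cisco", "product": "Catalyst SD-WAN", "dateAdded": "2026-06-09"},
        {"cveID": "CVE-2026-35273", "vendorProject": "Oracle", "product": "PeopleSoft PeopleTools", "dateAdded": "2026-06-12"},
        {"cveID": "CVE-2026-11645", "vendorProject": "Google", "product": "Chrome", "dateAdded": "2026-06-09"},
        {"cveID": "CVE-2026-7473", "vendorProject": "Arista", "product": "EOS", "dateAdded": "2026-06-09"},
        {"cveID": "CVE-2026-00001", "vendorProject": "ExampleCo", "product": "Widget", "dateAdded": "2026-05-01"},
    ]
}

# Constructed EPSS rows in the shape of the FIRST API "data" array (strings, as the API returns them).
EPSS_DATA = [
    {"cve": "CVE-2026-10520", "epss": "0.60", "percentile": "0.99"},
    {"cve": "CVE-2026-42271", "epss": "0.54", "percentile": "0.99"},
    {"cve": "CVE-2026-20245", "epss": "0.010", "percentile": "0.57"},
    {"cve": "CVE-2026-35273", "epss": "0.007", "percentile": "0.49"},
    {"cve": "CVE-2026-11645", "epss": "0.007", "percentile": "0.49"},
    {"cve": "CVE-2026-7473", "epss": "0.004", "percentile": "0.29"},
]


def fresh_kev(feed, as_of, days=7):
    """KEV entries whose dateAdded lies in the `days`-day window ending on as_of (inclusive)."""
    cutoff = as_of - timedelta(days=days)
    return [v for v in feed["vulnerabilities"]
            if cutoff <= date.fromisoformat(v["dateAdded"]) <= as_of]


def join_epss(entries, epss_rows):
    """Attach EPSS probability and percentile; a CVE FIRST has not scored yet gets None."""
    by_cve = {r["cve"]: r for r in epss_rows}
    joined = []
    for v in entries:
        r = by_cve.get(v["cveID"])
        joined.append({
            "cve": v["cveID"],
            "product": f'{v["vendorProject"]} {v["product"]}',
            "dateAdded": v["dateAdded"],
            "epss": float(r["epss"]) if r else None,
            "percentile": float(r["percentile"]) if r else None,
        })
    return joined


def split_by_epss(rows, threshold=0.5):
    """Partition KEV rows into 'EPSS agrees' and 'EPSS still low', each sorted by probability.

    The threshold is this example's editorial cut (assumption), not a FIRST value.
    """
    def rank(r):
        # An unscored CVE sorts last in its bucket instead of masquerading as 0%.
        return (r["epss"] is None, -(r["epss"] or 0.0))
    high = sorted((r for r in rows if r["epss"] is not None and r["epss"] >= threshold), key=rank)
    low = sorted((r for r in rows if r["epss"] is None or r["epss"] < threshold), key=rank)
    return high, low


def weekly_digest(feed=KEV_FEED, epss_rows=EPSS_DATA, as_of=date(2026, 6, 15)):
    """Everything this digest does to pick and bucket its CVEs, in one call."""
    return split_by_epss(join_epss(fresh_kev(feed, as_of), epss_rows))


if __name__ == "__main__":
    high, low = weekly_digest()
    print("KEV-listed, EPSS also high:")
    for r in high:
        print(f'  {r["cve"]:16} {r["product"]:28} EPSS {r["epss"]:.1%}  added {r["dateAdded"]}')
    print("KEV-listed, EPSS still low (timing, not an all-clear):")
    for r in low:
        epss = "n/a" if r["epss"] is None else f'{r["epss"]:.1%}'
        print(f'  {r["cve"]:16} {r["product"]:28} EPSS {epss}  added {r["dateAdded"]}')
```

Two details are worth keeping when you adapt this: the window is inclusive at both ends so an entry added exactly seven days ago is still "this week", and a CVE with no EPSS row is kept rather than dropped, because a fresh KEV addition that FIRST has not scored yet is precisely the case the digest warns about.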

Two flaws EPSS also rates highly

Both sit in the 99th percentile of the EPSS distribution: below the 0.8 probability line we would call a true mover, but high enough that the model and the catalog point the same way. When both signals agree, the queue decision is not a judgment call.

CVE-2026-10520: Ivanti Sentry

CVSS base score: 10.0 (Critical). EPSS: 60% (99th percentile).

CVE-2026-10520 is an OS command injection in Ivanti Standalone Sentry that lets a remote, unauthenticated user reach root-level remote code execution. NVD lists the affected builds as Sentry before 10.5.2, 10.6.0 through 10.6.1 (fixed in 10.6.2), and 10.7.0 (fixed in 10.7.1). The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:C) describes the worst combination for a perimeter device: network-reachable, no privileges, no user interaction, and a scope change. CISA added it to KEV on June 11, 2026. An unauthenticated root RCE that is reachable over the network rarely stays contained to one host.

CVE-2026-42271: BerriAI LiteLLM

CVSS base score: 8.8 (High). EPSS: 54% (99th percentile).

CVE-2026-42271 is a command injection in LiteLLM's MCP server preview endpoints (POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list). Per the NVD record, those endpoints accepted server configurations that could spawn arbitrary subprocesses, so any authenticated user, including a holder of a low-privilege internal-user key, could run arbitrary commands on the host. Affected versions run from 1.74.2 up to, but not including, 1.83.7. CISA added it to KEV on June 8, 2026. Because a low-privilege key is enough, treat every LiteLLM key holder as a potential local command runner until you are on a fixed build.

Four KEV additions EPSS still rates low

The next four are listed as exploited too, but their EPSS scores sit at or below 1.0%. That gap is not a contradiction. KEV reflects observed use; EPSS reflects how broadly the model expects exploitation to spread in the near term. A low EPSS on a KEV-listed CVE is a reminder that EPSS lags fresh additions, not a reason to deprioritize.

CVE-2026-35273: Oracle PeopleSoft Enterprise PeopleTools

CVSS base score: 9.8 (Critical). EPSS: 0.7% (49th percentile).

CVE-2026-35273 is a missing-authentication flaw (CWE-306) in the Updates Environment Management component of PeopleSoft Enterprise PeopleTools. NVD describes an unauthenticated network attacker achieving complete system compromise over HTTP, and lists PeopleTools 8.61 and 8.62 as affected. CISA added it to KEV on June 12, 2026. The 0.7% EPSS reads low for a 9.8, which is exactly why inventory comes first: this matters only if you run PeopleSoft, and matters a lot if you do.

CVE-2026-11645: Google Chrome (V8)

CVSS base score: 8.8 (High). EPSS: 0.7% (49th percentile).

CVE-2026-11645 is an out-of-bounds read and write in the V8 JavaScript engine. Per NVD, a remote attacker could execute arbitrary code inside the sandbox via a crafted HTML page, in Chrome builds before 149.0.7827.103 on macOS, Linux, and Windows. The vector requires user interaction (UI:R), which fits a drive-by page. CISA added it to KEV on June 9, 2026. Browser patches roll out through auto-update, so the work here is verifying that fleet machines actually restarted onto the fixed build rather than assuming they did.

CVE-2026-20245: Cisco Catalyst SD-WAN Manager

CVSS base score: 7.8 (High). EPSS: 1.0% (57th percentile).

CVE-2026-20245 is an output-encoding flaw in the CLI of Cisco Catalyst SD-WAN products. NVD describes an authenticated local attacker with netadmin privileges executing arbitrary commands as root by supplying a crafted file, which turns an admin account into root on the controller. The affected range spans SD-WAN Manager (vManage), Controller (vSmart), and Validator (vBond) across several version trains below the fixed builds. CISA added it to KEV on June 9, 2026. The local, authenticated prerequisite explains the modest EPSS, but on a management plane that reach is the point.

CVE-2026-7473: Arista EOS

CVSS base score: 5.8 (Medium). EPSS: 0.4% (29th percentile).

CVE-2026-7473 is the low-severity outlier of the week, an incomplete-comparison flaw in Arista EOS tunnel decapsulation. Per NVD, a switch configured for VXLAN, decap-groups, or GRE will incorrectly decapsulate and forward unexpected tunneled packets whose destination IP matches its configured decapsulation address. NVD lists a CVSS v3.1 base of 5.8 (a CVSS v4.0 base of 6.9 is also recorded), and the impact is limited to integrity, not full compromise. It only applies where tunnel decapsulation is configured. CISA added it to KEV on June 9, 2026. It earns a place on the schedule, not the top of it.

What to change in your queue this week

The honest read of this week is that four of the six would slip down a CVSS-sorted or EPSS-sorted queue, even though CISA lists all six as exploited. KEV is the signal that pulls them back up. Three concrete moves:

  1. Filter to what you run, then sort by KEV. Oracle PeopleSoft and Cisco SD-WAN are narrow footprints; Chrome is on nearly every endpoint. The same KEV status means very different work depending on your inventory.
  2. Do not let a low EPSS override KEV on a fresh addition. EPSS trails new catalog entries, so a 0.4% or 0.7% on a CVE CISA flagged this week is a timing artifact, not an all-clear.
  3. Re-test the perimeter fixes. The Ivanti Sentry and Oracle PeopleSoft flaws are both unauthenticated and network-reachable. A reboot or a config note is not a closed finding until you have confirmed the path is gone.
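Step 1 is the part that can be automated: match the NVD affected ranges quoted in this digest against what each asset is actually running, then order the hits KEV-first. The script below is an added example, not CloudKey's tooling. The ranges for Ivanti Sentry, LiteLLM and Chrome are the ones stated above; the inventory is constructed, the product keys are this example's own names, and the Chrome rows carry an installed_version next to the running version to catch the "updated but never restarted" case from the Chrome entry. Version comparison is plain numeric-tuple ordering, which fits these three products' dotted versions but is an assumption for any vendor you add (PeopleSoft and Cisco are left out because the page gives their affected builds as trains, not numeric bounds).

```python
"""Match this week's KEV additions against a version inventory, KEV first.

Added example, not CloudKey code. Affected ranges are the NVD figures quoted
in the digest; every host, version and product key below is constructed.
"""


def parse_version(v):
    """'10.6.1' -> (10, 6, 1). Non-digit characters in a component are dropped (assumption)."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def in_range(version, lo, hi):
    """True when lo <= version < hi; lo=None means 'every earlier build'."""
    v = parse_version(version)
    return (lo is None or parse_version(lo) <= v) and v < parse_version(hi)


# Ranges as stated in the digest: (lower bound inclusive, fixed build exclusive).
ADVISORIES = [
    {"cve": "CVE-2026-10520", "product": "ivanti-sentry", "kev": True, "cvss": 10.0, "epss": 0.60,
     "affected": [(None, "10.5.2"), ("10.6.0", "10.6.2"), ("10.7.0", "10.7.1")]},
    {"cve": "CVE-2026-42271", "product": "litellm", "kev": True, "cvss": 8.8, "epss": 0.54,
     "affected": [("1.74.2", "1.83.7")]},
    {"cve": "CVE-2026-11645", "product": "chrome", "kev": True, "cvss": 8.8, "epss": 0.007,
     "affected": [(None, "149.0.7827.103")]},
]

# Constructed inventory. "version" is the build actually running; "installed_version"
# (Chrome only) is what the updater has staged on disk, which counts for nothing until restart.
INVENTORY = [
    {"host": "sentry-dmz-01", "product": "ivanti-sentry", "version": "10.6.1"},
    {"host": "sentry-dmz-02", "product": "ivanti-sentry", "version": "10.7.1"},
    {"host": "llm-proxy-01", "product": "litellm", "version": "1.80.0"},
    {"host": "llm-proxy-02", "product": "litellm", "version": "1.83.7"},
    {"host": "wks-0142", "product": "chrome", "version": "149.0.7827.103", "installed_version": "149.0.7827.103"},
    {"host": "wks-0143", "product": "chrome", "version": "148.0.7700.20", "installed_version": "148.0.7700.20"},
    {"host": "wks-0144", "product": "chrome", "version": "148.0.7700.20", "installed_version": "149.0.7827.103"},
]


def is_affected(advisory, version):
    return any(in_range(version, lo, hi) for lo, hi in advisory["affected"])


def match_inventory(inventory=INVENTORY, advisories=ADVISORIES):
    """Findings for assets running an affected build, ordered KEV first, then EPSS, then CVSS."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            if adv["product"] != asset["product"] or not is_affected(adv, asset["version"]):
                continue
            staged = asset.get("installed_version")
            findings.append({
                "host": asset["host"],
                "cve": adv["cve"],
                "running": asset["version"],
                "kev": adv["kev"],
                "epss": adv["epss"],
                "cvss": adv["cvss"],
                # Fixed build is on disk but the vulnerable one is still running.
                "staged_only": staged is not None and not is_affected(adv, staged),
            })
    findings.sort(key=lambda f: (not f["kev"], -f["epss"], -f["cvss"]))
    return findings


if __name__ == "__main__":
    for f in match_inventory():
        flag = "  <- patched on disk, not restarted" if f["staged_only"] else ""
        print(f'{f["host"]:14} {f["cve"]:16} running {f["running"]:16} EPSS {f["epss"]:.1%}{flag}')
```

Two assets that look patched in a naive check are still findings here: sentry-dmz-02 on 10.7.1 correctly drops out because the fixed build is the exclusive upper bound, while wks-0144 stays in even though 149.0.7827.103 is on disk, because the running build is what the drive-by page meets. Any CVE you add with kev=False sinks below every KEV entry regardless of its CVSS, which is the ordering the three moves above call for.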

If you only have time for two this week, start with the two that are both KEV-listed and high-EPSS: Ivanti Sentry and LiteLLM. Then work the rest against your asset list.


Security research team

CloudKey Security Research

The CloudKey research team tracks emerging CVEs, exploit chains and active campaigns. Findings feed the platform and the customer advisories that follow.
