CVE digest: Splunk, Joomla JCE and LiteSpeed exploited in the wild
Three flaws now confirmed exploited, added to CISA's KEV the week of June 22, 2026: Splunk Enterprise, the Joomla JCE editor and a LiteSpeed cPanel plugin. What to patch first.
Three vulnerabilities are now confirmed exploited in the wild, each added to CISA’s Known Exploited Vulnerabilities (KEV) catalog in the week ending June 22, 2026: a missing-authentication flaw in Splunk Enterprise, an access-control flaw in the JCE editor for Joomla, and a symlink-following bug in the LiteSpeed cPanel plugin. Two of the three score 9.8 and the third sits at 8.5, yet every one of them carries an EPSS score well under the 0.8 probability line that would mark a true mover. That gap, high severity next to a modest near-term likelihood, is the reason to read both numbers instead of one.
Three acronyms run through this digest. CVSS scores how damaging a flaw would be if someone exploited it, on a 0 to 10 scale. EPSS estimates the chance it gets exploited in the next 30 days, shown here as a percentage. KEV is CISA’s catalog of flaws with confirmed real-world attacks. Severity and likelihood are not the same thing. The full method is in our CVSS vs EPSS vs KEV breakdown.
What’s now confirmed exploited this week
All three entries below appear in the CISA KEV feed with a dateAdded inside the last seven days, which is the only reason they are in this digest. The CVSS figures are NVD’s v3.1 base scores; the EPSS values are what FIRST returned on June 21, 2026. KEV membership is a binary fact: CISA lists these as exploited. EPSS is a separate, probabilistic read, and the chart shows how low that read stays even on confirmed-exploited flaws.
EPSS probability for this week’s three KEV additions. All three are listed as exploited, yet EPSS rates none of them likely to spread widely in the next 30 days. The catalog and the model measure different things, which is why KEV status, not EPSS, sets the order here.
Three flaws confirmed exploited, all now on KEV
The order below runs by EPSS, highest first, but the point of the section is that all three share the same KEV status. The model disagrees on how fast each will spread; CISA does not disagree on whether they have been used.
CVE-2026-20253: Splunk Enterprise
CVSS base score: 9.8 (Critical). EPSS: 10% (95th percentile).
CVE-2026-20253 is a missing-authentication-for-critical-function flaw (CWE-306) in Splunk Enterprise. NVD describes an unauthenticated user creating or truncating arbitrary files through a PostgreSQL sidecar service endpoint, with the affected builds listed as 10.0.0 up to, but not including, 10.0.7 and 10.2.0 up to, but not including, 10.2.4. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) is the network-reachable, no-auth, no-interaction profile that justifies patching on sight. CISA added it to KEV on June 18, 2026. The ability to truncate arbitrary files on a logging and detection platform is its own problem: the system you rely on to see an attack is the one exposed.
CVE-2026-48907: Widget Factory JCE (Joomla Content Editor)
CVSS base score: 9.8 (Critical). EPSS: 6.9% (93rd percentile).
CVE-2026-48907 is an improper-access-control flaw (CWE-284) in the JCE editor extension for Joomla. Per NVD, the flaw allows the creation of new editor profiles for unauthenticated users, which ends in the upload and execution of PHP code on the server. NVD lists every JCE build before 2.9.99.5 as affected, records a v3.1 base of 9.8, and a secondary v4.0 base of 10.0. CISA added it to KEV on June 16, 2026. Unauthenticated PHP execution on a public CMS is the well-worn path to a web shell, so an internet-facing Joomla install running JCE belongs near the top of the queue.
CVE-2026-54420: LiteSpeed cPanel plugin
CVSS base score: 8.5 (High). EPSS: 0.7% (46th percentile).
CVE-2026-54420 is a UNIX symbolic-link-following flaw (CWE-61) in the LiteSpeed cPanel plugin. NVD describes the plugin mishandling symlinks supplied by a user who already has FTP or web shell access on a shared hosting server running CloudLinux/CageFS, and the record notes it as exploited in the wild in May 2026. The affected builds are the LiteSpeed cPanel plugin before 2.4.8, as distributed in the LiteSpeed WHM plugin before 5.3.2.0. The CVSS vector (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H) reflects the prerequisites: an attacker needs an existing low-privilege foothold and the attack complexity is high, which is why EPSS reads it low. On shared hosting, the scope change (S:C) is the danger, since one tenant breaking out of CageFS reaches the others.
What to change in your queue this week
The pattern this week is three confirmed-exploited flaws that an EPSS-sorted queue would push down the list. Splunk and JCE both score 9.8, but their EPSS sits at 10% and 6.9%; LiteSpeed reads 0.7%. KEV is the signal that keeps them near the top. Three moves:
- Filter to what you run, then sort by KEV. Splunk Enterprise and a Joomla CMS are narrow, specific footprints; a shared-hosting LiteSpeed stack is narrower still. The same KEV status means very different work depending on your inventory.
- Do not let a low EPSS override a fresh KEV listing. EPSS lags new catalog entries, so a 0.7% on a CVE CISA flagged this week is a timing artifact, not an all-clear.
- Re-test the two unauthenticated network flaws. Splunk’s file write and JCE’s PHP upload are both reachable without credentials. A version bump is not a closed finding until you have confirmed the path is gone.
If you only have time for one this week, start with whichever of Splunk Enterprise or JCE you actually run: both are unauthenticated, network-reachable, and rated 9.8. Then work LiteSpeed against your hosting footprint.
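As an added worked example (not code from this digest, CISA or FIRST), the script below applies the three moves above together with the seven-day KEV window described earlier: it filters findings to an inventory, orders KEV entries ahead of everything else regardless of EPSS, and flags a fresh KEV entry whose EPSS is still low as the timing artifact the digest describes. The sample records are constructed from the figures quoted in this digest; the LiteSpeed dateAdded and the fourth, non-KEV record are placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set

@dataclass
class Finding:
    cve: str
    product: str
    cvss: float                # NVD v3.1 base score, 0..10
    epss: float                # FIRST EPSS probability, 0..1
    kev_added: Optional[date]  # CISA KEV dateAdded, None if not listed

DIGEST_END = date(2026, 6, 22)  # end of the week this digest covers
KEV_WINDOW = timedelta(days=7)
MOVER_LINE = 0.8                # the EPSS line the digest calls a "true mover"

# Constructed sample using the figures the digest quotes. The LiteSpeed KEV date
# is a placeholder (the digest gives no dateAdded for it); the last record is an
# invented non-KEV entry with a high EPSS, there only to show the two orders diverge.
SAMPLE = [
    Finding("CVE-2026-20253", "Splunk Enterprise", 9.8, 0.100, date(2026, 6, 18)),
    Finding("CVE-2026-48907", "JCE for Joomla", 9.8, 0.069, date(2026, 6, 16)),
    Finding("CVE-2026-54420", "LiteSpeed cPanel plugin", 8.5, 0.007, date(2026, 6, 20)),
    Finding("CVE-EXAMPLE-0001", "Placeholder product", 7.5, 0.850, None),
]

def in_kev_window(f: Finding, end: date = DIGEST_END) -> bool:
    """True when the KEV dateAdded falls inside the digest's seven-day window."""
    return f.kev_added is not None and end - KEV_WINDOW < f.kev_added <= end

def epss_lag_note(f: Finding) -> str:
    """A fresh KEV entry with a low EPSS is a timing artifact, not an all-clear."""
    if in_kev_window(f) and f.epss < MOVER_LINE:
        return "fresh KEV entry, EPSS lags the catalog: do not let it override"
    return ""

def kev_first_queue(findings: List[Finding], inventory: Set[str]) -> List[Finding]:
    """Filter to products you run, then order KEV first, then CVSS, then EPSS."""
    mine = [f for f in findings if f.product in inventory]
    return sorted(mine, key=lambda f: (f.kev_added is None, -f.cvss, -f.epss))

def epss_only_queue(findings: List[Finding], inventory: Set[str]) -> List[Finding]:
    """The order an EPSS-sorted queue would give, for comparison."""
    mine = [f for f in findings if f.product in inventory]
    return sorted(mine, key=lambda f: -f.epss)

if __name__ == "__main__":
    runs = {f.product for f in SAMPLE}  # assume every sampled product is deployed
    for f in kev_first_queue(SAMPLE, runs):
        print(f"{f.cve:18} CVSS {f.cvss:4.1f}  EPSS {f.epss:6.1%}  {epss_lag_note(f)}")
```

Swapping `kev_first_queue` for `epss_only_queue` on the same sample puts the placeholder non-KEV record first and LiteSpeed last, which is the ordering the digest argues against.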