CISA updated its Known Exploited Vulnerabilities catalog with six CVEs in June.
The agency announced three separate additions. On June 2, it listed CVE-2022-0492, a Linux kernel authentication flaw, and CVE-2025-48595, an Android framework integer overflow. A week later, CISA added CVE-2026-42271, a command-injection issue in BerriAI LiteLLM, and CVE-2026-50751, an improper authentication bug in Check Point Security Gateway. The final batch on June 15 included CVE-2026-20262, a path-traversal defect in Cisco Catalyst SD-WAN Manager, and CVE-2026-54420, a symlink vulnerability in LiteSpeed’s cPanel plugin.
Each entry meets CISA’s criteria: a CVE identifier, public evidence of active exploitation, and clear mitigation steps. Federal agencies must treat these as high-priority fixes under Binding Operational Directive 22-01, which mandates remediation by a set deadline, and under the newer BOD 26-04 for agencies that adopt risk-based patching. CISA also urges private firms to follow the same fast-track approach.
In short, the six June CVEs span networking gear, cloud-hosted software, AI tooling, and mobile platforms. Because they are known to be exploited in the wild, they force both government and commercial vulnerability managers to push patches now rather than later, reducing the attack surface that threat actors can weaponize.
