
Medium Severity Threats

Comprehensive database of the latest cyber threats affecting organizations worldwide. Filter and search to find specific threat intelligence relevant to your organization.


Filtered Threats


CVE-2026-10023: CWE-639 Authorization Bypass Through User-Controlled Key in dokaninc Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy

Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress versions up to 5.0.3 contains an authorization bypass vulnerability due to missing ownership validation on user-controlled order ID keys in multiple AJAX handlers. Authenticated users with vendor-level access can manipulate arbitrary orders by changing order status, adding or deleting order notes, injecting shipping tracking info, and modifying download permissions. Nonce validation does not prevent exploitation because attackers can reuse valid nonces generated from their own orders against others. This vulnerability is classified as CWE-639 and has a CVSS score of 4.3 (medium severity).

ISC Stormcast For Thursday, June 18th, 2026 https://isc.sans.edu/podcastdetail/9978, (Thu, Jun 18th)

The ISC Stormcast for June 18th, 2026, is a general threat intelligence update published by the SANS Internet Storm Center. No specific vulnerability details, technical descriptions, or exploitation information are provided in the source content.

Tags: Medium, Vulnerability
The Behavior of Coordinated SSH Brute Force Attacks over the last three months [Guest Diary], (Wed, Jun 17th)

Over a nearly 100-day period in early 2026, a SANS Internet Storm Center honeypot recorded over 20 million SSH brute force attempts. Analysis revealed coordinated global botnet activity with scanning patterns linked to geopolitical events and cybersecurity advisories. The attacks showed signs of automation, quota assignment, and use of a common attack toolkit identified by unique HASSH fingerprints. The majority of attempts targeted the 'root' user, highlighting common weak points. While no specific software vulnerability is identified, the persistent and adaptive nature of these brute force campaigns underscores the importance of SSH security best practices such as disabling root login, enforcing multi-factor authentication, and using protected private keys.

Tags: Medium, Vulnerability, #rce
Leak confirms OpenAI is testing a ChatGPT for Science subscription

OpenAI is reportedly testing a new subscription service called ChatGPT for Science, aimed at scientific research use cases. This subscription appears to be designed for verified scientific institutions and universities, potentially offering specialized capabilities grounded in scientific discoveries. There is no indication of a security vulnerability or exploit associated with this testing. The service is currently in active testing with no confirmed release date.

Tags: Medium, Vulnerability
ThreatFox IOCs for 2026-06-17

CVE-2026-50267: CWE-312: Cleartext Storage of Sensitive Information in SteeltoeOSS Steeltoe.Configuration.Abstractions

Steeltoe.Configuration.Abstractions versions 4.0.0 through 4.1.0 improperly store TLS client credentials from MySQL or PostgreSQL service bindings in temporary files with world-readable permissions on Linux systems. These temporary files are not deleted, exposing sensitive information. Version 4.2.0 addresses this issue by patching the insecure file handling. Until upgraded, restricting access to the container's /tmp directory by other users is recommended.

CVE-2026-50202: CWE-668: Exposure of Resource to Wrong Sphere in SteeltoeOSS Steeltoe.Security.Authentication.CloudFoundryBase

Steeltoe.Security.Authentication.CloudFoundryBase and related Steeltoe authentication libraries prior to specified versions have a vulnerability where the JWT signing key cache uses the 'kid' value as the sole cache key without differentiating by authority. This can cause tokens from one identity provider to be validated by keys from another in multi-scheme deployments. Additionally, cached keys do not expire, so revoked or rotated keys remain trusted until the application restarts. Fixed versions are available that address this issue.

CVE-2026-50201: CWE-269: Improper Privilege Management in SteeltoeOSS Steeltoe.Management.Endpoint

CVE-2026-50201 is a privilege management vulnerability in Steeltoe.Management.Endpoint and Steeltoe.Management.EndpointCore prior to versions 4.2.0 and 3.4.0 respectively. Sensitive actuator endpoints such as heap dump, environment, and thread dump are incorrectly assigned a lower permission level that maps to Cloud Foundry's read_basic_data permission, rather than the more restrictive read_sensitive_data permission. This misconfiguration allows users with lower-trust roles to access sensitive data that should be protected. The issue is patched in Steeltoe.Management.Endpoint 4.2.0 and Steeltoe.Management.EndpointCore 3.4.0. Until upgrading, users can mitigate by explicitly setting the required permissions to EndpointPermissions.Full for sensitive endpoints or by limiting actuator registration to only necessary endpoints.

CVE-2026-44646: CWE-693: Protection Mechanism Failure in harttle liquidjs

LiquidJS, a JavaScript template engine, has a vulnerability in versions 10.25.7 and below where the Context.spawn() method used by the {% render %} tag does not correctly propagate the parent context's ownPropertyOnly setting. This causes a silent bypass allowing prototype-chain properties to leak when rendering untrusted templates, even if ownPropertyOnly is set to true at render time. The issue is fixed in version 10.26.0.

CVE-2026-44645: CWE-400: Uncontrolled Resource Consumption in harttle liquidjs

LiquidJS versions 10.25.7 and below contain a vulnerability where the renderLimit option intended to limit rendering time can be bypassed by using an empty {% for %} or {% tablerow %} loop body. This allows an attacker to cause uncontrolled resource consumption by iterating large collections without triggering the time limit, potentially stalling the Node.js event loop and impacting availability. The issue has been fixed in version 10.26.0.


Showing 1 to 10 of 40883 results
