fruition.net
The Perimeter · Issue 06-26-2026

Drupal core PHP object injection, Mastra npm scope hijack, and a week of KEV adds

Two themes drive this week. First, the WordPress and Drupal ecosystem absorbed a wave of serious bugs: a critical PHP object injection in Drupal core (SA-CORE-2026-005), an unauthenticated arbitrary file deletion in Avada Builder with one million installs, an unauthenticated auth bypass in UpdraftPlus, and active exploitation of a Gravity SMTP information disclosure. Second, the npm supply chain took another direct hit — a dormant contributor account was used to republish the entire @mastra scope with a malicious easy-day-js dependency that drops a cross-platform crypto stealer. CISA also added a notable batch to KEV, including Splunk Enterprise's unauthenticated file write via a PostgreSQL sidecar, Cisco Catalyst SD-WAN Manager path traversal, and an Oracle PeopleSoft auth-missing takeover. Meanwhile a credential-harvesting operation has compiled working logins for 30,000+ Fortinet devices. If you run WordPress, Drupal, or any JS toolchain that pulled @mastra/* in the last two weeks, recalculate this week's patch and IR priorities now.
Published: Friday, June 26, 2026
Entries: 12
Cadence: Weekly · Sundays
Curator: Brad Anderson
Wire
cisa.gov New addition to the Known Exploited Vulnerabilities catalog ·
github.com GHSA: critical npm package compromise affecting CI pipelines ·
wordfence.com WordPress plugin vulnerability with active exploitation ·
drupal.org Highly critical core security advisory published ·
aws.amazon.com AWS security bulletin: IAM policy evaluation update ·
unit42.paloaltonetworks.com Threat actor expands toolkit targeting public-facing PHP apps ·
krebsonsecurity.com Breach disclosure with named victim and confirmed initial vector ·
snyk.io Composer dependency advisory affecting production framework versions ·
01 · Web Application

frameworks · browsers · authentication flows

no entries this week

02 · Supply Chain

packages · build systems · dependency attacks

snyk.io · this week · ▲ headline

Mastra npm scope hijacked via dormant maintainer account, drops crypto stealer

A dormant contributor account on the @mastra npm scope was used on June 17 to republish packages across the scope, each injecting a single dependency — easy-day-js — that runs a postinstall script fetching a cross-platform crypto stealer. Sonatype tracks it as sonatype-2026-003926. Any workstation, CI runner, or build agent that installed an affected @mastra/* version should be treated as compromised, not just cleaned.

@mastra/* npm packages · easy-day-js
Fruition take

Grep your lockfiles for @mastra/* and easy-day-js across all repos and CI now. If anything installed in the window, rotate developer credentials, npm tokens, and any keys reachable from those hosts — postinstall stealers do not respect your secret-store boundaries.
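The lockfile sweep recommended above, as an added example for this issue rather than tooling from Sonatype or the Mastra project: it parses an npm package-lock.json (v1 through v3), flags anything in the @mastra scope or named easy-day-js, and reports whether the entry declares an install script. Indicator names come from the advisory; the sample lockfile and its version numbers are constructed.

```python
"""Flag the @mastra scope and easy-day-js in an npm package-lock.json.
Added illustration for this issue, not tooling from Sonatype or Mastra. The
indicator names come from the advisory; the sample lockfile and its version
numbers are constructed for the demo.
"""
import fnmatch
import json

# Anything in the hijacked scope, plus the dependency injected into each package.
INDICATOR_PATTERNS = ("@mastra/*", "easy-day-js")


def installed_packages(lock: dict):
    """Yield (name, version, has_install_script) for every lockfile entry."""
    if "packages" in lock:  # lockfile v2/v3
        # Keys are install paths such as "node_modules/@mastra/core";
        # the "" key is the project root itself and carries no version.
        for path, meta in lock["packages"].items():
            if path:
                name = path.rsplit("node_modules/", 1)[-1]
                yield name, meta.get("version", "?"), bool(meta.get("hasInstallScript"))
        return
    stack = [lock.get("dependencies", {})]  # lockfile v1: nested "dependencies"
    while stack:
        for name, meta in stack.pop().items():
            yield name, meta.get("version", "?"), False
            stack.append(meta.get("dependencies", {}))


def find_indicators(lock_text: str):
    """Return sorted, de-duplicated indicator hits from a lockfile's JSON text."""
    hits = {e for e in installed_packages(json.loads(lock_text))
            if any(fnmatch.fnmatchcase(e[0], p) for p in INDICATOR_PATTERNS)}
    return sorted(hits)


# Constructed v3 lockfile: @mastra/core pulled in easy-day-js, which has an install script.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"@mastra/core": "^0.10.0", "express": "^4.19.0"}},
        "node_modules/@mastra/core": {"version": "0.10.3", "dependencies": {"easy-day-js": "^1.0.0"}},
        "node_modules/@mastra/core/node_modules/easy-day-js": {"version": "1.0.2", "hasInstallScript": True},
        "node_modules/express": {"version": "4.19.2"},
    },
})

if __name__ == "__main__":
    for name, version, script in find_indicators(SAMPLE_LOCK):
        print(f"FLAG {name}@{version}" + ("  (runs install script)" if script else ""))
```

Point it at every package-lock.json in your repos and CI caches; a hit with an install script is the signal to start credential rotation for that host, not just a reinstall.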

github.com · 1d · CVSS 7.8

Symfony UX Toolkit ux:install path traversal allows arbitrary file write

CVE-2026-55878: the symfony/ux-toolkit `ux:install` console command copies files from a recipe kit using only `Path::isRelative()` as a guard, which accepts `../` segments. A crafted or compromised kit can write arbitrary files on a developer machine or CI runner, overwriting controllers, git hooks, or `.env` for code execution. Update ux-toolkit.

CVE-2026-55878 · symfony/ux-toolkit
Fruition take

If your Laravel/Symfony developers run ux:install from arbitrary kits, treat that as untrusted code execution until patched. Pin ux-toolkit in composer.lock and review CI jobs that fetch external recipes.
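The guard failure described in the ux:install entry above, as an added example and not symfony/ux-toolkit code: a Python analogue of the `Path::isRelative()` check beside a real containment check for a destination that does not exist yet. The project root and kit paths are constructed.

```python
"""Containment check for files copied out of an untrusted kit.

Added illustration for this issue, not symfony/ux-toolkit code. It shows in
Python why an is-this-path-relative test (the analogue of the
Path::isRelative() guard named above) is not a containment check, and what
a containment check looks like. Kit paths below are constructed.
"""
import posixpath
from typing import Optional


def is_relative(path: str) -> bool:
    """The weak guard: only rejects absolute paths, so '../x' passes."""
    return not posixpath.isabs(path)


def resolve_inside(root: str, relative: str) -> Optional[str]:
    """Return the destination for `relative` under `root`, or None if it escapes.

    The target may not exist yet (it is about to be written), so the path is
    normalized lexically instead of with realpath(). If the kit can also
    create symlinks under root, re-check the parent with realpath() first.
    """
    if posixpath.isabs(relative) or "\x00" in relative:
        return None
    root_n = posixpath.normpath(root)
    dest = posixpath.normpath(posixpath.join(root_n, relative))
    # Strictly below root: "/proj2/x" must not pass for root "/proj".
    if not dest.startswith(root_n.rstrip("/") + "/"):
        return None
    return dest


def plan_kit_copy(root: str, kit_files):
    """Map each kit path to its destination, or None where it must be refused."""
    return {f: resolve_inside(root, f) for f in kit_files}


# Constructed kit manifest: one legitimate template and two entries that
# pass is_relative() yet resolve outside the project.
KIT_FILES = [
    "templates/components/Button.html.twig",
    "../.git/hooks/post-checkout",
    "assets/../../.env",
]

if __name__ == "__main__":
    for path, dest in plan_kit_copy("/home/dev/app", KIT_FILES).items():
        print(f"{path!r}: relative={is_relative(path)} dest={dest}")
```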

03 · Infrastructure

kubernetes · cloud · network · ingress

Vertex AI SDK bucket-squatting allows cross-tenant RCE on model uploads

Unit 42 disclosed a vulnerability in the Google Vertex AI Python SDK where attacker-controlled GCS buckets could intercept model uploads, leading to remote code execution across tenants when models are loaded. The exploitation pattern is classic dependency/bucket squatting applied to ML pipelines. Update the SDK.

Google Vertex AI Python SDK
Fruition take

If any client pipeline pushes models via the Vertex AI Python SDK, pin the patched version and verify the staging bucket names are owned, not name-squat targets. Same review applies to S3-backed ML staging patterns.

04 · PHP & CMS

wordpress · drupal · plugins · php frameworks

▲ headline

Drupal core critical: PHP object injection via JSON:API write path

SA-CORE-2026-005 (CVE-2026-55803) extends an earlier 2019 fix that wasn't complete for JSON:API. An attacker with JSON:API write permission on an entity reference field storing a serialized property can inject a malicious payload, enabling PHP object injection. Fixed in Drupal 11.3.12, 11.2.14, 10.6.11, and 10.5.x updates. Drupal also patched an oEmbed SSRF (SA-CORE-2026-008), image-field MIME validation (SA-CORE-2026-009), a rebuild.php host header cache poisoning, and a gadget chain.

CVE-2026-55803 · CVE-2026-55804 · CVE-2026-55806 · +2 more · Drupal core 10.5/10.6 · Drupal core 11.2/11.3 · JSON:API module · Media oEmbed
Fruition take

Patch Drupal core this week — these are stacked advisories and the gadget chain plus PHP object injection combination is exactly what gets chained post-disclosure. Audit any custom modules that store serialized data on entity reference fields.

Avada Builder: unauthenticated arbitrary file deletion across 1M installs

Wordfence disclosed a critical unauthenticated arbitrary file deletion in the Avada Builder premium WordPress plugin (~1M installs). Exploitation requires a published Avada form that saves entries to the database, but where present, attackers can delete server files including wp-config.php, leading to remote code execution. Update immediately.

Avada Builder WordPress plugin
Fruition take

If you manage WordPress sites running Avada, push the patch this week — wp-config.php deletion to RCE is well-trodden territory and the trigger is a published form, which most Avada sites have. Check form configurations for DB-saved entries while you're in there.

Gravity SMTP information exposure under active exploitation

Wordfence reports active exploitation of a sensitive information exposure flaw in Gravity SMTP (~100K installs) disclosed March 30. Unauthenticated attackers retrieve plugin configuration plus API keys, secrets, and OAuth tokens used for the plugin's email integrations — material useful for follow-on takeover of connected provider accounts.

Gravity SMTP WordPress plugin
Fruition take

If Gravity SMTP is on any site you operate, patch and immediately rotate any provider credentials it held — SendGrid, Mailgun, SES, OAuth tokens. Treat those credentials as already exfiltrated.

wordfence.com · this week

ShapedPlugin supply chain compromise: backdoored Pro plugins via official channels

Wordfence was notified June 11 of a supply chain compromise affecting ShapedPlugin, a WordPress plugin vendor whose free plugins have 400,000+ active installations. Backdoored Pro plugin builds were distributed through official channels. Wordfence already had signatures for the backdoor used.

ShapedPlugin Pro WordPress plugins
Fruition take

If you license any ShapedPlugin Pro products, verify the build hash of installed versions and re-download from current official packages. Treat any site that installed a Pro update during the window as needing IR.

UpdraftPlus: unauthenticated auth bypass on UpdraftCentral-linked sites

Wordfence patched a critical unauthenticated authentication bypass in UpdraftPlus (3M+ installs). Exploitation is limited to sites previously connected to UpdraftCentral, the plugin's remote management dashboard, but on those sites it enables full account takeover. Update to the patched release.

UpdraftPlus · UpdraftCentral
Fruition take

Inventory which managed sites have ever connected to UpdraftCentral — that's your real exposure list. Patch those first, then verify no rogue administrator accounts were created.

05 · Identity & Auth

oauth · saml · iam · session attacks

no entries this week

06 · Threat Intel

active exploitation · breaches · ransomware

International operation disrupts SocGholish botnet tied to Evil Corp

An international law enforcement operation disrupted infrastructure behind SocGholish, the fake-browser-update malware delivery framework long attributed to Russia-based Evil Corp. SocGholish is a major initial access vector for ransomware affiliates via compromised WordPress and CMS sites that inject the fake-update lure.

SocGholish · Evil Corp
Fruition take

Disruption doesn't mean dead. Re-audit your WordPress and Drupal estate for injected JavaScript loaders and fake-update redirects, and confirm your CSP and SRI policies block third-party script execution from unexpected domains.

CISA KEV: Splunk Enterprise unauthenticated file write via PostgreSQL sidecar

CISA added CVE-2026-20253 to KEV: Splunk Enterprise has a missing-authentication vulnerability in a PostgreSQL sidecar service endpoint that lets unauthenticated users create or truncate arbitrary files. BOD 26-04 requires federal remediation, and exploitation is observed. Apply Splunk's patches.

CVE-2026-20253 · Splunk Enterprise
Fruition take

If Splunk Enterprise is exposed beyond your internal network, fix or block this week. Arbitrary file truncation against a SIEM has obvious anti-forensic value to attackers already inside.

Credential harvesting campaign compiles 30K+ working Fortinet device logins

Researchers report an active campaign targeting Fortinet devices across nearly 200 countries that has already accumulated tens of thousands of confirmed working credential pairs. The collection now functions as an initial-access broker inventory against firewalls and VPN appliances across multiple sectors.

Fortinet FortiGate · Fortinet SSL VPN
Fruition take

Inventory every Fortinet appliance with an externally reachable management or VPN interface. Force credential rotation, enable MFA on every admin and VPN account, and check logs for anomalous geo/ASN logins over the past 30 days.

nvd.nist.gov · this week · KEV

CISA KEV: Cisco Catalyst SD-WAN Manager path traversal

CISA added CVE-2026-20262 — an authenticated path traversal in Cisco Catalyst SD-WAN Manager that lets a remote attacker create or overwrite any file on the filesystem. A related authenticated RCE in the same product (CVE-2026-20245) was also added to KEV this week. Patch per Cisco guidance.

CVE-2026-20262 · CVE-2026-20245 · Cisco Catalyst SD-WAN Manager
Fruition take

Cisco SD-WAN Manager is rarely something a web team touches, but if your hosting or carrier partners run it on your behalf, ask them what their patch status is — KEV deadlines apply.