Security Advisory - Published 2026-06-18 - Application Platforms

June 18 platform CVEs: check exposed apps, workers, and admin extensions

This batch groups application platforms that do not fit one product family: JimuReport, Python StateMachine, Rocket.Chat, TypeBot, Network-AI, Android, and Splunk AI Toolkit. The task is the same for each: confirm version state, limit exposure, preserve logs, and rotate secrets if suspicious behavior appears.

Defensive scope: this page is for owned systems and approved repair. The checks stay at inventory, patch state, exposure, logs, secrets, and recovery actions.

Affected platforms

CVE             | Product              | Fixed or affected marker | Review   | CVSS
----------------|----------------------|--------------------------|----------|-----
CVE-2026-28587  | Android              |                          | Android  | 10.0
CVE-2026-47103  | Python StateMachine  | 3.2.0                    | SCXML    | 9.8
CVE-2026-48616  | Rocket.Chat          |                          | Livechat | 9.3
CVE-2026-48768  | TypeBot              | 3.17.0                   | Upload   | 9.3
CVE-2026-36418  | JimuReport           | <= 2.3.4                 | Report   | 9.1
CVE-2026-48814  | Network-AI           | 5.7.2                    |          | 9.1
CVE-2026-20266  | Splunk AI Toolkit    | 5.7.4                    | Splunk   | 9.1

Owner self-check

  • For JimuReport: patch installations at version 2.3.4 or below, restrict report execution APIs, and review report templates.
  • For Python StateMachine: upgrade to 3.2.0 or newer and review services that import untrusted SCXML.
  • For Rocket.Chat: patch the fixed branch and review Livechat protected file downloads.
  • For TypeBot: upgrade to 3.17.0 or newer and review object storage uploads and generated upload URLs.
  • For Network-AI: upgrade to 5.7.2 or newer and review MCP SSE exposure and tool invocation logs.
  • For Android fleets: apply the relevant Android security bulletin update on managed devices.
  • For Splunk AI Toolkit: upgrade to 5.7.4 or newer and review admin activity plus host process logs.
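The first self-check step on every line above is "confirm version state". The script below is an added example (not part of this advisory and not vendor tooling) that compares a constructed deployment inventory against the fixed and affected markers from the table. It treats the two marker kinds differently: a fixed release means anything at or above it is patched, while JimuReport's "<= 2.3.4" only says what is affected, so versions above it are flagged for verification rather than declared safe. Rocket.Chat and Android carry no version marker on this page and are reported as unknown. The inventory, hostnames and the `assess`/`triage` helpers are assumptions for the example.

```python
"""Version-state check against the markers in this advisory (added example)."""
from __future__ import annotations

import re

# Markers copied from the advisory table. "fixed": versions >= marker are patched.
# "affected_upto": versions <= marker are affected; the page states no fixed release.
ADVISORY = {
    "Python StateMachine": ("fixed", "3.2.0"),
    "TypeBot": ("fixed", "3.17.0"),
    "Network-AI": ("fixed", "5.7.2"),
    "Splunk AI Toolkit": ("fixed", "5.7.4"),
    "JimuReport": ("affected_upto", "2.3.4"),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '3.17.0', 'v5.7.2' or '3.17.0-rc1' into a comparable tuple of ints.

    Pre-release suffixes are dropped, so '3.17.0-rc1' compares as 3.17.0; treat a
    release candidate as patched only after checking the vendor's own notes.
    Short versions are padded so that '5.7' == 5.7.0.
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    while len(parts) < 3:
        parts += (0,)
    return parts


def assess(product: str, version: str) -> str:
    """Classify one deployment as 'patched', 'vulnerable', 'verify' or 'unknown'."""
    if product not in ADVISORY:
        return "unknown"  # no version marker for this product on the page
    kind, marker = ADVISORY[product]
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"
    m = parse_version(marker)
    if kind == "fixed":
        return "patched" if v >= m else "vulnerable"
    # affected_upto: at or below the marker is affected; above it we cannot claim
    # "patched" because the page names no fixed release, so ask the vendor.
    return "vulnerable" if v <= m else "verify"


def triage(inventory: list[dict]) -> list[tuple[str, str, str, str]]:
    """Return (host, product, version, status), vulnerable and internet-facing first.

    The ordering follows the advisory's fix path: public apps before internal tools.
    """
    rows = [(e["host"], e["product"], e["version"], assess(e["product"], e["version"]))
            for e in inventory]
    rows.sort(key=lambda r: (r[3] != "vulnerable",
                             not next(e["internet_facing"] for e in inventory if e["host"] == r[0]),
                             r[0]))
    return rows


# Constructed inventory (hostnames and versions are made up for the example).
INVENTORY = [
    {"host": "app-01", "product": "TypeBot", "version": "3.16.2", "internet_facing": True},
    {"host": "app-02", "product": "Python StateMachine", "version": "3.2.0", "internet_facing": False},
    {"host": "app-03", "product": "JimuReport", "version": "2.3.4", "internet_facing": True},
    {"host": "app-04", "product": "JimuReport", "version": "2.4.0", "internet_facing": False},
    {"host": "app-05", "product": "Network-AI", "version": "v5.7.2", "internet_facing": False},
    {"host": "app-06", "product": "Splunk AI Toolkit", "version": "5.7", "internet_facing": True},
    {"host": "app-07", "product": "Rocket.Chat", "version": "7.0.0", "internet_facing": True},
]

if __name__ == "__main__":
    for host, product, version, status in triage(INVENTORY):
        print(f"{status:<10} {host:<8} {product:<20} {version}")
```

Feed it your real inventory export in place of `INVENTORY`; the rows that come out first are the ones the fix path says to patch first.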

Safe fix path

  1. Patch internet-facing apps first, then internal admin tools with stored credentials.
  2. Move admin endpoints behind SSO, VPN, IP allow-listing, or a private network path.
  3. Preserve application, reverse proxy, worker, storage, and host process logs.
  4. Rotate tokens, upload credentials, API keys, and admin passwords if logs show suspicious use.
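Step 3 asks for logs to be preserved before repair changes the hosts. The script below is an added example, not part of the advisory: it copies a list of log files into a read-only evidence directory, writes a `manifest.json` with size and SHA-256 per file, records sources that were missing instead of aborting, and can later re-verify the copies against the manifest. The sample log lines and the path `storage/audit.log` (deliberately absent) are constructed for the example; the `preserve_logs`, `verify_manifest` and `run_demo` names are assumptions.

```python
"""Evidence-preserving log copy with a SHA-256 manifest (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path

# Constructed sample log lines (not real traffic) used by build_sample_logs().
SAMPLE_LOGS = {
    "proxy/access.log": (
        '203.0.113.7 - - [18/Jun/2026:09:14:02 +0000] "POST /api/upload HTTP/1.1" 200 512\n'
        '203.0.113.7 - - [18/Jun/2026:09:14:05 +0000] "GET /admin/ext HTTP/1.1" 401 0\n'
    ),
    "worker/worker.log": "2026-06-18T09:14:07Z worker-3 job=render-report template=q2 status=ok\n",
}


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large logs never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_sample_logs(root: Path) -> list[str]:
    """Write the constructed logs under root; return the source list plus one
    path that deliberately does not exist (a log a host never produced)."""
    for rel, text in SAMPLE_LOGS.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
    return [str(root / rel) for rel in SAMPLE_LOGS] + [str(root / "storage/audit.log")]


def preserve_logs(sources, evidence_dir: Path) -> dict:
    """Copy each source into evidence_dir (mirroring its absolute path), make the
    copy read-only, and return the manifest that is also written as manifest.json.
    Missing sources are listed, not fatal, so one absent log does not stop collection."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "files": [],
        "missing": [],
    }
    for src in map(Path, sources):
        if not src.is_file():
            manifest["missing"].append(str(src))
            continue
        resolved = src.resolve()
        dest = evidence_dir.joinpath(*resolved.parts[1:])  # parts[0] is "/" or the drive
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(resolved, dest)   # copy2 keeps the original mtime
        os.chmod(dest, 0o440)          # analysts read the copy; the original stays untouched
        manifest["files"].append({
            "source": str(resolved),
            "copy": str(dest),
            "bytes": dest.stat().st_size,
            "sha256": sha256_file(dest),
        })
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(evidence_dir: Path) -> list[str]:
    """Return the copies whose current SHA-256 no longer matches the manifest."""
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return [e["copy"] for e in manifest["files"]
            if sha256_file(Path(e["copy"])) != e["sha256"]]


def run_demo() -> dict:
    """Preserve the sample logs in a temp dir, then show the manifest catching
    a copy that was modified afterwards."""
    work = Path(tempfile.mkdtemp())
    manifest = preserve_logs(build_sample_logs(work / "logs"), work / "evidence")
    clean = verify_manifest(work / "evidence")
    first_copy = Path(manifest["files"][0]["copy"])
    os.chmod(first_copy, 0o640)                      # undo read-only to simulate tampering
    with first_copy.open("a") as f:
        f.write("tampered\n")
    return {"manifest": manifest, "clean": clean,
            "after_tamper": verify_manifest(work / "evidence")}


if __name__ == "__main__":
    r = run_demo()
    print(f"copied {len(r['manifest']['files'])}, missing {len(r['manifest']['missing'])}, "
          f"tampered copies: {r['after_tamper']}")
```

Keep `manifest.json` (or its hash) somewhere the affected host cannot write, such as a ticket or a separate evidence store; the manifest only proves integrity if an intruder on the host cannot rewrite it along with the copies.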

Repair help

Use Ping7 CVE Repair when a public app handled uploads, AI tools, chat files, admin extensions, or automation workers during the exposure window. Send the product, version, hosting model, and first suspicious timestamp.
