Security Advisory - Published 2026-06-18 - Application Platforms
June 18 platform CVEs: check exposed apps, workers, and admin extensions
This batch groups application platforms that do not fit one product family: JimuReport, Python StateMachine, Rocket.Chat, TypeBot, Network-AI, Android, and Splunk AI Toolkit. The owner task is the same for each: confirm the installed version against the fixed or affected marker, limit exposure, preserve logs, and rotate secrets if suspicious behavior appears.
Affected platforms
| CVE | Product | Fixed or affected marker | Review | CVSS |
|---|---|---|---|---|
| CVE-2026-28587 | Android | | Android | 10.0 |
| CVE-2026-47103 | Python StateMachine | 3.2.0 | SCXML | 9.8 |
| CVE-2026-48616 | Rocket.Chat | | Livechat | 9.3 |
| CVE-2026-48768 | TypeBot | 3.17.0 | Upload | 9.3 |
| CVE-2026-36418 | JimuReport | <= 2.3.4 | Report | 9.1 |
| CVE-2026-48814 | Network-AI | 5.7.2 | | 9.1 |
| CVE-2026-20266 | Splunk AI Toolkit | 5.7.4 | Splunk | 9.1 |
Owner self-check
- For JimuReport: upgrade installations at 2.3.4 and below, restrict report execution APIs, and review report templates.
- For Python StateMachine: upgrade to 3.2.0 or newer and review services that import untrusted SCXML.
- For Rocket.Chat: upgrade to the patched release for your branch and review Livechat protected file downloads.
- For TypeBot: upgrade to 3.17.0 or newer and review object storage uploads and generated upload URLs.
- For Network-AI: upgrade to 5.7.2 or newer and review MCP SSE exposure and tool invocation logs.
- For Android fleets: apply the relevant Android security bulletin update on managed devices.
- For Splunk AI Toolkit: upgrade to 5.7.4 or newer and review admin activity plus host process logs.
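The first step in every item above is the same version-state check, and the table makes it slightly awkward: JimuReport's marker is an upper bound on affected versions ("<= 2.3.4") while the other markers are the fixed release, and two rows give no version at all. The script below is an added example, not tooling from the advisory or from any of the vendors; it takes the markers as printed, compares them against an inventory of installed versions you supply, and reports "unknown" rather than guessing where the table gives no marker. The inventory rows are constructed sample input.

```python
import re

# Rows constructed from the advisory table above, markers copied as printed.
# A marker of the form "<= X" means versions at or below X are affected;
# a bare version is the fixed release, so anything below it is affected.
# None means the table gives no version marker for that row.
ADVISORY_ROWS = {
    "JimuReport": ("CVE-2026-36418", "<= 2.3.4"),
    "Python StateMachine": ("CVE-2026-47103", "3.2.0"),
    "TypeBot": ("CVE-2026-48768", "3.17.0"),
    "Network-AI": ("CVE-2026-48814", "5.7.2"),
    "Splunk AI Toolkit": ("CVE-2026-20266", "5.7.4"),
    "Rocket.Chat": ("CVE-2026-48616", None),
    "Android": ("CVE-2026-28587", None),
}

_MARKER_RE = re.compile(r"^\s*(<=)?\s*v?(\d+(?:\.\d+)*)\s*$")


def parse_version(text: str) -> tuple:
    """Turn '3.17.0' or 'v5.7.4' into a comparable tuple of ints.

    Pre-release suffixes (rc1, beta) are deliberately rejected: they need a
    vendor-specific ordering, so the caller should resolve them by hand."""
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def _cmp(a: tuple, b: tuple) -> int:
    """Compare two version tuples, padding with zeros so 3.2 == 3.2.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def version_state(product: str, installed: str) -> dict:
    """Classify one installation as 'affected', 'fixed', or 'unknown'.

    'fixed' means the installed version is at or above the fixed release (or
    above the affected bound); it does not prove a vendor patch was applied to
    a fork or backport, so treat it as a hint, not a closure."""
    if product not in ADVISORY_ROWS:
        return {"cve": None, "state": "unknown",
                "reason": "product is not in this batch"}
    cve, marker = ADVISORY_ROWS[product]
    if marker is None:
        return {"cve": cve, "state": "unknown",
                "reason": "advisory gives no version marker; use the vendor bulletin"}
    m = _MARKER_RE.match(marker)
    at_or_below_is_affected = m.group(1) == "<="
    boundary = parse_version(m.group(2))
    c = _cmp(parse_version(installed), boundary)
    if at_or_below_is_affected:
        affected = c <= 0
    else:
        affected = c < 0
    return {"cve": cve, "state": "affected" if affected else "fixed",
            "reason": f"installed {installed} vs marker {marker!r}"}


def triage(inventory: list) -> list:
    """Run version_state over (product, installed) pairs, affected rows first,
    then unknown, then fixed, so the patch queue reads top-down."""
    order = {"affected": 0, "unknown": 1, "fixed": 2}
    results = []
    for product, installed in inventory:
        r = version_state(product, installed)
        r["product"], r["installed"] = product, installed
        results.append(r)
    return sorted(results, key=lambda r: order[r["state"]])


if __name__ == "__main__":
    # Constructed sample inventory; replace with output from your CMDB or package queries.
    sample = [
        ("JimuReport", "2.3.4"),
        ("Python StateMachine", "3.2"),
        ("TypeBot", "3.16.2"),
        ("Rocket.Chat", "7.1.0"),
        ("Splunk AI Toolkit", "5.7.4"),
    ]
    for row in triage(sample):
        print(f"{row['state']:8} {row['product']:22} {row['installed']:8} {row['cve']}  {row['reason']}")
```

Feed it the product name exactly as it appears in the table; an unknown name is reported as "unknown" rather than silently skipped, so a typo in the inventory shows up in the output instead of hiding an affected host.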
Safe fix path
- Patch internet-facing apps first, then internal admin tools with stored credentials.
- Move admin endpoints behind SSO, VPN, IP allow-listing, or a private network path.
- Preserve application, reverse proxy, worker, storage, and host process logs.
- Rotate tokens, upload credentials, API keys, and admin passwords if logs show suspicious use.
Repair help
Use Ping7 CVE Repair when a public app handled uploads, AI tools, chat files, admin extensions, or automation workers during the exposure window. Send the product, version, hosting model, and first suspicious timestamp.