CISA Adds BerriAI LiteLLM and Check Point Security Gateway Vulnerabilities to KEV Catalog After Active Exploitation


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after confirming that they have been actively exploited in attacks. The vulnerabilities are CVE-2026-42271 in BerriAI LiteLLM, a Command Injection flaw with a CVSS score of 8.7, and CVE-2026-50751 in Check Point Security Gateway, a Critical Improper Authentication vulnerability with a CVSS score of 9.3. Inclusion in the KEV Catalog means exploitation has been confirmed in the wild, so organizations should promptly review any affected systems.

CVE-2026-42271 in LiteLLM is a vulnerability that could lead to privilege escalation and command execution. It affects versions 1.74.2 through 1.83.6. The issue stems from two MCP Server testing endpoints that allow authenticated users to define their own server configuration, including commands and environment variables. The system then executes those commands as subprocesses on the host machine without properly enforcing Role-Based Access Control. As a result, even low-privileged users with a valid API key could potentially execute commands on the server. The vulnerability has been fixed in LiteLLM version 1.83.7.
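As an added example (not code from the article or from the LiteLLM project), the following Python helper turns the affected range stated above (1.74.2 through 1.83.6, fixed in 1.83.7) into a repeatable check that a defender can run against a fleet inventory or against the locally installed package. The `HOST_INVENTORY` mapping is constructed sample data; the `importlib.metadata` lookup is the standard-library way to read an installed package's version and works only where `litellm` is installed.

```python
from importlib.metadata import PackageNotFoundError, version

# Range and fix version as stated in the advisory summary for CVE-2026-42271.
AFFECTED_MIN = "1.74.2"
AFFECTED_MAX = "1.83.6"
FIXED_VERSION = "1.83.7"

# Constructed sample inventory (hostname -> reported LiteLLM version).
HOST_INVENTORY = {
    "llm-proxy-01": "1.83.6",          # last affected release
    "llm-proxy-02": "v1.80.0-stable",  # tagged build string, inside range
    "llm-proxy-03": "1.83.7",          # first fixed release
    "llm-proxy-04": "1.74.1",          # predates the affected range
    "llm-proxy-05": "unknown",         # unparseable; must not be treated as safe
}


def parse_version(v: str) -> tuple[int, ...]:
    """Parse a dotted numeric version into a comparable tuple.

    A leading 'v' and any non-numeric suffix on a component ('6-stable',
    '6rc1') are dropped; missing components compare as zero, so
    '1.83' == '1.83.0'. Raises ValueError when no leading number exists.
    """
    parts: list[int] = []
    for piece in v.strip().lstrip("v").split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(installed: str) -> bool:
    """True when the version falls inside the affected range (inclusive)."""
    v = parse_version(installed)
    return parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)


def assess_inventory(inventory: dict[str, str]) -> dict[str, str]:
    """Classify each host as 'affected', 'not affected' or 'unknown'.

    An unparseable version is reported as 'unknown' rather than silently
    treated as patched, so it still shows up for manual follow-up.
    """
    result = {}
    for host, ver in inventory.items():
        try:
            result[host] = "affected" if is_affected(ver) else "not affected"
        except ValueError:
            result[host] = "unknown"
    return result


def check_local_install() -> str:
    """Report the locally installed litellm package, if any."""
    try:
        installed = version("litellm")
    except PackageNotFoundError:
        return "litellm not installed"
    status = "affected" if is_affected(installed) else "not affected"
    return f"litellm {installed}: {status} (fix: {FIXED_VERSION})"


if __name__ == "__main__":
    for host, status in assess_inventory(HOST_INVENTORY).items():
        print(f"{host:14} {HOST_INVENTORY[host]:16} {status}")
    print(check_local_install())
```

Hosts reported as `affected` should be upgraded to 1.83.7 or later; hosts reported as `unknown` need their version confirmed by hand, because an inventory that cannot be parsed is not evidence of being patched.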

CVE-2026-50751 in Check Point Security Gateway is an authentication bypass vulnerability affecting Check Point VPN, Mobile Access, and Spark Firewalls. The issue is related to the use of the IKEv1 key exchange protocol, an outdated protocol that is no longer recommended for use. The vulnerability could allow unauthenticated attackers to establish Remote VPN connections without valid credentials. Check Point stated that exploitation of this vulnerability has been observed since May 2026 and increased in early June, affecting dozens of targeted organizations. U.S. federal agencies are required to remediate the Check Point Security Gateway vulnerability by June 11, 2026, and the BerriAI LiteLLM vulnerability by June 22, 2026.

Source: https://securityaffairs.com/193343/security/u-s-cisa-adds-berriai-litellm-and-check-point-security-gateway-flaws-to-its-known-exploited-vulnerabilities-catalog.html