[Verse 1]
June twenty-eight, twenty-twenty-six, four CVEs you need to memorize quick
BerriAI litellm, up through version one-fifty-nine-point-eight
The UserAPIKeyAuth function left the back door wide — rated seven-point-three on the scale
The MCP server auth path, experimental and frail
Someone slips past the key check, proxy access on a silver plate

[Chorus]
Patch the weakness before the breach drops in
CVE numbers tell you where the cracks begin
CVSS score climbing, severity real
Four vulnerabilities, four systems to heal
IBM and ImageMagick, litellm too
The scoreboard is updated — what are you gonna do?

[Verse 2]
ImageMagick reading PSB format, PSD version two
Integer overflow in the RLE decode — the heap reads memory it was never meant to view
coders slash psd dot c, the function ReadPSDChannelRLE
Versions before seven-one-two-fifteen, six-nine-thirteen-forty — you're in the danger zone today
Score three-point-seven, lower threat but the read goes out of bounds anyway

[Chorus]
Patch the weakness before the breach drops in
CVE numbers tell you where the cracks begin
CVSS score climbing, severity real
Four vulnerabilities, four systems to heal
IBM and WebSphere watching its own blind side
Smuggled HTTP requests sliding inside

[Bridge]
CVE-2026-8646, WebSphere nine-point-oh and eight-point-five
Liberty seventeen through twenty-six — the smuggler's craft is alive
A remote actor shapes the packet headers with surgical precision
Forces the server into a forked decision — seven-point-four collision
Then CVE-2026-9006, same WebSphere version stack
Ajax Proxy misconfigured, SSRF waiting at the back
The attacker uses your own server as the messenger pigeon
Sends unauthorized calls outbound — your system their religion
Seven-point-four again, the score identical, the method distinct

[Verse 3]
Four CVEs delivered, the pattern is linked
External trust too easy, internal filters unsynchronized
Proxies need authentication, boundaries supervised
litellm gets a gate, ImageMagick gets a bounds-check installed
WebSphere needs the HTTP parsing wall, SSRF proxy gets recalled

[Chorus]
Patch the weakness before the breach drops in
CVE numbers tell you where the cracks begin
CVSS score climbing, severity real
Four vulnerabilities, four systems to heal
IBM and ImageMagick, litellm too
The scoreboard is updated — the patch queue is due

[Outro]
Twenty-twenty-six-twelve-seven-seven-three — litellm, authenticate
Twenty-twenty-six-fifty-six-three-six-seven — ImageMagick, calculate
Twenty-twenty-six-eight-six-four-six — WebSphere, don't smuggle through
Twenty-twenty-six-nine-zero-zero-six — SSRF, restrict your view
The NVD logged it, the score is assigned
Check your versions, check your configs — stay aligned