WEEKLY TOP TEN: June 8, 2026, 16:00 GMT
- DentaQuest Vault Leak Hits 2.6 Million Accounts
The personal information of roughly 2.6 million accounts was included in data allegedly stolen and leaked from dental benefits administrator DentaQuest. The ShinyHunters extortion group published over 230 gigabytes of data after listing DentaQuest on its leak site and claiming negotiations failed. DentaQuest, a Sun Life subsidiary serving an estimated 35 million customers across all 50 states, confirmed the breach involved unauthorized access to a limited portion of its network. Have I Been Pwned analyzed the dataset and found exposed email addresses and full names. Security teams should watch for phishing and credential-stuffing risks tied to the exposed records.
- HTTP/2 Bomb Crashes Web Servers In Seconds
The default HTTP/2 configuration of major web servers is vulnerable to an attack chain combining a compression bomb and a Slowloris-style hold, affecting NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. The security firm Calif says the attack potentially affects over 880,000 websites running default configurations, and a home computer on a 100Mbps connection can render a vulnerable server inaccessible within seconds, holding 32GB of memory against Apache and Envoy in about 20 seconds. NGINX resolved the issue, and Apache issued CVE-2026-49975, while administrators unable to patch should disable HTTP/2 or enforce hard header limits.
- Everest Forms Pro Flaw Enables WordPress Takeover
Hackers are actively exploiting CVE-2026-3300 in the Everest Forms Pro plugin to take complete control of a WordPress website. The remote code execution bug carries a CVSS score of 9.8 and impacts all versions up to and including 1.9.12 of the commercial WPEverest form builder, which has about 4,000 installations. The flaw lives in the Complex Calculation feature, which passes form input into PHP’s eval() without proper escaping. A patch arrived in version 1.9.13, but exploitation began on April 13, with the firewall blocking over 29,300 attempts and attackers creating rogue administrator accounts.
- Cisco Catalyst SD-WAN Manager Zero-Day Grants Root
Cisco warned of a high-severity, unpatched zero-day in Cisco Catalyst SD-WAN Manager, tracked as CVE-2026-20245, that is actively exploited for root privilege escalation. The flaw lets an authenticated, local attacker execute arbitrary commands as root by supplying a crafted file, and Cisco observed limited cases where exploitation pushed configuration changes to edge devices. It affects all deployment types, including on-prem, Cloud-Pro, Cisco-managed cloud, and FedRAMP environments. No patch exists yet; customers are advised to apply the fixes released for CVE-2026-20182. This marks Cisco’s seventh SD-WAN zero-day of the year, raising the urgency for organizations running the platform.
- Google Patches Exploited Android Framework Zero-Day
Google released the June 2026 Android security patches addressing 124 vulnerabilities, including one zero-day exploited in targeted attacks. Local attackers can exploit the high-severity Android Framework vulnerability, tracked as CVE-2025-48595, to gain code execution and escalate privileges on devices running Android 14 or later. CISA added CVE-2025-48595 to its Known Exploited Vulnerabilities catalog with a remediation due date of June 5 for federal civilian agencies. The flaw requires no user interaction beyond running a malicious application, a pattern often tied to commercial spyware. Enterprises should push the update through device-management platforms and tighten app provenance controls.
- World Food Programme Breach Exposes Gaza Households
The World Food Programme said one of its systems was breached, and around 600,000 Gazan households receiving aid had their details improperly accessed. The incident involved the self-registration application Gazans use to register for assistance, with names, ID numbers, phone numbers, and location information among the data accessed. The agency temporarily suspended the registration platform to urgently apply security improvements. WFP detected the attack on May 14 and confirmed the scale at roughly 600,000 households, in what may be the largest known breach of humanitarian beneficiary data. Aid recipients were warned to watch for phishing.
- FIFA World Cup Fraud Targets Fans And Firms
Researchers and the FBI warn that a wave of FIFA-themed fraud is hitting World Cup 2026 fans, including thousands of lookalike FIFA domains, banking malware hidden in pirate streaming apps, and an operation that copies FIFA’s login page to take over accounts. Group-IB tracked more than 4,300 fraudulent FIFA domains registered since August 2025, centered on a phishing operation it calls GHOST STADIUM. ThreatFabric observed malicious streaming apps tied to Android banking trojans named Massiv and Perseus. Organizations in travel, hospitality, and payments face heightened phishing and ransomware exposure ahead of kickoff.
- Kirki Plugin Flaw Hijacks WordPress Admins
Hackers are exploiting a critical privilege escalation vulnerability, CVE-2026-8206, in the Kirki plugin for WordPress to take over any user account, including administrators. The Defiant team’s Wordfence firewall blocked over 222 attempts in 24 hours. The full plugin name is Kirki – Freeform Page Builder, Website Builder and Customizer; it is active on more than 500,000 websites, and the flaw impacts versions up to 6.0.6. It carries a CVSS score of 9.8 and abuses a password-reset handler that accepts an attacker-supplied email address. Administrators should upgrade to version 6.0.7 or disable the plugin.
- Acer Wave 7 Routers Hit By Max-Severity Flaws
Acer is working to address two maximum-severity zero-day vulnerabilities affecting its Wave 7 mesh routers. The first, CVE-2026-49200, is a broken access control flaw letting unauthenticated attackers read plaintext credentials from log archives, while the second, CVE-2026-49201, stems from a hardcoded AES encryption key in the backup-processing binary, allowing remote attackers to decrypt, modify, and re-encrypt system backups for persistent backdoor injection. Both are rated CVSS 10, affecting routers up to firmware T7c_GBL_1.01.000055. No patches exist yet, with fixes targeted for the end of June 2026; users should disable remote management in the meantime.
- Cisco Unified CM SSRF Opens Path To Root
Cisco patched a Unified Communications Manager bug, tracked as CVE-2026-20230, that lets an unauthenticated attacker on the network write files to the system and escalate to root, with proof-of-concept exploit code already public. The server-side request forgery flaw causes the server to write arbitrary files onto the underlying OS, which can be used to reach root. Cisco rated the advisory Critical despite a CVSS base of 8.6, and the flaw only works when the WebDialer service, off by default, is enabled. Patching to 14SU6 or disabling WebDialer is the fix.
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The ten stories above were judged the most significant of the week, ranked from highest risk downward, and drawn from multiple sources where available.