UpdateStar Vulnerability Index · June 2026

Monthly severity snapshot for widely-installed consumer software

Overall Score: 78 (SEVERE)

June 2026 is one of the worst months of the year so far. Two zero-days are confirmed exploited in the wild, both on CISA KEV. A third has a public proof-of-concept. Microsoft shipped its largest-ever Patch Tuesday.

2 × KEV Listed · In-the-Wild Exploitation · 1 × Public PoC · 208 MS CVEs

Top 5 — Consumer App Severity

#1 · Google Chrome · CVE-2026-11645 · CVSS 8.8 HIGH
V8 out-of-bounds RW · 3.83B users · 5th Chrome zero-day of 2026
CISA KEV · Exploited ITW · Patched 149.0.7827.102

#2 · Adobe Acrobat Reader · CVE-2026-34621 · CVSS 8.6 HIGH
Prototype pollution RCE · Exploited since Dec 2025 · Patch bypassed once
CISA KEV · Exploited ITW · Patched 26.001.21662

#3 · 7-Zip · CVE-2026-48095 · CVSS 8.8 HIGH
Heap overflow in NTFS handler · No auto-update · Public PoC available
Public PoC · Patched 26.01

#4 · WinRAR · CVE-2025-8088 · CVSS 8.4 HIGH
Path traversal → Startup folder · Nation-state exploitation ongoing · Patched Jul 2025 but no auto-update
CISA KEV · APT Active (RomCom, Sandworm…) · Patched 7.13

#5 · Mozilla Firefox · MFSA 2026-57/58/59 · CVSS 7.5 HIGH
WebGPU buffer overflow + JIT UAF · Auto-update reliable · No confirmed exploitation
Patched Firefox 152

CVSS Score Comparison

Chrome 8.8
Acrobat Reader 8.6
7-Zip 8.8
WinRAR 8.4
Firefox 7.5

Key Stats — June 2026

  • 3 CVEs confirmed exploited in the wild
  • −7 days mean time-to-exploit (Mandiant M-Trends 2026)
  • 43 days median KEV remediation time (Verizon DBIR 2026)
  • 208 Microsoft CVEs patched in a single Patch Tuesday (record)
  • 26% of CISA KEV flaws fully remediated by organizations
  • 5 Chrome zero-days exploited in the wild so far in 2026

Patch Lag — Days Since Disclosure vs. Update Status

  • Chrome (CVE-2026-11645): 16 d · Fixed Jun 8 · ~16 days lag
  • Adobe Acrobat Reader (CVE-2026-34621): 180+ d · Exploited ~6 months before patch
  • 7-Zip (CVE-2026-48095): 58 d · Fixed Apr 27 · ~58 days since patch
  • WinRAR (CVE-2025-8088): 330+ d · Patched Jul 2025 · still exploited ~330 days later
  • Firefox (MFSA 2026-57/58/59): <7 d · Auto-updated · low risk

Data sources: NVD · CISA KEV · Mandiant M-Trends 2026 · Verizon DBIR 2026 · vendor advisories

June 2026 Highlights

  • KEV: 2 CVEs on CISA Known Exploited Vulnerabilities list
  • ITW: 3 CVEs with confirmed in-the-wild exploitation
  • PoC: 1 CVE with public proof-of-concept code
  • MS: 208 Microsoft CVEs in a single Patch Tuesday — a record

Overall Severity Score

Index Score: 78 / 100
Rating: SEVERE

App Quick Reference

  • CRIT Chrome 8.8
  • CRIT Acrobat Reader 8.6
  • HIGH 7-Zip 8.8
  • HIGH WinRAR 8.4
  • MED Firefox 7.5

Patch Status

  • Chrome — patched (auto-update)
  • Acrobat Reader — patched
  • 7-Zip — patched but no auto-update
  • WinRAR — patched but still exploited
  • Firefox — patched (auto-update)

Data Sources

  • NVD (National Vulnerability Database)
  • CISA Known Exploited Vulnerabilities
  • Mandiant M-Trends 2026
  • Verizon DBIR 2026
  • Vendor security advisories