Security Advisory - Published 2026-06-20 - Mixed App / Gateway / Legacy Desktop

Mixed June CVEs: check gateways, self-hosted apps, and old updater services

This small batch covers different environments: Apache APISIX gateway authentication, Mercator server-side fetch behavior, Slopsmith file access, and legacy Comodo browser updater services on Windows. The common fix path is exposure reduction first, then logs and installed-service cleanup.

Defensive scope: this guide is for inventory, patching, log review, and cleanup on systems you own or are approved to review.

Affected systems

CVE            | Product                 | Affected             | Review                                                              | CVSS
CVE-2016-20088 | Comodo Chromodo Browser | <= 52.15.25.664      | Windows services, old browser installs, and updater paths           | 8.5
CVE-2016-20090 | Comodo Dragon Browser   | <= 52.15.25.663      | Windows services, old browser installs, and updater paths           | 8.5
CVE-2026-49290 | Slopsmith               | before 0.2.9-alpha.5 | media library paths, container mounts, and access logs              | 7.6
CVE-2026-39999 | Apache APISIX           | vendor advisory      | gateway routes, authentication plugins, and unusual upstream access | 7.0
CVE-2026-49345 | Mercator                | before 2025.05.19    | outbound requests, Redis/internal access, and web logs              | 5.3

Owner self-check

# APISIX: confirm the running version and list auth-related configuration
apisix version 2>/dev/null
grep -RniE 'auth|jwt|openid|consumer|route' /usr/local/apisix /etc/apisix 2>/dev/null
# Self-hosted apps: files changed in the last 10 days (run from the app's install root)
find . -type f -mtime -10 | grep -E 'slopsmith|mercator|config|\.log$|\.php$|\.py$|\.js$'
# Windows: legacy Comodo browser and updater services (run from cmd.exe, so $_ is not expanded by a POSIX shell)
powershell -NoProfile -Command "Get-CimInstance Win32_Service | Where-Object {$_.Name -match 'Dragon|Chromodo|Comodo'} | Select-Object Name,State,StartName,PathName"

What to review

  • APISIX routes and authentication plugins that protect internal or administrative upstreams.
  • Mercator outbound requests, internal host access, Redis/internal service access, and web logs.
  • Slopsmith media paths, container mounts, and files accessed outside normal music-library folders.
  • Old Comodo browser updater services still installed on Windows workstations or jump boxes.
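One way to do the APISIX route review above in bulk, as an added example that is not part of this advisory or of APISIX itself: it reads a JSON route export in the shape returned by the Admin API (`GET /apisix/admin/routes`, or a bare list of route objects), and reports routes that reach an upstream with no authentication plugin set on the route. The sample export is constructed, and the set of plugins treated as "authentication" is an assumption you should extend with whatever your gateway actually uses.

```python
"""Flag APISIX routes that expose an upstream with no auth plugin on the route.
Added example; the route export below is constructed for illustration."""
import json

# Plugins that authenticate the caller (assumed list; add any others you rely on).
AUTH_PLUGINS = {
    "key-auth", "jwt-auth", "basic-auth", "hmac-auth", "ldap-auth",
    "openid-connect", "authz-keycloak", "forward-auth", "opa", "multi-auth",
}

# Constructed sample in the shape of `GET /apisix/admin/routes` output.
SAMPLE_EXPORT = json.dumps({"list": [
    {"value": {"id": "1", "uri": "/internal/admin/*",
               "plugins": {"jwt-auth": {}},
               "upstream": {"nodes": {"10.0.0.5:8080": 1}}}},
    {"value": {"id": "2", "uri": "/internal/metrics",
               "plugins": {"limit-count": {"count": 10, "time_window": 60}},
               "upstream": {"nodes": {"10.0.0.6:9090": 1}}}},
    {"value": {"id": "3", "uri": "/api/*", "service_id": "svc-1"}},
    {"value": {"id": "4", "uri": "/public/*", "upstream_id": "up-1"}},
]})


def classify_routes(export_text):
    """Return {route_id: status}. 'protected' when an auth plugin is set on the
    route itself; 'inherits' when the route points at a service or plugin_config
    (auth may live there, so review those objects separately); otherwise 'open'."""
    data = json.loads(export_text)
    items = data.get("list", []) if isinstance(data, dict) else data
    result = {}
    for item in items:
        route = item.get("value", item)          # Admin API wraps each route in "value"
        rid = str(route.get("id", route.get("uri", "?")))
        plugins = set((route.get("plugins") or {}).keys())
        if plugins & AUTH_PLUGINS:
            result[rid] = "protected"
        elif "service_id" in route or "plugin_config_id" in route:
            result[rid] = "inherits"
        else:
            result[rid] = "open"
    return result


def open_routes(export_text):
    """Route ids that reach an upstream with no authentication on the route."""
    return sorted(r for r, s in classify_routes(export_text).items() if s == "open")


if __name__ == "__main__":
    for rid, status in classify_routes(SAMPLE_EXPORT).items():
        print(f"route {rid}: {status}")
```

An "open" result is a review prompt, not a verdict: a public route may be intentionally unauthenticated, while an open route in front of an internal or administrative upstream is what the advisory asks you to find.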

Safe fix path

  1. Patch the affected product where a vendor fix exists. Remove legacy software that is no longer needed.
  2. Restrict gateway and self-hosted app exposure while logs are reviewed.
  3. For Windows updater services, remove old browsers and verify service paths after uninstall.
  4. Rotate secrets if gateway logs, SSRF indicators, or unexpected file access suggest compromise.

Repair help

Use Ping7 CVE Repair when a gateway was exposed, internal services may have been reached, old Windows services remain installed, or app logs need a second pass.

References