On this page
- 0. TL;DR
- 1. Active Threats, Trending Actors, Notable Incidents & Disclosures
- 2. Trending Vulnerabilities
- 3. Research & Investigative Reporting
- 4. Updates to Prior Coverage
- 5. Deep Dive — Cisco Catalyst SD-WAN Manager CVE-2026-20262: authenticated arbitrary file write to root RCE
- 6. Action Items
- 7. Verification Notes
0. TL;DR
- Cisco Catalyst SD-WAN Manager actively exploited — CVE-2026-20262 (authenticated arbitrary file write → root RCE) added to the CISA KEV catalog on 2026-06-15; patch to the fixed train and review appserver upload logs. Full deep dive in § 5. (BleepingComputer, 2026-06-15)
- Council of Europe breached via the Oracle PeopleSoft zero-day (CVE-2026-35273) — ShinyHunters claims 297 GB / ~429,000 files and set a 16 June leak deadline; the first European intergovernmental victim named in the 100+-organisation PeopleSoft campaign (§ 4 update). (SecurityWeek, 2026-06-15)
- PRC actor UNC6508 ran year-plus espionage through internet-facing REDCap research servers and abused a Google Workspace content-compliance rule to silently BCC research/defence email to attacker Gmail — REDCap is widely run at Swiss/EU academic medical centres. (Google GTIG, 2026-06-15)
- WordPress supply-chain compromise via Awesome Motive's shared CDN tampered OptinMonster / TrustPulse / PushEngage scripts on ~1.2M sites to auto-create rogue admins and a self-hiding backdoor plugin — "update your plugins" did not protect the exposure window. (Sansec, 2026-06-13)
- LiteSpeed cPanel/WHM plugin CVE-2026-54420 in CISA KEV — symlink-following on CloudLinux/CageFS shared hosting, exploited in the wild since May (LiteSpeed, 2026-06-01); added to CISA KEV on 2026-06-15 (CISA, 2026-06-15). Patch to WHM PlugIn 5.3.2.1.
1. Active Threats, Trending Actors, Notable Incidents & Disclosures
PRC UNC6508 ran year-plus espionage through internet-facing REDCap servers and a Google Workspace BCC rule
Google's Threat Intelligence Group attributes a September 2023 – November 2025 espionage campaign to UNC6508, a PRC-nexus cluster that compromised North American academic, medical and military-health organisations by exploiting externally-facing REDCap (Research Electronic Data Capture) servers, then dropping a bespoke PHP implant tracked as INFINITERED (Google GTIG, 2026-06-15). INFINITERED trojanises REDCap's own upgrade mechanism to survive platform updates, harvests credentials from the REDCap login page, and exposes a cookie-gated backdoor for shell, file, SQL and credential operations (Help Net Security, 2026-06-15). The exfiltration tradecraft is the notable part: after pivoting to a Workspace admin account, the actor created a Google Workspace content-compliance rule named "Patroit" that silently BCC-forwarded any message matching ~150 research/defence keywords to an attacker-controlled Gmail address — abusing a legitimate administrative feature rather than dropping exfiltration malware (T1114.003 Email Forwarding Rule), which evades most DLP that watches for new tooling (SecurityWeek, 2026-06-15). Initial access mapped to T1190; web-shell persistence to T1505.003; admin credential reuse to T1078.
Why it matters to us: REDCap is deployed across Swiss and EU university hospitals, cantonal research bodies and clinical-trial coordinators, and the Workspace BCC-rule technique is tenant-agnostic. Hunt now: Google Workspace admin audit logs for content-compliance/BCC rule creation by non-IT-admin accounts (especially rules with external Gmail recipients), and file-integrity-monitor the REDCap upgrade-staging directory and login handlers — standard web-root scanning misses the upgrade-path implant.
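One way to run the Workspace hunt described above, as an added example that is not GTIG's or Google's code. The event records are constructed and use a simplified, hypothetical field layout (an assumption): map the field names onto your own admin-audit export before use.

```python
"""Hunt Google Workspace admin activity for covert BCC/forwarding rules."""
from dataclasses import dataclass, field

# Constructed sample events (hypothetical schema). The first mirrors the
# reported pattern: a non-IT account adds a rule that BCCs keyword hits
# to an external Gmail mailbox.
SAMPLE_EVENTS = [
    {"ts": "2025-03-02T22:14:05Z", "actor": "labadmin@example.org",
     "action": "CREATE_COMPLIANCE_RULE", "rule_name": "Patroit",
     "rule_action": "ADD_BCC", "recipients": ["collector.mail@gmail.com"],
     "keywords": ["grant", "clinical", "export control", "defence"]},
    {"ts": "2025-03-03T09:01:11Z", "actor": "it-sec@example.org",
     "action": "CREATE_COMPLIANCE_RULE", "rule_name": "Legal hold copy",
     "rule_action": "ADD_BCC", "recipients": ["legal-archive@example.org"],
     "keywords": ["subpoena"]},
    {"ts": "2025-03-03T10:30:00Z", "actor": "labadmin@example.org",
     "action": "CHANGE_PASSWORD", "target": "user@example.org"},
]

FORWARDING_ACTIONS = {"ADD_BCC", "ADD_RECIPIENT", "FORWARD", "REDIRECT"}
CONSUMER_MAIL_DOMAINS = {"gmail.com", "googlemail.com"}


@dataclass
class Finding:
    ts: str
    actor: str
    rule_name: str
    external_recipients: list
    reasons: list = field(default_factory=list)


def external_recipients(addresses, internal_domains):
    """Return recipients whose domain is not one of the tenant's own."""
    return [a for a in addresses
            if a.rsplit("@", 1)[-1].lower() not in internal_domains]


def hunt_bcc_rules(events, it_admins, internal_domains):
    """Flag compliance-rule changes that copy mail to external addresses.

    Every finding has at least one external recipient; extra reasons raise
    priority: non-IT actor, consumer mailbox, broad keyword list.
    """
    findings = []
    for ev in events:
        if "COMPLIANCE_RULE" not in ev.get("action", ""):
            continue  # not a rule create/update
        if ev.get("rule_action") not in FORWARDING_ACTIONS:
            continue  # rule does not copy or redirect mail
        ext = external_recipients(ev.get("recipients", []), internal_domains)
        if not ext:
            continue  # internal archive copies are normal
        reasons = ["copies mail to external recipient(s)"]
        if ev["actor"] not in it_admins:
            reasons.append("created by non-IT-admin account")
        if any(a.rsplit("@", 1)[-1].lower() in CONSUMER_MAIL_DOMAINS for a in ext):
            reasons.append("recipient is a consumer mailbox")
        if len(ev.get("keywords", [])) >= 3:
            reasons.append("broad keyword match list")
        findings.append(Finding(ev["ts"], ev["actor"], ev.get("rule_name", "?"),
                                ext, reasons))
    # Highest-priority (most reasons) first.
    return sorted(findings, key=lambda f: -len(f.reasons))


if __name__ == "__main__":
    for f in hunt_bcc_rules(SAMPLE_EVENTS, {"it-sec@example.org"}, {"example.org"}):
        print(f.ts, f.actor, f.rule_name, f.external_recipients, "; ".join(f.reasons))
```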
WordPress supply-chain compromise via Awesome Motive's CDN backdoors ~1.2M sites
Sansec Forensics found malicious JavaScript appended to the CDN-served api.min.js files shared by three Awesome Motive WordPress plugins — OptinMonster (1.2M+ installs), TrustPulse and PushEngage — injected on 12 June and served from CDN edges into 13 June (Sansec, 2026-06-13). The vendor confirmed the entry point was exploitation of an UpdraftPlus vulnerability on its own marketing server, which leaked the BunnyNet CDN API key used to tamper the scripts (OptinMonster, 2026-06-14). Because the tampering was at the CDN layer and not in the WordPress.org repository, "update your plugins" gave false assurance for the exposure window. The payload waited for a logged-in administrator, then created a hidden admin account and installed a self-hiding backdoor plugin masquerading as "Content Delivery Helper" or "Database Optimizer", concealed from the plugin list, update checks and API responses, beaconing harvested credentials to a tidio.cc lookalike domain (Patchstack, 2026-06-15). Mapped to T1195.002, T1136.001 (create account) and T1027.005 (indicator removal).
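The Subresource Integrity pin that would have made a browser refuse the tampered CDN copy, as an added example (not Sansec, Awesome Motive or WordPress code). The script bodies are constructed and SCRIPT_URL is a placeholder.

```python
"""Pin a CDN-served script with Subresource Integrity and verify copies."""
import base64
import hashlib
import hmac
from typing import Optional

SCRIPT_URL = "https://cdn.example.invalid/api.min.js"  # placeholder

# Constructed bodies: the copy reviewed at pin time, and the same file with
# extra code appended (the shape of the 12-13 June tampering).
REVIEWED = b"(function(){window.om=window.om||{};})();\n"
TAMPERED = REVIEWED + b"(function(){/* appended, unreviewed code */})();\n"


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Integrity value as browsers expect: '<algo>-<base64 digest>'."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI allows sha256, sha384 or sha512 only")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Tag that makes the browser refuse the file if the CDN copy changes.

    crossorigin is required for SRI on cross-origin scripts, and the CDN
    must answer with CORS headers; otherwise the browser blocks the load.
    """
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def verify(content: bytes, integrity: str) -> bool:
    """Server-side check of a fetched copy against the pinned value."""
    algo = integrity.split("-", 1)[0]
    return hmac.compare_digest(sri_hash(content, algo), integrity)


def appended_bytes(reviewed: bytes, served: bytes) -> Optional[bytes]:
    """If the served copy is the reviewed one plus a suffix, return the suffix."""
    if served.startswith(reviewed) and len(served) > len(reviewed):
        return served[len(reviewed):]
    return None


if __name__ == "__main__":
    pinned = sri_hash(REVIEWED)
    print(script_tag(SCRIPT_URL, REVIEWED))
    print("reviewed copy ok:", verify(REVIEWED, pinned))
    print("tampered copy ok:", verify(TAMPERED, pinned))
    print("appended:", appended_bytes(REVIEWED, TAMPERED))
```

A pin only holds while the vendor file is static; scripts the vendor updates in place need a re-review and re-pin on every change, which is the operational cost of closing this exposure window.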
DPRK UNK_DeadDrop weaponises VS Code / Cursor auto-run to hit developers, including EU targets
Proofpoint details UNK_DeadDrop, a North-Korea-aligned cluster (related to but distinct from Contagious Interview / Famous Chollima) that sent 250+ recruitment-themed phishing emails to ~100 finance, crypto, education and technology organisations over April–May 2026 (Proofpoint, 2026-06-15); the targeted geographies are a US majority followed by the UK, Australia, France, Germany and the Netherlands, among others (The Hacker News, 2026-06-16). The lure links to attacker-controlled GitHub/GitLab repositories carrying a .vscode/tasks.json with runOn: folderOpen; VS Code shows a workspace-trust prompt, but Cursor IDE executes the task silently with no prompt, dropping the open-source Overlord Go C2 that steals browser credentials and crypto wallets (The Hacker News, 2026-06-16). Mapped to T1566.002, T1195.001, T1059.004 and T1555.003.
Why it matters to us: public-sector and fintech development teams that have adopted Cursor are exposed to silent execution on repository open. Hunt for editor processes (code, cursor) spawning shell/script interpreters outside build directories (Sysmon EID 1 parent-image filter); enforce workspace-trust policy and restrict VSIX installation to an approved-publisher allowlist via enterprise policy.
iRhythm discloses data theft via social engineering of a third-party-hosted application (SEC 8-K) [SINGLE-SOURCE]
Cardiac-monitoring medtech firm iRhythm filed an SEC Form 8-K Item 1.05 on 2026-06-15 reporting that a threat actor used social engineering against business applications hosted by a third party, exfiltrated PHI, PII and proprietary data, and sent a ransom demand on 9 June; the company made its materiality determination on 10 June (SEC EDGAR, 2026-06-15). iRhythm states clinical and device-monitoring systems were unaffected. [SINGLE-SOURCE] — only the SEC primary is available; no independent corroboration yet.
2. Trending Vulnerabilities
CVE-2026-20262 — Cisco Catalyst SD-WAN Manager: authenticated arbitrary file write to root RCE (CISA KEV)
A path-traversal weakness in the web UI of Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) lets an authenticated, remote attacker create or overwrite any file on the underlying OS because the file-upload handler fails to validate the supplied filename (NVD CVSS 6.5; Cisco PSIRT, 2026-06-15). Writing a JSP/WAR into the Tomcat deploy path yields a web shell and root-level execution, so the modest 6.5 base score understates impact on an exposed network-management plane. Cisco confirms active exploitation and CISA added it to the KEV catalog on 2026-06-15 (BleepingComputer, 2026-06-15). Patch to 20.9.9.2 / 20.12.7.2 / 20.15.4.5 / 20.15.5.3 / 20.18.3.1 / 26.1.1.2. Full kill-chain, hunt and hardening detail in § 5.
CVE-2026-54420 — LiteSpeed cPanel/WHM plugin: symlink-following on shared hosting, exploited in the wild (CISA KEV)
The LiteSpeed cPanel plugin before 2.4.8 (fixed in the LiteSpeed WHM PlugIn version 5.3.2.1) mishandles symlinks supplied by a user with FTP or web-shell access on a CloudLinux/CageFS shared-hosting server, enabling cross-account file access and privilege escalation; NVD records exploitation in the wild in May 2026 (NVD CVSS 8.5). CISA added it to the Known Exploited Vulnerabilities catalog on 2026-06-15 (CISA, 2026-06-15). The exposure is most acute for hosting providers and any public-sector tenant on shared CloudLinux infrastructure. Patch to WHM PlugIn 5.3.2.1 / cPanel plugin 2.4.8.
CVE-2026-48611 / CVE-2026-48612 — phpBB: unauthenticated authentication bypass to admin, one HTTP request
Pentest-Tools.com disclosed two authentication flaws in phpBB, the open-source forum software common across European universities, municipalities and community portals (Pentest-Tools.com, 2026-06-08). CVE-2026-48611 (NVD CVSS 9.8) is an improper-authentication flaw in the OAuth implementation that allows account hijacking — including admin accounts — even when OAuth is not configured, reachable by a single unauthenticated request given only a target username (publicly visible via the member list) (NVD). CVE-2026-48612 (CVSS 8.0) chains improper OAuth state verification with CSRF to hijack a logged-in session on OAuth-enabled boards. Both affect phpBB 3.1.0 through 3.3.16 (a 10-year release span) and 4.0.0-alpha, and are fixed in phpBB 3.3.17 (phpBB, 2026-06-06). The disclosing source does not publish exploit code, and no in-the-wild exploitation is reported yet. Upgrade immediately for any internet-reachable instance; if upgrade is delayed, disable the OAuth integration even if unused.
CVE Summary Table
| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-20262 | Cisco Catalyst SD-WAN Manager | 6.5 | n/a | Yes | Yes (ITW) | 20.9.9.2 / 20.12.7.2 / 20.15.4.5 / 20.15.5.3 / 20.18.3.1 / 26.1.1.2 | Cisco PSIRT |
| CVE-2026-54420 | LiteSpeed cPanel/WHM plugin | 8.5 | n/a | Yes | Yes (ITW, May 2026) | WHM PlugIn version 5.3.2.1 / plugin 2.4.8 | LiteSpeed |
| CVE-2026-48611 | phpBB 3.1.0–3.3.16, 4.0.0-alpha | 9.8 | n/a | No | No | phpBB 3.3.17 | Pentest-Tools.com |
| CVE-2026-48612 | phpBB (OAuth-enabled) | 8.0 | n/a | No | No | phpBB 3.3.17 | Pentest-Tools.com |
3. Research & Investigative Reporting
Obsidian Security: a three-CVE chain turns any LiteLLM user into root on the AI gateway
Obsidian Security published a privilege-escalation-to-RCE chain in LiteLLM (BerriAI), the widely self-hosted AI gateway that proxies 100+ LLM providers behind one OpenAI-compatible API (Obsidian Security, 2026-06-15; The Hacker News, 2026-06-15). The chain: CVE-2026-47101 (authorization bypass) — the key-generation endpoint accepts a caller-supplied allowed_routes without checking the caller's role, so an internal_user can mint a key reaching admin routes; CVE-2026-47102 (privilege escalation) — /user/update lacks field-level authorization, letting any authenticated user set their own user_role to proxy_admin; CVE-2026-40217 (RCE) — the Custom Code Guardrails feature runs attacker-supplied Python via exec() with __builtins__ available, giving arbitrary code execution. VulnCheck scores CVE-2026-47102 at CVSS 8.8 (3.1), and Obsidian rates the chained impact CVSS 9.9; chained, a default low-privilege account reaches the master key, the salt key decrypting stored secrets, the database URL and every configured provider API key — and can rewrite responses delivered to downstream AI agents ("man-in-the-gateway"). Fixed in v1.83.14-stable, but Obsidian reports broad under-deployment of the fix. Mapped to T1078, T1548 and T1059.006.
Why it matters to us: Swiss/EU public-sector and research bodies increasingly centralise AI workflows on a gateway proxy; a compromised LiteLLM is both a credential-theft and an agent-manipulation vector. Pin LiteLLM to ≥1.83.14, keep admin endpoints off the internet, store provider keys in a secrets manager, and rotate all provider keys if any pre-1.83.14 instance was reachable by untrusted users.
Varonis "SearchLeak" (CVE-2026-42824): one-click M365 Copilot data exfiltration, now patched
Varonis Threat Labs disclosed SearchLeak, a three-stage chain in Microsoft 365 Copilot Enterprise Search that Microsoft patched server-side as CVE-2026-42824 (command-injection / information-disclosure, NVD CVSS 6.5) (Varonis, 2026-06-15; Microsoft MSRC). Stage 1: the q URL parameter is passed to Copilot as an executable instruction rather than a sanitised query (parameter-to-prompt injection). Stage 2: an injected <img> tag fires during a streaming-render race before the output sanitiser runs. Stage 3: the exfiltration request is relayed through Bing's server-side image-search fetch — *.bing.com is allowlisted in Copilot's CSP — bypassing the browser CSP and carrying mailbox content, calendar entries, SharePoint/OneDrive files and emailed MFA/OTP codes to an attacker domain, all from a single click on a genuine microsoft.com link (The Hacker News, 2026-06-15). No customer action is required for patched tenants and no in-the-wild exploitation was observed. Mapped to T1566.002 and T1071.001.
Why it matters to us: M365 Copilot Enterprise is in active Swiss-federal and EU public-sector rollouts. The vulnerability class — prompt injection via URL parameter, streaming-render race, and SSRF-relay CSP bypass — will recur in other AI-augmented enterprise apps; build CASB/DLP detection for Copilot search URLs carrying HTML-encoded payloads in the q parameter and for Copilot sessions fetching to non-Microsoft domains.
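A proxy-log check for the q-parameter pattern described above, as an added example that is not Varonis or Microsoft code. The sample URLs are constructed, and COPILOT_HOSTS is a placeholder assumption to be replaced with the Copilot search host seen in your own proxy logs.

```python
"""Flag Copilot search URLs whose q parameter carries HTML or a URL."""
import html
import re
from urllib.parse import urlsplit, parse_qs, unquote

COPILOT_HOSTS = ("microsoft.com",)  # assumption: host suffixes to inspect

TAG_RE = re.compile(r"<\s*/?\s*[a-z][a-z0-9-]*[^>]*>", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
INSTRUCTION_RE = re.compile(
    r"\b(ignore|forget|disregard)\b.{0,40}\b(instruction|prompt)s?\b", re.I)


def decode_rounds(value: str, rounds: int = 3) -> str:
    """Undo stacked URL and HTML encoding (double-encoding is a common evasion)."""
    for _ in range(rounds):
        nxt = html.unescape(unquote(value))
        if nxt == value:
            break
        value = nxt
    return value


def inspect_url(url: str) -> dict:
    """Return {'q': decoded query, 'flags': [...]}, or {} for non-Copilot URLs."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not any(host == h or host.endswith("." + h) for h in COPILOT_HOSTS):
        return {}
    q_values = parse_qs(parts.query).get("q")
    if not q_values:
        return {}
    q = decode_rounds(q_values[0])
    flags = []
    if TAG_RE.search(q):
        flags.append("html-tag")          # markup where a search string belongs
    if re.search(r"<\s*img\b", q, re.I):
        flags.append("img-tag")           # the render-race primitive
    if URL_RE.search(q):
        flags.append("embedded-url")      # a fetch target for the relay
    if INSTRUCTION_RE.search(q):
        flags.append("instruction-like")  # parameter-to-prompt injection wording
    if q != q_values[0]:
        flags.append("encoded")           # extra encoding layers were peeled
    return {"q": q, "flags": flags}


# Constructed samples: a normal search, a double-encoded tag, a non-Copilot host.
SAMPLES = [
    "https://www.microsoft.com/search?q=travel+policy+2026",
    "https://www.microsoft.com/search?q=%253Cimg%2520src%253D%2522https%253A"
    "%252F%252Fcollector.invalid%252Fx%2522%253E",
    "https://example.org/search?q=%3Cimg%3E",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(inspect_url(url))
```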
4. Updates to Prior Coverage
UPDATE: Council of Europe named as a victim of the Oracle PeopleSoft (CVE-2026-35273) campaign
UPDATE (originally covered 2026-06-12/2026-06-13): ShinyHunters listed the Council of Europe — the 46-member Strasbourg human-rights body, of which Switzerland is a member — claiming 297 GB across ~429,000 files taken via the Oracle PeopleSoft Environment Management Hub zero-day CVE-2026-35273, and set a 16 June leak deadline (SecurityWeek, 2026-06-15). This is the first European intergovernmental institution named in the 100+-organisation PeopleSoft campaign previously covered as an education-sector wave.
The claimed dataset spans payroll for 10,000+ current and former staff (2011–2026), 14,000+ CVs, and HR records with names, dates of birth, addresses, bank-account, tax/social-security and medical data. The Council of Europe confirmed it "is currently investigating the matter and assessing the situation" and has not confirmed exfiltration (The Register, 2026-06-15; BleepingComputer, 2026-06-15). The vector — unauthenticated HTTP to the /PSEMHUB/hubservlet (T1190) — is unchanged; treat any externally-reachable PeopleSoft Environment Management Hub as compromised pending forensic review and block perimeter access to /PSEMHUB/*. Confidence on the victim claim is MEDIUM pending Council of Europe confirmation (extortion-site claim).
Changes since first coverage (4 prior appearances):
- 2026-06-14 (2026-W24)
- 2026-06-14
- 2026-06-13
- 2026-06-12
UPDATE: Novo Nordisk clarifies stolen-data scope — non-pseudonymised HCP data in play
UPDATE (originally covered 2026-06-13): Novo Nordisk published an incident update on 2026-06-15 clarifying the scope of the theft: clinical-trial data taken was pseudonymised (limited direct re-identification risk for trial subjects) (Novo Nordisk, 2026-06-15), but separately stolen healthcare-professional (HCP) data was non-pseudonymised — names, registration numbers and contact details (Security Affairs, 2026-06-15).
The non-pseudonymised HCP records bring the incident within GDPR Article 33 breach-notification obligations and raise targeted-phishing risk against named medical professionals (Security Affairs, 2026-06-15). Healthcare and pharma defenders should expect HCP-impersonation and credential-phishing lures referencing the breach.
5. Deep Dive — Cisco Catalyst SD-WAN Manager CVE-2026-20262: authenticated arbitrary file write to root RCE
Vulnerable component. The flaw lives in the web UI of Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage), the centralised controller/management plane that pushes policy and configuration to every WAN-edge router in an SD-WAN fabric. The file-upload path in the management UI does not validate the user-supplied filename, so an authenticated request can traverse out of the intended directory and create or overwrite an arbitrary file on the appliance OS (NVD, CVSS 6.5; Cisco PSIRT, 2026-06-15). The vulnerability affects on-premises, Cloud-hosted and FedRAMP deployment models. The 6.5 base score reflects the authentication requirement (a low-privilege/single-task account), but the consequence — arbitrary write into a path the application server reads — is what makes it a root-RCE primitive rather than a simple integrity bug.
Exploitation chain. Reporting describes the practical path as: (1) Initial access with valid low-privilege SD-WAN Manager credentials — obtained through prior phishing, credential reuse, or chaining an earlier auth-affecting SD-WAN bug (T1078.004 Valid Accounts: Cloud Accounts); (2) Execution by abusing the upload endpoint to write a .jsp/.war artefact into the Tomcat deployment directory, turning the file-write into a web shell (T1190 Exploit Public-Facing Application for the upload primitive, T1505.003 Server Software Component: Web Shell for the planted shell); (3) Privilege escalation / impact because the SD-WAN Manager application services run with high privilege, the web shell yields root-equivalent control of the management plane (T1059 Command and Scripting Interpreter). Control of SD-WAN Manager is control of every managed edge device's configuration — a single-pivot path to the entire WAN. Cisco Talos tracks a highly capable cluster it designates UAT-8616 behind a 2026 wave of Cisco Catalyst SD-WAN exploitation (notably CVE-2026-20127, with software-downgrade post-compromise tradecraft) (Cisco Talos, 2026); whether or not that cluster is behind CVE-2026-20262 specifically, the pattern means defenders should treat any SD-WAN Manager as a high-value target even where they believe an earlier intrusion was contained.
Affected and patched versions. Cisco has released fixed trains 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1 and 26.1.1.2; consult the PSIRT advisory for the exact mapping of your running train to its fixed build (Cisco PSIRT, 2026-06-15). CISA added CVE-2026-20262 to the Known Exploited Vulnerabilities catalog on 2026-06-15, confirming exploitation in the wild (BleepingComputer, 2026-06-15).
Hunt and detection concepts. Because exploitation is authenticated and post-foothold, the highest-value telemetry is on the appliance itself, not the perimeter. Review the SD-WAN Manager appserver and service-proxy logs for HTTP uploads referencing index.jsp, *.jsp or *.war filenames or path-traversal sequences, and for newly written files in the Tomcat webapps/deploy directories that do not correspond to a vendor update. Correlate file-write events with the authenticating account — single-task/low-privilege accounts performing uploads are anomalous. Watch for unexpected outbound connections from the SD-WAN Manager host (a web shell beaconing) and for new processes spawned by the application-server user. Because the attacker needs valid credentials first, surface authentication anomalies for management-plane accounts: logins from new source ranges, off-hours admin activity, and use of service/automation accounts interactively. No IOCs are reproduced here — hunt on the behaviour.
Hardening / mitigation. Patch to the fixed train as the only durable fix. Until patched: restrict management-plane reachability so SD-WAN Manager's web UI is never internet-exposed and is reachable only from a hardened management network or jump host; enforce MFA on all SD-WAN Manager accounts and prune low-privilege/single-task accounts that retain upload capability; rotate credentials for any account that could authenticate during the exposure window; and validate the integrity of the Tomcat deploy directory against a known-good baseline before returning a controller to service. Given the management plane's blast radius across the WAN fabric, treat a suspected compromise of SD-WAN Manager as a fabric-wide event and review pushed configurations for tampering.
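The appserver-log triage sketched in the hunt section above, worked through as an added example; it is not Cisco or Talos code. The log line format is a constructed, simplified key=value shape and the /upload path is a placeholder (both assumptions): real appserver and service-proxy logs differ, so adapt parse_line() to your export.

```python
"""Triage SD-WAN Manager upload events for the CVE-2026-20262 pattern."""
import re
from urllib.parse import unquote

# Constructed sample lines (hypothetical format): a routine image upload by
# an admin, two traversal writes by a low-privilege account, and a GET.
SAMPLE_LOG = """\
2026-06-14T03:12:44Z user=netops-admin role=netadmin src=10.20.0.5 method=POST path=/upload status=200 file="image-20.12.7.2.tar.gz"
2026-06-14T03:41:02Z user=svc-readonly role=operator src=198.51.100.7 method=POST path=/upload status=200 file="../../../../usr/share/tomcat/webapps/ROOT/probe.jsp"
2026-06-14T03:42:10Z user=svc-readonly role=operator src=198.51.100.7 method=POST path=/upload status=200 file="%2e%2e%2f%2e%2e%2fwebapps%2fsvc.war"
2026-06-14T04:00:00Z user=netops-admin role=netadmin src=10.20.0.5 method=GET path=/upload status=200 file="-"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) src=(?P<src>\S+) '
    r'method=(?P<method>\S+) path=(?P<path>\S+) status=(?P<status>\d+) '
    r'file="(?P<file>[^"]*)"$')
PRIVILEGED_ROLES = {"netadmin"}          # roles expected to upload at all
WEB_EXECUTABLE = (".jsp", ".jspx", ".war")


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def normalise(name: str) -> str:
    """Decode percent-encoding (twice, for double encoding) and unify slashes."""
    return unquote(unquote(name)).replace("\\", "/").lower()


def triage_upload(ev: dict) -> list:
    """Reasons this upload looks like the file-write primitive; [] if clean."""
    if ev["method"] != "POST":
        return []
    name = normalise(ev["file"])
    reasons = []
    if ".." in name.split("/"):
        reasons.append("path traversal in filename")
    if name.startswith("/"):
        reasons.append("absolute path in filename")
    if name.endswith(WEB_EXECUTABLE):
        reasons.append("web-executable artefact (jsp/war)")
    if "webapps" in name or "/tomcat/" in name:
        reasons.append("targets application-server deploy path")
    if ev["file"] != unquote(ev["file"]):
        reasons.append("percent-encoded filename")
    # Context only matters once the filename itself is suspicious.
    if reasons and ev["role"] not in PRIVILEGED_ROLES:
        reasons.append(f"upload by low-privilege role {ev['role']}")
    if reasons and ev["status"] == "200":
        reasons.append("server accepted the write")
    return reasons


def hunt(log_text: str) -> list:
    """Return [(ts, user, src, file, reasons)] for every suspicious upload."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        reasons = triage_upload(ev)
        if reasons:
            hits.append((ev["ts"], ev["user"], ev["src"], ev["file"], reasons))
    return hits


if __name__ == "__main__":
    for ts, user, src, fname, reasons in hunt(SAMPLE_LOG):
        print(ts, user, src, fname, "->", "; ".join(reasons))
```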
6. Action Items
- Patch Cisco Catalyst SD-WAN Manager now (CVE-2026-20262) — actively exploited, CISA KEV. Move to a fixed train (20.9.9.2 / 20.12.7.2 / 20.15.4.5 / 20.15.5.3 / 20.18.3.1 / 26.1.1.2), take the management UI off the internet, enforce MFA, and review appserver upload/deploy logs and the Tomcat deploy directory for planted .jsp/.war web shells. See § 5 and § 2.
- Patch the LiteSpeed cPanel/WHM plugin (CVE-2026-54420) to WHM PlugIn version 5.3.2.1 / plugin 2.4.8 — exploited in the wild on shared CloudLinux/CageFS hosting since May. Prioritise any public-sector tenant on shared hosting. See § 2.
- Upgrade phpBB to 3.3.17 (CVE-2026-48611 / CVE-2026-48612) on any internet-reachable forum, especially university and municipal deployments; if upgrade is delayed, disable the OAuth integration even when unused. See § 2.
- Pin LiteLLM to version ≥ 1.83.14 and keep admin endpoints off the internet (CVE-2026-47101/-47102/-40217) — rotate all provider API keys if any pre-1.83.14 instance was reachable by untrusted users; move keys into a secrets manager. See § 3.
- Audit WordPress sites running OptinMonster / TrustPulse / PushEngage active during 12–13 June UTC — hunt for unexpected admin accounts and for plugins present on disk but hidden from the admin list; pin external CDN scripts to Subresource Integrity hashes. See § 1.
- Hunt Google Workspace for rogue content-compliance / BCC rules with external Gmail recipients created by non-IT-admin accounts, and file-integrity-monitor the REDCap upgrade-staging directory and login handlers (UNC6508). See § 1.
- Hunt editor-spawned shells — code/cursor processes launching shell or script interpreters outside build directories — and enforce VS Code workspace-trust + VSIX allowlist policy (UNK_DeadDrop). See § 1.
- Confirm M365 Copilot tenants are on the patched build (CVE-2026-42824) and add CASB/DLP detection for Copilot search URLs carrying HTML-encoded q parameters or fetching to non-Microsoft domains. See § 3.
- Block perimeter access to /PSEMHUB/* on Oracle PeopleSoft and treat any externally-reachable Environment Management Hub as compromised pending forensic review (CVE-2026-35273). See § 4.
7. Verification Notes
- Items dropped:
- CVE-2026-20251 — Splunk Secure Gateway jsonpickle deserialization RCE (CVSS 8.8): did not clear a § 2 inclusion gate — no in-the-wild exploitation, post-auth/low-privilege, surfaced only via an NCSC-NL advisory. Holding for a future brief if exploitation emerges.
- Velvet Ant "Operation Highland" (Sygnia, 2026-06-08): already covered in the 2026-W24 weekly summary (long-running campaigns) with the 2026-06-13 daily deep dive on the related Linux-authentication-stack subversion; no in-window (14–16 June) delta, so excluded per PD-8.
- FileFix / KongTuke MotW-bypass transition (Intel 471, 2026-06-03): outside the 36 h recency window; the underlying FileFix research predates June 2026. Not pursued.
- Astral (Russia) service disruption; Mackay Sugar (AU) incident; Grafana breach claim; Infinite Campus 137k school-staff breach: lower Swiss/EU public-sector relevance; not pursued this run.
- Single-source items: iRhythm Holdings breach (§ 1) — SEC Form 8-K Item 1.05 primary only; no independent corroboration yet (national-disclosure carve-out does not apply; flagged inline).
- Reduced-confidence items: Council of Europe breach (§ 4) — extortion-site (ShinyHunters) claim; the Council confirms an investigation but not exfiltration. Confidence MEDIUM pending victim confirmation; the 16 June leak deadline should resolve it by the next cycle.
- Contradictions: phpBB CVE-2026-48611 CVSS — Pentest-Tools.com rated it 9.4; NVD assigns 9.8. Brief reports the NVD value. LiteLLM fix timing — sources gave differing fix dates (25 April vs 2 May 2026); brief cites the fixed version (v1.83.14-stable), not a date, to avoid the discrepancy. LiteSpeed CVE-2026-54420 fixed-version — NVD describes the vulnerable range as "before WHM PlugIn 5.3.2.0", while the LiteSpeed vendor advisory states the fix shipped in WHM PlugIn 5.3.2.1 (bundled with cPanel plugin 2.4.8); the brief uses the vendor's 5.3.2.1 as the safe patch target. CVE-2026-48612 CVSS — NVD has not yet scored it; the 8.0 used here is a third-party (HackerOne) score (Pentest-Tools.com assigned 8.3).
- Sub-agents: all four research sub-agents (S1–S4, Claude Sonnet 4.6) returned within the wall-clock cap. S2 and S3 completed their research but their findings-YAML writes did not persist on first return; the main agent recovered both files verbatim from the sub-agent transcripts and the run's URL-liveness ledger before composition (no content was fabricated). Verifier: 4 iterations with model rotation (iterations 1 and 3 Claude Opus 4.8; iterations 2 and 4 Claude Sonnet 4.6); verdict CLEAN at iteration 4 after three remediation rounds (phpBB PoC claim, LiteLLM per-CVE CVSS phrasing, LiteSpeed fixed-version 5.3.2.1, UAT-8616 Talos citation, LiteSpeed KEV citation, DPRK targeted-geography attribution, Novo Nordisk HCP-clause citation).
- Coverage gaps: inside-it-ch (bridge 403 — no unique in-window content); databreaches-net (bridge returned no output); ncsc-ch-weekly-week24 (HTTP 404 — Week 24 report not yet published as of run time); anssi-fr-actu (CERT-FR actualité feed stale, no 2026 bulletins); sophos-xops (no new X-Ops research post in-window); rapid7-research (RSS feed returned empty); cnil-fr (no in-window enforcement notices).