June 16 began as the AI-development stack's mass-disclosure day — pre-auth RCE in Crawl4AI and Langflow, a vLLM auth bypass, an ~18-CVE n8n batch, and Aikido's catch of 15+ JetBrains plugins quietly exfiltrating the AI keys developers paste into them — and the 18:00 synthesis closed on that shape.
Late escalation at 21:00 ET: a second wave hit self-hosted infrastructure after the synthesis locked. Rclone's remote-control server (`rcd --rc-serve`) takes unauthenticated RCE through inline remote config, bypassing the earlier CVE-2026-41179 fix (CVE-2026-49980, CVSS 9.8). The LiteLLM proxy can be reached on its management routes without auth via a Host-header trick (CVE-2026-49468) — the same URL-reconstruction class as the morning's vLLM bypass. n8n's security release kept expanding: a CVSS-10 unauthenticated browser-control exposure in `@n8n/mcp-browser` (CVE-2026-54309) and a cross-tenant credential takeover via the Dynamic-Credentials EE endpoints (CVE-2026-54305, CVSS 9.9). And the self-hosted forges piled on — Gitea shipped a 'maintainer-edit' authorization bypass that lets read-access users push arbitrary commits plus two token-scope bypasses (Basic-vs-Bearer mirror images of each other), and Gogs disclosed an authenticated path-traversal file-overwrite. yt-dlp's `--exec` metadata command injection rounds out the wave.
→ Operational priority for the night: get any reachable Rclone `rcd --rc-serve` and n8n MCP-browser HTTP endpoint off the network now (both expose unauthenticated code or browser-control execution), then patch LiteLLM and the morning's Crawl4AI / Langflow / vLLM instances, upgrade Gitea and Gogs and re-issue every scoped forge token (scoping is unenforceable until you do), and finish rotating the AI provider keys exposed to third-party IDE plugins ahead of the June 19 Joomla/JCE KEV deadline.