The Day Nobody Had a Patch
On June 24-25, 2026, thirty critical-severity CVEs were disclosed across web-facing infrastructure. The patch availability rate at disclosure: 0%. Not some. Not most. Zero of the thirty had vendor-issued fixes when the vulnerabilities became public knowledge. This represents a 76% spike from the 17 critical CVEs in the prior period — and a structural deterioration in the disclosure-to-patch timeline.
The affected software reads like a list of enterprise infrastructure: Rocket.Chat (used by organizations that need self-hosted messaging), Cacti (used by network teams for infrastructure monitoring), Gogs (used by development teams for self-hosted Git), and Chrome (used by everyone).
The Casualties
Rocket.Chat: four separate authentication bypass vulnerabilities. Apple OAuth JWT forgery (CVE-2026-55666, CVSS 9.3), SAML signature bypass (CVE-2026-46423, CVSS 9.3), MongoDB injection (CVSS 9.1), and NoSQL CAS bypass (CVSS 9.1). Four different ways to walk past the front door of a self-hosted messaging platform. Organizations that chose Rocket.Chat for security and data sovereignty now have four unpatched auth bypasses.
Cacti: four SQL injection and local file inclusion flaws (CVSS 9.3-9.8), all reachable without authentication via graph_view.php. Gogs: path traversal to RCE via Git hooks (CVSS 10.0) and branch-name RCE (CVSS 9.9). Chrome Android: two WebGL use-after-free sandbox escapes (CVSS 9.6). Five additional CVEs were simultaneously added to CISA's Known Exploited Vulnerabilities (KEV) catalog with confirmed active exploitation.
Self-Hosted Means Self-Patched
The pattern in this disclosure batch is consistent: every critically affected product is self-hosted infrastructure. Rocket.Chat, Cacti, Gogs — these are tools organizations deploy specifically because they want control over their own data and infrastructure. The tradeoff is clear: you own the data, but you also own the patching. When the vendor has no patch at disclosure, you have no options. You cannot update. You can only mitigate, monitor, or take the service offline.
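Of the three options left when no patch exists, monitoring is the one that needs tooling. As an added example (not code from the original article or from the Cacti project), here is a small Python log scanner that flags requests to Cacti's graph_view.php, the pre-authentication endpoint named above, whose decoded query parameters carry common SQL-injection or file-inclusion indicators; the access-log lines are constructed samples and the indicator patterns are generic assumptions, not signatures for the specific CVEs.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined Log Format prefix: client IP, timestamp, request line, status code.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Generic indicator patterns (assumed, not CVE-specific) applied to decoded parameter values.
INDICATORS = {
    "sqli": re.compile(r"('|\bunion\b|\bselect\b|--|/\*|\bsleep\s*\(|\bbenchmark\s*\()", re.I),
    "lfi": re.compile(r"(\.\./|\.\.\\|/etc/|\x00|php://|\bproc/self\b)", re.I),
}

# Constructed sample log lines; the two suspicious ones carry a quote/UNION and a ../ sequence.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jun/2026:03:14:07 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Jun/2026:03:14:09 +0000] "GET /cacti/graph_view.php?action=preview&graph_template_id=1%27%20UNION%20SELECT HTTP/1.1" 500 312 "-" "curl/8.5"
198.51.100.4 - - [25/Jun/2026:03:15:01 +0000] "GET /cacti/graph_view.php?action=tree&node=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 88 "-" "python-requests/2.31"
192.0.2.10 - - [25/Jun/2026:03:16:22 +0000] "GET /cacti/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def inspect_line(line: str):
    """Return a finding dict for a suspicious graph_view.php request, else None."""
    m = CLF_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.lower().endswith("/graph_view.php"):
        return None
    hits = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        decoded = unquote_plus(value)  # second decode pass catches double-encoded values
        for kind, pattern in INDICATORS.items():
            if pattern.search(decoded):
                hits.append((kind, name))
    if not hits:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "status": m["status"], "hits": hits}


def scan_log(text: str):
    """Scan a whole access log and return the findings in log order."""
    return [f for f in (inspect_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```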
Managed platforms — GitHub instead of Gogs, Slack instead of Rocket.Chat, cloud monitoring instead of Cacti — transfer this patching burden to the vendor. The security tradeoff of self-hosting is real and quantifiable: when thirty critical CVEs drop with zero patches, self-hosted infrastructure is exposed with no remediation path. For CISOs: the cost of self-hosting is not just infrastructure. It is the 0% patch rate on the day it matters most.