SonicWall VPN MFA Bypass Fuels Ransomware Attacks on EOL Devices
CVE-2024-12802 lets attackers bypass MFA on SonicWall Gen6 VPNs even after patching. Ransomware operators actively exploiting incomplete fixes. Gen6 reached EOL April 16.
Critical CVE-2026-48172 in LiteSpeed cPanel plugin enables root privilege escalation. CVSS 10.0, actively exploited, CISA KEV deadline May 29. Patch immediately.
CVE-2026-48095 in 7-Zip allows attackers to execute arbitrary code through malicious NTFS images. CVSS 8.8 - update to v26.01 immediately.
Attackers exploit CVE-2026-26980 to steal admin API keys and inject malicious scripts across 700+ Ghost CMS sites, including Harvard and Oxford. Patch now.
CVE-2026-34926 lets attackers inject malicious code into Apex One servers and deploy it to all connected endpoint agents. CISA confirms active exploitation with June 4 federal deadline.
CISA adds CVE-2025-34291 to KEV after Iranian APT MuddyWater weaponizes the CORS/CSRF chain for account takeover and RCE. CVSS 9.4 flaw requires only a malicious link click.
CVE-2026-9082 exploitation began within hours of patch release. Imperva tracked 15,000+ attacks against PostgreSQL-backed Drupal sites across 65 countries in the first two days.
CVE-2026-23918 in Apache HTTP Server 2.4.66 lets attackers crash workers trivially or achieve remote code execution through a double-free in mod_http2. Upgrade to 2.4.67 immediately.
Ubiquiti releases emergency patches for three maximum-severity vulnerabilities in UniFi OS that allow unauthenticated remote attackers to take full control of network appliances. 100,000 devices exposed.
Cisco patches CVE-2026-20223, a maximum-severity REST API vulnerability in Secure Workload enabling unauthenticated attackers to gain Site Admin privileges across tenants.
A Chromium bug reported in 2022 that turns browsers into silent botnets was accidentally exposed on Google's issue tracker. No patch exists despite 'fixed' status.
CISA's May 20 KEV update includes two actively exploited Microsoft Defender vulnerabilities and five legacy flaws from 2008-2010. Federal agencies have until June 3 to patch.
Security researchers disclose nginx-poolslip, an unpatched zero-day in NGINX 1.31.0 that defeats ASLR protection. Millions of servers at risk with no CVE or fix available yet.
Drupal releases patches for a highly critical vulnerability (severity 20/25) affecting all supported versions. Exploits may emerge within hours—administrators should update between 5-9pm UTC today.
Seven vulnerabilities including CVE-2026-2743 (CVSS 10.0) allow unauthenticated attackers to compromise SEPPMail secure email gateways, read all traffic, and establish persistent access. Patch to 15.0.4 immediately.
DEVCORE claims Master of Pwn with $505K across three days. VMware ESXi and SharePoint exploits highlight Day 3 as Pwn2Own Berlin 2026 awards $1.29M total.
Chaotic Eclipse drops working exploit for Windows Cloud Filter driver flaw allegedly patched in 2020. Race condition in cldflt.sys spawns SYSTEM shell on Windows 11.
Critical CVE-2026-7482 vulnerability in Ollama's GGUF model loader lets remote attackers extract API keys, prompts, and conversation data from 300,000+ exposed servers.
Cyera discloses four chainable OpenClaw vulnerabilities (CVE-2026-44112 through 44118) exposing 245,000 servers to credential theft, privilege escalation, and persistent access.
Day two of Pwn2Own Berlin 2026 yields 15 new zero-days worth $385,750. Orange Tsai chains three bugs for SYSTEM-level Exchange RCE, earning the event's largest payout.
Microsoft confirms active exploitation of CVE-2026-42897, an XSS flaw in Exchange OWA that executes JavaScript via malicious emails. No patch available yet.
Google's May 2026 Chrome update addresses 79 security issues with 14 rated critical. Memory corruption bugs dominate—update immediately to version 148.0.7778.167.
CVE-2026-46300 exploits a logic bug in the XFRM ESP-in-TCP subsystem to corrupt page cache and gain root. Kernel patches rolling out now—mitigation available.
CVE-2026-42945 is a critical heap buffer overflow in NGINX's rewrite module that went undetected since 2008. CVSS 9.2 with public PoC available—patch now.
CVE-2026-20182 allows unauthenticated attackers to gain admin access to Cisco Catalyst SD-WAN controllers. CISA added it to the KEV catalog after confirmed exploitation.
Security researchers exploited Windows 11, Microsoft Edge, Red Hat Linux, and multiple AI platforms on the first day of Pwn2Own Berlin 2026, earning $523,000 for 24 unique zero-day vulnerabilities.
SAP's May 2026 security update addresses 15 vulnerabilities, including CVE-2026-34260 SQL injection in S/4HANA and CVE-2026-34263 unauthenticated RCE in Commerce Cloud.
A disgruntled researcher released two unpatched Windows zero-days: YellowKey bypasses BitLocker encryption via USB, while GreenPlasma grants SYSTEM privileges. No patches available yet.
CVE-2026-45185 is a critical use-after-free vulnerability in Exim mail servers using GnuTLS. XBOW researchers call it one of the highest-caliber bugs found in Exim.
Microsoft's May 2026 Patch Tuesday addresses 120 vulnerabilities including 17 critical RCE flaws. No zero-days, but Word preview pane attacks and Netlogon bugs demand immediate attention.
Fortinet discloses CVE-2026-44277 and CVE-2026-26083, unauthenticated RCE flaws affecting FortiSandbox and FortiAuthenticator. Patch now before attackers weaponize these.
CVE-2026-44211 (CVSS 9.7) allowed malicious websites to hijack Cline's Kanban WebSocket server, exfiltrate workspace data, and execute arbitrary commands through the AI agent. Patched in v0.1.66.
CVE-2026-42208, a CVSS 9.3 pre-auth SQL injection in the LiteLLM LLM gateway, was weaponized within 36 hours of disclosure. CISA added it to KEV with a May 11 federal deadline.
cPanel releases emergency fixes for CVE-2026-29201, 29202, and 29203—including file read, code execution, and privilege escalation flaws. Comes days after 44,000 servers were hit by ransomware.
Two vulnerabilities in AzuraCast radio automation software enable authenticated RCE via path traversal and unauthenticated account takeover through password reset poisoning. Upgrade to 0.23.6 now.
CVE-2026-26129, CVE-2026-26164, and CVE-2026-33111 allowed information disclosure via injection attacks in Microsoft 365 Copilot. No admin action required.
CVE-2026-42354 (CVSS 9.1) allows attackers to take over any Sentry user account via malicious SAML IdP. Patch to version 26.4.1 immediately.
A new Linux kernel flaw dubbed Dirty Frag (CVE-2026-43284) enables instant root on all major distros. No patches exist after embargo collapsed.
Security researchers disclosed 12 sandbox escape vulnerabilities in vm2, including three with CVSS 10.0 scores. The popular JavaScript isolation library can no longer be trusted to contain untrusted code.
CVE-2026-6973 lets attackers achieve RCE on Ivanti Endpoint Manager Mobile with admin credentials. CISA added it to KEV with a two-day patch deadline for federal agencies.
CVE-2026-27960 in OpenCTI 6.6.0-6.9.12 allows unauthenticated API access as any user, including admin. Upgrade to 6.9.13 or disable the default admin account.
CVE-2026-23918 in Apache 2.4.66 lets attackers crash servers or achieve code execution with just two HTTP/2 frames. Upgrade to 2.4.67 immediately.
CVE-2026-0300 allows unauthenticated attackers to execute code as root on PA-Series and VM-Series firewalls. Patches coming May 13—here's how to mitigate now.
Progress patches CVE-2026-4670, a critical authentication bypass in MOVEit Automation that could give attackers admin control. No workarounds available.
CVE-2026-31431 lets attackers gain root on every major Linux distro since 2017 with a 732-byte Python script. Here's how it works and what to do.
CVE-2026-3854 allowed authenticated attackers to execute code on GitHub servers via a single git push. 88% of Enterprise Server instances remain unpatched.
CVE-2026-41386 allows attackers to manipulate bootstrap setup codes during device pairing, bypassing role restrictions and gaining elevated privileges in OpenClaw.
Critical CVSS 9.8 flaw in cPanel/WHM allowed attackers to bypass authentication via CRLF injection. Exploits confirmed in the wild before emergency patches.