Vulnerabilities

Cyera discloses four chainable OpenClaw vulnerabilities (CVE-2026-44112 through 44118) exposing 245,000 servers to credential theft, privilege escalation, and persistent access.

Day two of Pwn2Own Berlin 2026 yields 15 new zero-days worth $385,750. Orange Tsai chains three bugs for SYSTEM-level Exchange RCE, earning the event's largest payout.

Microsoft confirms active exploitation of CVE-2026-42897, an XSS flaw in Exchange OWA that executes JavaScript via malicious emails. No patch available yet.

Google's May 2026 Chrome update addresses 79 security issues with 14 rated critical. Memory corruption bugs dominate—update immediately to version 148.0.7778.167.

CVE-2026-46300 exploits a logic bug in the XFRM ESP-in-TCP subsystem to corrupt page cache and gain root. Kernel patches rolling out now—mitigation available.

CVE-2026-42945 is a critical heap buffer overflow in NGINX's rewrite module that went undetected since 2008. CVSS 9.2 with public PoC available—patch now.

CVE-2026-20182 allows unauthenticated attackers to gain admin access to Cisco Catalyst SD-WAN controllers. CISA added it to the KEV catalog after confirmed exploitation.

Security researchers exploited Windows 11, Microsoft Edge, Red Hat Linux, and multiple AI platforms on the first day of Pwn2Own Berlin 2026, earning $523,000 for 24 unique zero-day vulnerabilities.

SAP's May 2026 security update addresses 15 vulnerabilities, including CVE-2026-34260 SQL injection in S/4HANA and CVE-2026-34263 unauthenticated RCE in Commerce Cloud.

A disgruntled researcher released two unpatched Windows zero-days: YellowKey bypasses BitLocker encryption via USB, while GreenPlasma grants SYSTEM privileges. No patches available yet.

CVE-2026-45185 is a critical use-after-free vulnerability in Exim mail servers using GnuTLS. XBOW researchers call it one of the highest-caliber bugs found in Exim.

Microsoft's May 2026 Patch Tuesday addresses 120 vulnerabilities including 17 critical RCE flaws. No zero-days, but Word preview pane attacks and Netlogon bugs demand immediate attention.

Fortinet discloses CVE-2026-44277 and CVE-2026-26083, unauthenticated RCE flaws affecting FortiSandbox and FortiAuthenticator. Patch now before attackers weaponize these.

CVE-2026-44211 (CVSS 9.7) allowed malicious websites to hijack Cline's Kanban WebSocket server, exfiltrate workspace data, and execute arbitrary commands through the AI agent. Patched in v0.1.66.

CVE-2026-42208, a CVSS 9.3 pre-auth SQL injection in the LiteLLM LLM gateway, was weaponized within 36 hours of disclosure. CISA added it to KEV with a May 11 federal deadline.

cPanel releases emergency fixes for CVE-2026-29201, 29202, and 29203—including file read, code execution, and privilege escalation flaws. Comes days after 44,000 servers were hit by ransomware.

Two vulnerabilities in AzuraCast radio automation software enable authenticated RCE via path traversal and unauthenticated account takeover through password reset poisoning. Upgrade to 0.23.6 now.

CVE-2026-26129, CVE-2026-26164, and CVE-2026-33111 allowed information disclosure via injection attacks in Microsoft 365 Copilot. No admin action required.

CVE-2026-42354 (CVSS 9.1) allows attackers to take over any Sentry user account via malicious SAML IdP. Patch to version 26.4.1 immediately.

A new Linux kernel flaw dubbed Dirty Frag (CVE-2026-43284) enables instant root on all major distros. No patches exist after embargo collapsed.

Security researchers disclosed 12 sandbox escape vulnerabilities in vm2, including three with CVSS 10.0 scores. The popular JavaScript isolation library can no longer be trusted to contain untrusted code.

CVE-2026-6973 lets attackers achieve RCE on Ivanti Endpoint Manager Mobile with admin credentials. CISA added it to KEV with a two-day patch deadline for federal agencies.

CVE-2026-27960 in OpenCTI 6.6.0-6.9.12 allows unauthenticated API access as any user, including admin. Upgrade to 6.9.13 or disable the default admin account.

CVE-2026-23918 in Apache 2.4.66 lets attackers crash servers or achieve code execution with just two HTTP/2 frames. Upgrade to 2.4.67 immediately.

CVE-2026-0300 allows unauthenticated attackers to execute code as root on PA-Series and VM-Series firewalls. Patches coming May 13—here's how to mitigate now.

Progress patches CVE-2026-4670, a critical authentication bypass in MOVEit Automation that could give attackers admin control. No workarounds available.

CVE-2026-31431 lets attackers gain root on every major Linux distro since 2017 with a 732-byte Python script. Here's how it works and what to do.

CVE-2026-3854 allowed authenticated attackers to execute code on GitHub servers via a single git push. 88% of Enterprise Server instances remain unpatched.

CVE-2026-41386 allows attackers to manipulate bootstrap setup codes during device pairing, bypassing role restrictions and gaining elevated privileges in OpenClaw.

Critical CVSS 9.8 flaw in cPanel/WHM allowed attackers to bypass authentication via CRLF injection. Exploits confirmed in the wild before emergency patches.

CVE-2026-42208 lets attackers steal API keys and forge admin sessions in LiteLLM without authentication. Exploitation began within 36 hours of public disclosure.

Russian state hackers weaponize CVE-2026-32202, an incomplete patch for Windows Shell that enables zero-click NTLM hash theft. Microsoft confirms active exploitation after Akamai discovers the bypass.

Silverfort researchers discover Microsoft's AI agent management role could be abused to take over arbitrary service principals in Entra ID tenants. Microsoft patched the privilege escalation flaw on April 9.

Microsoft releases emergency patch for CVE-2026-40372 (CVSS 9.1), a critical ASP.NET Core flaw allowing attackers to forge authentication cookies and gain SYSTEM privileges on Linux and macOS servers.

Kaspersky discloses PhantomRPC, an architectural Windows RPC vulnerability enabling SYSTEM-level privilege escalation across all Windows versions. Microsoft declined to patch despite five exploitation paths.

CVE-2026-42363 exposes admin credentials in GeoVision GV-IP Device Utility 9.0.5 via UDP broadcast packets. CVSS 9.3 critical flaw lets LAN attackers decrypt device passwords.

Security researcher Valentin Lobstein discovers CVSS 9.8 pickle deserialization vulnerabilities in LeRobot, ktransformers, and LightLLM. ML frameworks using pickle for network serialization create widespread attack surface.

Critical CVE-2026-5760 in SGLang enables unauthenticated RCE through poisoned GGUF model files. Attackers can weaponize Hugging Face models to compromise inference servers.

Oracle's April 2026 CPU addresses 450 CVEs across 28 product families. Over 300 flaws are remotely exploitable without authentication, with Communications leading at 139 patches.

Four actively exploited vulnerabilities added to CISA's KEV catalog on April 24. Federal agencies face May 8 deadline—here's what's being targeted.

CVE-2026-41248 in Clerk's JavaScript libraries allows crafted requests to bypass authentication middleware. CVSS 9.1—patch your Next.js, Nuxt, and Astro apps now.

CVE-2026-40050 exposes CrowdStrike LogScale servers to unauthenticated file access via path traversal. CVSS 9.8—here's who's affected and how to patch.

CVE-2026-41651 lets any local user gain root privileges on Ubuntu, Debian, and Fedora via a TOCTOU race in PackageKit. Patch to version 1.3.5 immediately.

CVE-2026-33626 in LMDeploy AI toolkit was weaponized within 12 hours of publication, targeting AWS credentials and internal services. Patch to v0.12.3 immediately.

Huntress confirms hands-on-keyboard exploitation of all three Windows Defender zero-days. Microsoft patched BlueHammer, but RedSun and UnDefend remain unpatched as attackers chain them for SYSTEM access.