Entities

114 CVEs, actors, campaigns, incidents, tools, advisories, and reports tracked across briefs. The badge marks items covered in more than one brief — these are the "stories that unfolded".

• Groupe 3R (Réseau Radiologique Romand) — Akira ransomware, 48 GB claimed, Swiss medical imaging
  incidentincident:groupe-3r-akira-2026last covered 2026-05-10
• Braintrust AI evaluation platform — AWS account breach exposes customer org-level LLM provider keys
  incidentincident:braintrust-aws-breach-2026last covered 2026-05-10
• JDownloader official site compromised — Windows/Linux installers swapped for Python RAT (~48 h window)
  incidentincident:jdownloader-supply-chain-2026last covered 2026-05-10
• Microsoft Semantic Kernel Python SDK — prompt-injection-to-RCE via InMemoryVectorStore filter (CVSS 9.9)
  cveCVE-2026-26030last covered 2026-05-10
• Microsoft Semantic Kernel .NET SDK — unintended [KernelFunction] on SessionsPythonPlugin Download/UploadFileAsync → sandbox escape (CVSS 9.9)
  cveCVE-2026-25592last covered 2026-05-10
• PCPJack — modular cloud-credential-theft worm chaining 5 public CVEs; evicts TeamPCP
  toolresearch:pcpjack-cloud-worm-2026last covered 2026-05-10
• Bauman University 'Department No. 4' — leaked GRU cyber-operator training pipeline (joint The Insider / Guardian / Le Monde / Spiegel investigation)
  campaignresearch:bauman-gru-pipeline-investigation-2026last covered 2026-05-10
• Beagle backdoor distributed via fake Claude AI site (claude-pro[.]com) — DonutLoader + DLL sideloading on signed G DATA AV updater (Sophos STAC4713)
  toolresearch:beagle-fake-claude-stac4713-2026last covered 2026-05-10
• ClickFix expands to macOS — Macsync / Shub Stealer / AMOS via Base64 Terminal-paste lures bypass Gatekeeper (Microsoft research)
  campaigncampaign:clickfix-macos-2026last covered 2026-05-10
• DENIC .de DNSSEC outage — technical post-mortem confirms three private keys with keytag 33834, only one DNSKEY published
  incidentincident:denic-dnssec-outage-2026-postmortemlast covered 2026-05-10
• cPanel/WHM unsafe symlink handling — chmod abuse on arbitrary files (CVSS 8.8, second emergency TSR)
  cveCVE-2026-29203last covered 2026-05-10×2 appearances
• Ivanti EPMM remote authenticated → administrative-access via improper access control (CVSS 8.8, May 2026 update)
  cveCVE-2026-5786last covered 2026-05-10
• Ivanti EPMM unauthenticated arbitrary method invocation (CVSS 7.0, May 2026 update)
  cveCVE-2026-5788last covered 2026-05-10
• Ivanti EPMM — fourth companion CVE in May 2026 EPMM update (high-severity per BleepingComputer / SecurityWeek)
  cveCVE-2026-7821last covered 2026-05-10
• Next.js middleware authorisation bypass via crafted header — weaponised by PCPJack worm
  cveCVE-2025-29927last covered 2026-05-10
• React/Next.js Server Actions deserialisation ("React2Shell") — weaponised by PCPJack worm
  cveCVE-2025-55182last covered 2026-05-10
• WPVivid Backup unauthenticated file upload — weaponised by PCPJack worm
  cveCVE-2026-1357last covered 2026-05-10
• W3 Total Cache PHP injection via mfunc comment processor — weaponised by PCPJack worm
  cveCVE-2025-9501last covered 2026-05-10
• CentOS Web Panel FileManager shell injection — weaponised by PCPJack worm
  cveCVE-2025-48703last covered 2026-05-10
• Cisco Unity Connection authenticated RCE in management API (CVSS 8.8, NATO NCSC discovery; logged § 7 — dropped from § 2, gate not cleared)
  cveCVE-2026-20034last covered 2026-05-10
• Cisco Unity Connection unauthenticated SSRF in default-enabled Web Inbox (CVSS 7.2; logged § 7 — dropped from § 2, gate not cleared)
  cveCVE-2026-20035last covered 2026-05-10
• Copy Fail — Linux kernel algif_aead LPE (ITW, KEV deadline 2026-05-15)
  cveCVE-2026-31431last covered 2026-05-09×3 appearances
• Palo Alto PAN-OS Captive Portal — unauthenticated root RCE (CVSS 9.3, ITW, KEV deadline 2026-05-09)
  cveCVE-2026-0300last covered 2026-05-09×3 appearances
• Instructure (Canvas LMS) data breach — student and educator data
  incidentincident:instructure-canvas-2026last covered 2026-05-09×4 appearances
• Ivanti EPMM on-prem — pre-auth certificate impersonation (CVSS 9.1, ITW, KEV chain with CVE-2026-6973)
  cveCVE-2026-5787last covered 2026-05-09×2 appearances
• Ivanti EPMM on-prem — admin API improper input validation → RCE (CVSS 7.2, ITW, KEV deadline 2026-05-10)
  cveCVE-2026-6973last covered 2026-05-09×2 appearances
• Pro-Russian hacktivist OT intrusion at five Polish water treatment facilities — pump settings modified
  incidentincident:polish-water-ot-2026last covered 2026-05-09×2 appearances
• DAEMON Tools Lite supply chain — QUIC RAT, EU governments targeted
  incidentincident:daemon-tools-supply-chain-2026last covered 2026-05-09
• Inditex (Zara) — ShinyHunters third-party analytics breach, 197,400 EU customers
  incidentincident:inditex-zara-breach-2026last covered 2026-05-09
• DENIC .de DNSSEC outage — HSM integration defect, 3.5 h disruption
  incidentincident:denic-dnssec-outage-2026last covered 2026-05-09
• PamDOORa — malicious PAM module with credential harvesting and log scrubbing, sold on Rehub
  toolresearch:pamdoora-pam-backdoor-2026last covered 2026-05-09
• Dirty Frag — Linux kernel xfrm-ESP page-cache write primitive, LPE (ITW, PoC public)
  cveCVE-2026-43284last covered 2026-05-09
• Dirty Frag — Linux kernel RxRPC page-cache write primitive, LPE chain (ITW, patch pending)
  cveCVE-2026-43500last covered 2026-05-09
• LiteLLM Proxy pre-auth SQL injection — all upstream LLM API keys at risk (CVSS 9.3, KEV deadline 2026-05-11)
  cveCVE-2026-42208last covered 2026-05-09×2 appearances
• SEPPmail Secure Email Gateway — unauthenticated RCE via exposed GINAv2 test endpoints (CVSS 9.3)
  cveCVE-2026-44128last covered 2026-05-09
• SEPPmail GINAv2 — missing authentication in admin REST API (CVSS 9.3)
  cveCVE-2026-44125last covered 2026-05-09
• SEPPmail GINAv2 — insecure deserialisation via session cookie → RCE (CVSS 9.2)
  cveCVE-2026-44126last covered 2026-05-09
• SEPPmail appliance management — LFI and arbitrary file deletion (CVSS 8.8)
  cveCVE-2026-44127last covered 2026-05-09
• SEPPmail GINAv2 — server-side template injection via Freemarker (CVSS 8.3)
  cveCVE-2026-44129last covered 2026-05-09
• SEPPmail appliance management — information disclosure (CVSS 6.9)
  cveCVE-2026-7864last covered 2026-05-09
• Spring Cloud Config Server pre-auth directory traversal (CVSS 9.8)
  cveCVE-2026-40982last covered 2026-05-09
• Spring Cloud Config Server Google Secrets Manager backend flaw (HIGH)
  cveCVE-2026-40981last covered 2026-05-09
• Spring Cloud Config Server companion CVE (HIGH)
  cveCVE-2026-41002last covered 2026-05-09
• Spring Cloud Config Server companion CVE (MEDIUM)
  cveCVE-2026-41004last covered 2026-05-09
• xrdp pre-authentication stack buffer overflow → RCE
  cveCVE-2025-68670last covered 2026-05-09
• Ivanti EPMM January 2026 critical — historical precedent cited in 2026-05-09 Ivanti UPDATE
  cveCVE-2026-1281last covered 2026-05-09×2 appearances
• Ivanti EPMM January 2026 critical companion — historical precedent cited in 2026-05-09 Ivanti UPDATE
  cveCVE-2026-1340last covered 2026-05-09×2 appearances
• Apache CloudStack post-auth authentication token flaw — dropped from § 3 (gate not cleared)
  cveCVE-2026-25077last covered 2026-05-09
• cPanel/WHM CVE cluster — dropped from § 3 (embargoed, gate not cleared)
  cveCVE-2026-29201last covered 2026-05-09×2 appearances
• cPanel/WHM CVE cluster — dropped from § 3 (embargoed, gate not cleared)
  cveCVE-2026-29202last covered 2026-05-09×2 appearances
• Windows Shell protection mechanism failure — NTLM coercion / spoofing (CVSS 4.3, APT28 ITW, KEV deadline 2026-05-12)
  cveCVE-2026-32202last covered 2026-05-08
• GLPI < 10.0.25 / 11.0.7 — SSRF (CERTFR-2026-AVI-0551)
  cveCVE-2026-32312last covered 2026-05-08
• GLPI < 10.0.25 / 11.0.7 — data integrity compromise (CERTFR-2026-AVI-0551)
  cveCVE-2026-40108last covered 2026-05-08
• GLPI < 10.0.25 / 11.0.7 — stored/reflected XSS (CERTFR-2026-AVI-0551)
  cveCVE-2026-42317last covered 2026-05-08
• GLPI < 10.0.25 / 11.0.7 — XSS (CERTFR-2026-AVI-0551)
  cveCVE-2026-42318last covered 2026-05-08
• GLPI < 10.0.25 / 11.0.7 — XSS (CERTFR-2026-AVI-0551)
  cveCVE-2026-42320last covered 2026-05-08
• GLPI < 10.0.25 / 11.0.7 — XSS (CERTFR-2026-AVI-0551)
  cveCVE-2026-42321last covered 2026-05-08
• GLPI < 10.0.25 / 11.0.7 — security policy bypass / auth bypass (CERTFR-2026-AVI-0551)
  cveCVE-2026-5385last covered 2026-05-08
• MuddyWater (Iran/MOIS) Chaos ransomware false-flag + Teams credential harvesting — Europe/Middle East
  campaigncampaign:muddywater-chaos-2026last covered 2026-05-08
• Die Linke (Germany) — Qilin ransomware, 1.5 TB claimed, DPA notified (April 2026)
  incidentincident:die-linke-qilin-2026last covered 2026-05-08
• Eurail breach (December 2025) — 308 777 travellers notified April 2026; Dutch DPA and EDPS reviewing delayed notification
  incidentincident:eurail-breach-2026last covered 2026-05-08
• CERT-FR CERTFR-2026-ACT-016 — Agentic AI tool risks: prompt injection, MCP supply chain, sandboxing
  campaignadvisory:certfr-2026-act-016last covered 2026-05-08
• Dragos 2025 OT Cybersecurity Year in Review — Frontlines IR Edition
  annual-reportannual-report:dragos-2025-ot-frontlineslast covered 2026-05-08
• Kaspersky Q1 2026 Exploits and Vulnerabilities Report
  annual-reportannual-report:kaspersky-q1-2026-exploitslast covered 2026-05-08
• Amazon SES abuse for authenticated BEC/phishing (Kaspersky, 2026-05-04)
  campaigntechnique:amazon-ses-bec-2026last covered 2026-05-08
• Ivanti EPMM pre-auth API access (2023, exploited by APT29; cited as historical precedent in 2026-05-08 deep dive)
  cveCVE-2023-35078last covered 2026-05-08
• Ivanti EPMM critical (January 2025, state-actor exploitation; cited as historical precedent in 2026-05-08 deep dive)
  cveCVE-2025-0283last covered 2026-05-08
• Microsoft Office Protected View bypass — security feature bypass (CVSS 7.8, KEV deadline 2026-02-16 already passed; deferred from §4)
  cveCVE-2026-21509last covered 2026-05-08
• Microsoft Office Protected View chain CVE (deferred from §4; see CVE-2026-21509 series)
  cveCVE-2026-21513last covered 2026-05-08
• Microsoft Office Protected View chain CVE (deferred from §4; see CVE-2026-21509 series)
  cveCVE-2026-21514last covered 2026-05-08
• Apache HTTP Server 2.4.x — mod_proxy_ajp heap buffer overflow (RCE via AJP backend)
  cveCVE-2026-28780last covered 2026-05-07
• SimpleHelp RMM — missing authorisation privilege escalation (CVSS 9.9, ITW DragonForce/Medusa, KEV deadline 2026-05-08)
  cveCVE-2024-57726last covered 2026-05-07
• SimpleHelp RMM — path traversal / zip-slip code execution (CVSS 7.2, ITW, KEV deadline 2026-05-08)
  cveCVE-2024-57728last covered 2026-05-07
• Samsung MagicINFO 9 Server — unauthenticated path traversal / file write (CVSS 9.8, Mirai, KEV deadline 2026-05-08)
  cveCVE-2024-7399last covered 2026-05-07
• Progress Telerik UI for ASP.NET AJAX — RadFilter deserialization RCE (CVSS 9.8)
  cveCVE-2026-6023last covered 2026-05-07SINGLE-SOURCE-NATIONAL-CERT
• Progress Telerik UI for ASP.NET AJAX — RadAsyncUpload resource exhaustion DoS (CVSS 7.5)
  cveCVE-2026-6022last covered 2026-05-07SINGLE-SOURCE-NATIONAL-CERT
• Zabbix monitoring platform — XSS / data confidentiality flaw (CERT-FR)
  cveCVE-2026-23926last covered 2026-05-07SINGLE-SOURCE-NATIONAL-CERT
• Zabbix monitoring platform — XSS / data confidentiality flaw (CERT-FR)
  cveCVE-2026-23927last covered 2026-05-07SINGLE-SOURCE-NATIONAL-CERT
• Zabbix monitoring platform — XSS / data confidentiality flaw (CERT-FR)
  cveCVE-2026-23928last covered 2026-05-07SINGLE-SOURCE-NATIONAL-CERT
• Metabase Enterprise — serialization import RCE (CVSS 7.2, public PoC)
  cveCVE-2026-33725last covered 2026-05-07
• France ANTS government identity agency breach — 11.7M citizen records confirmed
  incidentincident:france-ants-breach-2026last covered 2026-05-07×2 appearances
• DAEMON Tools supply chain compromise — China-nexus QUIC RAT via signed installers
  incidentincident:daemon-tools-supply-chain-2026last covered 2026-05-07
• ChipSoft (Netherlands) healthcare software vendor — Embargo ransomware, 66 Dutch DPA notifications
  incidentincident:chipsoft-embargo-2026last covered 2026-05-07
• Vimeo data breach via Anodot third-party SaaS compromise — 119,200 accounts
  incidentincident:vimeo-anodot-2026last covered 2026-05-07
• Europol shadow IT systems — decade of unregulated data processing outside EU oversight
  incidentincident:europol-shadow-it-2026last covered 2026-05-07
• Mandiant M-Trends 2026 — Annual Threat Intelligence Report
  annual-reportannual-report:mtrends-2026last covered 2026-05-07
• DragonForce — ransomware-as-a-service operator exploiting SimpleHelp RMM
  actoractor:DragonForcelast covered 2026-05-07
• Embargo — ransomware group; responsible for ChipSoft Netherlands attack
  actoractor:Embargolast covered 2026-05-07
• OceanLotus (APT32) — Vietnam-nexus APT; PyPI supply chain campaign
  actoractor:OceanLotuslast covered 2026-05-07
• CL-STA-1132 — likely state-sponsored exploitation cluster for CVE-2026-0300 (PAN-OS)
  campaigncampaign:CL-STA-1132last covered 2026-05-07
• QLNX (Quasar Linux) — developer-targeting Linux RAT with eBPF rootkit and PAM backdoor
  tooltool:QLNXlast covered 2026-05-07
• ZiChatBot — OceanLotus PyPI supply chain backdoor using Zulip API C2
  tooltool:ZiChatBotlast covered 2026-05-07
• Amatera — InstallFix campaign infostealer targeting browser credentials and e-wallets
  tooltool:Amateralast covered 2026-05-07
• InstallFix — malvertising campaign distributing Amatera infostealer via fake AI tool install pages
  campaigncampaign:installfixlast covered 2026-05-07
• CVE-2026-29168
  cveCVE-2026-29168last covered 2026-05-07×2 appearances
• CVE-2026-29169
  cveCVE-2026-29169last covered 2026-05-07×2 appearances
• cPanel/WHM authentication bypass — mass exploitation ongoing (KEV deadline 2026-05-21)
  cveCVE-2026-41940last covered 2026-05-06
• Progress MOVEit Automation — unauthenticated auth bypass (CVSS 9.8)
  cveCVE-2026-4670last covered 2026-05-06
• Progress MOVEit Automation — authenticated privilege escalation (CVSS 8.8)
  cveCVE-2026-5174last covered 2026-05-06
• Apache HTTP Server 2.4.66 — HTTP/2 double-free RCE (CVSS 8.8)
  cveCVE-2026-23918last covered 2026-05-06
• Traefik proxy — mTLS bypass via fragmented TLS ClientHello
  cveCVE-2026-32305last covered 2026-05-06
• ScarCruft (APT37 / Reaper) — North Korea-aligned APT
  actoractor:ScarCruftlast covered 2026-05-06
• BirdCall — ScarCruft Android/Windows backdoor
  tooltool:BirdCalllast covered 2026-05-06
• ShinyHunters — financially motivated data-theft group
  actoractor:ShinyHunterslast covered 2026-05-06
• TeamPCP — threat actor targeting software supply chains
  actoractor:TeamPCPlast covered 2026-05-06
• Mini Shai-Hulud — TeamPCP SAP CAP npm supply-chain worm
  campaigncampaign:mini-shai-huludlast covered 2026-05-06
• UAT-8302 — China-nexus APT targeting government entities in South America and southeastern Europe
  actoractor:UAT-8302last covered 2026-05-06
• World Leaks — rebranded Hunters International; data-theft extortion without encryption
  actoractor:WorldLeakslast covered 2026-05-06
• DigiCert support portal compromise — 60 fraudulent EV code-signing certificates
  incidentincident:digicert-support-portal-2026last covered 2026-05-06
• Trellix source code repository breach
  incidentincident:trellix-source-code-2026last covered 2026-05-06
• ADT Inc. cloud environment breach — customer PII (SEC 8-K 2026-04-24)
  incidentincident:adt-cloud-breach-2026last covered 2026-05-06
• Mediaworks Kft (Hungary) — World Leaks data-theft extortion
  incidentincident:mediaworks-hungary-2026last covered 2026-05-06
• Europol IOCTA 2026 — Internet Organised Crime Threat Assessment
  annual-reportannual-report:iocta-2026last covered 2026-05-06
• CVE-2026-24072
  cveCVE-2026-24072last covered 2026-05-06