Entities
750 CVEs, actors, campaigns, incidents, tools, advisories, and reports tracked across briefs. The badge marks items covered in more than one brief — these are the "stories that unfolded".
Total entities: 750 (8 types)
Recent (30 d): 444 entities with new coverage in window
Distinct sources: 387 hosts cited at least once
Total appearances: 1195 brief-section attributions
Co-occurrence links: 2849 entity ↔ entity in same item
By type
- cve: 441 (59%)
- campaign: 118 (16%)
- incident: 102 (14%)
- vulnerability-trend: 27 (4%)
- actor: 24 (3%)
- annual-report: 17 (2%)
- tool: 16 (2%)
- policy: 5 (1%)
Recent coverage (chart): aggregate mentions per ISO week, last 8 weeks.
By year
- 2013: 1
- 2016: 1
- 2017: 2
- 2018: 1
- 2019: 1
- 2020: 3
- 2021: 4
- 2022: 5
- 2023: 7
- 2024: 11
- 2025: 24
- 2026: 376
- Cisco Unified CM unauth SSRF → OS-root file write
- FortiBleed — 73,932 FortiGate device credentials exposed; active Russian-speaking brute-force/AD-lateral campaign
- Icarus extortion: dormant Klue credential → harvested OAuth tokens → bulk Salesforce CRM theft
- Ubiquiti UniFi OS improper access control (chain to unauth root)
- Ubiquiti UniFi OS path traversal (chain to unauth root)
- Ubiquiti UniFi OS command injection to root (actively exploited)
- Lantronix EDS5000 OS command injection to root (BRIDGE:BREAK)
- PostCSS npm typosquats deliver Nuitka Python RAT (abdrizak)
- WhatsApp VBScript installs ManageEngine RMM for LotL remote control
- Xsolis healthcare-AI vendor breach exposes 1.4M patients (7 US health systems)
- Unit 42: malicious OpenClaw ClawHub skills deliver AMOS + agentic fraud
- Unit 42: cloud-bucket hijacking via global-namespace reuse
- macOS ClickFix uses hdiutil -nobrowse to mount DMG invisibly, drops AMOS
- Swiss Post Cybersecurity inaugural Swiss Threat Landscape Report
- ShapedPlugin WordPress Pro supply-chain backdoor (CVE-2026-10735)
- Transport for London 2024 intrusion — Scattered Spider members plead guilty
- Gitea Docker reverse-proxy trust-all auth bypass
- ILIAS 11.0 SQL injection (ilTrQuery), no patch, PoC public
- Squidbleed — Squid FTP-gateway heap over-read
- Elastic AAD Graph Activity Logs detection for Entra enumeration tooling
- SonicWall SonicOS access control — Akira/Fog post-patch ransomware on-ramp
- Gitea protected-branch enforcement race (single-push batch)
- Gitea TOTP 2FA bypass (web TOCTOU + X-Gitea-OTP replay)
- Gitea SSRF in webhook / repo-migration subsystems
- ShapedPlugin WordPress Pro supply-chain backdoor (build/EDD pipeline compromise)
- FortiGate credential-reuse vector referenced in FortiBleed campaign (three identically titled entries)
- DifyTap — Dify AI platform cross-tenant authorization bypass (evaluated, dropped § 7: authenticated, no ITW, aggregator-only primary)
- Microsoft 365 Copilot Business Chat open redirect (BSI WID-SEC-2026-2020; server-side mitigated, dropped § 7)
- ShapedPlugin supply-chain backdoor — duplicate CVE submission for CVE-2026-10735 (noted § 7)
- Microsoft 365 Copilot missing-authentication info disclosure (BSI WID-SEC-2026-2020; server-side mitigated, dropped § 7)
- EFK audit: federal cyber-governance split leaves SEPOS/FS BIS without complete incident picture
- Brazil national Cell Broadcast emergency-alert platform hijacked; ~30M fake Extreme Alerts
- eBanking phishing using IPv4-mapped IPv6 URL notation to bypass regex URL scanners
- AryStinger botnet — reconnaissance/proxy network on EoL D-Link routers + QNAP NAS
- Linksys/D-Link RTL819X command-injection RCE — initial-access vector for the AryStinger botnet
- D-Link DIR-850L HTTP-service stack buffer overflow RCE — AryStinger botnet access vector
- QNAP Malware Remover code injection (fixed 6.6.8.20251023) — AryStinger NAS access vector
- RoguePlanet: TOCTOU race in Microsoft Defender scan engine → SYSTEM LPE, PoC, no CVE/patch
- ShinyHunters Oracle PeopleSoft data-theft campaign (100+ orgs, ~300 instances, education-heavy; Univ. of Nottingham confirmed)
- The Gentlemen ransomware (Storm-2697 / Phantom Mantis): self-propagating Go encryptor
- Splunk Enterprise pre-auth RCE via unauthenticated PostgreSQL sidecar REST API proxied by web tier, CVSS 9.8
- Mastra npm namespace backdoored via easy-day-js (dormant contributor account)
- Operation Endgame expands to SocGholish/TA569 — 106 C2 servers, 14,971 WordPress sites
- Gentlemen RaaS — operator-maintained GentleKiller EDR-killer framework (BYOVD, 48 vendors)
- RoguePlanet Defender LPE (CVE-2026-50656) — Nightmare/Chaotic Eclipse wave, public PoC, no patch
- PTC Windchill/FlexPLM CVE-2026-12569 — unauth Java deserialization RCE (CVSS 10.0), actively exploited
- Kodak confirms breach after ShinyHunters leak-site listing; June 18 deadline passed without publication
- Gravity SMTP WordPress plugin unauthenticated credential-dump (CVE-2026-4020)
- Prinz Eugen — Go-based ransomware, recent-files-first, no ransom note
- Popa residential-proxy botnet (Vo1d plugin) tied to Alarum/NetNut by Krebs/Qurium
- UK ICO Commissioner John Edwards resigns with immediate effect
- HCRG Care Group notifies patients 16 months after Feb-2025 Medusa breach
- Texas Parks & Wildlife 3.08M licence holders exposed via third-party vendor
- One Medical (Amazon) legacy-storage breach; ShinyHunters 8.8TB claim unverified
- Oracle PeopleSoft PeopleTools PSEMHUB pre-auth RCE (CVSS 9.8), zero-day exploited by UNC6240/ShinyHunters
- Windows Boot Manager Secure Boot bypass (BlackLotus-class) — possible FishMonger SprySOCKS UEFI component (unconfirmed)
- Oracle PeopleSoft PeopleTools 8.61/8.62 Performance Monitor — missing-auth RCE (CVSS 9.8)
- Rockwell 1794-AENTR/AENTRXT FLEX I/O — CIP-handling denial-of-service (CVSS 7.5)
- Rockwell CompactLogix/ControlLogix 5370/5570 — CIP message major non-recoverable fault DoS (CVSS 7.5)
- Rockwell FactoryTalk Historian Site Edition — authentication bypass (CVSS 7.7)
- NGINX — heap overflow in ngx_http_proxy_v2_module/ngx_http_grpc_module (CVSS v4 9.2)
- Drupal core — deserialization gadget chain (SA-CORE-2026-006)
- AVer PTC-series conference cameras CVE-2026-40624 — unauth RCE (CVSS 9.8), CISA ICS advisory
- Gogs self-hosted Git server CVE-2026-52806 — argument injection to OS command execution (CVSSv4 9.4), BSI critical batch
- Nintendo employee data stolen from third-party HR-survey SaaS TinyPulse (Shadowbyt3$ extortion)
- usbliter8 — permanent unpatchable SecureROM boot-chain exploit for Apple A12/A13 silicon (checkm8 successor)
- AutoJack — single-web-page host RCE via AI agent's local MCP WebSocket (AutoGen Studio dev builds)
- UK ICO criminal caution — London Clinic insider accessed Princess of Wales medical records
- CryptoBandits — USB-LNK worm + Tor hidden-service C2 driving a clipboard hijacker
- Cisco ISE CVE-2026-20181/20190 — unauth credential read chaining to authenticated root RCE
- Cisco ISE CVE-2026-20190 — unauthenticated read of hashed admin credentials (CVSS 7.5)
- pgAdmin 4 critical CVEs (CVE-2026-12046/12045/12048) patched in v9.16
- NGINX HTTP/3 QUIC UAF (CVE-2026-42530) + HTTP/2-proxy heap overflow (CVE-2026-42055)
- Drupal core June 2026 advisories — JSON:API PHP object-injection chain (CVE-2026-55803/55804)
- Sophos X-Ops — cautious-but-concrete AI adoption in the cybercrime underground
- pgAdmin 4 — AI Assistant read-only-transaction bypass to RCE via COPY TO PROGRAM (CVSS v4 9.4)
- pgAdmin 4 — stored XSS via unsanitised PostgreSQL error/EXPLAIN content (CVSS v4 9.3)
- Drupal core — rebuild.php trusted-host bypass (SA-CORE-2026-007)
- Drupal core — Media module oEmbed SSRF (SA-CORE-2026-008)
- Drupal core — JSON:API/REST image-upload MIME-validation gap (SA-CORE-2026-009)
- ScarCruft (APT37) NarwhalRAT — fake Microsoft OTP lures, compiled-Python RAT, pCloud dead-drop C2
- China arrests 67 Silver Fox (Winos/ValleyRAT) cybercrime operators
- Oracle June 2026 CSPU — Solaris RAD CVSS 10.0 (CVE-2026-46978) + PeopleSoft 9.8 (CVE-2026-35278)
- Rockwell FLEX I/O unauth password reset (9.4) + Logix CIP DoS cluster — NCSC-CH flagged
- Zammad 7.1 — 13 vulns incl admin privesc/SSRF, BSI WID-SEC-2026-1981, DACH public-sector helpdesk
- 15 malicious JetBrains Marketplace plugins exfiltrate AI provider API keys (Aikido)
- Rust crypto clipboard-hijacker abusing VirusTotal community reputation (Check Point)
- PAN-OS GlobalProtect pre-auth authentication bypass
- Check Point IKEv1 VPN authentication bypass (CVE-2026-50751)
- Fortinet FortiSandbox unauthenticated OS command injection
- Novo Nordisk discloses theft of clinical-trial and HCP data
- Joomla Content Editor (JCE) CVE-2026-48907 — unauthenticated profile-import PHP RCE, CISA KEV, automated exploitation
- Munich LHM-Services GmbH — ~120,000 student records suspected on darknet, suspected insider threat, Bavarian DPA notified
- FishMonger (I-SOON) ports SprySOCKS backdoor to Windows (WIN_DRV/WIN_PLUS) with kernel-driver rootkit; government targets
- Google Vertex AI SDK 'Pickle in the Middle' (CVE-2026-2473) — predictable staging-bucket cross-tenant pickle RCE; patched
- ErrTraffic — ClickFix MaaS distribution framework with EtherHiding/Polygon C2 resolution; EU WordPress targeting
- Potemkin loader + RMMProject RAT via ClickFix — Chromium App-Bound Encryption bypass, EtherRAT
- Rokarolla Android banking trojan — 217 banking/crypto apps, 137 commands, default call/SMS handler hijack
- DragonForce intrusion — first ITW Microsoft Teams TURN-relay C2 (Backdoor.Turn) + four-driver BYOVD chain
- FortiSandbox triple active exploitation (CVE-2026-39808/39813/25089) — simultaneous in-the-wild exploitation
- Fortinet FortiSandbox CVE-2026-39808 — actively exploited (Defused Cyber)
- Fortinet FortiSandbox CVE-2026-39813 — actively exploited (Defused Cyber)
- React/Next.js Server Actions deserialisation ("React2Shell") — weaponised by PCPJack worm
- WP File Manager pre-auth RCE — used as fallback vector in the ErrTraffic ClickFix framework
- Topaz Antifraud wsftprm.sys vulnerable kernel driver — DragonForce BYOVD chain
- Tower of Fantasy GameDriverx64.sys vulnerable kernel driver — DragonForce BYOVD chain
- K7 Security K7RKScan.sys vulnerable kernel driver — DragonForce BYOVD chain
- UNC6508 (PRC) — INFINITERED implant on internet-facing REDCap servers + Google Workspace BCC content-compliance rule for covert research/defence email exfiltration
- Awesome Motive CDN supply-chain attack — OptinMonster/TrustPulse/PushEngage scripts tampered on ~1.2M WordPress sites; rogue admins + hidden backdoor plugin (via CVE-2026-10795)
- DPRK UNK_DeadDrop (rel. Contagious Interview) — VS Code/Cursor tasks.json runOn:folderOpen auto-exec delivering Overlord Go C2 to developers; EU targets FR/DE/NL
- iRhythm Holdings (cardiac MedTech) — SEC 8-K Item 1.05: social engineering of third-party-hosted apps; PHI/PII/proprietary data theft + ransom demand
- Cisco Catalyst SD-WAN Manager authenticated arbitrary file write to root RCE (CVE-2026-20262); CISA KEV; deep dive
- LiteSpeed cPanel/WHM plugin symlink-following on shared hosting (CVE-2026-54420); exploited ITW; CISA KEV
- phpBB unauthenticated OAuth auth-bypass to admin (CVE-2026-48611, CVSS 9.8) + CSRF CVE-2026-48612; fixed 3.3.17
- LiteLLM AI-gateway three-CVE chain (CVE-2026-47101/-47102/-40217) low-priv to proxy_admin to RCE; all provider keys exposed; fixed v1.83.14
- Microsoft 365 Copilot 'SearchLeak' (CVE-2026-42824) one-click email/file/MFA exfil via prompt injection + Bing SSRF CSP bypass; patched
- phpBB OAuth improper state verification + CSRF session hijack; CVSS 8.0; fixed 3.3.17
- LiteLLM privilege escalation — self-promote to proxy_admin via /user/update; CVSS 8.8; fixed v1.83.14
- LiteLLM Custom Code Guardrails sandbox escape to RCE via exec()/bytecode; CVSS 8.8; fixed v1.83.14
- Splunk Secure Gateway jsonpickle deserialization RCE (CVSS 8.8) — assessed, no §2 gate (no ITW, post-auth); NCSC-NL advisory
- Google lawsuit vs China-based "Outsider" PhaaS weaponising Gemini to generate phishing pages
- Handala (Void Manticore) breaches California Water Service via internet-exposed RTKBase NTRIP/GNSS caster; billing PII pivot, no OT access
- Adobe ColdFusion unauthenticated no-interaction RCE (CVSS 9.6, APSB26-64; scope change S:C; fixed 2023 Update 20 / 2025 Update 9)
- Adobe ColdFusion path-traversal security-feature bypass (CVSS 8.8, APSB26-64) — co-disclosed; assessed, not promoted
- OpenSSL CMS AuthEnvelopedData integrity bypass (moderate) — assessed, out-of-window, not promoted
- Traefik v3.x security-policy bypass (GHSA-3g6v-2r68-prfc) — assessed, no §2 gate, out-of-window
- GitLab EE Analytics Dashboard stored XSS (CVSS 8.7) — assessed, no §2 gate
- GitLab CE/EE Grape API unauthenticated DoS (CVSS 7.5) — assessed, no §2 gate
- GitLab CE/EE Gitaly repository-import SSRF (CVSS 5.3) — assessed, no §2 gate
- Mini Shai-Hulud — TeamPCP SAP CAP npm supply-chain worm
- Windows Netlogon stack-buffer overflow — unauthenticated remote RCE on domain controllers (CVSS 9.8, May 2026 Patch Tuesday)
- UPDATE: Chaotic Eclipse Windows zero-days — MiniPlasma is third PoC (cldflt.sys CfAbortHydration, claimed CVE-2020-17103 regression on fully patched Win11)
- Rapid7 publishes unpatched Gogs argument-injection RCE with Metasploit module
- NCSC-CH pre-event cyber advisory for the G7 Évian summit (DDoS/intel-collection/mobile targeting)
- VerdantBamboo (UNC5221/WARP PANDA) — China-nexus; BRICKSTORM on edge devices, MSP supply-chain, M365 CA bypass, AGENTPSD/PLENET
- Ivanti Sentry pre-auth OS command injection to root (CVSS 10.0); watchTowr public PoC; companion CVE-2026-10523 auth bypass
- Maine AG breach portal abused for fraudulent VRChat/Discord filings
- MariaDB Galera wsrep_notify_cmd shell injection (CVSS 10.0)
- "Atomic Arch" AUR supply-chain — 400+ hijacked packages drop Rust stealer + eBPF rootkit
- Velvet Ant "Operation Highland" — decade-long Linux PAM/sshd auth-stack subversion (China-nexus)
- UpdraftPlus WordPress plugin unauthenticated auth-bypass to RCE (all-zero AES key on failed RSA decrypt), CVSS 8.1
- APT28 (GRU Unit 26165) tradecraft evolution — LameHug LLM-driven stealer, BeardShell cloud C2, FrostArmada router DNS hijack (Sekoia)
- Cyber Europe 2026 — first EU-wide test of 2025 EU Cyber Blueprint and first live activation of the EU Cybersecurity Reserve
- Conti loader developer Oleksii Lytvynenko pleads guilty in US federal court after extradition from Ireland
- Kyushu Electric subsidiary loses unencrypted SSD with 10.9M customer records — reportedly Japan's largest personal-data breach
- European Commission refers France and Spain to the CJEU over NIS2 non-transposition
- Germany Bundestag first reading of CRA domestic-implementation bill (Drucksache 21/6134)
- ENISA SBOM Adoption State of Play 2026 — first EU-wide SBOM baseline
- Windows Cloud Filter driver cldflt.sys privilege escalation (MiniPlasma PoC)
- WinRAR path-traversal (referenced as initial-access exploit in Gamaredon GammaPhish/GammaWorm campaign, Sekoia 2026-06-01)
- Ivanti Sentry authentication bypass (CWE-288), companion to CVE-2026-10520
- Windows CTFMON elevation of privilege (June 2026 Patch Tuesday); referenced in § 7 GreenPlasma cross-source discrepancy note
- Acer Wave-7 mesh router hardcoded AES key in upload.cgi backup handler — persistent backdoor injection (CVSS 10.0, no patch until ~end-June 2026)
- LangGraph SQLite checkpointer SQL injection in get_state_history() (CVSS 7.3; fixed langgraph-checkpoint-sqlite 3.0.1)
- LangGraph unsafe msgpack deserialization on checkpoint load, chains with SQLi to RCE (CVSS 6.8; fixed langgraph 1.0.10)
- vm2 Node.js sandbox escape via WebAssembly JSPI Promise-species bypass, CVSS 9.8 (dropped from brief — out-of-window, no ITW)
- BUK TS-G gas-station automation unauthenticated admin bypass, CVSS 9.8 (dropped from brief — aggregator-only sourcing)
- Windows Print Spooler privilege escalation weaponised by APT28 GooseEgg (cited as historical context in Sekoia APT28 retrospective)
- South Korea PIPC record fine on Coupang over unrevoked former-employee signing key
- SimpleHelp RMM unauthenticated OIDC auth bypass (CVSS 9.5)
- Check Point LangGraph checkpointer SQLi → RCE chain (CVE-2025-67644 + CVE-2026-28277 + CVE-2026-27022)
- "Agentjacking" — MCP injection of AI coding agents via forged Sentry error events (Tenet Security)
- LangGraph Redis checkpointer RediSearch query injection (CVSS 6.5; fixed @langchain/langgraph-checkpoint-redis 1.0.1)
- GitLab EE Group SAML identity API improper authorization, Group Owner account takeover (CVSS 8.7; fixed 19.0.2/18.11.5/18.10.8) — did not clear daily section-2 gate
- OpenSSL PKCS7_verify heap use-after-free on empty SignedData.digestAlgorithms (High; fixed 4.0.1/3.6.3/3.5.7/3.4.6/3.0.21) — out-of-window drop this run
- AudiA6 ransomware crypto-laundering service dismantled (US/Europol, CH participating)
- GreatXML: Nightmare Eclipse unpatched BitLocker/WinRE bypass, public PoC
- CISA BOD 26-04 — risk-tiered federal remediation, supersedes BOD 22-01/19-02
- June 2026 Patch Tuesday criticals (Windows kernel TCP/IP RCE + PowerScribe + Azure Stack Edge + Exchange Online)
- CVE-2026-26142 (June 2026 Patch Tuesday critical)
- CVE-2026-47643 (June 2026 Patch Tuesday critical)
- CVE-2026-48579 (June 2026 Patch Tuesday critical)
- OpenClaw AI agent: indirect prompt injection (Imperva) + agent phishing (Varonis)
- OceanLotus/APT32 SPECTRALVIPER via FireAnt MetaKit update-server supply-chain compromise
- npm v12 disables install lifecycle scripts by default (July 2026)
- MariaDB Galera wsrep parameter-injection (companion fix to CVE-2026-49261); two identically titled entries
- ServiceNow unauthenticated REST endpoint (/api/now/related_list_edit/create) queried customer instance tables
- EDPB adopts harmonised GDPR Art. 33 breach-notification template; consultation to 5 Aug 2026
- Langflow path-traversal arbitrary file write (POST /api/v2/files), pre-auth via auto-login, exploited ITW
- JDY botnet (Volt Typhoon-linked) expands to 1,500+ SOHO/IoT devices; sub-24h post-disclosure scanning
- CrowdStrike 2026 Technology Threat Landscape Report
- Windows BitLocker physical-access bypass, publicly disclosed, June 2026 Patch Tuesday
- Tchap French government Matrix messenger breached via account takeover; 73,467 civil servants' metadata exposed, CNIL notified
- Ghost-Sender: Exchange Online inbound spoofing bypassing SPF/DKIM/DMARC on third-party-MX tenants (no patch)
- NCSC-CH Week 23: coordinated job-seeker targeting (fake interviews, reshipping ID theft, LinkedIn-to-GitHub infostealer)
- Meta Instagram AI support tool (High Touch Support) logic flaw: 20,225 account takeovers; Maine AG notified
- Windows HTTP.sys pre-auth integer-overflow RCE (CVSS 9.8), June 2026 Patch Tuesday headline
- SAP NetWeaver AS ABAP SAML XML Signature Wrapping (CVSS 9.9), SAP June Patch Day
- strongSwan libstrongswan identity-clone double-free, unauth RCE over EAP; fixed 6.0.7
- Veeam Backup & Replication 12.x authenticated domain-user deserialization RCE (CVSS 9.4); fixed 12.3.2.4854
- Google Chrome V8 OOB read/write, exploited ITW, CISA KEV; fixed 149.0.7827.103
- Arista EOS tunnel-decapsulation logic flaw bypasses VXLAN segmentation; CISA KEV, exploited
- TYPO3 Core June 2026 (SA-2026-006) — XSS bypassing HTML Sanitizer; lead CVE of 13-advisory batch (CVE-2026-11607 et al. across SA-006…019)
- GIFTEDCROOK via UAC-0226 and Earth Dahu still exploiting WinRAR CVE-2025-8088 against Ukraine (Trend Micro)
- Unit 42 cloud-logging defense-evasion taxonomy across AWS CloudTrail and Google Cloud Logging
- Red Canary: Microsoft Entra Agent ID OBO OAuth abuse turns compromised AI agent into delegated phishing sender
- Check Point: TDS-gated ecosystem impersonating Ghidra/dnSpy/ILSpy delivers SessionGate, RemusStealer, AnimateClipper
- EU Cyber Resilience Act — first hard deadline (notifying-authority designation, 11 June 2026)
- Dragos Q1 2026 Industrial Ransomware Analysis — 1,020 incidents; The Gentleman 4x vs Romanian energy; IT-adjacent pattern
- SAP Commerce Cloud / Data Hub missing HTTP security headers via Spring Security (CVSS 9.1)
- SAP NetWeaver/ABAP RFC kernel memory corruption, unauthenticated (CVSS 9.8)
- SAP NetWeaver AS Java Web Container path traversal (CVSS 9.0)
- Windows DHCP Client Service RCE (CVSS 9.8), June 2026 Patch Tuesday
- Visual Studio Code EoP to SYSTEM via malicious .code-workspace (CVSS 9.6)
- Windows HTTP.sys HTTP/2 compression-bomb DoS (IIS analogue of CVE-2026-49975); MaxHeadersCount mitigation
- BerriAI LiteLLM command injection to host RCE (CVE-2026-42271)
- Linux kernel nf_tables UAF local-root + container escape (CVE-2026-23111)
- Oxford University CareerConnect (Group GTI) SaaS breach
- Meta contempt complaint vs NSO Group over new WhatsApp spyware phishing
- Microsoft Teams external-chat phishing (APT29/Cloaked Ursa, UNC6692)
- AI-brand impersonation malware delivery (Storm-3075, Fox Tempest)
- TeamPCP Mini Shai-Hulud framework open-sourced; Phantom Gyp derivative
- Progress Kemp LoadMaster WAF bypass — companion to CVE-2026-8037 (June 2026 critical bulletin)
- Check Point IKEv1 site-to-site VPN MitM via certificate validation weakness (CVSS 7.4) — no observed exploitation
- Progress Kemp LoadMaster management API unauthenticated command injection (CVSS 9.3) — BSI WID-SEC-2026-1812; no observed exploitation
- EU Cybersecurity Package 2026 — NIS2 amendment COM(2026) 13 + Cybersecurity Act 2; PQC Article 7(2)(k) explicit obligation; CRA Single Reporting Platform 11 September 2026
- EU 20th Russia sanctions package — managed-security-services prohibition (eff. 25 May 2026); Switzerland adopted most measures 22 May
- Germany's federal cabinet approves Cybersicherheitsstärkungsgesetz — BKA, BSI and Federal Police gain authority to redirect attacker traffic and disable infrastructure
- FBI FLASH CSA 260526 — Silent Ransom Group / Luna Moth / UNC3753 sends operatives physically into US law-firm offices to insert USB exfiltration devices when remote social engineering fails
- Ghost Stadium PhaaS — 300+ FIFA domain clones targeting EU fans
- Miasma worm backdoors 32 @redhat-cloud-services npm packages (TeamPCP / Mini Shai-Hulud variant)
- Gamaredon GammaPhish/GammaWorm — NTFS-ADS USB+network worm (Sekoia)
- Sophos 2026 Active Adversary Report — identity-dominant root causes; Impacket/AnyDesk
- HTTP/2 Bomb single-connection memory-exhaustion DoS
- NCSC-CH: Booking.com breach feeds WhatsApp hotel-booking phishing (TWINT/bank spoof + booking-channel ATO)
- Shared booking-SaaS breach exposes guests at 100+ Dutch/Belgian/Irish hotels; phishing wave
- TA4922 — China-nexus financially-motivated cluster; Atlas RAT/RomulusLoader/SilentRunLoader, expands to DE/UK/IT
- DentaQuest — ShinyHunters extortion victim; 234 GB leaked, 2.6M dental-benefit records
- Five Eyes joint bulletin 'Safeguarding Our Secrets' — China military intel recruiting via LinkedIn/job platforms
- IronWorm — Rust npm supply-chain worm with eBPF kernel rootkit, Tor C2, cloud/AI-key sweep
- Cisco Catalyst SD-WAN Manager command-injection to root (actively exploited, no patch)
- MISP critical mass-assignment account-takeover (CVSS 9.0)
- Keycloak token-exchange privilege escalation (silent subject_token removal); Keycloak 26.6.3 16-CVE release
- ENISA NIS360 2026 — public-sector receives 63% of EU hacktivist attacks; seven sectors in risk zone
- FIFA World Cup 2026 pre-event threat cluster — GHOST STADIUM phishing-domain layer, Massiv/Perseus Android banking trojans via Zombinder in pirated streaming apps, 13,000+ malicious domains
- ICO secures £118,852 Proceeds of Crime Act confiscation from two former RAC employees who sold ~30,000 customer records (insider data theft)
- Everest Forms Pro (WordPress) unauthenticated eval() RCE — actively exploited at scale
- Acer Wave-7 mesh router zero-days (CVE-2026-49200 cleartext cred log + CVE-2026-49201 hardcoded backup key) — CVSS 10.0, no patch
- C0XMO — cross-platform Gafgyt DDoS botnet variant propagating via DD-WRT UPnP flaw (FortiGuard)
- DD-WRT UPnP/SSDP parser stack buffer overflow — FortiGuard-attributed propagation vector for C0XMO/Gafgyt botnet; DOES NOT RESOLVE ON NVD/MITRE (flagged 2026-06-08, vendor-attributed/unverified)
- Hijacked polyfill[.]io domain reactivates with HTTP 401 credential prompts
- Magecart skimmer hosted in Stripe customer metadata, exfiltrates via api.stripe.com
- Google Chrome ANGLE graphics engine OOB read/write sandbox escape (CVSS 9.6); Chrome 149 record 429-patch release
- Autonomous AI agent finds 21 FFmpeg zero-days for ~$1,000 (CVE-2026-39210–39218)
- SANS ISC: WeTransfer JS → steganographic JPEG loader on Cloudflare Workers/R2
- Keycloak CORS ACAO reflected from unverified JWT azp claim on UMA endpoint (fixed 26.6.3)
- FFmpeg parser/demuxer heap or stack overflow (depthfirst AI-agent discovery; PoC public, fixed upstream); nine identically titled entries (cf. CVE-2026-39210–39218 above)
- Keycloak SSRF via OIDC token endpoint manipulation (fixed 26.6.3)
- Keycloak missing server-side WebAuthn credential-registration validation (fixed 26.6.3)
- Keycloak ROPC grant bypass of client-policy enforcement (fixed 26.6.3)
- Keycloak refresh-token replay window after server restart resets startupTime (fixed 26.6.3)
- SolarWinds Serv-U unauthenticated DoS (CISA KEV)
- OP-512 — China-linked cluster, cryptographically-unique self-reporting IIS web-shell framework
- MISP access-control bypass exposing private galaxy metadata to non-admin org users (CVSS 5.3)
- Cisco Catalyst SD-WAN Manager pre-auth RCE (UAT-8616 prior exploitation, Feb 2026)
- ShinyHunters — financially motivated data-theft group
- Operation FlutterBridge (CL-CRI-1089) — notarized macOS FlutterShell backdoor via Google Ads malvertising
- UK National Federation of Subpostmasters ransomware via cPanel flaw
- Simple SA Wirtualna Uczelnia unauthenticated SSTI→RCE (CVE-2026-34906/-34907); EU public-sector education
- Redis use-after-free→GOT-overwrite RCE; public PoC chain, 85% cloud Redis passwordless
- claude-code-action [bot]-actor bypass + prompt injection → repo hijack / action poisoning (fixed v1.0.94)
- U-Toronto/Vector Institute adaptive AI worm PoC — open-weight LLM on compromised hosts synthesises per-target exploits
- Simple SA Wirtualna Uczelnia reflected XSS (locale parameter)
- OpenStack Mistral policy-enforcement bypass → authenticated arbitrary code execution (OSSA-2026-020; evaluated and dropped — see brief §7)
- Mirasvit Cache Warmer (Magento 2) unauth object-injection RCE — CISA KEV
- Kirki WordPress plugin unauth admin takeover (password-reset hijack)
- Burst Statistics WordPress plugin unauth REST auth-bypass
- MISP OTP bypass (LDAP mixed-auth + require_otp)
- UN WFP Palestine Self-Registration breach — ~600k Gaza households' IDs/locations exposed
- OFAC sanctions Nobitex + 3 Iranian exchanges as IRGC-affiliated ransomware proceeds conduit
- DesckVB RAT malspam laundering via Google DoubleClick; AMSI/ETW patching; DACH lures
- Unpatched Windows search: URI handler NTLMv2 leak; Microsoft declined to patch
- M365 Android debug flag (setIsDebugMode) enables silent OAuth-token theft across 6 apps
- One-click github.dev webview OAuth-token theft (postMessage origin flaw), unpatched + PoC
- Symantec: 5-month mailbox espionage vs global stock exchange; Aspose OST stealer, Dropbox/OneDrive exfil
- Windows Snipping Tool ms-screensketch: URI handler NTLM hash leak — patched April 2026; cited as structural predecessor of unpatched search: URI variant
- Microsoft 365 Copilot for Android OAuth-token theft via production debug flag (CVSS 4.4); patched 2026-05-12
- Microsoft Word for Android OAuth-token theft via production debug flag (CVSS 7.1); patched 2026-05-12
- Microsoft PowerPoint for Android OAuth-token theft via production debug flag (CVSS 7.1); patched 2026-05-12
- Microsoft Excel for Android OAuth-token theft via setIsDebugMode(true) debug flag left in production (CVSS 7.7); patched 2026-05-12
- Progress Sitefinity CMS web-services improper input validation (CWE-20); BSI WID-SEC-2026-1783
- Progress Sitefinity CMS OData improper input validation (CVSS 9.8, CWE-20), affects 15.4.8623-15.4.8629; BSI WID-SEC-2026-1783
- Progress Sitefinity CMS ServiceStack web-services credential exposure (CVSS 8.8, CWE-522); BSI WID-SEC-2026-1783
- Progress Sitefinity CMS — CWE-522 Insufficiently Protected Credentials (Sitefinity Insight credential disclosure, gated on Insight integration/non-default config); CVSS 10.0 per NVD; BSI WID-SEC-2026-1783; evaluated 2026-06-04, dropped to §7 (no fetchable vendor primary, no ITW)
- Progress Sitefinity CMS legacy-branch flaw (CVSS 8.7), affects v8.0-13.3; BSI WID-SEC-2026-1783
- Devolutions Server LDAP coercion exposing PAM credentials (DEVO-2026-0013, CVSS 7.1); evaluated 2026-06-04, dropped to §7 (no ITW, below §2 gate)
- Devolutions Server MFA bypass via improper factor-key state handling (DEVO-2026-0013, CVSS 7.5); evaluated 2026-06-04, dropped to §7 (no ITW, below §2 gate)
- Dashlane TOTP brute-force — encrypted vaults of <20 personal-plan users downloaded
- Oracle WebLogic unauth T3/IIOP data access — CISA KEV 2026-06-01 on active exploitation
- Android Framework integer-overflow LPE — actively exploited (limited/targeted), June 2026 bulletin
- Linux cgroup v1 release_agent container escape — re-enters CISA KEV 2026-06-02
- Attacker-built AI-orchestrated EDR-evasion testing lab (Sophos X-Ops)
- SVG phishing wave using application/ecmascript MIME to evade WAF/email pattern-matching (SANS ISC)
- Operation XENOFISCAL — SideCopy/APT36 XenoRAT via mshta/HTA vs Afghan provincial treasuries
- ZeroLogon — Netlogon privilege escalation; chained by Cl0p in South Staffordshire Water 2020-2022 intrusion (cited in ICO 2026-05-11 enforcement)
- Windows Hyper-V UAF guest-to-host escape (May 2026 Patch Tuesday); evaluated 2026-06-03, not covered (out-of-window)
- ShinyHunters lists Charter Communications (Spectrum), claims 42M records; Charter denies sensitive PI/CPNI exfil
- Spain arrests doxer publishing data on INCIBE/AG/Civil Guard staff (Police-ESP-Doxed)
- KS-SOMED healthcare supply-chain hardcoded FTP creds (CERT-PL)
- Meta AI support chatbot social-engineered into resetting Instagram passwords (pro-Iranian)
- WP Maps Pro unauthenticated admin-account creation (actively exploited)
- Disig Web Signer eIDAS qualified-signature client RCE
- Apache Solr hardcoded BasicAuth template credentials (no patch)
- WordPress malware abuses Steam profile comments as Unicode-steganography C2 (GoDaddy)
- Operation Dragon Weave — China-nexus espionage (Czech/Taiwan) with Azure Blob dead-drop C2
- CIFSwitch — Linux kernel CIFS/SMB-client LPE to root via forged cifs.spnego key requests (19-year-old bug; RHEL9/SLES15/Mint/Kali); dropped from 2026-06-02 brief as out-of-window + no Section 2 gate
- PostHog AWS exploit — researcher-confirmed; EU/US cloud credential rotation and outage
- npm dependency-confusion campaigns targeting internal corporate namespaces (Microsoft 33 pkgs / Sonatype 176 pkgs)
- SmartApeSG ClickFix stages unnamed RAT pivoting to weaponised NetSupport Manager
- Italy's low-cost commercial spyware economy — Morpheus (IPS Intelligence) and Spyrtacus (SIO) Android Accessibility-API abuse
- Oracle E-Business Suite (Public Sector Financials Intl) — May 2026 CPU, unauth network vector (referenced in §7, dropped: out-of-window/no gate)
- Oracle E-Business Suite — May 2026 CPU critical (referenced in §7, dropped)
- Oracle E-Business Suite — May 2026 CPU critical (referenced in §7, dropped)
- Oracle E-Business Suite — May 2026 CPU critical (referenced in §7, dropped)
- Oracle E-Business Suite — May 2026 CPU critical (referenced in §7, dropped)
- TeamPCP — threat actor targeting software supply chains
- MuddyWater (Iran/MOIS) Chaos ransomware false-flag + Teams credential harvesting — Europe/Middle East
- The Gentlemen — RaaS surged Q1 2026 (192 attacks, 588% QoQ); 32% of victims European; FortiGate CVE-2024-55591 initial-access funnel
- Nightmare Eclipse Windows zero-day drops: YellowKey (BitLocker) and GreenPlasma (CTFMON LPE), public PoC
- UNC6671 / BlackFile — vishing-driven AiTM extortion with programmatic SharePoint exfiltration (GTIG 2026-05-15)
- Screening Serpens (UNC1549 / Smoke Sandstorm / Nimbus Manticore) — Iranian APT operationalising AppDomainManager hijacking; six new RAT variants MiniUpdate/MiniJunk V2 deployed Feb–Apr 2026
- GlassWorm developer-targeting botnet — all four C2 channels (Solana / BitTorrent DHT / Google Calendar / VPS) severed simultaneously by CrowdStrike / Google / Shadowserver
- Carnival Corporation confirms 5.99M-record ShinyHunters breach — Princess/Holland/Cunard/Costa
- Grandoreiro 2026 Iberian campaign — Delphi DLL side-loading, WebSocket/STUN C2; parallel ESET BTMOB Android RAT MaaS
- GREYVIBE — Russia-nexus AI-assisted threat cluster (Ukraine)
- Kimsuky HTTPSpy + HelloDoor with VS Code/Cloudflare tunnel C2
- Mautic 7.1.2/6.0.9 — seven authenticated flaws (Focus SSRF CVE-2026-9557, API SQLi CVE-2026-4776)
- 'Signal Support' impersonation phishing harvesting cloud-backup recovery keys
- California AG sues former 23andMe (Chrome Holding Co.) over 2023 genetic-data breach
- Cisco Talos — DICOM-format heap OOB-write attack surface against Orthanc PACS (pydicom/GDCM)
- Delta Electronics DIAView SCADA — unauthenticated remote database access (predecessor to CVE-2026-9642 mitigation bypass)
- Veeam Agent for Microsoft Windows — local privilege escalation enabling arbitrary command execution / lateral movement (CVSS 7.3)
- Veeam Software Appliance (Linux) — authenticated Backup Administrator can write arbitrary files (CVSS 8.6)
- QuickCMS (OpenSolution) session fixation — CERT-PL; dropped (niche, CVSS 4.8)
- QuickCMS (OpenSolution) MITM-XSS via HTTP plugin fetch — CERT-PL; dropped (niche, CVSS 2.3)
- SUSE Rancher — project-owner role can flip namespace PSA labels to privileged, enabling container-to-host escape (CVSS 8.4)
- SUSE Rancher GitHub App auth — group principals granted for every team in GitHub org to any team-belonging user (CVSS 8.8)
- Samba SAMR RPC server — unauthenticated shell injection via %u substitution in check password script (CVSS 10.0)
- Samba print-command subsystem — unauthenticated shell injection via %J substitution; raw/classic printing only (CVSS 10.0)
- Portainer CE — Docker plugin endpoints not registered in proxy authorization handler; non-admin can install/enable plugins → root host execution (CVSS 9.4)
- Portainer CE Docker Swarm service API — EndpointSecuritySettings restrictions not enforced; non-admin escapes to host via privileged containers (CVSS 9.4)
- SUSE Rancher cluster-import endpoint — command injection via URL-encoded newline in authImage YAML field; control-plane node RCE (CVSS 9.6)
- Mautic API contact-filtering SQL injection (post-auth)
- GitLab CE/EE Duo AI integration — improper user identity resolution allows authenticated user to impersonate another user when triggering Duo AI workflows (CVSS 8.2)
- IBM HTTP Server / WebSphere Application Server — pre-auth RCE via improper input validation in HTTP request parser (CVSS 9.8); NCSC.ch flagged 2026-05-28
- Mautic Focus component SSRF (post-auth; reaches internal/cloud-metadata)
- Mautic stored XSS (post-auth)
- Mautic stored XSS / JS injection (post-auth)
- Mautic file inclusion / path traversal (post-auth)
- Mautic path traversal / file manipulation (post-auth)
- Mautic JavaScript code injection (post-auth)
- YellowKey BitLocker / WinRE bypass — CVE formally assigned 2026-05-19; MSRC WinRE BootExecute mitigation; no patch
- CNIL fines IQVIA €5M for health data warehouse security failures
- LLMShare malvertising via ChatGPT share links (Beagle infostealer)
- Starlette/FastAPI BadHost host-header authentication bypass
- ESET APT Activity Report Q4 2025–Q1 2026
- Sysdig first observed LLM-agent-driven intrusion via CVE-2026-39987
- ChatGPhish — ChatGPT Markdown renderer trusts third-party image URLs
- Red Canary Entra Agent ID priv-esc via AgentIdentityBlueprint.AddRemoveCreds.All
- Nightmare Eclipse: Microsoft DCU threat, GreenPlasma/MiniPlasma unpatched, July 14 deadline
- Ivanti Secure Access Client local privilege escalation
- Marimo notebook pre-auth RCE (Sysdig LLM-agent intrusion)
- TheGentlemen RaaS lists Czech University of Finance and Administration (VSFS) and Swiss DEVO-Tech AG on leak site
- FortiClient EMS CVE-2026-35616 actively exploited to push EKZ Infostealer via fake Fortinet patch
- Apereo CAS 7.3.7.1 patches an OIDC-provider flaw reported by Coop Switzerland; CERT-FR issues advisory
- Dutch Police + NCSC dismantle Asocks residential-proxy botnet — 17M devices, 200 NL-hosted servers seized
- UK Visa Portal lookalike (ukvisaportal.com) — 100K passport scans/selfies exposed via misconfigured S3 bucket
- JINX-0164 — financially motivated cluster targeting crypto orgs via LinkedIn recruiter lures, AUDIOFIX macOS infostealer, MINIRAT npm pivot into CI/CD
- Gogs prior argument-injection variant (referenced in Rapid7 2026-05-29 disclosure as same-class predecessor)
- GitLab CE/EE — Wiki DoS via insufficient validation of malformed markup (CVSS 6.5)
- GitLab EE — Developer-role users can access deployment data (pipeline environment variables, deployment keys) via missing authorization checks (CVSS 4.3)
- Gogs argument-injection RCE (CVE id claimed by S3 sub-agent — unverified against authoritative NVD entry; Rapid7 publication states no CVE assigned at disclosure; deferred to next-run verification)
- GitLab CE/EE — seventh CVE in 19.0.1 / 18.11.4 / 18.10.7 patch release (defender-relevance not enumerated; left to vendor page)
- GitLab EE — Developer-role users can bypass group-level flow restrictions when foundational flows enabled (CVSS 4.3)
- GitLab CE/EE — unauthenticated enumeration of private project paths via API (CVSS 5.3)
- GitLab CE/EE — Authenticated users can access CI data from unintended reference types via incorrect reference resolution (CVSS 4.3)
- IBM HTTP Server Administration Server — heap-based buffer overflow (CVSS 8.0)
- IBM HTTP Server mod_ibm_upload — DoS via NULL pointer dereference (CVSS 7.5)
- IBM HTTP Server mod_mem_cache — DoS via expired pointer dereference (CVSS 7.5)
- IBM HTTP Server — RCE in TLS mutual-authentication configurations (CVSS 8.1)
- IBM HTTP Server — DoS via uncontrolled resource consumption (CVSS 7.7)
- NGINX Rift — 18-year-old heap buffer overflow in ngx_http_rewrite_module (CVSS 9.2, PoC public)
- ILIAS LMS — nine fixes shipped 2026-05-27; critical access-control gaps (CVSS 9.8 + 9.3); NCSC.ch flags SOAP interface as primary unauthenticated attack surface
- Dutch National Police arrest 35-year-old from Buren over AFC Ajax breach — 300k+ fan accounts and 42k+ season tickets exposed via misconfigured API access-control and shared keys
- Iran MOIS attributed to LACMTA destructive breach via 'Ababil of Minab' hacktivist front — 700 GB exfiltrated, VMs and backups deliberately destroyed
- Roundcube Webmail pre-auth SQL injection in virtuser_query plugin (preg_replace backslash escape bypass)
- Roundcube Webmail CSS sanitisation failure via SVG animate attributeName=style — info disclosure / SSRF in HTML email rendering
- Roundcube Webmail code injection via LDAP autovalues option — arbitrary PHP eval
- Roundcube Webmail HTML sanitisation bypass via SVG document permitting CSS injection
- Slican PBX administrative protocol authentication bypass via specific command
- Slican PBX deterministic secure-key generation from publicly obtainable system properties
- Slican PBX PSTN modem interface hardcoded caller-ID admin auth bypass (temporarily re-enables remote management)
- MuddyWater / Seedworm Q1 2026 — Symantec documents DLL side-loading via signed Fortemedia / SentinelOne binaries; ChromElevator ABE bypass; Node.js orchestration
- Microsoft Defender Experts — AI-chatbot search-poisoning extends SEO lure; GPU-utility lookalikes drop ScreenConnect, then process-hollowed miners (gminer/lolMiner/SRBMiner-MULTI) under signed Microsoft binary
- SANS ISC — Akira ransomware kill chain reconstructed entirely from SSLVPN syslog and Windows EVTX, no EDR
- Nx Console v18.95.0 VS Code extension supply-chain compromise — credential-stealing payload harvested 1Password, Claude Code config, npm, GitHub PAT, AWS creds; published via stolen TanStack-leaked GitHub CLI OAuth token
- TanStack Router npm credential-stealing payload — exfiltrated Nx contributor's GitHub CLI OAuth token (precursor to CVE-2026-48027)
- DAEMON Tools Lite signed-build trojanisation (12.5.0.2421-12.5.0.2434) via Disc Soft Limited build infrastructure compromise — six-week distribution window 2026-04-08 → 2026-05-05
- Gitea container registry unauthenticated private-image pull (~30,000+ deployments, 4-year exposure window); Forgejo confirmed affected
- NGINX ngx_http_rewrite_module heap buffer overflow (2nd of two May 2026 disclosures); exploitation attempts per NCSC-NL
- Microsoft SharePoint Server CWE-502 deserialization RCE — Site Member (PR:L) authenticated attacker; CVSS 8.8; NCSC.ch flagged
- Tycoon2FA PhaaS post-March-2026-takedown — OAuth Device Authorization Grant abuse on Microsoft 365
- Lithuania Centre of Registers breach — ~600,000 property/legal-entity records exfiltrated via abused institutional API credentials; foreign-state actor suspected; agency head resigned
- GitHub Enterprise Server < 3.22 — unauthenticated SSRF via upload-endpoint path traversal (CVSS 4.0 = 9.2)
- Delta Electronics DIAView SCADA — incomplete fix / mitigation bypass of CVE-2025-62582 unauthenticated remote DB access (CVSS 9.8) [SINGLE-SOURCE]
- yoda-digital mcp-gitlab-server < 0.6.0 — no-auth SSE RPC endpoint bound to 0.0.0.0 with wildcard CORS exposes operator GitLab PAT (CVSS 4.0 = 9.2; GHSA-8jr5-6gvj-rfpf); noted in § 7 (niche package)
- TrapDoor cross-ecosystem supply-chain campaign (npm/PyPI/Crates.io); AI-assistant config poisoning
- ACR Stealer distributed via counterfeit Claude AI download pages + malicious search ads
- Szafir SDK (KIR) improper cert-verification auth bypass — Polish qualified e-signature SDK
- Digital Knowledge KnowledgeDeliver LMS pre-shared ASP.NET machineKey ViewState deserialization RCE
- GTIG: Chinese-language PhaaS ecosystem — real-time OTP relay over RCS/iMessage defeats TOTP/SMS MFA
- Lazarus RemotePE — three-stage memory-only RAT (DPAPILoader/RemotePELoader/RemotePE); HellsGate+ETW patch
- Palo Alto PAN-OS Captive Portal — unauthenticated root RCE (CVSS 9.3, ITW, KEV deadline 2026-05-09)
- Microsoft Defender Engine link-following EoP — CWE-59; actively exploited; Engine ≤ 1.1.26030.3008 vulnerable
- Trend Micro Apex One On-Premise directory traversal — fleet-wide code injection via management server update mechanism
- Langflow AI Platform CORS misconfiguration + SameSite=None refresh token cross-origin token theft
- Cisco Secure Workload CVSS 10.0 zero-auth REST API Site Admin access
- LiteSpeed User-End cPanel plugin lsws.redisAble privilege escalation to root (CVSS 10.0, actively exploited)
- Ghost CMS Content API unauthenticated SQLi (CVE-2026-26980) mass-exploited in ClickFix campaign
- Underminr - multi-tenant-CDN domain-fronting variant defeating DNS-layer filtering (ADAMnetworks)
- SonicWall Gen6 SSL-VPN MFA bypass via UPN vs SAM account-name split; Akira-linked actors exploited Feb-Mar 2026; firmware update insufficient without 6-step LDAP reconfiguration
- FortiOS / FortiProxy authentication bypass — weaponised by 'The Gentlemen' RaaS initial access
- Erlang SSH RCE (Cisco context) — confirmed by Check Point Research as initial-access CVE for The Gentlemen RaaS
- Sparx Pro Cloud Server — authenticated SQL injection via database API endpoint; PCS ≤ 6.1
- Sparx Pro Cloud Server — pre-auth bypass via model-parameter omission in POST binary blob → unauthenticated SQL query execution; CVSS4 9.3
- Sparx Enterprise Architect ≤ 17.1 — client-side RBAC bypass via EA client binary patch (CWE-603); CVSS4 8.7
- Sparx Pro Cloud Server WebEA — race condition in /data_api/dl_internal_artifact.php → RCE in web-server context (CWE-362); CVSS4 7.7
- Sparx Pro Cloud Server — malformed SQL crash (DoS); CWE-835
- Microsoft Azure Local Disconnected Operations (ALDO) — CVSS 10.0 unauthenticated network elevation-of-privilege; MSRC Exploitation More Likely
- Microsoft Defender Antivirus local DoS — exploited alongside CVE-2026-41091 in combined out-of-band engine update 4.18.26040.7
- ChromaDB Python FastAPI server pre-auth RCE via embedding-function model loading before auth check (CVSS 4.0 = 10.0; v1.5.9 unpatched at disclosure)
- Keycloak OIDC login flow session fixation enabling account takeover (Keycloak 26.6.2; BSI WID-SEC-2026-1612 HIGH)
- Drupal core highly-critical pre-auth SQL injection in database abstraction API on PostgreSQL backends; CISA KEV-listed 2026-05-22 (SA-CORE-2026-004)
- THORChain GG20 Threshold Signature Scheme vault drain — ~$11M across nine chains (Switzerland-based)
- ARWINI (Lower Saxony statutory-prescription audit body) — data exfiltration confirmed by LKA
- BigBlueButton bbb-web — three CVEs (sessionToken, checksum bypass, SSRF) on EU edu/gov virtual-classroom platform
- CISA / Nightwing contractor — AWS GovCloud admin keys + plaintext creds + Artifactory exposed in public GitHub for ~6 months
- 7-Eleven confirms ShinyHunters breach of 600K+ Salesforce franchise-application records (campaign same as Instructure / Vimeo / Wynn / Vercel / Medtronic)
- INTERPOL Operation Ramz — first MENA-region cybercrime sweep: 201 arrests, 53 servers, first Algerian PhaaS takedown (Oct 2025–Feb 2026)
- n8n CVE-2026-42231 et al. — five chained CVSS 9.4 prototype-pollution + injection + Git-SSH RCE chain (CCB Belgium emergency advisory)
- UPDATE: TeamPCP / Shai-Hulud — first copycat wave (OX Security npm packages w/ Phantom Bot + SSH/cloud stealers); Checkmarx Jenkins plugin trojanised (third in three months); SentinelLabs PCPJack rival worm
- UPDATE: Grafana Labs CoinbaseCartel — victim confirms source-code-only theft via Pwn-Request, no customer data, ransom rejected on FBI guidance
- Drupal core highly critical pre-patch warning — PSA-2026-05-18, patch window today 17:00-21:00 UTC; pre-auth, unauthenticated, full-site compromise; no CVE yet
- Microsoft DCU disrupts Fox Tempest MSaaS — 1,000+ Artifact Signing certs revoked; SDNY court order; downstream Rhysida, INC, Qilin, Akira + Vanilla Tempest, Storm-0501 / 2561 / 0249
- Fox Tempest — financially motivated MSaaS operator; signspace[.]cloud seized 2026-05-19
- Sparx Enterprise Architect / Pro Cloud Server — five-CVE chain (CVE-2026-42096 to 42100); pre-auth SQL injection + WebEA race-condition RCE; CVSSv4 10.0 chained; PoC public; no vendor patch
- actions-cool/issues-helper GitHub Action compromised — 53 tags moved to imposter commit 1c9e803 reading Runner.Worker /proc/PID/mem for secrets; Mini Shai-Hulud cluster link
- Nx Console VS Code extension 18.95.0 compromised — stolen publisher credentials; 11-minute window 2026-05-18 12:36-12:47 UTC; multi-channel stealer + macOS Python backdoor
- Huawei VRP enterprise-router zero-day caused POST Luxembourg nationwide telecom outage (23 July 2025); no CVE assigned 10 months later
- Microsoft Defender Engine network RCE — heap buffer overflow; CVSS 8.1; same Engine update closes both this and CVE-2026-41091
- DirtyDecrypt — Linux kernel RxGK rxgk_decrypt_skb() page-cache write; affects Fedora / Arch / openSUSE Tumbleweed; PoC released 2026-05-19
- vm2 sandbox escape via BaseHandler.getPrototypeOf — host-object access; CVSS 10.0; patched 3.11.0
- SEPPmail LFT pre-auth path traversal → arbitrary file write as nobody → RCE via syslog.conf overwrite; CVSS 10.0; addressed by v15.0.4
- Drupal core SA-CORE-2026-004 / CVE-2026-9082 — pre-auth SQL injection on PostgreSQL backends; UPDATE on 2026-05-20 PSA pre-warning
- Webworm (China-aligned; FishMonger / Aquatic Panda / SixLittleMonkeys / Space Pirates) — ESET documents 2025 EU pivot with EchoCreep (Discord C2) and GraphWorm (MS Graph / OneDrive C2) backdoors against Belgian / Italian / Serbian / Polish government targets
- SonicWall Gen6 SSL-VPN CVE-2024-12802 — Akira-linked actors brute-force MFA via UPN vs SAM account-name split Feb-Mar 2026; firmware update insufficient without 6-step LDAP reconfig; Gen6 EoL 2026-04-16
- Verizon 2026 DBIR — vulnerability exploitation overtakes credentials as primary breach vector first time in 19 years (31% vs 13%); only 26% KEV remediation (down from 38%); median patch time 43d (from 32d); supply-chain breaches +60% YoY now 48% of all breaches
- Keycloak 26.6.2 — 16 CVEs across identity/auth/authz: OIDC session fixation (CVE-2026-7507), WebAuthn execute-actions replay (CVE-2026-37982), introspection audience bypass (CVE-2026-37979), cross-realm IDOR in Authz Services (CVE-2026-4630); BSI WID-SEC-2026-1612 HIGH
- Microsoft Azure Local Disconnected Operations (ALDO) CVE-2026-42822 — CVSS 10.0 unauthenticated network EoP; MSRC Exploitation More Likely; only air-gapped Azure Local stacks need action
- ChromaDB Python FastAPI server CVE-2026-45829 — pre-auth RCE via embedding-function model loading before auth check (CVSS 4.0 = 10.0); v1.5.9 unpatched at disclosure; Hadrian/HiddenLayer PoC public
- Operation Saffron: First VPN criminal anonymisation service dismantled; Switzerland JIT participant; Phobos RaaS link confirmed
- Calypso/Red Lamassu (Bronze Medley): Showboat (Linux) + JFMBackdoor (Windows) telco espionage campaign
- Netherlands FIOD arrests two over EU sanctions evasion for Stark Industries / WorkTitans bulletproof hosting; 800 servers seized; NoName057(16) DDoS infrastructure dismantled
- Kimwolf / 'Dort' DDoS-for-hire operator (Jacob Butler, 23, Ottawa) arrested; AISURU variant; 30+ Tbps peak; >25,000 attack commands; DoD-range targeting
- Megalodon mass-poisoned 5,561 GitHub repos in 6-hour window; SysDiag + Optimize-Build workflows exfiltrate cloud credentials, SSH keys, OIDC tokens
- Rhysida claims Landeshauptstadt Stuttgart (Baden-Württemberg state capital) municipal-data theft for 5 BTC; city denies confirmed incident
- ANSSI / CERT-FR CERTFR-2026-AVI-0635 on SPIP < 4.4.15 security-policy bypass; dominant French public-administration CMS, EU/CH Francophone government deployment
- ROADtools weaponised by Midnight Blizzard (APT29), Curious Serpens (APT33) and UTA0355 for Entra ID device registration, token theft and tenant enumeration
- Rapid7 Q1 2026 Threat Landscape Report — vulnerability exploitation overtakes social engineering as top initial-access vector (38% vs 24%); KEV median time 8.5→5.0 days
- Check Point Research March-April 2026 AI Threat Landscape Digest — single operator runs two AI platforms in parallel to breach nine Mexican government agencies; EvilTokens jailbreak-as-a-service
- CVE-2026-46333 ssh-keysign-pwn — 9-year ptrace race in Linux kernel __ptrace_may_access() (since v4.10-rc1, Nov 2016); four public Qualys exploits read /etc/shadow, exfiltrate SSH host keys, give root on default major distros
- Breach at billing processor Unimed exfiltrates ~97,600+ patient records from six German university hospitals (attribution open)
- NLnet Labs Unbound DNSSEC validator use-after-free (CVSS 9.8, pre-auth potential RCE), fixed 1.25.1
- NLnet Labs Unbound heap overflow via NSID/Cookie/EDNS-Padding options (CVSS 8.6, default-config), fixed 1.25.1
- ISC BIND 9 DoH/HTTP-2 use-after-free (CVSS 7.4), fixed 9.20.23
- ISC BIND 9 non-Internet CLASS DoS crashing named (CVSS 7.5), fixed 9.18.49/9.20.23
- Deleted Google Cloud API keys keep authenticating up to 23 minutes (GCP IAM eventual consistency)
- Atos TRC: hardware-gated Windows drivers made BYOVD-exploitable in software (PnP AddDevice / filter restacking / registry)
- npm 2FA-gated staged publishing GA + install-source restriction flags (supply-chain hardening)
- Packagist supply-chain wave: Laravel-Lang autoloader backdoor + 8-package cross-ecosystem postinstall strand
- Stormshield SNS remote DoS (CERTFR-2026-AVI-0631); dropped from §2, mentioned in §7
- Keycloak OIDC token introspection endpoint does not enforce audience restriction; lightweight access tokens leak claims cross-client (Keycloak 26.6.2)
- Keycloak execute-actions token replay enabling unauthorised WebAuthn / FIDO2 credential enrollment on victim account (Keycloak 26.6.2)
- Keycloak Authorization Services Protection API cross-realm IDOR allowing realm-A authenticated attacker to access realm-B resources (Keycloak 26.6.2)
- FrostyNeighbor/Ghostwriter/UNC1151 March-May 2026 campaign: Poland, Lithuania, Ukraine
- FBI PSA260521 warns on Kali365 — Telegram-distributed PhaaS exploiting OAuth device-code flow for persistent M365 token capture bypassing MFA
- Linux kernel ptrace credential-window LPE (Jann Horn, 2019) — historical predecessor cited as background in 2026-05-23 CVE-2026-46333 deep dive
- PwnKit — polkit pkexec local root (Qualys, 2022) — historical reference cited in 2026-05-23 CVE-2026-46333 deep dive as functional-equivalent outcome
- Looney Tunables — glibc ld.so local privilege escalation (Qualys, 2023) — historical reference cited in 2026-05-23 CVE-2026-46333 deep dive as disclosure-pattern precedent
- ICO POCA confiscation £355,880: Markerstudy Insurance insider accessed 32K+ records off-hours and sold data
- Microsoft Azure CVSS 10.0 cluster — server-side mitigated, no customer action required (MSRC May 2026)
- Microsoft Azure CVSS 10.0 cluster — server-side mitigated, no customer action required (MSRC May 2026)
- Microsoft Azure CVSS 10.0 cluster — server-side mitigated, no customer action required (MSRC May 2026)
- Microsoft Entra ID / Azure CVSS 10.0 cluster — server-side mitigated, no customer action required (MSRC May 2026)
- Microsoft Entra ID / Azure CVSS 10.0 cluster — server-side mitigated, no customer action required (MSRC May 2026)
- B1ack-s Stash carding marketplace publicly releases 4.6M stolen payment card records — third free-release wave (after 1M Apr 2024 and 4M Feb 2025); SOCRadar attributes collection to e-skimming and phishing
- PinTheft — Linux kernel RDS zerocopy double-free + io_uring fixed-buffer page-cache overwrite LPE; PoC public; no CVE assigned; Arch Linux default-loaded (not Ubuntu/Debian/Fedora/RHEL/SUSE)
- SquirrelMail post-auth RCE — used by Webworm against Serbian government targets per ESET 2026-05-20 (initial-access probe after credential theft)
- Keycloak admin evaluate-scopes endpoint cross-role PII leakage bypassing user-view permissions (Keycloak 26.6.2)
- Keycloak WebAuthn packed self-attestation acceptable-AAGUID policy bypass enabling enrolment of hardware tokens outside policy (Keycloak 26.6.2)
- Storm-2949 SSPR-to-Key-Vault Azure kill chain — voice-phishing SSPR → Entra ID → M365 Graph → App Service Kudu → Key Vault → SQL → Storage → Azure VM, no malware
- Storm-2949 — financially motivated, no nation-state attribution; SSPR voice-phishing → multi-resource Azure abuse
- Cisco Talos — demo.pdb BadIIS commodity MaaS ISAPI backdoor; lwxat developer alias; builder tool recovered; UAT-8099 / DragonRank link; 1,800+ IIS servers compromised globally
- vm2 Node.js sandbox — symbol-to-string coercion TypeError sandbox bypass; patched 3.10.5
- vm2 NodeVM allow-list bypass — Module._load() reachable when child_process is explicitly permitted → OS command execution; CVSS 9.9
- vm2 prototype pollution via attacker-controlled JS; CVSS 10.0; affects 3.9.6 – 3.10.5; patched 3.11.0
- vm2 code injection via BaseHandler.getPrototypeOf; CVSS 10.0; patched 3.11.0
- vm2 null-proto exception exploitation; CVSS 9.8; affects ≤ 3.11.1; patched 3.11.2
- vm2 neutralizeArraySpeciesBatch() bypass via null-proto exception; CVSS 9.8; affects ≤ 3.11.1; patched 3.11.2
- SEPPmail Secure Email Gateway — unauthenticated RCE via exposed GINAv2 test endpoints (CVSS 9.3)
- Fast16 — Symantec/Carbon Black confirm contemporaneous-with-Stuxnet nuclear-simulation sabotage; LS-DYNA/AUTODYN hook engine targeting 30 g/cm³ density threshold; Zetter corrects 'pre-Stuxnet' framing
- VMware Fusion 25H2 (macOS) — TOCTOU SETUID race condition LPE (CVSS 7.8); dropped from § 2 in 2026-05-19 brief (did not clear inclusion gates)
- n8n HTTP Request Node injection — companion amplifier to CVE-2026-42231 prototype-pollution chain
- n8n XML Node injection — companion amplifier to CVE-2026-42231 prototype-pollution chain
- n8n Git node SSH chain — terminal sink of CVE-2026-42231 prototype-pollution to RCE
- n8n XML Node injection — companion amplifier to CVE-2026-42231 prototype-pollution chain
- BigBlueButton bbb-web < 3.0.21 — insecure sessionToken generation (CWE-330) enables session hijack
- BigBlueButton bbb-web < 3.0.21 — presentationUploadExternalUrl API checksum bypass (CWE-284)
- BigBlueButton bbb-web < 3.0.23 — SSRF in presentation URL validation (CWE-918)
- Instructure (Canvas LMS) data breach — student and educator data
- ENISA expands CVE Numbering Authority Root — 4 new CNAs, 7 migrated from MITRE; ~90 European CNAs eligible for transfer
- Germany KRITIS-DachG (CER Directive transposition) in force March 2026 — public administration first time in CI scope; registration deadline 17 July 2026
- West Pharmaceutical Services SEC 8-K Item 1.05 — data exfiltrated, systems encrypted, global operations partially restarted (2026-05-11)
- Škoda Auto Deutschland online-shop breach exposes customer PII and password hashes; logging gap prevents exfiltration confirmation (2026-05-11)
- Foxconn confirms Nitrogen ransomware crippled North-American manufacturing sites — 8 TB/11M files claimed, ESXi decryptor mathematically broken
- BWH Hotels (Best Western / WorldHotels / Sure Hotels) — 181-day dwell in guest-reservation web app, EEA guests in scope
- Clinical Diagnostics LCPL / NMDL (NL) — Dutch IGJ ruling: failed NEN 7510 information-security standard at time of July 2025 Nova ransomware breach; ~941,000 patients incl. cervical-cancer screening
- Cisco Catalyst SD-WAN Controller/Manager pre-auth authentication bypass (CVSS 10.0, actively exploited)
- UAT-8616 — Sophisticated actor exploiting Cisco SD-WAN infrastructure since 2023
- CVE-2026-42897 — Microsoft Exchange Server 2016/2019/SE: OWA stored XSS (CISA KEV 2026-05-15, actively exploited, no permanent patch; EEMS Mitigation M2 / EOMT)
- Secret Blizzard / Turla / FSB Centre 16 — Kazuar P2P botnet anatomy (Microsoft Threat Intelligence 2026-05-14)
- Kimsuky (Ruby Sleet / APT43) PebbleDash toolkit evolution — Rust-based HelloDoor variant + TryCloudflare quick-tunnel C2 (Kaspersky GReAT analysis); South Korea primary, Germany spillover
- Fireblocks GG18/GG20 Paillier missing-ZK-proof flaw (TSSHOCK class; cited as background-class for THORChain 2026-05-15 GG20 TSS exploit)
- AMD-SB-7052 — Zen 2 µop-cache corruption / SoC isolation LPE (CVSS 4.0 score 7.3)
- DHTMLX Diagram export module — path traversal (CVSS 4.0 score 9.2)
- Copy Fail — Linux kernel algif_aead LPE (ITW, KEV deadline 2026-05-15)
- Progress MOVEit Automation — unauthenticated auth bypass (CVSS 9.8)
- PHP SOAP extension use-after-free in SOAP_GLOBAL(ref_map) via apache:Map duplicate-key insertion (CVSS 9.5, pre-auth, all 8.x, fixed 2026-05-07)
- Dirty Frag — Linux kernel xfrm-ESP page-cache write primitive, LPE (ITW confirmed 2026-05-08, PoC public, patches landing)
- Dirty Frag — Linux kernel RxRPC page-cache write primitive, LPE chain (ITW confirmed 2026-05-08, PoC public, patch pending)
- Fortinet FortiAuthenticator unauthenticated RCE (CWE-284, CVSS 9.8) — pre-auth, fixed in 6.5.7 / 6.6.9 / 8.0.3
- Fortinet FortiSandbox unauthenticated RCE in Web UI (CWE-862, CVSS 9.1 vendor / 9.8 NVD) — pre-auth, fixed in 4.4.9 / 5.0.2 / Cloud 5.0.6
- SAP Commerce Cloud unauthenticated arbitrary code execution via Spring Security misordering (CVSS 9.6, SAP Note 3733064)
- SAP S/4HANA Enterprise Search ABAP SQL injection (CVSS 9.6) — SAP_BASIS 751-758/816
- Fragnesia — Linux kernel xfrm ESP-in-TCP local privilege escalation (PoC public)
- KIR SzafirHost — JAR zip-polyglot signature-verification bypass enables RCE in Polish qualified e-signature browser helper (CERT-PL coordinated disclosure)
- FunnelKit Funnel Builder for WooCommerce — unauthenticated checkout-endpoint injection, active Magecart skimmer on 40,000+ stores (no CVE assigned)
- F5 BIG-IP / BIG-IQ iControl REST Manager-role authenticated RCE — lead bug of the May 2026 Quarterly Security Notification (43 CVEs)
- DHTMLX PDF Export Module — unauthenticated server-side JavaScript injection RCE (CVSS 4.0 score 10.0); CERT-PL coordinated disclosure with CVE-2026-41552 and CVE-2026-7182
- Pwn2Own Berlin 2026 (May 14–16) — 47 zero-days, $1,298,250 awarded; DEVCORE Exchange three-bug SYSTEM RCE chain, STARLabs ESXi escape, every AI agent target fell; Compass Security Swiss participation
- WinRAR file-extension spoofing arbitrary code execution (cited as veteran exploit by Kaspersky Q1 2026 report)
- Roundcube XSS — exploited by FrostyNeighbor / Ghostwriter (UNC1151) for Polish-targeting credential harvesting
- RelayKing NTLM relay — post-access primitive used by The Gentlemen RaaS
- Cisco Catalyst SD-WAN companion CVE (exploited since March 2026)
- Cisco Catalyst SD-WAN companion CVE (exploited since March 2026)
- Cisco Catalyst SD-WAN companion CVE (exploited since March 2026)
- F5 BIG-IP privilege escalation via misconfigured permissions (May 2026 Quarterly, CVSS 8.7)
- F5 BIG-IP privilege escalation via misconfigured permissions (May 2026 Quarterly, CVSS 8.7)
- F5 BIG-IP privilege escalation via misconfigured permissions (May 2026 Quarterly, CVSS 8.7)
- F5 BIG-IP SSH password exposure in iControl REST audit logs (May 2026 Quarterly, CVSS 8.7)
- DHTMLX PDF Export Module — path traversal via src attribute (CVSS 4.0 score 9.2)
- F5 BIG-IP iControl REST command injection (May 2026 Quarterly, CVSS 8.7)
- F5 BIG-IP iControl REST command injection (May 2026 Quarterly, CVSS 8.7)
- F5 BIG-IP iControl REST command injection (May 2026 Quarterly, CVSS 8.7)
- F5 BIG-IP iControl REST command injection (May 2026 Quarterly, CVSS 8.7)
- OpenClaw / Clawdbot — TOCTOU read escape / file disclosure (CVSS 7.7, Claw Chain)
- OpenClaw / Clawdbot — command-parser allowlist bypass (CVSS 8.8, Claw Chain)
- OpenClaw / Clawdbot — MCP loopback senderIsOwner privilege escalation (CVSS 7.8, Claw Chain)
- GitLab CE/EE — stored XSS in analytics dashboards (CVSS 8.7); cited as dropped from § 2
- PHP SOAP companion to CVE-2026-6722; patched 2026-05-08
- PHP SOAP companion to CVE-2026-6722; patched 2026-05-08
- GitLab CE/EE — stored XSS in container registry virtual registry upstreams (CVSS 8.7); cited as dropped from § 2
- GitLab CE/EE — stored XSS in Jira integration (CVSS 8.7); cited as dropped from § 2
- node-ipc npm package backdoored via expired-domain account takeover (versions 9.1.6 / 9.2.3 / 12.0.1)
- Dream Market lead admin Owe Martin Andresen arrested in Germany (BKA + US multi-agency)
- OpenClaw Claw Chain — CVE-2026-44112 sandbox TOCTOU write escape (CVSS 9.6) + 44113/44115/44118 chain
- AMD-SB-7052 — Zen 2 µop-cache corruption / SoC isolation LPE (May 2026 Windows CU / Xen XSA-490)
- Gremlin Stealer evolved — Unit 42 documents .NET XOR resource-section obfuscation, crypto-clipper, WebSocket browser-process session hijack
- SentinelOne — Living Off the Pipeline CI/CD subversion taxonomy with three case studies (TeamCity / GitLab service-account / Contagious Interview)
- Microsoft Exchange Server SSRF (ProxyLogon) — cited in 2026-05-16 § 5 deep dive Background as precedent for on-prem Exchange exploitation pattern
- Microsoft Exchange Server pre-auth RCE (ProxyShell) — cited in 2026-05-16 § 5 deep dive Background
- JetBrains TeamCity authentication bypass — cited in 2026-05-16 § 3 SentinelOne CI/CD subversion case study
- PHP Composer GitHub Actions token disclosure in error messages (supply chain risk)
- Nextcloud Server/Enterprise: 2FA bypass via WebDAV session token reuse
- OpenAI named as TeamPCP/Mini Shai-Hulud victim; code-signing certificate rotation enforced
- Datadog Shai-Hulud open-source static analysis framework for CI/CD pipeline security
- Sophos State of Identity Security 2026: Switzerland highest breach incidence globally
- Cisco SD-WAN local privilege escalation (UAT-8616 version-downgrade re-exploitation technique)
- BlueHammer — Windows zero-day by Nightmare Eclipse (confirmed ITW by Huntress, April 2026)
- Nextcloud Server SQL injection in column-type parameter (Moderate)
- Google Chrome CVE (mentioned in recency-dropped items, 2026-05-12)
- Google Chrome CVE (mentioned in recency-dropped items, 2026-05-12)
- Ivanti Xtraction external file control (CWE-73, CVSS 9.6) — May 2026 Ivanti multi-product advisory; auth required
- GemStuffer — RubyGems registry weaponised as one-way exfiltration channel scraping UK local-authority ModernGov portals; new abuse pattern exploiting CI/CD inbound-monitoring blind spot
- FamousSparrow (UAT-9244) three-wave intrusion of Azerbaijani oil & gas operator Dec 2025 – Feb 2026; ProxyNotShell re-exploit + novel two-stage export-gated DLL sideloading
- Microsoft Exchange Server SSRF (ProxyNotShell) — cited as initial-access vector in 2026-05-14 FamousSparrow deep dive; chained with CVE-2022-41082
- Microsoft Exchange Server PowerShell remoting deserialization RCE (ProxyNotShell) — cited as initial-access vector in 2026-05-14 FamousSparrow deep dive; chained with CVE-2022-41040
- HPE ArubaOS AOS-10 stored XSS in web management interface (CVSS 8.8) — referenced in 2026-05-14 § 7 drop note (gate not cleared)
- Cline kanban npm package cross-origin WebSocket hijack (CVSS 9.6) — referenced in 2026-05-14 § 7 drop note (out-of-window)
- Exim Dead.Letter — BDAT/CHUNKING UAF on GnuTLS builds, pre-auth RCE (CVSS 9.8, ENISA critical); fixed in Exim 4.99.3
- Windows DNS Client heap-buffer overflow — RCE via malicious DNS response (CVSS 9.8)
- Microsoft SSO Plugin for Jira/Confluence — Entra ID credential forgery (CVSS 9.1, Exploitation More Likely)
- Microsoft Dynamics 365 On-Premises — authenticated code injection with scope change (CVSS 9.9)
- CERTFR-2026-AVI-0564 — SPIP < 4.4.14 multiple RCEs (public + private area)
- CERTFR-2026-AVI-0572 — Centreon Infra Monitoring April 2026 bulletin (RCE / SQLi / XSS cluster)
- Microsoft MDASH — multi-model agentic vulnerability-discovery harness, 16 Windows CVEs found in network-stack kernel components
- TrickMo "TrickMo C" — Android banking trojan migrated C2 to The Open Network blockchain, adds SOCKS5/SSH device-as-pivot; FR/IT/AT campaigns
- NCSC-UK "10 questions to ask when using AI models to find vulnerabilities" — operational checklist
- SAP Forecasting & Replenishment — authenticated OS-command injection (CVSS 8.2, SAP May 2026 patch day)
- Microsoft Word Preview Pane RCE (CVSS 8.4, More Likely exploitation, May 2026 Patch Tuesday)
- Microsoft Word Preview Pane RCE (CVSS 8.4, More Likely exploitation, May 2026 Patch Tuesday)
- Microsoft Word Preview Pane RCE (CVSS 8.4, May 2026 Patch Tuesday)
- Microsoft Word Preview Pane RCE (CVSS 8.4, May 2026 Patch Tuesday)
- Earlier Thymeleaf CVE referenced in § 7 disambiguating the dropped Thymeleaf item; CSO Online article 2026-04-17 covered this CVE rather than CVE-2026-41901
- Thymeleaf SSTI sandbox bypass — referenced in § 7 explaining out-of-window drop (GHSA published 2026-04-29)
- ICO fines South Staffordshire Water £963,900 — Cl0p ZeroLogon 20-month dwell, 5% SOC coverage (UK NIS2/CER precedent)
- BKA + ZIT dismantle relaunched Crimenetwork darknet marketplace; German operator arrested in Mallorca on European Arrest Warrant (2026-05-08)
- Google Threat Intelligence Group AI Threat Tracker (May 2026) — first AI-generated zero-day exploit ITW; AI-augmented malware (CANFAIL, LONGSTREAM, PROMPTFLUX, HONESTCUE); state-actor Gemini abuse (UNC2814, APT45, APT27, UNC5673)
- TeamPCP backdoors Checkmarx Jenkins AST plugin version 2026.5.09; SANDCLOCK exfiltrates CI/CD secrets (2026-05-09 to 2026-05-10)
- Checkmarx Jenkins AST plugin backdoor — TeamPCP/UNC6780 supply-chain compromise (CVSS 9.4, ITW, SANDCLOCK stealer)
- ConnectWise ScreenConnect path traversal — chained with CVE-2024-1709 by Kimsuky/Storm-1175; KEV deadline 2026-05-12 (out-of-window per § 7 of 2026-05-12 brief)
- ConnectWise ScreenConnect authentication bypass (CVSS 10.0) — chained with CVE-2024-1708; cited as 2026-05-12 drop
- Android adbd wireless ADB authentication bypass (CVSS 8.8, adjacent-network, public PoC 2026-05-11) — § 2 gate not cleared
- Netgate pfSense CE 2.8.0 — XMLRPC pfsense.exec_php executes arbitrary PHP as root with Basic Auth (CVSS 9.9, no-patch posture)
- Netgate pfSense CE 2.7.2 — unsafe deserialization in backup/restore yields authenticated root RCE (CVSS 8.8, no-patch posture)
- SMS-blaster smishing establishing itself in Switzerland — portable IMSI-catchers force 2G downgrade, bypass operator SMS filtering
- cPanel/WHM authentication bypass — mass exploitation ongoing (KEV deadline 2026-05-21)
- Progress MOVEit Automation — authenticated privilege escalation (CVSS 8.8)
- Apache HTTP Server 2.4.66 — HTTP/2 double-free RCE (CVSS 8.8)
- Traefik proxy — mTLS bypass via fragmented TLS ClientHello
- Apache HTTP Server 2.4.x — mod_proxy_ajp heap buffer overflow (RCE via AJP backend)
- SimpleHelp RMM — missing authorisation privilege escalation (CVSS 9.9, ITW DragonForce/Medusa, KEV deadline 2026-05-08)
- SimpleHelp RMM — path traversal / zip-slip code execution (CVSS 7.2, ITW, KEV deadline 2026-05-08)
- Samsung MagicINFO 9 Server — unauthenticated path traversal / file write (CVSS 9.8, Mirai, KEV deadline 2026-05-08)
- Progress Telerik UI for ASP.NET AJAX — RadFilter deserialization RCE (CVSS 9.8)
- Progress Telerik UI for ASP.NET AJAX — RadAsyncUpload resource exhaustion DoS (CVSS 7.5)
- Zabbix monitoring platform — XSS / data confidentiality flaw (CERT-FR)
- Zabbix monitoring platform — XSS / data confidentiality flaw (CERT-FR)
- Zabbix monitoring platform — XSS / data confidentiality flaw (CERT-FR)
- UAT-8302 — China-nexus APT targeting government entities in South America and southeastern Europe
- World Leaks — rebranded Hunters International; data-theft extortion without encryption
- France ANTS government identity agency breach — 11.7M citizen records confirmed
- DigiCert support portal compromise — 60 fraudulent EV code-signing certificates
- Trellix source code repository breach
- ADT Inc. cloud environment breach — customer PII (SEC 8-K 2026-04-24)
- Mediaworks Kft (Hungary) — World Leaks data-theft extortion
- Europol IOCTA 2026 — Internet Organised Crime Threat Assessment
- DAEMON Tools Lite supply chain — QUIC RAT, EU governments targeted
- ChipSoft (Netherlands) healthcare software vendor — Embargo ransomware, 66 Dutch DPA notifications
- Vimeo data breach via Anodot third-party SaaS compromise — 119,200 accounts
- Europol shadow IT systems — decade of unregulated data processing outside EU oversight
- Mandiant M-Trends 2026 — Annual Threat Intelligence Report
- DragonForce — ransomware-as-a-service operator exploiting SimpleHelp RMM
- Embargo — ransomware group; responsible for ChipSoft Netherlands attack
- OceanLotus (APT32) — Vietnam-nexus APT; PyPI supply chain campaign
- CL-STA-1132 — likely state-sponsored exploitation cluster for CVE-2026-0300 (PAN-OS)
- Ivanti EPMM on-prem — pre-auth certificate impersonation (CVSS 9.1, ITW, KEV chain with CVE-2026-6973)
- Ivanti EPMM on-prem — admin API improper input validation → RCE (CVSS 7.2, ITW, KEV deadline 2026-05-10)
- Windows Shell protection mechanism failure — NTLM coercion / spoofing (CVSS 4.3, APT28 ITW, KEV deadline 2026-05-12)
- GLPI < 10.0.25 / 11.0.7 — SSRF (CERTFR-2026-AVI-0551)
- GLPI < 10.0.25 / 11.0.7 — data integrity compromise (CERTFR-2026-AVI-0551)
- GLPI < 10.0.25 / 11.0.7 — stored/reflected XSS (CERTFR-2026-AVI-0551)
- GLPI < 10.0.25 / 11.0.7 — XSS (CERTFR-2026-AVI-0551)
- GLPI < 10.0.25 / 11.0.7 — XSS (CERTFR-2026-AVI-0551)
- GLPI < 10.0.25 / 11.0.7 — XSS (CERTFR-2026-AVI-0551)
- GLPI < 10.0.25 / 11.0.7 — security policy bypass / auth bypass (CERTFR-2026-AVI-0551)
- Pro-Russian hacktivist OT intrusion at five Polish water treatment facilities — pump settings modified
- Die Linke (Germany) — Qilin ransomware, 1.5 TB claimed, DPA notified (April 2026)
- Eurail breach (December 2025) — 308 777 travellers notified April 2026; Dutch DPA and EDPS reviewing delayed notification
- CERT-FR CERTFR-2026-ACT-016 — Agentic AI tool risks: prompt injection, MCP supply chain, sandboxing
- Dragos 2025 OT Cybersecurity Year in Review — Frontlines IR Edition
- Kaspersky Q1 2026 Exploits and Vulnerabilities Report
- Inditex (Zara) — ShinyHunters third-party analytics breach, 197,400 EU customers
- DENIC .de DNSSEC outage — HSM integration defect, 3.5 h disruption
- Groupe 3R (Réseau Radiologique Romand) — Akira ransomware, 48 GB claimed, Swiss medical imaging
- Braintrust AI evaluation platform — AWS account breach exposes customer org-level LLM provider keys
- JDownloader official site compromised — Windows/Linux installers swapped for Python RAT (~48 h window)
- Microsoft Semantic Kernel Python SDK — prompt-injection-to-RCE via InMemoryVectorStore filter (CVSS 9.9)
- Microsoft Semantic Kernel .NET SDK — unintended [KernelFunction] on SessionsPythonPlugin Download/UploadFileAsync → sandbox escape (CVSS 9.9)
- PCPJack — modular cloud-credential-theft worm chaining 5 public CVEs; evicts TeamPCP
- Bauman University 'Department No. 4' — leaked GRU cyber-operator training pipeline (joint The Insider / Guardian / Le Monde / Spiegel investigation)
- Beagle backdoor distributed via fake Claude AI site (claude-pro[.]com) — DonutLoader + DLL sideloading on signed G DATA AV updater (Sophos STAC4713)
- ClickFix expands to macOS — Macsync / Shub Stealer / AMOS via Base64 Terminal-paste lures bypass Gatekeeper (Microsoft research)
- DENIC .de DNSSEC outage — technical post-mortem confirms three private keys with keytag 33834, only one DNSKEY published
- Akira — ransomware operator targeting EU healthcare and SME via edge-device CVE chains and intermittent-encryption EDR evasion
- Qilin / Agenda — Rust-based ransomware-as-a-service; Q3 2025 German operational tempo tripled (GTIG); 23 Q1 2026 healthcare claims
- Q1 2026 ransomware quarterly synthesis — Emsisoft / ReliaQuest / ZeroFox / Comparitech convergence
- Google Threat Intelligence Group — Europe Data Leak Landscape 2025 (Germany dominant, 96% of victims <5,000 employees)
- LG Berlin II Apobank ruling — bank liable €218K phishing loss; PSD2 IP-analytics obligation clarified as case law
- EDPB Coordinated Enforcement Framework 2026 — 25 DPAs target GDPR Articles 12-14 transparency obligations
- NCSC Switzerland BACS assessment on AI in vulnerability management — defenders warned against over-reliance on AI detection
- Poland NIS2 transposition (UKSC amendment) in force 3 April 2026 — water-sector essential-entity status
- MEPs demand Europol expansion pause after shadow-IT disclosure; EDPS sanctioning toolkit identified as binary
- Microsoft Office Equation Editor RCE (cited as veteran exploit by Kaspersky Q1 2026 exploit report)
- Microsoft Office Equation Editor RCE (cited as largest-share detected exploit by Kaspersky Q1 2026 report)
- Ivanti EPMM pre-auth API access (2023, exploited by APT29; cited as historical precedent in 2026-05-08 deep dive)
- Ivanti EPMM critical (January 2025, state-actor exploitation; cited as historical precedent in 2026-05-08 deep dive)
- Next.js middleware authorisation bypass via crafted header — weaponised by PCPJack worm
- CentOS Web Panel FileManager shell injection — weaponised by PCPJack worm
- xrdp pre-authentication stack buffer overflow → RCE
- W3 Total Cache PHP injection via mfunc comment processor — weaponised by PCPJack worm
- Ivanti EPMM January 2026 critical — historical precedent cited in 2026-05-09 Ivanti UPDATE
- Ivanti EPMM January 2026 critical companion — historical precedent cited in 2026-05-09 Ivanti UPDATE
- WPVivid Backup unauthenticated file upload — weaponised by PCPJack worm
- Cisco Unity Connection authenticated RCE in management API (CVSS 8.8, NATO NCSC discovery; logged § 7 — dropped from § 2, gate not cleared)
- Cisco Unity Connection unauthenticated SSRF in default-enabled Web Inbox (CVSS 7.2; logged § 7 — dropped from § 2, gate not cleared)
- Windows Shell LNK exploit predecessor — APT28 weaponised against Ukraine and EU; February 2026 patch left CVE-2026-32202 residual
- cPanel/WHM CVE cluster — dropped from § 3 (embargoed, gate not cleared)
- cPanel/WHM CVE cluster — dropped from § 3 (embargoed, gate not cleared)
- cPanel/WHM unsafe symlink handling — chmod abuse on arbitrary files (CVSS 8.8, second emergency TSR)
- Spring Cloud Config Server Google Secrets Manager backend flaw (HIGH)
- Spring Cloud Config Server pre-auth directory traversal (CVSS 9.8)
- Spring Cloud Config Server companion CVE (HIGH)
- Spring Cloud Config Server companion CVE (MEDIUM)
- LiteLLM Proxy pre-auth SQL injection — all upstream LLM API keys at risk (CVSS 9.3, KEV deadline 2026-05-11)
- SEPPmail GINAv2 — missing authentication in admin REST API (CVSS 9.3)
- SEPPmail GINAv2 — insecure deserialisation via session cookie → RCE (CVSS 9.2)
- SEPPmail appliance management — LFI and arbitrary file deletion (CVSS 8.8)
- SEPPmail GINAv2 — server-side template injection via Freemarker (CVSS 8.3)
- SEPPmail appliance management — information disclosure (CVSS 6.9)
- PamDOORa — malicious PAM module with credential harvesting and log scrubbing, sold on Rehub
- Apache CloudStack post-auth authentication token flaw — dropped from § 3 (gate not cleared)
- Amazon SES abuse for authenticated BEC/phishing (Kaspersky, 2026-05-04)
- Ivanti EPMM authenticated → administrative-access via improper access control (CVSS 8.8, May 2026 chain)
- Ivanti EPMM unauthenticated arbitrary method invocation (CVSS 7.0, May 2026 chain)
- Ivanti EPMM unauthenticated device-registration enabling sensitive data access (May 2026 chain)
- Microsoft Office Protected View bypass — security feature bypass (CVSS 7.8, KEV deadline 2026-02-16 already passed; deferred from § 4)
- Microsoft Office Protected View chain CVE (deferred from § 4; see CVE-2026-21509 series)
- Microsoft Office Protected View chain CVE (deferred from § 4; see CVE-2026-21509 series)
- Metabase Enterprise — serialization import RCE (CVSS 7.2, public PoC)
- QLNX (Quasar Linux) — developer-targeting Linux RAT with eBPF rootkit and PAM backdoor
- ZiChatBot — OceanLotus PyPI supply chain backdoor using Zulip API C2
- Amatera — InstallFix campaign infostealer targeting browser credentials and e-wallets
- InstallFix — malvertising campaign distributing Amatera infostealer via fake AI tool install pages
- CVE-2026-29168
- CVE-2026-29169
- ScarCruft (APT37 / Reaper) — North Korea-aligned APT
- BirdCall — ScarCruft Android/Windows backdoor
- CVE-2026-24072