Tag: vulnerabilities
All items tagged vulnerabilities.
- CVE-2026-20253 — Splunk Enterprise pre-auth RCE flips to confirmed exploitation and CISA KEV
- CVE-2026-12569 — PTC Windchill / FlexPLM pre-auth deserialization RCE, exploited, BSI calling admins at 02:30
- CVE-2026-0257 — Palo Alto Networks PAN-OS GlobalProtect: authentication bypass under active exploitation
- CVE-2026-20262 — Cisco Catalyst SD-WAN Manager: authenticated arbitrary file write to root, exploited as a zero-day (CISA KEV)
- CVE-2026-48907 — Joomla Content Editor (JCE): unauthenticated profile-import to PHP RCE (CVSS 4.0 10.0, CISA KEV)
- CVE-2026-54420 — LiteSpeed cPanel/WHM plugin: symlink-following on shared hosting, exploited (CISA KEV)
- CVE-2026-25089 / CVE-2026-39808 / CVE-2026-39813 — FortiSandbox: three critical flaws exploited in one 24-hour window
- CVE-2026-4020 — Gravity SMTP WordPress plugin: unauthenticated credential dump, mass-exploited
- CVE-2026-50751 — Check Point Security Gateway IKEv1 VPN authentication bypass: public PoC, Qilin affiliate use
- CVE-2026-46978 / CVE-2026-35278 — Oracle June 2026 CSPU: unauthenticated Solaris RAD flaw (10.0) and PeopleSoft RCE (9.8)
- CVE-2026-20181 / CVE-2026-20190 — Cisco Identity Services Engine: unauthenticated credential read chaining to root command execution
- CVE-2026-0647 et al. — Rockwell Automation FLEX I/O unauthenticated password reset (9.4) and Logix CIP DoS, flagged by NCSC-CH
- CVE-2026-55803 / CVE-2026-55804 — Drupal core: PHP object-injection chain in JSON:API, BSI-rated critical
- Education — exposed CMS and forum software stack a structural risk
- Research: the AI agent and toolchain control plane became a concrete attack-surface class this week
- Research: usbliter8 — an unpatchable SecureROM boot-chain exploit for Apple A12/A13 silicon
- Chaotic Eclipse / Nightmare Eclipse zero-day wave — RoguePlanet (CVE-2026-50656) still unpatched, PoC works on June builds
- CRA reporting obligation lands 11 September — ENISA Single Reporting Platform access manual due, dry-runs before go-live
- CVE-2026-4020 — Gravity SMTP WordPress plugin: unauthenticated config-dump of email-connector credentials, mass-exploited
- CVE-2026-40624 — AVer PTC-series conference cameras: unauthenticated RCE via the management web interface
- CVE-2026-52806 — Gogs self-hosted Git server: argument injection to OS command execution (BSI critical batch)
- usbliter8 — a permanent SecureROM boot-chain exploit for Apple A12/A13 silicon
- AutoJack — Microsoft shows a single web page can drive host RCE through an AI agent's local MCP server
- UPDATE: Splunk CVE-2026-20253 now under confirmed limited targeted exploitation
- CVE-2026-20181 / CVE-2026-20190 — Cisco Identity Services Engine: unauthenticated credential read chaining to authenticated root command execution
- CVE-2026-12046 / CVE-2026-12045 / CVE-2026-12048 — pgAdmin 4: unauthenticated pickle deserialization RCE, AI-Assistant read-only-transaction bypass, stored XSS
- CVE-2026-42530 / CVE-2026-42055 — NGINX: HTTP/3 QUIC use-after-free and HTTP/2-proxy heap overflow, out-of-band F5 patches
- CVE-2026-55803 / CVE-2026-55804 — Drupal core: PHP object-injection chain in JSON:API, BSI-rated critical
- UPDATE: Nightmare/Chaotic Eclipse zero-day wave — the Defender LPE now carries a CVE, a public PoC, and Microsoft's "Exploitation More Likely" rating, with no patch
- CVE-2026-46978 / CVE-2026-35278 — Oracle June 2026 CSPU: unauthenticated Solaris RAD flaw (CVSS 10.0) and PeopleSoft RCE (9.8)
- CVE-2026-0647 et al. — Rockwell Automation FLEX I/O unauthenticated password reset (CVSS 9.4) and Logix CIP denial-of-service, flagged by NCSC-CH
- BSI flags 13 vulnerabilities patched in Zammad 7.1 — admin privilege escalation in a DACH public-sector helpdesk platform
- CVE-2026-48907 — Widget Factory Joomla Content Editor (JCE) before version 2.9.99.5: unauthenticated profile-import → PHP RCE (CVSS v4 10.0)
- Unit 42 "Pickle in the Middle": cross-tenant code execution in Google Vertex AI via predictable staging buckets (CVE-2026-2473)
- UPDATE: FortiSandbox — three critical flaws now exploited simultaneously, including the previously disclosure-only CVE-2026-25089
- UPDATE: PAN-OS GlobalProtect CVE-2026-0257 — exploitation wave with Impacket post-compromise, NCSC-CH refreshes advisory
- UPDATE: Check Point IKEv1 CVE-2026-50751 — public PoC raises exploitation risk
- CVE-2026-20262 — Cisco Catalyst SD-WAN Manager: authenticated arbitrary file write to root RCE (CISA KEV)
- CVE-2026-54420 — LiteSpeed cPanel/WHM plugin: symlink-following on shared hosting, exploited in the wild (CISA KEV)
- CVE-2026-48611 / CVE-2026-48612 — phpBB: unauthenticated authentication bypass to admin, one HTTP request
- Obsidian Security: a three-CVE chain turns any LiteLLM user into root on the AI gateway
- Varonis "SearchLeak" (CVE-2026-42824): one-click M365 Copilot data exfiltration, now patched
- CVE-2026-10520 / CVE-2026-10523 — Ivanti Sentry: pre-auth command injection to root, now confirmed exploited and gateways backdoored
- CVE-2026-41089 — Windows Netlogon: pre-auth SYSTEM RCE on domain controllers, confirmed exploited in the EU
- CVE-2026-35273 — Oracle PeopleSoft: confirmed zero-day exploited by ShinyHunters (UNC6240), education sector hit hardest
- CVE-2026-50751 — Check Point Security Gateway: IKEv1 VPN authentication bypass exploited by a Qilin affiliate [SINGLE-SOURCE]
- Chaotic Eclipse / Nightmare Eclipse Windows zero-day wave — three long-tracked bugs patched, a fourth still open
- CVE-2026-20253 — Splunk Enterprise: unauthenticated arbitrary file creation/truncation via the PostgreSQL sidecar proxy [SINGLE-SOURCE]
- CVE-2026-49261 — MariaDB Galera cluster: pre-auth lateral RCE via `wsrep_notify_cmd`
- CVE-2026-44748 — SAP NetWeaver AS ABAP: SAML XML Signature Wrapping (CVSS 9.9) [SINGLE-SOURCE]
- CVE-2025-8088 — WinRAR path traversal: still fuelling Ukraine intrusions a year after the fix [SINGLE-SOURCE]
- CISA replaces the flat KEV 14-day rule with risk-tiered remediation (BOD 26-04)
- CVE-2026-10795 — UpdraftPlus WordPress backup plugin: unauthenticated authentication bypass to RCE
- CVE-2026-20253 — Splunk Enterprise: unauthenticated pre-auth RCE via the PostgreSQL sidecar proxy
- UPDATE: Ivanti Sentry CVE-2026-10520 — exploitation confirmed in the wild, gateways backdoored
- CVE-2026-48558 — SimpleHelp RMM: unauthenticated OIDC authentication bypass yields a full technician session
- Check Point chains SQL injection to RCE in LangGraph's checkpointer (CVE-2025-67644 + CVE-2026-28277)
- "GreatXML": unpatched BitLocker bypass via crafted XML on the recovery partition — PoC public, practical severity contested
- CISA replaces the KEV 14-day rule: BOD 26-04 introduces risk-tiered remediation with a 3-day class for the worst exposures
- June 2026 Patch Tuesday: four CVSS ≥ 9.1 criticals — Windows kernel TCP/IP RCE, Nuance PowerScribe, Azure Stack Edge, Exchange Online
- CVE-2026-25089 — Fortinet FortiSandbox: unauthenticated OS command injection in the web UI's VNC-launch handler (CVSS 9.8)
- UPDATE: ShinyHunters PeopleSoft campaign — Oracle confirms CVE-2026-35273 and ships an out-of-band patch; Nottingham quantifies 455,000 records
- "RoguePlanet" Microsoft Defender zero-day: TOCTOU race in the scan engine yields a SYSTEM shell, no CVE, no patch
- CVE-2026-5027 — Langflow: unauthenticated path traversal to arbitrary file write, exploited in the wild
- UPDATE: Windows Netlogon RCE CVE-2026-41089 now confirmed exploited in the wild in the EU; CERT-EU issues advisory 2026-007
- CVE-2026-10520 / CVE-2026-10523 — Ivanti Sentry: pre-auth OS command injection to root (CVSS 10.0), public PoC published today
- CVE-2026-47291 — Microsoft June Patch Tuesday: HTTP.sys pre-auth RCE (CVSS 9.8) headlines the largest-ever release (198 CVEs)
- CVE-2026-44748 — SAP June Patch Day: SAML XML Signature Wrapping in NetWeaver AS ABAP (CVSS 9.9) plus an unauth RFC kernel memory-corruption (CVSS 9.8)
- CVE-2026-47895 — strongSwan: pre-auth double-free in libstrongswan identity cloning, unauthenticated RCE over EAP (patched 6.0.7)
- CVE-2026-44963 — Veeam Backup & Replication: authenticated domain-user deserialization RCE on the backup server (CVSS 9.4)
- CVE-2026-11645 — Google Chrome V8 out-of-bounds read/write exploited in the wild, added to CISA KEV
- CVE-2026-7473 — Arista EOS tunnel-decapsulation logic flaw bypasses segmentation, added to CISA KEV
- CVE-2026-47344 et al. — TYPO3 core June release: 13 CVEs across every supported branch (10.4 ELTS → 14.3 LTS)
- UPDATE: PAN-OS GlobalProtect auth-bypass (CVE-2026-0257) — Unit 42 confirms attackers established working gateway sessions
- CVE-2026-50751 — Check Point Security Gateway: IKEv1 VPN authentication bypass, actively exploited by a Qilin affiliate
- CVE-2026-42271 — BerriAI LiteLLM: low-privilege command injection to host RCE, added to CISA KEV
- Exodus Intelligence publishes working exploit for a one-character Linux kernel nf_tables use-after-free (CVE-2026-23111)
- CVE-2026-3300 — Everest Forms Pro (WordPress): unauthenticated `eval()` injection, actively exploited at scale
- CVE-2026-49200 / CVE-2026-49201 — Acer Wave-7 mesh routers: cleartext-credential log + hardcoded backup key, CVSS 10.0, no patch
- CVE-2026-20245 — Cisco Catalyst SD-WAN Manager: no-patch zero-day chain confirmed to push malicious configs to edge devices
- CVE-2026-41089 — Windows Netlogon: pre-auth SYSTEM RCE on domain controllers, actively exploited
- CVE-2026-49975 — HTTP/2 Bomb: HPACK amplification + Slowloris chains to single-connection RAM exhaustion, patch status split by server
- Keycloak 26.6.3 — 16 CVEs in the EU public sector's reference IAM, led by token-exchange privilege escalation and SSRF [SINGLE-SOURCE vendor advisory]
- CVE-2026-10868 — MISP: mass-assignment account-takeover (CVSS 9.0) in the EU threat-sharing platform
- Public sector — most-targeted sector this week by volume and by operational severity
- ENISA NIS360 2026 (3rd edition) — seven sectors in the persistent risk zone where criticality outpaces maturity
- CRA June 11 notifying-authority deadline — first hard CRA milestone with ENISA SRP manual and Secure Update Mechanisms advisory published
- CVE-2026-10881 — Google Chrome (ANGLE graphics engine): out-of-bounds read/write enabling sandbox escape (CVSS 9.6)
- An autonomous AI agent finds 21 zero-days in FFmpeg for ~$1,000 — nine numbered (CVE-2026-39210 to -39218), parser bugs up to 23 years old
- CVE-2026-20245 — Cisco Catalyst SD-WAN Manager: actively-exploited command-injection to root (no patch)
- CVE-2026-28318 — SolarWinds Serv-U: unauthenticated DoS added to CISA KEV
- CVE-2026-10868 — MISP: critical mass-assignment account-takeover in the EU threat-sharing platform
- UK National Federation of Subpostmasters hit by ransomware via a cPanel flaw; disruption persists into June
- CVE-2026-34906 / CVE-2026-34907 — Simple SA "Wirtualna Uczelnia": unauthenticated SSTI-to-RCE in the student-administration platform used across Polish public universities
- University of Toronto / Vector Institute: a self-propagating worm that runs open-weight LLMs on compromised hosts to synthesise per-target exploits
- CVE-2026-45247 — Mirasvit Full Page Cache Warmer (Magento 2 / Adobe Commerce): unauthenticated PHP object-injection RCE, now in CISA KEV
- CVE-2026-8206 + CVE-2026-8181 — Kirki and Burst Statistics WordPress plugins: unauthenticated account takeover under active mass-exploitation
- CVE-2026-20230 — Cisco Unified Communications Manager: unauthenticated SSRF to OS-root file write
- CVE-2026-10611 — MISP: OTP bypass when LDAP mixed-auth and OTP enforcement are both enabled
- Huntress: Windows `search:` URI handler leaks NTLMv2 hashes — Microsoft declines to patch
- Enclave: a single debug flag left on in six Microsoft 365 Android apps allowed silent OAuth-token theft
- One-click GitHub OAuth-token theft via github.dev, full-disclosed with PoC; Microsoft patched 3 June
- CVE-2024-21182 — Oracle WebLogic Server: unauthenticated T3/IIOP data access, KEV-listed on active exploitation
- CVE-2025-48595 — Android Framework: actively-exploited integer-overflow privilege escalation
- UPDATE: Gamaredon weaponises WinRAR CVE-2025-8088 and adds the GammaSteel stealer
- CERT-PL discloses hardcoded-credential supply-chain flaw in KS-SOMED healthcare software (CVE-2026-42251)
- CVE-2026-8732 — WP Maps Pro WordPress plugin: unauthenticated admin-account creation, actively exploited
- CVE-2026-8931 — Disig Web Signer: critical RCE in a Slovak electronic-signature client
- CVE-2026-44825 — Apache Solr: unauthenticated admin via hardcoded template credentials, no patch yet
- UPDATE: Windows Netlogon CVE-2026-41089 moves from "patch-available" to actively exploited
- PostHog rotates all AWS credentials after researcher-confirmed cloud exploit; EU and US clouds degraded
- Mautic 7.1.2 / 6.0.9 — seven authenticated flaws, including two post-auth RCE paths (SSTI and path-traversal-to-PHP-RCE), an SSRF and an API authorization bypass
- [SINGLE-SOURCE] Cisco Talos maps the DICOM-format attack surface against Orthanc PACS — network-ingested medical images as a heap out-of-bounds-write primitive
- CVE-2026-0257 — Palo Alto PAN-OS GlobalProtect: Pre-Auth Authentication Bypass via Certificate Reuse
- CVE-2026-48710 "BadHost" — Starlette (FastAPI / vLLM / LiteLLM / MCP SDK): Pre-Auth Auth Bypass via Malformed Host Header
- Sysdig TRT: first observed LLM-agent-driven post-exploitation — CVE-2026-39987 Marimo notebook RCE to database exfiltration in 4 pivots under one hour
- UPDATE: Nightmare Eclipse / Chaotic Eclipse — Microsoft's Digital Crimes Unit threatens criminal action; GreenPlasma and MiniPlasma (`cldflt.sys` SYSTEM escalation) remain unpatched; researcher announces July 14 drop
- UPDATE: Ivanti Secure Access Client — NCSC.ch adds CVE-2026-8992 (local privilege escalation, CVSS 7.8) to May advisory
- Apereo CAS version 7.3.7.1 patches an OIDC-provider flaw reported by Coop Switzerland; CERT-FR issues advisory CERTFR-2026-AVI-0654
- FortiClient EMS CVE-2026-35616 actively exploited to push EKZ Infostealer through trusted endpoint-management channel
- Rapid7 publishes unpatched Gogs argument-injection RCE with a Metasploit module; maintainer non-responsive
- CVE-2026-4408 & CVE-2026-4480 — Samba: unauthenticated RCE in SAMR RPC and print-command subsystems (CVSS 10.0)
- CVE-2026-44939 (+ CVE-2026-41052, CVE-2026-41053) — SUSE Rancher: command injection on cluster import, PSA label privilege-escalation, GitHub-App over-inclusive team membership
- CVE-2026-44848 & CVE-2026-44849 — Portainer CE: Docker plugin endpoints unguarded; Swarm-service security checks bypassed (CVSS 9.4)
- CVE-2026-9170 — IBM HTTP Server / WebSphere Application Server: pre-auth RCE via improper input validation (CVSS 9.8)
- CVE-2026-4868 (+ five further CVEs) — GitLab 19.0.1 / 18.11.4 / 18.10.7 patch release: Duo AI identity impersonation, unauthenticated project enumeration
- CVE-2026-32996 & CVE-2026-32997 — Veeam Backup & Replication KB4852: LPE in Windows Agent, arbitrary file write in Linux appliance
- ILIAS LMS — nine fixes shipped 2026-05-27, two critical access-control gaps (CVSS 9.8 + 9.3), NCSC.ch flags SOAP interface as primary unauthenticated attack surface
- CVE-2026-48842 — Roundcube Webmail pre-authentication SQL injection in `virtuser_query` plugin (CVSS 8.1)
- CVE-2026-35087 / CVE-2026-35089 / CVE-2026-35090 — Slican PBX telephony exchanges, triple pre-authentication admin bypass (CERT Polska)
- CVE-2026-9312 — GitHub Enterprise Server (< 3.22): unauthenticated SSRF via upload-endpoint path traversal exposes internal services and credentials
- CVE-2026-9642 — Delta Electronics DIAView SCADA: incomplete fix for prior unauthenticated remote database access (CVE-2025-62582) [SINGLE-SOURCE]
- CVE-2026-9058 — Szafir SDK (KIR): signature-verification routine reports success on an untrusted certificate chain, enabling auth bypass in Polish e-government
- CVE-2026-5426 — Digital Knowledge KnowledgeDeliver LMS: pre-shared ASP.NET `machineKey` enables ViewState deserialization RCE, exploited as a zero-day
- Large-scale ClickFix campaign mass-compromises self-hosted Ghost CMS sites via CVE-2026-26980
- CVE-2026-26980 — Ghost CMS Content API: unauthenticated blind SQL injection in the `slug` filter, actively exploited
- CVE-2026-0257 — Palo Alto PAN-OS GlobalProtect pre-auth authentication bypass, exploited in two waves by the same actor
- CVE-2026-35616 — Fortinet FortiClient EMS pre-auth bypass, exploited to push EKZ Infostealer down the management channel
- CVE-2026-26980 — Ghost CMS unauthenticated blind SQL injection, mass-exploited into a ClickFix infostealer chain
- CVE-2026-4408 / CVE-2026-4480 — Samba dual unauthenticated RCE (CVSS 10.0), patch window closed mid-week
- CVE-2026-5426 — Digital Knowledge KnowledgeDeliver LMS: ViewState deserialization RCE exploited as a zero-day
- CVE-2026-9170 — IBM HTTP Server / WebSphere Application Server: pre-auth RCE (CVSS 9.8)
- CVE-2026-48710 "BadHost" — Starlette pre-auth host-header auth bypass across the Python AI/ASGI stack
- CVE-2026-48842 — Roundcube Webmail pre-authentication SQL injection
- Public administration & identity (CH / DACH lead) — the LMS, SSO and e-government estate under multi-product pressure
- Healthcare — administrative and imaging intermediaries remain the soft surface
- Chaotic Eclipse / Nightmare Eclipse — MiniPlasma confirmed SYSTEM on a fully-patched Windows 11; sixth zero-day in six weeks
- EU Cyber Resilience Act — 11 June notifying-authority deadline, then September reporting obligations [SINGLE-SOURCE]
- CVE-2026-48172 — LiteSpeed User-End cPanel plugin: authenticated cPanel user to root via `lsws.redisAble`, actively exploited
- DNS-resolver patch cluster — Unbound 1.25.1 (11 CVEs) and ISC BIND 9.18.49 / 9.20.23
- ANSSI / CERT-FR publishes CERTFR-2026-AVI-0635 on SPIP < 4.4.15 — security-policy bypass in the dominant French public-administration CMS
- ANNUAL REPORT — Rapid7 Q1 2026 Threat Landscape Report: vulnerability exploitation now top initial-access vector at 38 %; KEV median time to listing collapses to 5 days
- UPDATE: Drupal CVE-2026-9082 — CISA KEV addition + active exploitation confirmed; NCSC.ch flips post 12584 to "Actively exploited"
- CVE-2026-34926 — Trend Micro Apex One On-Premise: post-auth directory traversal by admin-credential holder injects code deployed fleet-wide to all managed agents (CISA KEV, ITW)
- CVE-2025-34291 — Langflow AI Workflow Platform: CORS misconfiguration + SameSite=None refresh token enables cross-origin token theft (CISA KEV, ITW, Flodric botnet)
- CVE-2026-20223 — Cisco Secure Workload: CVSS 10.0 zero-auth REST API grants Site Admin privileges across all tenants, no workaround
- UPDATE: Microsoft Defender CVE-2026-41091 + CVE-2026-45498 — both CVEs confirmed exploited, out-of-band engine update 4.18.26040.7 confirmed as fix
- SonicWall Gen6 SSL-VPN incomplete-patching (CVE-2024-12802) — Akira-linked actors brute-force MFA via UPN/SAM account-name split, February–March 2026 intrusions
- CVE-2026-42822 — Microsoft Azure Local Disconnected Operations (ALDO): CVSS 10.0 unauthenticated network elevation-of-privilege, "Exploitation More Likely"
- CVE-2026-45829 — ChromaDB Python FastAPI server: pre-auth RCE via embedding-function model loading before auth check (CVSS 4.0 = 10.0; still unpatched in v1.5.9)
- Keycloak 26.6.2 — 16 CVEs including OIDC session fixation (CVE-2026-7507), WebAuthn execute-actions token replay (CVE-2026-37982), introspection audience bypass (CVE-2026-37979) and cross-realm IDOR in Authorization Services (CVE-2026-4630)
- PinTheft — Linux kernel local-privilege-escalation primitive (RDS zerocopy double-free + io_uring fixed-buffer page-cache overwrite), PoC public, Arch Linux default-loaded
- UPDATE: Drupal SA-CORE-2026-004 / CVE-2026-9082 ships — "highly critical" pre-auth SQL injection in core database API, PostgreSQL-only
- Drupal core "highly critical" pre-patch warning — unauthenticated, zero-complexity, patch window today 17:00–21:00 UTC
- Sparx Enterprise Architect / Pro Cloud Server — five-CVE chain (pre-auth SQL injection + WebEA race-condition RCE), public PoC, no vendor patch
- Huawei VRP enterprise-router zero-day caused POST Luxembourg nationwide telecom outage (July 2025) — no CVE filed 10 months later [SINGLE-SOURCE]
- CVE-2026-41091 — Microsoft Defender Engine link-following EoP, actively exploited
- CVE-2026-45584 — Microsoft Defender Engine heap-buffer-overflow RCE over network
- CVE-2026-31635 ("DirtyDecrypt") — Linux kernel RxGK page-cache write, public PoC; Fedora, Arch, openSUSE Tumbleweed affected
- vm2 Node.js sandbox — 12 critical CVEs (CVE-2026-43997 / 43999 / 44005 / 44006 / 44008 / 44009 et al.), sandbox escape to host RCE, upgrade to ≥ 3.11.4
- UPDATE: CVE-2026-45585 (YellowKey) — Microsoft formally assigns CVE and publishes WinRE mitigation
- UPDATE: SEPPmail Secure E-Mail Gateway — InfoGuard Labs full technical write-up; new CVE-2026-2743 (CVSS 10.0 pre-auth path traversal in LFT)
- BigBlueButton bbb-web < 3.0.21 / < 3.0.23 — three flaws in EU education and government virtual-classroom platform: weak session-token randomness, API checksum bypass, SSRF
- CVE-2026-42231 / -42232 / -44789 / -44790 / -44791 — n8n self-hosted automation: chained prototype-pollution and injection flaws enabling authenticated-to-RCE plus a Git-node arbitrary file read
- UPDATE: Chaotic Eclipse Windows zero-days — MiniPlasma is third PoC in series; cldflt.sys CfAbortHydration path, claimed re-exploitable CVE-2020-17103 regression
- UPDATE: CVE-2026-42897 Exchange OWA — EM Service auto-mitigation depends on outbound connectivity to `officemitigations.microsoft.com`
- UPDATE: CVE-2026-42945 NGINX Rift — in-the-wild exploitation confirmed by VulnCheck honeypots
- UPDATE: CVE-2026-0300 PAN-OS Captive Portal — revised fix-release timelines for 10.2.13-h21 and 10.2.16-h7; wave-2 target remains 2026-05-28
- Microsoft Defender Engine CVE-2026-41091 + CVE-2026-45498 — both confirmed exploited in the wild; out-of-band engine update is the fix
- Drupal core CVE-2026-9082 — pre-auth SQL injection, CISA KEV, active exploitation confirmed; NCSC.ch flipped to "actively exploited"
- SonicWall Gen6 SSL-VPN CVE-2024-12802 — Akira-linked actors bypassing MFA on *officially-patched* firmware
- Two CISA KEV additions under active exploitation — Trend Micro Apex One and Langflow
- Windows "Chaotic Eclipse" zero-day proliferation — YellowKey, GreenPlasma, MiniPlasma
- Drupal CVE-2026-9082 — disclosure-only Monday to KEV-confirmed-exploited by Friday
- CVE-2026-20223 — Cisco Secure Workload: CVSS 10.0 zero-auth REST API grants Site Admin across all tenants, no workaround
- CVE-2026-42822 — Azure Local Disconnected Operations: CVSS 10.0 unauthenticated network elevation-of-privilege
- CVE-2026-45829 — ChromaDB Python server: pre-auth RCE before the auth check, still unpatched
- CVE-2026-48172 — LiteSpeed User-End cPanel plugin: authenticated cPanel user to root, actively exploited
- CVE-2026-42096 … -42100 — Sparx Enterprise Architect / Pro Cloud Server: five-CVE pre-auth chain, public PoC, no patch
- CVE-2026-7507 (+15) — Keycloak 26.6.2: identity-provider cluster including OIDC session fixation and cross-realm IDOR
- Public administration — web-CMS and identity estate under multi-vector pressure
- Telecom — sustained pressure from espionage tradecraft and fragile carrier infrastructure
- Education — virtual-classroom platforms and EdTech SaaS exposure
- Verizon 2026 DBIR — vulnerability exploitation is the #1 breach vector for the first time in 19 years; patching cadence regressed
- Rapid7 Q1 2026 Threat Landscape Report — corroborates the structural shift; KEV-to-listing window collapsing
- Microsoft Exchange CVE-2026-42897 — actively-exploited OWA stored-XSS, no permanent patch, Pwn2Own three-bug chain compounds the picture
- Cisco Catalyst SD-WAN CVE-2026-20182 — UAT-8616 active, CISA Emergency Directive ED-26-03, 10+ companion-CVE clusters
- PAN-OS CVE-2026-0300 — wave 2 confirmed delayed to 2026-05-28; eight build streams remain on mitigation-only for a further 11 days
- Windows BitLocker "YellowKey" + CTFMON "GreenPlasma" — public PoC, no patch, TPM-only BitLocker bypassed
- Dirty Frag (CVE-2026-43284 xfrm-ESP + CVE-2026-43500 RxRPC) — Microsoft confirmed ITW, RxRPC distro patches still propagating
- Microsoft Exchange CVE-2026-42897 OWA-XSS — same-week compounding with the DEVCORE Pwn2Own chain
- PAN-OS CVE-2026-0300 — staged-patch arc spanning W19 and W20
- CVE-2026-44277 / CVE-2026-26083 — Fortinet FortiAuthenticator and FortiSandbox unauthenticated RCE
- CVE-2026-34263 — SAP Commerce Cloud pre-auth RCE; CVE-2026-34260 — SAP S/4HANA Enterprise Search SQL injection
- CVE-2026-44088 — CERT-PL SzafirHost JAR zip-polyglot bypass in Poland's qualified e-signature browser helper
- CVE-2026-6722 — PHP SOAP UAF in `SOAP_GLOBAL(ref_map)` (with companions CVE-2026-7261 / CVE-2026-7262)
- Windows BitLocker "YellowKey" and CTFMON "GreenPlasma" — public PoC, no patch
- CVE-2026-46300 — Linux kernel xfrm ESP-in-TCP LPE ("Fragnesia"), PoC public
- WordPress retail / e-commerce
- SEPPmail CVE-2026-44128 — CIRCL advisory confirms CVSS 9.3 unauthenticated Perl-eval RCE; no third-party PoC in window
- EU CRA milestones — 11 June 2026 CAB notification, 11 September 2026 Article 14 reporting obligations
- ENISA CVE Numbering Authority Root — 4 new CNAs onboarded, identities undisclosed; 7 existing CNAs migrated from MITRE Root
- CISA Emergency Directive ED-26-03 — Cisco Catalyst SD-WAN
- NIS2 transposition — status update; no Court of Justice referral announced this week
- CERT-PL CVE-2026-44088 — SzafirHost JAR zip-polyglot bypass in Poland's qualified e-signature browser helper
- FunnelKit "Funnel Builder for WooCommerce" actively exploited as Magecart skimmer on 40,000+ WordPress stores — no CVE assigned
- CVE-2026-41225 — F5 BIG-IP / BIG-IQ: iControl REST Manager-role authenticated RCE (CVSS 4.0 score 8.6 / CVSS 3.1 score 9.1) leading the May 2026 Quarterly Notification
- CVE-2026-41553 — DHTMLX PDF Export Module: unauthenticated server-side JavaScript injection RCE (CVSS 4.0 score 10.0), with CVE-2026-41552 and CVE-2026-7182 path-traversal companions
- UPDATE: Exchange CVE-2026-42897 — Pwn2Own DEVCORE three-bug SYSTEM RCE chain emerges alongside active OWA-XSS exploitation
- CVE-2026-42897 — Microsoft Exchange Server 2016 / 2019 / SE: stored XSS in OWA, actively exploited, no permanent patch
- CVE-2026-44112 / CVE-2026-44113 / CVE-2026-44115 / CVE-2026-44118 — OpenClaw "Claw Chain": four chainable flaws in autonomous-agent platform enable sandbox escape → credential leak → privilege escalation → file disclosure
- AMD-SB-7052 / CVE-2025-54518 — AMD Zen 2 µop-cache corruption / SoC isolation failure: local privilege escalation (CVSS 7.3), microcode mitigation in May 2026 Windows update and Xen XSA-490
- SentinelOne: "Living Off the Pipeline" — CI/CD subversion taxonomy with three real intrusion cases (TeamCity, GitLab service-account pivot, Contagious Interview) [SINGLE-SOURCE]
- Windows BitLocker "YellowKey" and CTFMON "GreenPlasma" zero-days: public PoC, no patch, TPM-only BitLocker bypassed
- CVE-2026-45691 — Nextcloud Server / Enterprise Server: 2FA bypass on WebDAV via pre-authenticated session token reuse
- CVE-2026-45793 — PHP Composer: GitHub Actions CI token disclosure in error messages [SINGLE-SOURCE]
- CVE-2026-42945 — NGINX Open Source / Plus / F5 WAF products: 18-year-old heap buffer overflow in rewrite module ("NGINX Rift"), PoC public
- CVE-2026-46300 — Linux kernel: local privilege escalation via xfrm ESP-in-TCP ("Fragnesia"), PoC public
- UPDATE: Datadog Security Labs analyzes leaked TeamPCP "Shai-Hulud" offensive framework source code
- CVE-2026-8043 Ivanti Xtraction external file control (CVSS 9.6) plus EPM SQL-injection-to-RCE and vTM admin OS-command injection — May 2026 advisory batch, no ITW
- UPDATE: CVE-2026-0300 PAN-OS Captive Portal — patch wave 2 delayed to 2026-05-28 for eight high-traffic build streams; mitigation remains the only option on those builds [SINGLE-SOURCE]
- CVE-2026-44277 / CVE-2026-26083 — Fortinet FortiAuthenticator and FortiSandbox unauthenticated RCE
- CVE-2026-45185 — Exim "Dead.Letter" use-after-free in BDAT/CHUNKING on GnuTLS builds
- CVE-2026-41089 / CVE-2026-41096 / CVE-2026-41103 / CVE-2026-42898 — Microsoft May 2026 Patch Tuesday (120+ CVEs, no zero-days)
- CVE-2026-34263 / CVE-2026-34260 — SAP Commerce Cloud pre-auth RCE, S/4HANA Enterprise Search SQL injection
- CERTFR-2026-AVI-0564 — SPIP < 4.4.14: multiple RCEs (public and private area)
- CERTFR-2026-AVI-0572 — Centreon Infra Monitoring: RCE / SQLi / XSS cluster (April 2026 bulletin)
- Microsoft MDASH — multi-model agentic vulnerability-discovery harness finds 16 Windows CVEs in network-stack kernel components
- NCSC-UK — "10 questions to ask when using AI models to find vulnerabilities"
- UPDATE: PAN-OS CVE-2026-0300 — first-wave patched builds released on 2026-05-13
- Škoda Auto Deutschland online-shop breach exposes customer PII and password hashes; logging gap prevents exfiltration confirmation
- UPDATE: Palo Alto PAN-OS CVE-2026-0300 — first-wave fixed builds now scheduled for 2026-05-13; until then interim mitigation remains the only option
- UPDATE: TeamPCP (UNC6780 / PCPJack ecosystem) backdoors the Checkmarx Jenkins AST plugin — third Checkmarx supply-chain compromise in three months, SANDCLOCK exfiltrates every CI secret reachable from the runner
- Pre-stage PAN-OS Captive Portal upgrade for the 2026-05-13 first-wave release; keep interim mitigation enforced until then
- Audit SIEM/XDR telemetry coverage as a percentage of host inventory; the South Staffordshire 5%-coverage finding is the operational lesson
- CVE-2026-0300 — Palo Alto PAN-OS Captive Portal unauthenticated root RCE; CL-STA-1132 active since 2026-04-09; no patch until 2026-05-13
- CVE-2026-6973 + CVE-2026-5787 — Ivanti EPMM on-prem pre-auth chain to admin RCE; 508 EU instances internet-exposed; named EU victims include the European Commission
- CVE-2026-31431 "Copy Fail" + CVE-2026-43284 / CVE-2026-43500 "Dirty Frag" — Linux kernel LPE pair confirmed in complementary post-compromise campaigns
- CVE-2026-42208 LiteLLM Proxy — pre-auth SQL injection exposing upstream LLM-provider API keys at the multi-tenant SaaS layer
- CVE-2026-44128 et al. — SEPPmail Secure Email Gateway: six-CVE cluster on the Swiss public sector's dominant email-encryption appliance
- CL-STA-1132 — PAN-OS CVE-2026-0300 exploitation cluster: disclosure-to-deadline-to-deadline-expiry inside the window
- cPanel / WHM — two emergency TSRs inside ten days: post-CVE-2026-41940 fleet now facing CVE-2026-29201/29202/29203
- CVE-2026-26030 + CVE-2026-25592 — Microsoft Semantic Kernel Python and .NET SDKs: a class-of-bug for agentic-AI frameworks
- CVE-2026-32202 — Windows Shell NTLM coercion; Akamai's PatchDiff-AI shows the residual zero-click path left by the CVE-2026-21510 patch
- DENIC .de DNSSEC outage — 3.5 h registry-side trust failure traced to keytag 33834 collision and an alerting-layer fire-without-page
- Kaspersky Q1 2026 Exploits and Vulnerabilities Report
- TeamPCP → PCPJack — cloud-worm successor evicting prior operator artefacts
- ENISA expands CVE Numbering Authority root — 4 new CNAs, 7 migrated from MITRE; ~90 European CNAs eligible for transfer
- CERT-FR CERTFR-2026-ACT-016 — agentic AI three-risk-class advisory; defender obligations explicit
- EU Cybersecurity Package 2026 — NIS2 amendment (COM(2026) 13) + Cybersecurity Act 2 enter EP preparatory phase; PQC obligation embedded
- NCSC Switzerland — formal BACS assessment on AI in vulnerability management; defenders warned against over-reliance on AI detection
- BSI flags Netgate pfSense Community Edition as critical-unpatched — CVE-2025-69690 / CVE-2025-69691 authenticated root RCE, vendor refuses to fix
- CVE-2026-6722 — PHP SOAP extension use-after-free in `SOAP_GLOBAL(ref_map)`, CVSS 9.5 (with companion CVE-2026-7261, CVE-2026-7262)
- UPDATE: Dirty Frag — Microsoft confirms limited in-the-wild exploitation; Red Hat, NCSC.ch, CCB Belgium publish coordinated advisories
- Hardening and mitigation
- Patch PHP across all web-facing infrastructure
- Apply Dirty Frag kernel backports — Microsoft now confirms in-the-wild
- Restrict pfSense CE management interfaces; assume no patch is coming
- CVE-2026-26030 / CVE-2026-25592 — Microsoft Semantic Kernel: prompt-injection-to-RCE in the Python and .NET SDKs of Microsoft's AI agent orchestration framework (CVSS 9.9 each)
- PCPJack — modular cloud-credential-theft worm displaces TeamPCP using five public CVEs and a multi-cloud key-harvesting pipeline
- UPDATE: Ivanti EPMM CVE-2026-6973 — KEV deadline expired today; ~850 internet-exposed instances globally with 508 in Europe; companion CVE-2026-5786/5788 ship in same patch
- UPDATE: cPanel/WHM second emergency TSR in 10 days — embargo lifted on CVE-2026-29202 (post-auth Perl RCE, CVSS 8.8), CVE-2026-29203 (CVSS 8.8), CVE-2026-29201 (CVSS 4.3)
- UPDATE: DENIC .de DNSSEC outage post-mortem — three private keys generated with the same Key Tag (33834); only one DNSKEY published
- Hardening / mitigation
- Patch Ivanti EPMM today — KEV deadline expired
- Upgrade Microsoft Semantic Kernel and audit `[KernelFunction]` methods
- Apply cPanel/WHM second-TSR patches now — embargo lifted, post-auth RCE is real
- LiteLLM Proxy KEV deadline tomorrow (2026-05-11) — patch and rotate every upstream key
- DENIC .de DNSSEC outage — faulty key rollover; 3.5 h disruption for German government and public-sector .de domains
- CVE-2026-43284 / CVE-2026-43500 — Linux "Dirty Frag": deterministic LPE chain via page-cache write primitives in xfrm-ESP and RxRPC, active exploitation confirmed
- CVE-2026-42208 — LiteLLM Proxy pre-authentication SQL injection: CISA KEV deadline 2026-05-11; all upstream LLM API keys at risk
- CVE-2026-44128 et al. — SEPPmail Secure Email Gateway: CVSS 9.3 unauthenticated RCE and five additional CVEs [SINGLE-SOURCE-NATIONAL-CERT carve-out + vendor]
- CVE-2026-40982 — Spring Cloud Config Server: pre-authentication path traversal, CVSS 9.8; all actively-maintained branches affected
- CVE-2025-68670 — xrdp pre-authentication stack overflow, arbitrary code execution [SINGLE-SOURCE]
- ENISA expands CVE Root: four new European organisations onboarded as CVE Numbering Authorities
- UPDATE: Ivanti EPMM CVE-2026-5787 / CVE-2026-6973 — KEV deadline TOMORROW (2026-05-10); EU victim organisations named; 508 internet-exposed EU instances
- UPDATE: CVE-2026-0300 — Palo Alto PAN-OS Captive Portal KEV deadline TODAY (2026-05-09); no patch exists; first patches expected 2026-05-13; CL-STA-1132 post-exploitation detail
- UPDATE: CVE-2026-31431 "Copy Fail" — CISA KEV deadline 2026-05-15 approaching; Microsoft documents Linux LPE cluster post-compromise chain
- Swiss and DACH Deployment Context
- CVE-2026-5787 / CVE-2026-6973 — Ivanti EPMM pre-auth certificate impersonation → admin RCE (CISA KEV deadline **2026-05-10**)
- CVE-2026-32202 — Windows Shell NTLM coercion / credential capture, APT28 active against EU governments (CISA KEV deadline **2026-05-12**)
- CVE-2026-5787 — Ivanti EPMM improper certificate validation (pre-auth Sentry impersonation, CVSS 9.1)
- CVE-2026-6973 — Ivanti EPMM admin API improper input validation → RCE (CVSS 7.2, CISA KEV deadline 2026-05-10)
- CVE-2026-32202 — Windows Shell NTLM coercion, APT28 ITW (CVSS 4.3, CISA KEV deadline 2026-05-12)
- GLPI CERTFR-2026-AVI-0551 — Seven CVEs including SSRF and XSS in EU ITSM platform (advisory 2026-04-29)
- Kaspersky Q1 2026 Exploits and Vulnerabilities Report: document-based exploits resurge; RaaS acquires zero-days
- UPDATE — CVE-2026-0300 (PAN-OS Captive Portal unauthenticated root RCE): CISA KEV deadline is **today (2026-05-09)**; no patch until 2026-05-13