Zero-Days & CVEs

Stories 73
Sources 183
Updated 2026.06.10
Attackers exploit unpatched Langflow flaw CVE-2026-5027 to run code on exposed AI workflow servers
Attackers are exploiting a security hole in Langflow that can let outsiders take over internet-exposed servers without logging in. The flaw, CVE-2026-5027, is an unauthenticated remote-code-execution bug in Langflow, an open-source tool for building AI workflows; one of the cited reports describes the underlying weakness as path traversal. Exploitation means attackers can send crafted requests to run their own commands on vulnerable systems, and no patch is available yet. — Organizations using Langflow should treat this as urgent because an exposed server can be fully compromised with no valid account needed. If you run Langflow, take it off the public internet or put it behind an authenticating proxy, apply any vendor mitigations, review the host for signs of compromise, and patch as soon as a fix is released.
Sources: Unpatched Langflow Flaw CVE-2026-5027 Exploited for Unauthenticated RCE, Path traversal flaw in AI dev platform Langflow exploited in attacks
Microsoft says three publicly dumped Windows zero-days are already being exploited after Nightmare Eclipse disclosures
A researcher’s public release of six Windows zero-days has already led attackers to exploit three of them, and Microsoft says more unpatched flaws remain. Microsoft named the bugs as RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma; it said BlueHammer, RedSun, and UnDefend saw attacks after proof-of-concept exploit code was posted, while YellowKey is tracked as CVE-2026-45585 and, along with GreenPlasma and MiniPlasma, still lacks a fix. — Windows defenders may have little time between public disclosure and real-world attacks, especially when proof-of-concept exploit code is available. Organizations should review Microsoft mitigations immediately, monitor for compromise tied to these bug names and CVE-2026-45585, and prioritize hardening or temporary workarounds where patches do not yet exist.
Sources: Disgruntled 0-day hunter 'humiliated' by Microsoft pledges 'bone shattering drop' as Redmond calls cops, Microsoft calls zero-day releases ‘never justifiable’ as researcher threatens to drop more, Microsoft says it will not pursue security researchers after zero-day backlash (+7 more)
Researcher releases RoguePlanet Windows zero-day that can give SYSTEM access on patched Windows 10 and 11
A security researcher published a new Windows zero-day exploit that can give an attacker full SYSTEM privileges on fully patched consumer PCs. The proof-of-concept, dubbed RoguePlanet, abuses a race condition in Microsoft Defender to achieve local privilege escalation on Windows 10 and Windows 11 systems with June 2026 updates installed; the researcher says earlier versions also enabled remote code execution through malicious .vhd(x) files on remote SMB shares and BitLocker bypass paths, but the currently released exploit is validated primarily as local escalation and reportedly does not yet work on Windows Server. — This matters because a public exploit can help malware or intruders turn limited access on a Windows machine into full control even after current patches are installed. Organizations should watch for Microsoft guidance, restrict untrusted SMB and disk-image handling where possible, and prioritize detection for SYSTEM-level escalation from Defender-related activity.
Sources: New Windows Zero-Day Exploit ‘RoguePlanet’ Released, Angry bug hunter with Microsoft beef drops new Windows 0-day
ShinyHunters targets Oracle PeopleSoft servers in data-theft attacks against more than 100 organizations
Oracle PeopleSoft customers are being hit in ongoing break-ins and extortion attacks that ShinyHunters says have affected more than 100 organizations and 300 PeopleSoft instances. The campaign reportedly targets both cloud and on-premises PeopleSoft deployments, with the attackers claiming to use a chain of older bugs and at least one zero-day, though no CVE has been confirmed by Oracle. Reported evidence includes extortion notes, exposed attacker tooling, and IP-based indicators of compromise tied to infrastructure previously linked to ShinyHunters. — PeopleSoft is widely used for payroll, HR, finance, procurement, and student systems, so a compromise can expose highly sensitive employee, customer, or student data. Organizations running PeopleSoft should urgently review logs for the listed IPs, investigate possible unauthorized SSH access, and prepare incident response while waiting for Oracle guidance.
Sources: Oracle PeopleSoft servers hacked in ShinyHunters data theft attacks
Cisco discloses exploited Catalyst SD-WAN Manager zero-day CVE-2026-20245 with no patch yet
Cisco says attackers are exploiting a new zero-day in Catalyst SD-WAN Manager, and affected organizations do not yet have a patch. The flaw, CVE-2026-20245, is a command-injection vulnerability in the command-line interface that lets an authenticated attacker with netadmin privileges execute arbitrary commands as root by uploading a crafted file. Cisco said exploitation has been limited but that it observed cases where attackers pushed configuration changes to edge devices, and it published indicators of compromise. Because netadmin rights are a prerequisite, any exploitation implies the attacker already held or stole privileged SD-WAN Manager credentials, so the response has to include credential review, not just patching. — Organizations running Cisco Catalyst SD-WAN Manager face an actively exploited flaw that can give attackers root on the controller and the ability to push configuration to the fabric, with no fix available yet. Defenders should urgently check Cisco's indicators of compromise, review and restrict netadmin accounts, audit recent configuration pushes to edge devices, hunt for abuse of the other SD-WAN flaws exploited this year, and prepare to patch as soon as Cisco releases updates.
Sources: Cisco Warns of 7th SD-WAN Zero-Day Exploited in 2026, Cisco warns of unpatched SD-WAN zero-day exploited in attacks, Yet another Cisco SD-WAN 0-day under attack, and no patch in sight (+2 more)
Google patches exploited Chrome zero-day CVE-2026-11645 in Chrome 149
Google released a Chrome 149 security update that fixes an actively exploited browser flaw, putting Chrome users at risk until they update. The zero-day, CVE-2026-11645, is a high-severity out-of-bounds read/write bug in the V8 JavaScript engine that can let a remote attacker run code inside Chrome’s sandbox via a specially crafted HTML page; exploitation likely requires chaining with a separate sandbox-escape flaw for full compromise. Google said the bug was reported in late April by an anonymous researcher. — Anyone using Chrome should update promptly because this flaw is already being used in real attacks. Even though the code runs inside Chrome’s sandbox, browser zero-days are high-priority because attackers often combine them with other bugs to fully compromise devices.
Sources: Google Patches 5th Chrome Zero-Day Exploited in 2026, Google patches new Chrome zero-day flaw exploited in the wild, Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now (+2 more)
Arista says exploited EOS flaw CVE-2026-7473 will not be patched and affected switch owners must use mitigations
Arista says hackers have exploited a flaw in its EOS network operating system, and some affected switch platforms will not get a software fix. The issue, CVE-2026-7473, affects certain Arista devices configured as tunnel endpoints and can cause them to accept and decapsulate unconfigured tunnel traffic sent to the same IP address. Arista says impacted products include 7020R, 7280R/R2, and 7500R/R2 series, with some IPv6 decapsulation scenarios also affecting 7280R3, 7500R3, and 7800R3. CISA has added the bug to its Known Exploited Vulnerabilities list. — Organizations using affected Arista switches may be exposed right now, and there is no vendor patch planned, so this is a mitigation-or-replace situation rather than a routine update. Network defenders should identify affected tunnel configurations immediately, apply Arista's workarounds, and prioritize review because CISA says the flaw is being actively exploited.
Sources: No Patch Planned for Exploited Arista EOS Vulnerability, CISA Adds Cisco, Chrome, and Arista Flaws to KEV Catalog Amid Active Exploitation
CISA adds actively exploited Microsoft Exchange Server XSS flaw CVE-2026-42897 to KEV catalog
CISA on May 15, 2026 added CVE-2026-42897, a Microsoft Exchange Server cross-site scripting vulnerability, to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation; Microsoft has released a fix for the flaw, which was exploited as a zero-day. Under BOD 22-01, federal civilian agencies must remediate by CISA's due date, and CISA urged all organizations to prioritize patching KEV-listed flaws. — Cross-site scripting in a mail server is exploited through users' browser sessions, so it is typically used to act as a logged-in user rather than to take over the server outright, but active exploitation still raises immediate risk for organizations running the product, especially federal agencies subject to KEV deadlines. Defenders should identify exposed Exchange instances, apply the Microsoft update, and review web access logs for unusual requests while the update is rolled out.
Sources: CISA Adds One Known Exploited Vulnerability to Catalog, Microsoft patches Exchange Server zero-day exploited in attacks
Microsoft June 2026 Patch Tuesday fixes 200 flaws, including Windows zero-days CVE-2026-45586 and CVE-2026-50507
Microsoft released its June 2026 security updates to fix 200 vulnerabilities, including three publicly disclosed zero-days in Windows. The zero-days include CVE-2026-45586, a local privilege-escalation flaw in the Windows Collaborative Translation Framework (CTFMON) that can grant SYSTEM access, CVE-2026-49160 in HTTP.sys, and CVE-2026-50507, a BitLocker security-feature bypass requiring physical access. Microsoft says none of the three were known to be exploited at patch time. — Windows systems across enterprises and consumer devices may be exposed to newly public attack methods until they are patched. Organizations should prioritize June Patch Tuesday deployment and review Microsoft’s HTTP.sys mitigation guidance, while users should install Windows updates promptly.
Sources: Microsoft June 2026 Patch Tuesday fixes 3 zero-day, 200 flaws, Windows 11 KB5094126 & KB5093998 cumulative updates released, Microsoft releases Windows 10 KB5094127 extended security update (+6 more)
Claroty finds critical remote-attack flaws in Vertiv UPS cards and Trane Tracer SC+ HVAC controllers used in data centers
Researchers found critical vulnerabilities in Vertiv UPS network cards and Trane Tracer SC+ HVAC controllers that could let hackers remotely disrupt power protection and cooling systems in data centers and other facilities. Claroty reported authentication-bypass and remote-code-execution flaws in Vertiv cards, and authentication bypass, remote code execution, denial-of-service, and sensitive-information exposure issues in Trane Tracer SC+ building-management controllers; the vendors have issued patches, but the article does not list CVE IDs or affected versions. — These products help keep servers powered and cool, so successful attacks could cause outages, hardware damage, or forced shutdowns. Organizations using Vertiv UPS management cards or Trane Tracer SC+ should identify exposed systems and apply vendor patches and mitigations quickly.
Sources: Critical HVAC and UPS Vulnerabilities Could Let Hackers Disrupt Data Centers
Ivanti patches two critical Sentry flaws, including root remote-code-execution bug CVE-2026-10520
Ivanti released emergency security updates for its Sentry mobile gateway after finding two critical flaws that could let attackers take over affected systems. The bugs are CVE-2026-10520, a maximum-severity OS command injection issue that can enable remote code execution as root, and CVE-2026-10523, an authentication bypass that can let unauthenticated attackers create rogue admin accounts. Fixes are in Sentry versions R10.5.2, R10.6.2, and R10.7.1; Ivanti said it has no evidence of active exploitation at disclosure. — Organizations using Ivanti Sentry should update immediately because these bugs could hand an attacker full control of a gateway that sits between mobile devices and internal corporate systems. Even without confirmed in-the-wild abuse yet, Ivanti edge and management products have a strong history of rapid post-disclosure exploitation.
Sources: Ivanti: Max severity Sentry flaw allows code execution as root, Critical Vulnerabilities Patched in Fortinet, Ivanti Products, Ivanti tells Sentry customers to patch now as critical bugs hit 10.0 and 9.9
Microsoft issues mitigations for YellowKey Windows BitLocker bypass zero-day tracked as CVE-2026-45585
Microsoft said it is tracking the publicly disclosed YellowKey Windows BitLocker security feature bypass as CVE-2026-45585 and published mitigations pending a security update. The flaw can allow access to BitLocker-protected drives by abusing specially crafted FsTx files and WinRE behavior; Microsoft recommends disabling autofstx.exe auto-start in WinRE and requiring BitLocker TPM+PIN startup authentication. — Organizations and users relying on BitLocker for device-at-rest protection may need to apply mitigations immediately because PoC details are public and a fix is not yet available. Defenders should review BitLocker startup settings and WinRE configuration now.
Sources: Microsoft shares mitigation for YellowKey Windows zero-day, Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit, Microsoft Rolls Out Mitigations for ‘YellowKey’ BitLocker Bypass (+7 more)
ServiceNow says attackers exploited an unauthenticated API flaw to access data in some customer instances
ServiceNow told affected customers that attackers accessed data from some hosted customer instances through a flaw in an API endpoint. The company said it applied a security update on June 5, 2026 to require authentication for the affected endpoint, reportedly /api/now/related_list_edit/create, after detecting anomalous activity. ServiceNow has not yet assigned a CVE, and says the issue mainly affects customers on the Australia release or older releases with certain configuration changes. — Organizations using affected ServiceNow instances may have exposed sensitive ticket, employee, asset, and incident-response data, including credentials or tokens pasted into support workflows. This is urgent for affected customers: review logs and exposed records immediately, check for requests to the vulnerable endpoint, and rotate any secrets that may have been accessible.
Sources: ServiceNow discloses security incident exposing customer data, ServiceNow Flaw Exploited to Gain Unauthorized Access to Customer Instances, ServiceNow Patches Vulnerability Exploited Against Some Customers
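The recommended check above, "look for requests to the vulnerable endpoint", as an added example that is not from the cited reports or from ServiceNow. It assumes a generic combined-format web access log (client IP, authenticated user or "-", timestamp, request line, status), not ServiceNow's own log schema, and it assumes timestamps are in UTC so they can be compared with the June 5, 2026 date on which authentication was enforced. The sample log lines are constructed; 203.0.113.7 plays the attacker.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Endpoint named in the reports; any request to it is a hit worth a look.
VULN_ENDPOINT = "/api/now/related_list_edit/create"
# ServiceNow says it required authentication on the endpoint from June 5, 2026.
# Assumption: log timestamps are UTC, so a direct comparison is valid.
PATCH_APPLIED = datetime(2026, 6, 5, tzinfo=timezone.utc)

# Combined-log-style line: ip, ident, auth user, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["target"].split("?", 1)[0].rstrip("/")   # drop query string
    rec["status"] = int(rec["status"])
    return rec

def classify(rec):
    """Severity for a hit on the vulnerable endpoint, or None if the record is not a hit."""
    if rec["path"] != VULN_ENDPOINT:
        return None
    unauthenticated = rec["user"] == "-"
    succeeded = 200 <= rec["status"] < 300
    if unauthenticated and succeeded and rec["ts"] < PATCH_APPLIED:
        return "high"   # anonymous request served before auth was enforced: assume data left
    if unauthenticated:
        return "low"    # anonymous attempt that was rejected, e.g. after the fix
    return "info"       # authenticated use: expected, but confirm the user and the volume

def hunt(lines):
    """Return one finding per hit on the endpoint, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        severity = classify(rec)
        if severity:
            findings.append({"severity": severity, "ip": rec["ip"], "user": rec["user"],
                             "ts": rec["ts"].isoformat(), "status": rec["status"],
                             "size": rec["size"]})
    return findings

def sources_by_severity(findings, severity="high"):
    """Count source IPs for a given severity, to see who pulled data and how often."""
    return Counter(f["ip"] for f in findings if f["severity"] == severity)

# Constructed sample log (not real ServiceNow data).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jun/2026:02:11:05 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 200 4812 "-" "python-requests/2.32"
203.0.113.7 - - [03/Jun/2026:02:11:06 +0000] "POST /api/now/related_list_edit/create?sysparm_limit=500 HTTP/1.1" 200 91023 "-" "python-requests/2.32"
198.51.100.20 - jdoe [04/Jun/2026:09:30:00 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 200 1200 "https://example.service-now.com/" "Mozilla/5.0"
198.51.100.20 - jdoe [04/Jun/2026:09:31:00 +0000] "GET /api/now/table/incident HTTP/1.1" 200 8841 "https://example.service-now.com/" "Mozilla/5.0"
203.0.113.7 - - [06/Jun/2026:00:02:00 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 401 0 "-" "python-requests/2.32"
192.0.2.5 - - [06/Jun/2026:01:00:00 +0000] "GET /login.do HTTP/1.1" 200 3301 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for finding in results:
        print(finding)
    print("high-severity sources:", dict(sources_by_severity(results)))
```

The response-size field is kept in each finding on purpose: large successful anonymous responses before the fix date are the records to treat as confirmed exposure, and the set of users and IPs in the "info" findings is what you compare against known integrations before deciding a hit is benign.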
Fortinet patches critical FortiSandbox bug CVE-2026-25089 that lets attackers run code without logging in
Fortinet fixed a critical flaw in FortiSandbox that could let an attacker take over affected appliances over the internet without a password. The bug, CVE-2026-25089, is an OS command injection issue in the FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS web interface, exploitable via crafted HTTP requests for arbitrary command execution. Fixes shipped in FortiSandbox 5.0.6 and 4.4.9, FortiSandbox Cloud 5.0.6, and FortiSandbox PaaS 5.0.6; Fortinet also patched two medium-severity flaws in FortiOS, FortiProxy, and FortiPortal. — Organizations using FortiSandbox should update quickly because this is the kind of bug that can allow full remote compromise of a security appliance. Even though Fortinet says it has no evidence of attacks yet, internet-facing management interfaces are high-risk and should be patched or tightly restricted immediately.
Sources: Critical Vulnerabilities Patched in Fortinet, Ivanti Products
Anthropic says it plans broader release of Mythos-class AI bug-finding models after expanding restricted access to governments
Anthropic says it intends to eventually make Mythos-class vulnerability-finding artificial intelligence available more broadly, but for now is expanding its restricted Project Glasswing program to additional partners including U.S. and allied governments. The company says Mythos has scanned more than 1,000 open-source projects, estimated 6,202 high-or-critical-severity vulnerabilities and 23,019 total flaws, and validated many findings through coordinated disclosure; no CVE list or release date for public access was provided. — This matters because a powerful AI system for finding software flaws could help defenders patch faster, but could also accelerate criminal discovery of exploitable bugs if released without effective guardrails. Security teams should expect faster vulnerability discovery pressure in widely used open-source components and be prepared for heavier disclosure and patching volume.
Sources: Anthropic to release Mythos-class models to the public, Anthropic: Mythos Detected 23,000 Potential Vulnerabilities Across 1,000 OSS Projects, Anthropic’s restricted Claude Mythos model may be coming to Claude Code (+7 more)
HTTP/2 Bomb denial-of-service attack chain hits default NGINX, Apache, IIS, Envoy and Pingora web server setups
Researchers say a new HTTP/2 attack chain can knock major web servers offline within seconds, potentially affecting more than 880,000 websites using default configurations. The technique combines an HPACK header-compression bomb with Slowloris-style connection holding to exhaust memory: HPACK lets a client place one large header in the server's dynamic table and then repeat it with a single indexed byte per reference, so a few kilobytes on the wire can decode to tens of megabytes of headers, and holding many such connections open keeps that memory allocated. The chain builds on CVE-2016-6581, CVE-2016-8740, CVE-2016-1546, Apache's 2025 fix CVE-2025-53020, and newly assigned Apache CVE-2026-49975. NGINX reportedly fixed the issue in April, Apache in late May, while Microsoft IIS, Envoy, and Cloudflare Pingora had not yet been patched at publication. — Organizations running internet-facing HTTP/2 servers could be taken offline by a relatively low-resource attacker, so this is operationally urgent even though it is a denial-of-service issue rather than data theft. Admins should review vendor advisories, apply available fixes for NGINX and Apache, and add mitigations such as connection limits, header-size limits, and rate limiting for IIS, Envoy, and Pingora until patches arrive.
Sources: ‘HTTP/2 Bomb’ Exploit Knocks Web Servers Offline in Seconds, New 'HTTP/2 Bomb' DoS attack crashes web servers in under a minute, OpenAI's agent chained decade-old DoS attacks to crash web servers in seconds (+2 more)
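The amplification that an HPACK bomb relies on, as an added example; this is a deliberately small model of RFC 7541 written for this page, not code from any of the servers or researchers mentioned. It implements HPACK integer and string coding, a dynamic table with the default 4096-byte limit, and the indexed and literal representations, but omits Huffman coding and the static table because the bomb needs neither. `build_header_bomb` is the constructed attacker input; `HpackDecoder(max_header_list_size=...)` is the hardened decoder that stops once the decoded header list passes a cap, which is the check SETTINGS_MAX_HEADER_LIST_SIZE exists to enforce.

```python
# Minimal HPACK (RFC 7541) model: integer/string coding, a dynamic table, and the
# indexed and literal representations. No Huffman coding and no static table.
STATIC_TABLE_SIZE = 61      # RFC 7541 Appendix A; dynamic entries start at index 62
ENTRY_OVERHEAD = 32         # RFC 7541 §4.1: entry size = len(name) + len(value) + 32

def encode_int(value, prefix_bits, flags=0):
    """Integer with an N-bit prefix (RFC 7541 §5.1); `flags` are the high bits of byte 0."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out = bytearray([flags | limit])
    value -= limit
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)

def decode_int(data, pos, prefix_bits):
    limit = (1 << prefix_bits) - 1
    value = data[pos] & limit
    pos += 1
    if value < limit:
        return value, pos
    shift = 0
    while True:
        byte = data[pos]
        pos += 1
        value += (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos

def encode_str(text):
    raw = text.encode("latin-1")
    return encode_int(len(raw), 7) + raw        # H bit clear: raw octets, no Huffman

def decode_str(data, pos):
    if data[pos] & 0x80:
        raise NotImplementedError("Huffman-coded strings are outside this model")
    length, pos = decode_int(data, pos, 7)
    return data[pos:pos + length].decode("latin-1"), pos + length

def entry_size(name, value):
    return len(name) + len(value) + ENTRY_OVERHEAD

class HpackDecoder:
    def __init__(self, max_table_size=4096, max_header_list_size=None):
        self.max_table_size = max_table_size              # SETTINGS_HEADER_TABLE_SIZE default
        self.max_header_list_size = max_header_list_size  # None = unbounded: the weak setting
        self.dynamic = []                                 # newest entry first
        self.dynamic_bytes = 0

    def _add(self, name, value):
        size = entry_size(name, value)
        while self.dynamic and self.dynamic_bytes + size > self.max_table_size:
            old_name, old_value = self.dynamic.pop()      # evict oldest entries first
            self.dynamic_bytes -= entry_size(old_name, old_value)
        if size <= self.max_table_size:                   # oversized entries are dropped, not stored
            self.dynamic.insert(0, (name, value))
            self.dynamic_bytes += size

    def _lookup(self, index):
        if index <= STATIC_TABLE_SIZE:
            raise NotImplementedError("static table omitted from this model")
        slot = index - STATIC_TABLE_SIZE - 1
        if slot >= len(self.dynamic):
            raise ValueError("index %d is not in the dynamic table" % index)
        return self.dynamic[slot]

    def _name(self, block, pos, index):
        return decode_str(block, pos) if index == 0 else (self._lookup(index)[0], pos)

    def decode(self, block):
        headers, decoded_size, pos = [], 0, 0
        while pos < len(block):
            first = block[pos]
            if first & 0x80:                              # 1xxxxxxx: indexed header field
                index, pos = decode_int(block, pos, 7)
                name, value = self._lookup(index)
            elif first & 0x40:                            # 01xxxxxx: literal, added to the table
                index, pos = decode_int(block, pos, 6)
                name, pos = self._name(block, pos, index)
                value, pos = decode_str(block, pos)
                self._add(name, value)
            elif first & 0x20:                            # 001xxxxx: table size update
                raise NotImplementedError("dynamic table size update not modelled")
            else:                                         # 0000/0001: literal, not added
                index, pos = decode_int(block, pos, 4)
                name, pos = self._name(block, pos, index)
                value, pos = decode_str(block, pos)
            # Running total of what the header list costs once decoded; this is the
            # figure SETTINGS_MAX_HEADER_LIST_SIZE is meant to bound.
            decoded_size += entry_size(name, value)
            if self.max_header_list_size is not None and decoded_size > self.max_header_list_size:
                raise ValueError("header list exceeds %d bytes, abort" % self.max_header_list_size)
            headers.append((name, value))
        return headers

def build_header_bomb(value_len=4000, refs=10000):
    """One large literal that enters the dynamic table, then `refs` one-byte references to it."""
    block = bytearray(encode_int(0, 6, 0x40))        # literal with incremental indexing, literal name
    block += encode_str("x") + encode_str("A" * value_len)
    block += bytes([0x80 | (STATIC_TABLE_SIZE + 1)]) * refs   # 0xBE: indexed field 62
    return bytes(block)

def amplification(block):
    """(wire bytes, decoded header-list bytes, ratio) for a decoder with no list-size cap."""
    decoded = sum(entry_size(n, v) for n, v in HpackDecoder().decode(block))
    return len(block), decoded, decoded / len(block)

if __name__ == "__main__":
    wire, decoded, ratio = amplification(build_header_bomb())
    print("wire=%d bytes decoded=%d bytes ratio=%.0fx" % (wire, decoded, ratio))
```

With the defaults the block is about 14 KB on the wire and decodes to roughly 40 MB of header-list accounting, a ratio near 2900:1; Python shares the string object between entries, but a decoder that copies each header into a request buffer pays the full amount, and one connection per stream held open Slowloris-style is what turns that into sustained memory pressure. Note that the entry must fit the advertised table size (4033 bytes here against the 4096-byte default), otherwise `_add` drops it and every later reference fails with an index error, which is the correct decoder behaviour rather than a bypass.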
Public zero-day in VS Code and github.dev can steal GitHub tokens and expose private repositories
A newly disclosed Visual Studio Code flaw can let attackers steal a victim’s GitHub sign-in token with a single click on a malicious link, potentially exposing all private repositories that account can access. Researcher Ammar Askar published proof-of-concept exploit code on June 3, 2026; no CVE has been assigned and no official patch is available. The bug abuses message passing between sandboxed webviews and the main editor in github.dev, allowing a malicious extension to be installed and to extract a broad GitHub OAuth token. — Developers, maintainers, and employees who use github.dev or VS Code-linked GitHub workflows could have source code and other private repository data exposed before a fix is available. Until Microsoft and GitHub ship a patch, users should treat github.dev links with suspicion, and clear github.dev cookies and site data so that any extension sign-in has to be prompted explicitly and an unexpected prompt stands out as a warning sign.
Sources: VS Code zero-day lets hackers steal GitHub tokens in one click, One-Click GitHub Dev Attack Lets Attackers Steal Full GitHub OAuth Tokens, Another bug hunter leaks Microsoft exploits in defiance of company’s handling of vulnerability disclosures (+3 more)
SAP fixes critical NetWeaver and Commerce flaws including NetWeaver SAML bug CVE-2026-44748
SAP released June 2026 security updates for critical flaws in NetWeaver, Commerce Cloud, and Data Hub that could let attackers access sensitive data, crash systems, or bypass normal protections. The most severe issues are CVE-2026-44748, an XML Signature Wrapping flaw in NetWeaver AS ABAP and ABAP Platform SAML authentication rated 9.9; CVE-2026-27671, a 9.8 memory-corruption bug in the SAP kernel's RFC handling affecting NetWeaver and ABAP Platform; CVE-2026-22732, a 9.1 Spring Security header-handling issue affecting Commerce Cloud and Data Hub; and CVE-2026-40128, a 9.0 directory traversal flaw in NetWeaver Application Server Java reachable through crafted HTTP logon requests. — SAP systems often sit at the core of large companies' business operations, so critical flaws in NetWeaver and Commerce can have broad operational and data-security impact. Organizations using affected SAP products should review SAP's June 2026 notes, apply patches promptly, and use temporary mitigations such as disabling SAML where needed until updates are installed.
Sources: SAP Patches Critical NetWeaver, Commerce Vulnerabilities, SAP fixes critical flaws in NetWeaver and Commerce Cloud
Adobe patches 123 security flaws across Experience Manager, ColdFusion, Acrobat, Campaign Classic and other products
Adobe released security updates fixing 123 vulnerabilities across 11 products, affecting organizations and users running Experience Manager, ColdFusion, Acrobat Reader and other Adobe software. The biggest group is 57 flaws in Adobe Experience Manager, while ColdFusion and Campaign Classic include the highest-priority issues, with two Campaign Classic remote-code-execution bugs rated CVSS 10. Adobe said it has no evidence of in-the-wild exploitation and did not list CVE IDs in this report, but marked the ColdFusion and Campaign Classic issues as priority 1, meaning exploitation is more likely. — Organizations using Adobe server products should review and apply these updates promptly, especially for ColdFusion and Campaign Classic, because remote-code-execution bugs can let attackers take over systems. End users should update Acrobat and Reader through normal patch channels.
Sources: Adobe Patches 123 Vulnerabilities
OpenSSL patches high-severity PKCS#7 verification flaw CVE-2026-45447 and 17 other vulnerabilities
OpenSSL released new versions to fix a high-severity bug that can crash applications and may allow remote code execution when they verify a specially crafted signed message. The main issue, CVE-2026-45447, is a heap use-after-free in PKCS7_verify() triggered by a malformed PKCS#7 or S/MIME SignedData digestAlgorithms field; OpenSSL also patched 17 other flaws ranging from low to moderate severity affecting certificate handling, encryption integrity, denial of service, and possible code execution paths. — OpenSSL is embedded in many servers, appliances, and applications, so this can affect far more systems than organizations realize. Teams should identify where OpenSSL is deployed and apply the new releases promptly, especially in products or services that process S/MIME or PKCS#7 signed content.
Sources: OpenSSL Patches High-Severity Vulnerability Found With AI
Veeam patches critical Backup & Replication flaw CVE-2026-44963 that lets domain users run code on backup servers
Veeam released fixes for a critical flaw in its Backup & Replication software that could let a low-privilege domain user take over a backup server. The issue, CVE-2026-44963, affects Veeam Backup & Replication 12.3.2.4465 and all earlier version 12 builds when the backup server is joined to a Windows domain; it was fixed in version 12.3.2.4854, and Veeam says version 13.x is not affected due to architectural changes. — Backup servers are high-value targets because attackers and ransomware gangs use them to steal data and destroy recovery options. Organizations running affected Veeam versions should update immediately and review whether backup servers are unnecessarily joined to a domain.
Sources: New Veeam vulnerability exposes backup servers to RCE attacks, Veeam Backup & Replication RCE Flaw Lets Domain Users Run Remote Code
Check Point patches exploited VPN authentication-bypass zero-day CVE-2026-50751 tied to Qilin ransomware activity
Check Point says attackers used a zero-day flaw to break into some of its VPN systems, and at least one confirmed follow-on intrusion was linked to the Qilin ransomware operation. The main issue, CVE-2026-50751, is an unauthenticated authentication-bypass bug affecting Remote Access VPN, Mobile Access / SSL VPN, and Spark gateways when configured with deprecated IKEv1, legacy clients, and no mandatory machine certificate; Check Point also disclosed CVE-2026-50752, an IKEv1 certificate-validation flaw that could enable man-in-the-middle attacks on site-to-site VPNs. Exploitation began May 7 and has hit a few dozen organizations globally. — Organizations using affected Check Point VPN setups could be exposed to break-ins without valid credentials, with ransomware risk if attackers get in. This is urgent: apply Check Point's updates immediately or disable IKEv1, require machine certificates, and follow the vendor's mitigations.
Sources: Check Point links VPN zero-day attacks to Qilin ransomware gang, Ransomware crims got a month-long head start on Check Point VPN 0-day that now has a fix, CISA gives feds 3 days to patch Check Point VPN bug exploited as zero-day (+1 more)
Zcash fixes critical Orchard privacy-pool flaw that could have let attackers create fake ZEC
Zcash fixed a critical vulnerability in its Orchard shielded transaction system that could have allowed attackers to generate counterfeit ZEC while transactions still appeared valid. Security researcher Taylor Hornby found the issue on May 29 while auditing Orchard; the bug was a failed transaction-input validation check in the zero-knowledge proof workflow, affecting the Orchard privacy pool introduced in 2022. No CVE is cited, and it is unclear whether the flaw was exploited before the fix. — This is the kind of bug that can undermine trust in a cryptocurrency by allowing undetectable fraudulent coin creation. Zcash users, exchanges, and infrastructure operators should confirm they are running the patched software and watch for any follow-up guidance on possible past exploitation.
Sources: Critical Zcash Vulnerability Found and Fixed
Unpatched Gogs zero-day lets attackers run code on self-hosted Git servers
A newly disclosed flaw in Gogs can let attackers take over internet-exposed code servers if they can register a normal user account. The unpatched argument-injection vulnerability, not yet assigned a CVE, affects Gogs 0.14.2 and 0.15.0+dev and is triggered during the "Rebase before merging" pull-request flow; because open registration is enabled by default, many default-configured servers may be reachable by unauthenticated attackers who simply sign up first. Rapid7 says successful exploitation can lead to remote code execution as the server process user, access to private repositories, and theft of password hashes, API tokens, SSH keys, and 2FA secrets. — Organizations running self-hosted Gogs should treat this as urgent because exposed servers can be compromised even without an existing attacker account. Until a fix is available, admins should disable open registration, restrict internet exposure, and review whether rebase-merging can be turned off or tightly limited.
Sources: New Gogs zero-day flaw lets hackers get remote code execution, Critical Gogs RCE Vulnerability Lets Any Authenticated User Execute Arbitrary Code, Gogs Zero-Day Exposes Servers to Remote Code Execution (+2 more)
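What "argument injection in a rebase flow" means in practice, as an added example; the reports do not show the Gogs code, so the helper below is a hypothetical server-side merge routine written for this page, not Gogs's implementation. It assumes the usual shape of such a flow (branch names from the pull request placed into a `git rebase` argv) and a git new enough to honour `--end-of-options` (2.24 or later). The validator follows the rules in git-check-ref-format(1); nothing here invokes git, so it runs without a repository.

```python
import re

# Hypothetical merge helper, modelled on a "rebase before merging" flow.
def rebase_argv_vulnerable(base_branch, head_branch):
    # Branch names go straight into argv after the subcommand. git's option parser
    # treats any argument starting with '-' as an option, so a head branch named
    # "--exec=touch /tmp/pwned" turns into `git rebase --exec=... main` and the
    # command runs with the server process's privileges.
    return ["git", "rebase", base_branch, head_branch]

# Characters git-check-ref-format(1) forbids anywhere in a ref: control characters,
# space, DEL, and ~ ^ : ? * [ \ .
_BAD_CHARS = re.compile(r"[\x00-\x20\x7f~^:?*\[\\]")

def is_safe_refname(name):
    """Reject names git would refuse as refs or parse as options (check-ref-format rules)."""
    if not name or name == "@" or name.startswith("-"):
        return False
    if ".." in name or "@{" in name or "//" in name:
        return False
    if name.endswith("/") or name.endswith(".") or _BAD_CHARS.search(name):
        return False
    for component in name.split("/"):
        if not component or component.startswith(".") or component.endswith(".lock"):
            return False
    return True

def rebase_argv_hardened(base_branch, head_branch):
    for name in (base_branch, head_branch):
        if not is_safe_refname(name):
            raise ValueError("refusing unsafe ref name: %r" % name)
    # Belt and braces: --end-of-options (git 2.24+) stops option parsing, so even a
    # dash-prefixed name that slipped past validation would be read as a ref.
    return ["git", "rebase", "--end-of-options", base_branch, head_branch]

def option_like_args(argv):
    """Arguments after the subcommand that git's parser would read as options."""
    found = []
    for arg in argv[2:]:
        if arg in ("--", "--end-of-options"):
            break
        if arg.startswith("-"):
            found.append(arg)
    return found

if __name__ == "__main__":
    evil = "--exec=touch /tmp/pwned"          # constructed attacker-chosen branch name
    print("vulnerable argv:", rebase_argv_vulnerable("main", evil))
    print("parsed as options:", option_like_args(rebase_argv_vulnerable("main", evil)))
    print("hardened argv:", rebase_argv_hardened("main", "feature/login-fix"))
```

The same two controls apply to any place a server hands user-named refs, remotes, paths or URLs to a git subprocess: validate against git's own ref grammar on the way in, and put an end-of-options marker in front of positional arguments on the way out. The first control is what blocks the attack; the second is there for the day a later validator change lets something through.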
Chained UniFi OS Server flaws CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 can give attackers root access without logging in
Researchers say attackers can take over vulnerable UniFi OS Server systems without a password and gain full root control. Bishop Fox showed that three patched bugs in UniFi OS Server 5.0.6 and earlier—CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910—can be chained from the network to bypass authentication, read files, and trigger command injection, leading to remote code execution and trivial privilege escalation via passwordless sudo. — UniFi OS Server can manage core business systems such as networking, cameras, and door access, so compromise can hand attackers broad control of an organization’s environment. Organizations using affected versions should patch immediately and check for suspicious requests to the noted endpoints, because the attack leaves little or no login evidence.
Sources: Critical UniFi OS bug lets hackers gain root without authentication
Attackers exploit Everest Forms Pro WordPress plugin flaw CVE-2026-3300 to take over sites
Hackers are actively exploiting a critical bug in the Everest Forms Pro WordPress plugin to seize control of vulnerable websites. The flaw, CVE-2026-3300, affects Everest Forms Pro 1.9.12 and earlier and allows unauthenticated remote code execution through the plugin’s Complex Calculation feature, which unsafely passes form input into PHP eval(). Wordfence says attacks began by April 13 and are creating rogue administrator accounts, including one named “diksimarina.” — Affected WordPress sites can be fully hijacked without a login, allowing attackers to add admin users, install backdoors, and alter site content. Site owners should update immediately, review administrator accounts and logs for suspicious activity, and check for indicators tied to the reported campaign.
Sources: Critical Everest Forms Pro flaw exploited to take over WordPress sites, Everest Forms Vulnerability Exploited to Hack WordPress Sites
CISA says attackers are exploiting SolarWinds Serv-U denial-of-service flaw CVE-2026-28318
CISA says hackers are now actively exploiting a recently patched SolarWinds Serv-U bug to crash exposed file-transfer servers. The flaw, CVE-2026-28318, affects SolarWinds Serv-U MFT and FTP software on Windows and Linux and can be triggered without authentication using specially crafted POST requests with Content-Encoding: deflate; SolarWinds fixed it in Serv-U 15.5.4 Hotfix 1 and advised admins who cannot patch to restrict access and block such requests. — Organizations running internet-exposed Serv-U servers could face service outages right now, including federal agencies ordered to remediate by June 19. If you use Serv-U, patch immediately or apply SolarWinds' temporary filtering and access restrictions while checking for signs of attempted abuse.
Sources: CISA: Hackers now exploit SolarWinds Serv-U flaw to crash servers, CISA Adds Actively Exploited SolarWinds Serv-U DoS Flaw to KEV Catalog, SolarWinds Serv-U Vulnerability Exploited in the Wild
C0XMO Gafgyt botnet exploits DD-WRT router flaw CVE-2021-27137 to spread across routers and IoT devices
A new botnet called C0XMO is infecting DD-WRT routers and other internet-connected devices so they can be used in denial-of-service attacks. Fortinet says the malware exploits CVE-2021-27137, an unauthenticated buffer overflow in DD-WRT, and also brute-forces Telnet and SSH logins while carrying binaries for multiple CPU architectures including ARM, MIPS, PowerPC, x86, and x86_64. The botnet establishes persistence with cron jobs and startup-file changes, then removes rival malware and tooling from infected systems. — Organizations and users with exposed routers, DVRs, and similar devices may be silently pulled into a botnet and used in attacks. Patch affected firmware where available, disable unnecessary remote administration, and change weak or reused device credentials immediately.
Sources: C0XMO botnet spreads via DD-WRT router flaw, kills rival malware
Google Chrome 149 security update fixes 429 vulnerabilities, including critical ANGLE and Network bugs
Google released Chrome 149 with fixes for 429 security vulnerabilities, a record-sized browser security update that affects users on Windows, macOS, and Linux. The most severe issue is CVE-2026-10881, a CVSS 9.6 out-of-bounds read/write flaw in the ANGLE graphics engine that could let a remote attacker use a crafted HTML page to escape Chrome’s sandbox and potentially run code on the operating system. Google also fixed critical flaws CVE-2026-10882 in Network and CVE-2026-10883 in ANGLE in versions 149.0.7827.53 for Linux and 149.0.7827.53/54 for Windows and macOS. — Chrome is widely used, so a large set of browser bugs with multiple critical issues can put many users and organizations at risk from malicious websites. Users and administrators should update Chrome promptly across all devices and managed fleets.
Sources: Chrome 149 Patches 429 Vulnerabilities
Cisco patches Cisco Unified CM flaw CVE-2026-20230 that could lead to root access, warns public PoC exists
Cisco released fixes for a serious security flaw in Cisco Unified Communications Manager and Unified Communications Manager Session Management Edition that could let remote attackers gain a path to full control of affected appliances. The bug, CVE-2026-20230, is a server-side request forgery issue caused by improper validation of certain HTTP requests; on systems with the WebDialer service enabled, an unauthenticated attacker can send crafted requests to write files to the underlying operating system and potentially escalate to root. Cisco fixed it in Unified CM and Unified CM SME 14SU6 and plans to include fixes in 15SU5. — Organizations running affected Cisco call-management systems should check whether WebDialer is enabled and apply updates quickly, especially because proof-of-concept exploit code is already public. Even without confirmed in-the-wild exploitation, the flaw could give attackers a foothold that leads to full device compromise.
Sources: Cisco Warns of Available PoC for Critical Unified CM Vulnerability, Cisco warns of critical Unified CM flaw with PoC exploit code, Cisco Patches CVE-2026-20230 in Unified CM as Exploit Code Goes Public
Claude Code GitHub Action flaw let a malicious GitHub issue take over repositories running the workflow
A flaw in Anthropic's Claude Code GitHub Action could let an attacker use one malicious GitHub issue or comment to hijack affected repositories. The issue affected the GitHub Action integration for Claude Code, where untrusted issue content could be turned into dangerous workflow commands and expose repository secrets or enable unauthorized code changes in automation runs; the article does not provide a CVE. — Projects using the Claude Code GitHub Action may have been exposed to repository takeover through normal issue-tracker interactions, making this a high-priority supply-chain and automation risk. Maintainers should review Anthropic's fix guidance, restrict workflow permissions, rotate exposed secrets, and treat issue-triggered automation as untrusted until patched.
Sources: Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories
Google patched Gemini voice assistant flaw that let messaging notifications inject hidden commands
Researchers say attackers could have manipulated Google’s Gemini voice assistant through ordinary message notifications from apps such as WhatsApp, Slack, and SMS. SafeBreach calls the technique “Fake Context Alignment”: hidden instructions embedded in notification content were silently pulled into Gemini’s context when users asked it to read messages aloud, potentially enabling actions such as controlling Google Home devices, starting Zoom calls, sending deceptive messages, and poisoning long-term memory. Google was notified in August 2025 and patched the issue in November 2025 with content-classifier changes. — This matters because it shows how everyday messages could be turned into a hands-free attack path against AI assistants that are connected to calls, messages, and smart-home controls. Users and organizations relying on Gemini should make sure current protections are in place and treat unsolicited messages as a potential trigger for AI-assisted actions.
Sources: Gemini Voice Assistant Hijacked via Messaging Notifications
CISA adds actively exploited Adobe Commerce and Magento remote-code-execution flaw CVE-2026-45247 to KEV catalog
CISA says attackers are exploiting a serious Adobe Commerce and Magento flaw that can let them take over vulnerable online store servers. The issue, CVE-2026-45247, is a remote-code-execution vulnerability, meaning an attacker can run their own commands on the target system from afar; CISA added it to the Known Exploited Vulnerabilities catalog, which federal agencies use to prioritize urgent fixes. Affected product and version details come from Adobe’s advisory, and internet-exposed commerce systems are the most immediate concern. — Organizations running Adobe Commerce or Magento should treat this as urgent because CISA only adds bugs to KEV when there is evidence of real-world exploitation. For online stores, the risk can include site takeover, payment-data exposure, and malware implantation, so defenders should identify affected instances and patch or mitigate immediately.
Sources: CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog, Mirasvit Vulnerability Exploited to Execute Code on Magento Servers
Google fixes actively exploited Android zero-day CVE-2025-48595 in June 2026 security update
Google released Android security updates that fix an actively exploited flaw affecting devices running Android 14 and later. The zero-day, CVE-2025-48595, is a high-severity Android Framework vulnerability that Google says has seen limited targeted exploitation and can let a local attacker achieve code execution and privilege escalation. The June 2026 bulletins also patch 124 vulnerabilities in total, including 18 critical issues across Framework, System, Qualcomm components, and other closed-source and kernel-related parts. — People and organizations using Android devices may be exposed to a flaw already being used in real attacks, even if only in targeted cases. Apply the June 2026 Android security update as soon as your device vendor makes it available, with particular urgency for Pixel users and higher-risk targets.
Sources: Google fixes one actively exploited Android zero-day, 124 flaws, Android Update Patches Exploited Zero-Day, 123 Other Vulnerabilities, Google June 2026 Android Update Patches 124 Flaws, One Actively Exploited (+1 more)
CISA warns Linux kernel container-escape flaw CVE-2022-0492 is being exploited in the wild
CISA says attackers are now exploiting a Linux kernel bug that can let someone break out of a container and gain root-level control on the host system. The flaw, CVE-2022-0492, is an improper authentication issue in Linux cgroups v1 that allows modification of the release_agent mechanism, enabling privilege escalation and container escape; CISA added it to the Known Exploited Vulnerabilities catalog after Kaspersky reported real-world exploitation, and federal agencies were told to patch by June 5. — Organizations running Linux containers could be at risk of full host compromise if affected systems are unpatched. This is urgent for cloud, server, and platform teams: identify systems using cgroups v1, apply available kernel fixes, and review container hardening and isolation settings immediately.
Sources: Organizations Warned of Exploited Linux Kernel Vulnerability, CISA warns of active attacks exploiting Android, Linux bugs
Attackers exploit Kirki WordPress plugin flaw CVE-2026-8206 to hijack administrator accounts
Attackers are exploiting a critical flaw in the Kirki WordPress plugin that can let them take over administrator accounts on affected websites. CVE-2026-8206 affects Kirki versions 6.0.0 through 6.0.6 and abuses a password-reset REST API endpoint so an unauthenticated attacker can send a valid reset link for any user to an attacker-controlled email address. Wordfence says it blocked more than 222 exploit attempts in 24 hours, and the fix shipped in version 6.0.7. — Sites using affected Kirki versions can be quickly hijacked, letting attackers change content, install malicious plugins, or plant persistent backdoors. This is urgent for WordPress administrators: update to 6.0.7 immediately or disable the plugin, and review privileged accounts for suspicious password resets or changes.
Sources: Critical Kirki flaw exploited to hijack WordPress admin accounts, Kirki, Burst Statistics WordPress Plugin Flaws in Attackers’ Crosshairs
Attackers exploit Burst Statistics WordPress plugin flaw to create administrator accounts on vulnerable sites
Attackers are targeting a flaw in the Burst Statistics WordPress plugin that can let outsiders take over websites by creating administrator accounts. Defiant says versions 3.4.0 to 3.4.1.1 contain an authentication bypass in application-password validation for REST API requests, allowing unauthenticated attackers to impersonate an admin for a request and use admin-level functions. Users should update to version 3.4.2 or newer. — Sites using Burst Statistics may be vulnerable to full website takeover, so this is urgent for WordPress administrators and hosting providers. Check plugin versions now, update immediately, and review for unexpected administrator accounts or suspicious REST API activity.
Sources: Kirki, Burst Statistics WordPress Plugin Flaws in Attackers’ Crosshairs
Acer warns of two maximum-severity zero-days in Wave 7 routers and says fixes are coming by end of June
Acer says two critical security holes in its Wave 7 mesh routers could let attackers break in remotely, and patches are not available yet. The flaws, CVE-2026-49200 and CVE-2026-49201, affect Wave 7 routers running firmware T7c_GBL_1.01.000055 or earlier. One bug exposes plaintext web and Telnet credentials through an unauthenticated web-accessible log file, while the other uses a hardcoded AES key in backup handling to let attackers alter backups and implant persistent backdoor access. — People and organizations using affected Acer Wave 7 routers could face account compromise and long-term unauthorized access if devices are exposed. This is urgent because there is no patch yet; users should disable remote management or restrict it to trusted IP addresses and apply Acer's firmware update as soon as it is released.
Sources: Acer working to patch max severity zero-days in Wave 7 routers
Unpatched Windows Search URI flaw can leak NTLMv2 hashes when users open malicious search links
A newly reported Windows flaw can expose a user's NTLMv2 password hash, which attackers can try to crack or relay for unauthorized access. The issue affects the Windows Search URI protocol and can be triggered through crafted links or files that cause Windows to connect to an attacker-controlled server. The article indicates the bug is unpatched and enables hash disclosure rather than direct code execution. — Organizations that still rely on NTLM authentication could be exposed to credential theft from a single malicious link or lure, making this a meaningful phishing and lateral-movement risk. Defenders should block or monitor outbound SMB and WebDAV traffic, reduce NTLM use where possible, and warn users not to open unexpected search-related links or files until Microsoft issues a fix.
Sources: Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes
CISA adds seven actively exploited flaws, including Microsoft Defender CVE-2026-41091 and CVE-2026-45498, to KEV catalog
CISA added seven vulnerabilities to its Known Exploited Vulnerabilities catalog on May 20, 2026, citing evidence of active exploitation. The additions include legacy Microsoft Windows, DirectX, Internet Explorer, and Adobe Reader bugs, plus Microsoft Defender flaws CVE-2026-41091 (elevation of privilege) and CVE-2026-45498 (denial of service). Federal agencies must remediate by the deadlines set under BOD 22-01. — KEV additions indicate real-world exploitation and help defenders prioritize patching and mitigations. Organizations, especially federal agencies, should urgently assess exposure to the newly listed Microsoft Defender and legacy Windows-related vulnerabilities.
Sources: CISA Adds Seven Known Exploited Vulnerabilities to Catalog, Microsoft warns of new Defender zero-days exploited in attacks, Microsoft Patches Exploited UnDefend and RedSun Defender Zero-Days (+1 more)
CISA says attackers are exploiting Oracle WebLogic server flaw CVE-2024-21182
A long-patched Oracle WebLogic Server vulnerability is now being exploited in real attacks, putting internet-facing servers at risk if they were not updated. CISA added CVE-2024-21182 to its Known Exploited Vulnerabilities catalog on June 1, 2026. Oracle patched the flaw in July 2024; it can be exploited remotely without authentication against affected WebLogic Server instances, and successful exploitation can expose sensitive data or allow broader server compromise. — Organizations running Oracle WebLogic should treat this as urgent because attackers no longer need valid logins to target exposed systems. Patch immediately, check whether any WebLogic servers are internet-accessible, and hunt for signs of compromise if updates were delayed.
Sources: Oracle WebLogic Vulnerability Exploited in the Wild, CISA flags two-year-old Oracle flaw as actively exploited in attacks, Oracle WebLogic CVE-2024-21182 Added to KEV Catalog After Active Exploitation
Microsoft Android apps exposed account tokens after debug flag was left enabled in Word, Excel, PowerPoint, OneNote, Loop and Copilot
Six Microsoft Android apps could hand Microsoft account tokens to unauthorized apps because a debug setting was left enabled in production code. SecurityWeek reports Enclave found the issue in Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop and OneNote for Android; the flag bypassed checks meant to restrict token sharing to trusted Microsoft apps, allowing any installed app to request reusable FOCI tokens and potentially access account data. No CVE is cited in the report. — People and organizations using these Android apps could have had account access tokens silently stolen by another app on the same phone, potentially enabling long-lived account access. This is urgent for Microsoft mobile users and defenders: watch for Microsoft’s fix, review mobile app trust and update practices, and investigate suspicious Android apps on managed devices.
Sources: Exclusive: How One Line of Code Put Billions of Microsoft Android App Downloads at Risk
HP patches critical CVE-2026-0826 in Poly VoIP phones that can let attackers remotely take over devices
HP released fixes for a critical flaw in several Poly Voice VoIP phone models that could let an attacker remotely seize control of a phone and use it as a foothold inside a company network. Rapid7 said CVE-2026-0826 is a stack-based buffer overflow in Session Description Protocol parsing when Interactive Connectivity Establishment is enabled, affecting Poly VVX 150/250/350/450 and Trio 8300/8500/8800 devices; a malicious SIP INVITE can trigger root-level remote code execution, and HP has published patched firmware. — Organizations using these desk and conference phones should treat this as urgent because compromised voice devices often sit on trusted internal networks and typically lack security tooling. Update affected Poly firmware now and disable ICE where it is not needed.
Sources: Critical Vulnerability in HP VoIP Phones Enables Enterprise Network Breaches
Oracle's first monthly Critical Security Patch Update fixes 77 vulnerabilities across Database, E-Business Suite, REST Data Services and other products
Oracle released its first new monthly Critical Security Patch Update, fixing 77 vulnerabilities across several enterprise products used by businesses and public-sector organizations. The May 2026 update covers Oracle Database Server, REST Data Services, Communications, E-Business Suite, and Hospitality Applications, including about a dozen critical-severity flaws and multiple bugs that remote, unauthenticated attackers could exploit over a network. Oracle did not cite active exploitation in this notice but urged customers to patch quickly. — Organizations running affected Oracle software should treat this as a prompt patching event, especially where systems are internet-facing. Several flaws can be exploited remotely without logging in, so defenders should identify exposed Oracle services and apply the new updates as soon as possible.
Sources: Oracle’s First Monthly Patches Resolve 77 Vulnerabilities
Inspector general says NIST mismanagement left the National Vulnerability Database with a 27,000-entry backlog
A U.S. watchdog found that NIST’s National Vulnerability Database, a key public source used to track and prioritize software flaws, has become ineffective after mismanagement caused a massive processing backlog. The report says unprocessed vulnerability records grew from about 13,000 in February 2024 to more than 27,000 by the end of 2025, after NIST stopped paying contractors, missed its recovery goals, and duplicated at least 21,000 pieces of work already handled by CISA’s Vulnrichment program. — This matters because companies, government agencies, and security teams rely on NVD data to decide what to fix first, and delays can slow patching and risk decisions across the ecosystem. Affected users are indirect but broad: defenders may need to lean more on vendor advisories, CISA KEV, and other sources until NVD processing becomes reliable again.
Sources: Inspector general finds NIST mistakes have made vulnerability database ineffective
Attackers exploit WP Maps Pro WordPress plugin flaw CVE-2026-8732 to create administrator accounts
Attackers are trying to take over WordPress sites that use the WP Maps Pro plugin by secretly creating their own administrator accounts. The bug, CVE-2026-8732, affects WP Maps Pro 6.1.0 and earlier and stems from an unauthenticated AJAX endpoint tied to a temporary support-access feature; a crafted request can create an admin user and generate a passwordless login link. Wordfence says it blocked more than 3,600 exploitation attempts in 24 hours, and the vendor fixed the issue in version 6.1.1 on May 20, 2026. — Any site running the vulnerable plugin can be fully taken over, letting attackers plant backdoors, change content, or steal data. Users should update WP Maps Pro to 6.1.1 or later immediately and review WordPress admin accounts for unexpected new users.
Sources: WP Maps Pro bug exploited to create admin accounts on WordPress sites, Critical WP Maps Pro Flaw Actively Exploited to Create Admin Accounts, WP Maps Pro Vulnerability Exploited to Take Over WordPress Sites
Attackers are now exploiting Windows Server Netlogon remote-code-execution flaw CVE-2026-41089
A critical Windows Server security flaw that can let outsiders run code on domain controllers is now being exploited in real attacks. Belgium's Centre for Cybersecurity said CVE-2026-41089, a stack-based buffer overflow in the Netlogon remote procedure call (RPC) service, is under active exploitation after Microsoft patched it in May 2026. The bug affects supported Windows Server versions including Windows Server 2025 and can be triggered by a specially crafted network request without prior authentication. — Domain controllers are the systems that authenticate users across many business networks, so compromise can put an entire organization at risk. Organizations running Windows Server should treat this as high priority and patch exposed and internal domain controllers immediately.
Sources: Critical Windows Netlogon RCE flaw now exploited in attacks, Critical Windows Netlogon Vulnerability in Attackers’ Crosshairs
Palo Alto says attackers are exploiting GlobalProtect VPN auth bypass flaw CVE-2026-0257
Palo Alto Networks says attackers are now using a GlobalProtect VPN flaw to try to get into corporate networks without valid credentials. The issue, CVE-2026-0257, affects PAN-OS GlobalProtect portal and gateway configurations that use authentication override cookies with specific certificate reuse; attackers can forge those cookies and establish unauthorized VPN access on unpatched devices. Rapid7 says it saw exploitation from at least May 17, 2026, and CISA has added the flaw to its Known Exploited Vulnerabilities catalog. — Organizations that use Palo Alto GlobalProtect could be exposed to unauthorized remote access into internal networks, so this is an urgent patch-now issue. Defenders should update PAN-OS immediately and, if needed, disable authentication override cookies or use a separate certificate for that feature.
Sources: Palo Alto GlobalProtect VPN auth bypass flaw now exploited in attacks, Recent Palo Alto Networks Vulnerability Exploited for Weeks, Palo Alto VPN bug graduates from advisory to active exploitation
CIFSwitch Linux kernel flaw can let local users gain root on multiple distributions
A newly disclosed Linux flaw called CIFSwitch can let a normal local user take full control of an affected system. The bug is a local privilege-escalation issue in the Linux kernel CIFS subsystem and cifs-utils, where forged cifs.spnego key requests can make the root-run cifs.upcall helper trust attacker-controlled data and load a malicious NSS module. The researcher, who published a proof-of-concept exploit, says vulnerable combinations exist on multiple distributions and points to upstream fix commit 3da1fdf. — This matters for multi-user Linux systems and enterprise fleets because a user or attacker who already has limited access may be able to become root. Organizations should identify affected distributions, apply vendor kernel updates, and consider mitigations such as disabling unprivileged user namespaces or removing unused CIFS components.
Sources: New CIFSwitch Linux flaw gives root on multiple distributions, 19-Year-Old Linux Kernel Vulnerability Exposes Systems to Root Access
Exploit code published for Flowise remote-code-execution flaw CVE-2026-40933 affecting self-hosted servers
Public exploit code is now available for a critical Flowise bug that can let attackers take over self-hosted AI workflow servers by getting someone to import a malicious chatflow. The flaw, CVE-2026-40933 (CVSS 9.9), affects Flowise before 3.1.0 and stems from unsafe handling of Anthropic Model Context Protocol (MCP) stdio commands in the MCP adapter. Importing a crafted chatflow can trigger command execution during tool enumeration, leading to operating-system-level code execution with the Flowise process's privileges. Flowise Cloud is not affected because stdio MCP is disabled there. — Organizations running self-hosted Flowise should treat this as urgent because working exploit code lowers the barrier to real attacks and the flaw can expose stored credentials and connected services. Update to 3.1.0 or later and limit who can create or import chatflows, especially where Flowise is connected to databases, APIs, or cloud accounts.
Sources: Exploit Code Published for Critical Flowise RCE Vulnerability
Google Chrome 148 update fixes 151 browser vulnerabilities, including 22 critical flaws
Google released a Chrome 148 security update that fixes 151 vulnerabilities, including 22 critical bugs that could help attackers run malicious code through the browser. The most severe issues named are CVE-2026-9872 (out-of-bounds write in GPU), CVE-2026-9873 (use-after-free in Network), CVE-2026-9874 (use-after-free in Dawn), CVE-2026-9875 (out-of-bounds read in WebGL), and CVE-2026-9876 (use-after-free in WebGL). The update is rolling out as 148.0.7778.216/217 for Windows, 148.0.7778.215/216 for macOS, and 148.0.7778.215 for Linux. — Chrome is widely used, so browser flaws with remote-code-execution potential can expose large numbers of people and organizations to drive-by compromise if left unpatched. Users and IT teams should update Chrome promptly across Windows, macOS, and Linux fleets.
Sources: Chrome 148 Update Patches 151 Vulnerabilities
Attackers use FortiClient EMS zero-day CVE-2026-35616 to push infostealer malware to managed devices
Attackers are using a critical Fortinet server flaw to send malware to computers managed by FortiClient Endpoint Management Server (EMS). The issue, CVE-2026-35616, is a remote code execution bug in FortiClient EMS that can be exploited without authentication via crafted requests; Fortinet patched it in April after warning it had already been used as a zero-day, and Arctic Wolf now says fresh attacks are abusing EMS scripting workflows to deploy EKZ Infostealer disguised as a Fortinet patch. — This can turn a central management server into a way to infect every device it manages, putting passwords, browser cookies, and other sensitive data at risk. Organizations running FortiClient EMS should patch immediately, check for suspicious PowerShell/script activity, and investigate whether fake update jobs were pushed to endpoints.
Sources: Critical FortiClient EMS Vulnerability Exploited in Fresh Attacks, Hackers exploit FortiClient EMS flaw to push infostealer malware, FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch (+1 more)
Gitea CVE-2026-27771 let anyone pull private container images from thousands of self-hosted servers
A flaw in Gitea could let outsiders download supposedly private software container images from many self-hosted code servers. NoScope says CVE-2026-27771 is an access-control bug in Gitea’s built-in container registry, also affecting Forgejo, where anonymous Docker/OCI pull requests could retrieve private images; Gitea patched it in version 1.26.2, and Shodan data suggested roughly 31,750 internet-facing instances were likely vulnerable. — Private container images can contain source code, credentials, and details about production systems, so this exposure could hand attackers valuable access and intelligence. Organizations running self-hosted Gitea or Forgejo should update to 1.26.2 immediately or enforce authentication for all content access if possible.
Sources: Gitea Vulnerability Exposed 30,000 Deployments to Attacks
Pretalx patched stored XSS flaw CVE-2026-41241 that could let conference organizers' accounts be hijacked
Pretalx, an open source platform used by many conferences to manage call-for-proposals and schedules, fixed a flaw that could let a malicious speaker submission run code in an organizer's browser. The issue, CVE-2026-41241, is a stored cross-site scripting (XSS) bug in searchable fields such as submission titles, speaker names, usernames, and email addresses; when an organizer searched for a matching record, attacker-supplied HTML or JavaScript could execute, steal a cross-site request forgery (CSRF) token, submit authenticated actions, or exfiltrate visible data. The fix shipped in April in pretalx 2026.1.0. — Conference teams using pretalx could have had proposal data changed or organizer sessions abused simply by viewing malicious submissions, so affected admins should update to pretalx 2026.1.0 or later and review organizer access and stored submissions. Because pretalx is reused across many events, one product bug can affect multiple independent conference systems at once.
Sources: How to guarantee a speaker gig: Hack the system. Literally, Vulnerability in Popular Conference Software Granted Attackers a 100% Talk Acceptance Rate
CISA adds exploited LiteSpeed cPanel plugin zero-day CVE-2026-48172 to KEV and urges immediate removal or patching
CISA says a critical bug in the LiteSpeed user-end plugin for cPanel is being actively exploited and can give attackers root-level control of affected servers. The flaw, CVE-2026-48172, is a 9.8-severity privilege-escalation vulnerability affecting user-end plugin versions 2.3 through 2.4.4; LiteSpeed fixed it in version 2.4.5, later bundled in WHM Plugin 5.3.1.0 with user-end plugin 2.4.7, while cPanel also removed the vulnerable plugin via a nightly update on May 19. — Organizations running cPanel with the LiteSpeed user-end plugin could be exposed to full server compromise, so this is an update-now or remove-now situation. Admins should upgrade immediately, remove the plugin if they cannot patch, and review logs and suspicious IP activity for signs of exploitation.
Sources: CISA Urges Immediate Patching of Exploited LiteSpeed cPanel Plugin Zero-Day, CISA gives feds 4 days to patch actively exploited cPanel plugin flaw
Attackers exploited KnowledgeDeliver zero-day CVE-2026-5426 to install web shells and backdoors on LMS servers
Hackers used a previously unknown flaw in Digital Knowledge’s KnowledgeDeliver learning platform to break into servers and plant persistent malware. Mandiant says CVE-2026-5426 affects KnowledgeDeliver deployments before February 24, 2026, because a standardized ASP.NET web.config file contained hardcoded machineKey values, enabling ViewState deserialization attacks for remote code execution. The observed intrusions deployed Godzilla web shells, altered JavaScript to show fake plugin alerts, and ultimately installed a tailored Cobalt Strike backdoor. — Organizations using KnowledgeDeliver, especially enterprise and education users, may already be compromised, not just vulnerable. Admins should urgently rotate machine keys, restrict access to the LMS, hunt for the published indicators of compromise, and check for web shells, modified JavaScript, and follow-on malware.
Sources: Hackers Exploited KnowledgeDeliver Zero-Day for Web Shell Deployment, KnowledgeDeliver flaw exploited as a zero-day to install web shells
Drupal announces critical core security update for high-risk vulnerability affecting versions 8 and later
Drupal announced a core security release for May 20, 2026, warning that exploits could appear within hours of disclosure. The issue affects Drupal core 8+ with patches planned for supported 11.x and 10.x branches, plus hotfixes for end-of-life 9.5 and 8.9 releases. No CVE or technical details were disclosed ahead of release. — Drupal is widely used by government, education, healthcare, and large organizations, so a high-risk core flaw has broad exposure. Defenders should monitor the advisory and be ready to apply updates immediately, especially because Drupal expects rapid exploit development.
Sources: Drupal critical update to fix bug with high exploitation risk, Clear your calendar, Drupal user: You have a critically urgent patch to install, Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks (+5 more)
Attackers exploit Ghost CMS SQL injection flaw CVE-2026-26980 to booby-trap hundreds of websites with ClickFix malware lures
Attackers are using a Ghost CMS bug to hijack websites and show visitors fake verification prompts that can infect their computers. The campaign abuses CVE-2026-26980, a critical unauthenticated SQL injection flaw affecting Ghost 3.24.0 through 6.19.0, to steal admin API keys and inject malicious JavaScript into article pages; researchers say more than 700 domains were hit, including university, media, fintech, and tech sites. Victims who follow the ClickFix instructions paste commands into Windows that download malware. — This affects both website owners and ordinary visitors: unpatched Ghost sites can be silently turned into malware delivery pages, and people browsing them can be tricked into infecting their own systems. Ghost administrators should update to 6.19.1 or later immediately, rotate exposed keys, and check for injected scripts and suspicious admin API activity.
Sources: Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign, Ghost CMS Vulnerability Exploited to Hack Over 700 Websites
Underminr CDN routing flaw lets attackers disguise malicious traffic as connections to trusted domains
Researchers say attackers are exploiting a weakness in shared content delivery network (CDN) infrastructure to make malicious connections look like they are going to legitimate websites. The technique, dubbed Underminr, is described as a variant of domain fronting that abuses mismatches between DNS lookups, server name indication (SNI), HTTP Host headers, edge IP addresses, and CDN tenant routing; ADAMnetworks says it affects roughly 88 million domains and has been used to bypass Protective DNS filtering, conceal command-and-control traffic, and tunnel VPN or proxy connections over TCP port 443. — Organizations that rely on DNS filtering or allowlists could miss malicious outbound traffic that appears to be headed to trusted domains. Defenders should review CDN egress controls, correlate DNS, SNI, Host header, and destination IP telemetry, and watch for guidance or mitigations from affected providers.
Sources: ‘Underminr’ Vulnerability Lets Attackers Hide Malicious Connections Behind Trusted Domains
CISA opens public reporting channel for Known Exploited Vulnerabilities catalog nominations
CISA has launched a new public form and email pathway for researchers, vendors, and industry partners to submit vulnerabilities for possible inclusion in its Known Exploited Vulnerabilities (KEV) catalog. The change affects no single CVE or product; instead it creates a formal process for reporting suspected exploited-in-the-wild flaws to CISA, with submitters asked to provide vulnerability details and evidence of active exploitation so the agency can validate and potentially add them to KEV. — The KEV catalog is one of the main lists defenders use to decide what to patch first, so a faster path for outside researchers to report exploitation could speed warnings and remediation across government and private networks. Security teams should expect KEV to remain a key prioritization source and monitor for any changes in how quickly new exploited bugs are added.
Sources: CISA to allow researchers to report vulnerabilities to exploited bugs catalog, In Other News: Industrial Router Exploitation, CISA KEV Nomination Form, Gas Station Hacking
Huawei enterprise router zero-day caused a nationwide telecom blackout in Luxembourg
A zero-day flaw in Huawei enterprise router software was blamed for a July 2025 outage that knocked out landline, 4G, and 5G service across Luxembourg for more than three hours. POST Luxembourg said specially crafted network traffic forced the routers into a reboot loop, causing a denial-of-service condition and disrupting emergency communications for hundreds of thousands of residents. No CVE is provided, and it remains unclear whether Huawei has issued a patch. — This shows how a single unpatched network-device flaw can interrupt phone and mobile service for an entire country, including emergency calls. Organizations using Huawei enterprise routers should urgently seek vendor guidance, limit exposure, and prepare mitigations because patch status is still unclear.
Sources: In Other News: Industrial Router Exploitation, CISA KEV Nomination Form, Gas Station Hacking
TrendAI patches exploited Apex One zero-day CVE-2026-34926 in on-premises servers
TrendAI says attackers exploited a flaw in its Apex One security software before a patch was available, putting organizations that run the on-premises server at risk. The bug, CVE-2026-34926, is a directory traversal vulnerability in Apex One on-premise that can let an attacker alter a key server table and inject malicious code for deployment to agents; TrendAI says admin credentials to the server are required, and CISA has added the CVE to its Known Exploited Vulnerabilities catalog. — Organizations using Apex One on-premises should treat this as urgent because the flaw was exploited in real attacks and could let attackers push malicious code from the management server to protected endpoints. Apply TrendAI's update immediately and review who has administrative and remote access to the Apex One server.
Sources: TrendAI Patches Apex One Zero-Day Exploited in the Wild, Trend Micro warns of Apex One zero-day exploited in the wild
Ubiquiti patches five UniFi OS flaws, including three maximum-severity bugs that can be exploited remotely
Ubiquiti released security updates for UniFi OS after disclosing five vulnerabilities that could let attackers tamper with devices, read files, or run commands. The issues include CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, all rated maximum severity, plus CVE-2026-33000 and CVE-2026-34911. They affect UniFi OS on UniFi Consoles that run UniFi Network, Protect, Access, Talk, and Connect; the flaws involve improper access control, path traversal, command injection, and information disclosure. Ubiquiti says the bugs can be exploited with low complexity, and nearly 100,000 internet-exposed endpoints have been observed. — Organizations and home or small-business users running UniFi OS may be exposed to remote compromise if their management devices are reachable online. This is an update-now issue: apply Ubiquiti's patches promptly and reduce internet exposure of UniFi management interfaces where possible.
Sources: Ubiquiti patches three max severity UniFi OS vulnerabilities
Google accidentally exposed details of an unfixed Chromium flaw that can keep malicious code running after the browser is closed
Google briefly made public the technical details of an unfixed Chromium security flaw that affects Chrome and other Chromium-based browsers including Edge, Brave, Opera, Vivaldi, and Arc. Researcher Lyra Rebane says a malicious website can abuse a Service Worker to keep JavaScript running after the browser is closed, potentially enabling stealthy botnet-style abuse such as proxying traffic or launching distributed denial-of-service attacks; no CVE is listed in the report, and the bug was reportedly marked fixed in tracking systems even though current dev builds still appeared vulnerable. — This matters because simply visiting a malicious site once may be enough to leave a browser doing work in the background without the user's knowledge. Users and defenders should watch for an emergency browser update from Google and other Chromium-based vendors and apply it quickly once available.
Sources: Google accidentally exposed details of unfixed Chromium flaw
Researchers report macOS kernel memory-corruption exploit affecting Apple M5 systems
A newly reported exploit targets a memory-corruption flaw in the macOS kernel on Apple M5 hardware. The source says a group used Anthropic's Mythos AI model to help find the vulnerability and develop an exploit; the brief post does not provide a CVE, affected macOS versions, or details on whether the flaw is patched or exploited in the wild. — A kernel exploit can potentially give attackers deep control over a device, so this is important for Mac users and enterprise defenders even though technical details are still limited. Track for Apple advisories and be ready to apply patches quickly once the vulnerability is formally identified.
Sources: macOS Kernel Memory Corruption Exploit
Cisco patches critical Cisco Secure Workload API flaw CVE-2026-20223 enabling Site Admin access
Cisco released fixes for CVE-2026-20223, a critical vulnerability rated 10.0 in Cisco Secure Workload Cluster Software, caused by insufficient validation and authentication in internal REST API endpoints. The flaw affects SaaS and on-prem deployments and can let remote attackers read sensitive information and modify configurations across tenant boundaries with Site Admin privileges. Patched versions are 3.10.8.3 and 4.0.3.17. — Organizations using Cisco Secure Workload face high-impact administrative compromise and cross-tenant exposure if unpatched. Defenders should prioritize updates because exploitation requires only a crafted API request; at this severity, urgency does not depend on confirmed in-the-wild activity.
Sources: Cisco Patches Critical Vulnerability in Secure Workload, Cisco serves up yet another perfect 10 bug with Secure Workload admin flaw, Max severity Cisco Secure Workload flaw gives Site Admin privileges
Attackers exploit SonicWall Gen6 SSL-VPN MFA bypass CVE-2024-12802 after incomplete remediation
ReliaQuest and SonicWall say attackers exploited CVE-2024-12802 on SonicWall Gen6 SSL-VPN appliances to bypass MFA when admins installed patched firmware but did not complete required LDAP reconfiguration steps. Intrusions observed from February to March involved brute-forced credentials, internal reconnaissance, RDP access, and attempted deployment of Cobalt Strike and a BYOVD tool across multiple sectors and geographies. — Organizations using SonicWall Gen6 SSL-VPN may still be exposed even if they believe they are patched, because firmware updates alone do not fully mitigate the flaw. Defenders should verify the manual remediation, hunt for listed indicators, and treat exposed Gen6 devices as potentially compromised.
Sources: Hackers bypass SonicWall VPN MFA due to incomplete patching
Anthropic silently patched Claude Code sandbox bypass enabling outbound network policy evasion
SecurityWeek reports that Anthropic patched a Claude Code network sandbox bypass caused by a SOCKS5 hostname null-byte injection flaw that could let attackers evade outbound allowlist restrictions and exfiltrate data. Researcher Aonan Guan said the issue affected Claude Code from October 20, 2025 until fixes shipped in Claude Code 2.1.88/2.1.90 in March-April 2026. The article also references an earlier related bypass, CVE-2025-66479, involving outbound policy misinterpretation. — Organizations using Claude Code in production may have relied on sandboxing to prevent agent-driven data exfiltration, especially in prompt-injection scenarios. Users should update Claude Code and review whether sensitive credentials, tokens, or environment data could have been exposed through sandbox bypasses.
Sources: Anthropic Silently Patches Claude Code Sandbox Bypass, Even Claude agrees: hole in its sandbox was real and dangerous
PoC exploit released for PinTheft Arch Linux local root escalation flaw in Linux RDS
Researchers disclosed a public proof-of-concept for PinTheft, a recently patched Linux local privilege-escalation flaw in the kernel's RDS zerocopy send path that can yield root on Arch Linux systems. The bug has not yet received a CVE ID. Exploitation requires the RDS module to be loaded, io_uring enabled, and other specific conditions; Arch is reportedly the only common distro tested with RDS enabled by default. — Public exploit code raises the risk of real-world abuse on exposed systems, especially where patching lags. Defenders should prioritize kernel updates or disable/unload the RDS modules as a mitigation.
Sources: Exploit released for new PinTheft Arch Linux root escalation flaw
ChromaDB CVE-2026-45829 exposes internet-facing Python API servers to unauthenticated RCE
Researchers disclosed CVE-2026-45829, a maximum-severity flaw in ChromaDB's Python FastAPI server that can let unauthenticated attackers force the server to fetch and execute a malicious Hugging Face model. The bug affects the Python API code introduced in ChromaDB 1.0.0 and was reportedly still present in 1.5.8; it was unclear at publication whether 1.5.9 fixed it. HiddenLayer said about 73% of internet-exposed instances were running vulnerable versions. — Organizations exposing ChromaDB's Python API over HTTP could face full server compromise without authentication. Defenders should immediately restrict exposure, prefer the Rust frontend where possible, and verify whether deployed versions are patched.
Sources: Max-severity flaw in ChromaDB for AI apps allows server hijacking
CISA warns ScadaBR 1.2.0 flaws can enable unauthenticated remote code execution in ICS environments
CISA published ICS advisory ICSA-26-139-03 for ScadaBR 1.2.0, detailing CVE-2026-8602, CVE-2026-8603, CVE-2026-8604, and CVE-2026-8605. The flaws include missing authentication, OS command injection, CSRF, and hard-coded credentials, and could allow unauthenticated attackers to inject sensor readings, gain admin access, or execute commands on the SCADA system. CISA said ScadaBR had not responded to mitigation requests. — ScadaBR is used in critical infrastructure sectors including energy, water, chemical, dams, and manufacturing, so these bugs present serious operational risk. Defenders should urgently identify exposed ScadaBR 1.2.0 systems and apply mitigations or isolate them, especially given the lack of a vendor response noted by CISA.
Sources: ScadaBR
Linux kernel CVE-2026-46333 lets local unprivileged users read root-only files
CVE-2026-46333 is a Linux kernel local information-disclosure flaw that can let unprivileged users read files normally restricted to root, including SSH keys and other sensitive credentials. The issue affects multiple LTS kernel lines from 5.10 upward, and a fix has landed upstream in commit 31e62c2 adjusting ptrace get_dumpable logic. — Multi-user Linux systems and servers running affected kernels may allow low-privilege users to access highly sensitive secrets and escalate further compromise. Defenders should identify affected kernel versions and apply the upstream fix or vendor updates promptly.
Sources: Linux kernel flaw opens root-only files to unprivileged users
Google Project Zero publishes Pixel 10 zero-click exploit chain combining Dolby bug CVE-2025-54957 with VPU kernel flaw
Google Project Zero disclosed a zero-click exploit chain for Pixel 10 that adapts the Dolby decoder vulnerability CVE-2025-54957 and chains it with a local privilege-escalation flaw in the Pixel 10 VPU driver. The writeup says unpatched devices with December 2025 security patch level or earlier are vulnerable, and the VPU mmap bug can expose physical memory and enable kernel code execution. — A published zero-click-to-root chain is high-impact because it lowers the bar for attackers and confirms severe exposure on unpatched Pixel 10 devices. Affected users and enterprise defenders should verify Android security patch levels and prioritize remediation.
Sources: A 0-click exploit chain for the Pixel 10: When a Door Closes, a Window Opens