> infrastructure security
for people who build things
Tracking vulnerabilities, supply chain attacks, and threat intelligence that matters to engineers running real infrastructure.
Palo Alto PAN-OS CVE-2026-0300: Unauthenticated Root RCE on Captive Portal Exploited in the Wild, No Patch Until May 13
An unauthenticated buffer overflow in the PAN-OS User-ID Authentication Portal hands attackers root on PA-Series and VM-Series firewalls. Limited exploitation is already underway; first patches arrive May 13.
Apache MINA Patches CVE-2026-42778 and CVE-2026-42779: Two Incomplete Fixes Land Back-to-Back as RCE
MINA 2.2.7 and 2.1.12 ship critical patches for two deserialization bypasses that each thread the needle through a previous incomplete fix — the third and fourth iterations of the same root bug stretching back to 2024.
Apache httpd CVE-2026-23918: HTTP/2 Double-Free Puts Millions of Servers at RCE Risk
Critical double-free in mod_http2's early-reset path lets remote attackers crash or take over Apache 2.4.66. Patch shipped May 4 in 2.4.67.
ShinyHunters Hits Instructure Again: 3.65TB, 275M Canvas Users, May 6 Ransom Deadline
ShinyHunters claims 3.65TB stolen from Instructure's Canvas platform — 275M users across ~9,000 institutions. Second hit in eight months. Ransom timer expires tomorrow.
MOVEit Automation Hit With CVSS 9.8 Auth Bypass: CVE-2026-4670 Grants Admin Without Credentials
Progress patches a 9.8-severity authentication bypass plus a 7.7 privilege escalation in MOVEit Automation; Airbus reported both, no in-the-wild exploitation yet but the MFT family's track record demands immediate patching.
Trellix Confirms Source Code Repository Breach: Security Vendor's Internal Code Accessed by Unknown Attackers
Trellix confirms unauthorized access to a portion of its internal source code repository, with forensic experts and law enforcement engaged. The blast radius for a security vendor going public with a code breach is its customer base — every defender running its EDR agents.
DEEP#DOOR: Python Backdoor Hides C2 Behind bore.pub Tunneling Service to Steal Cloud and Browser Credentials
Securonix details DEEP#DOOR, a Python backdoor that uses the public bore.pub TCP tunneling service for C2, disables Defender/SmartScreen via batch loader, and harvests browser-stored cloud credentials from compromised hosts.
Exim 4.99.2 Patches Four Mail Server Flaws: Heap Corruption via JSON Headers, DNS Poisoning, and SPA Auth Bugs
Exim 4.99.2 fixes four memory-safety bugs (CVE-2026-40684 through 40687) in the world's most-deployed MTA, including a JSON heap-write reachable from untrusted headers.
The OAuth Pivot: How SaaS-to-SaaS Trust Became the 2026 Supply Chain Attack
Salesloft Drift industrialized it. UNC6040 weaponized vishing into it. Vercel and Context.ai proved it pivots through Google Workspace. The pattern is the same: a third-party SaaS gets popped, the attacker inherits its OAuth grants, and your password reset does absolutely nothing.
Trellix Confirms Source Code Repository Breach as XDR Vendor Becomes the Target
Trellix has confirmed unauthorized access to a portion of its internal source code repository, putting one of the industry's largest XDR vendors in the unenviable position of being the breached defender.
SimpleHelp Trio Hits CISA KEV as DragonForce Ransomware Tears Through MSP Fleets
CISA dragged three SimpleHelp RMM bugs into the KEV catalog with a May 8 federal deadline after DragonForce operators chained them to push ransomware across MSP customer fleets in a single shot.
Windows Shell CVE-2026-32202: Incomplete APT28 Patch Reopens Zero-Click NTLM Coercion
Microsoft confirms in-the-wild exploitation of CVE-2026-32202, a zero-click Windows Shell flaw born from an incomplete patch of an APT28 zero-day. Browsing a folder with a malicious LNK leaks Net-NTLMv2 hashes.
Mini Shai-Hulud: SAP, Intercom, and PyTorch Lightning Hit by Bun-Based Stealer in 48-Hour TeamPCP Cascade
TeamPCP's Mini Shai-Hulud campaign poisoned SAP CAP, Intercom, and PyTorch Lightning packages on April 29-30 with a Bun-runtime credential stealer that scrapes secrets directly from CI runner memory.
Copy Fail (CVE-2026-31431): A 732-Byte Python Script Roots Every Major Linux Distro Since 2017
A nine-year-old logic bug in the kernel's algif_aead crypto interface lets an unprivileged user plant four bytes anywhere in the page cache — including inside a setuid binary's cached pages. Root in seconds, no on-disk artifacts, breaks containers.
LiteLLM CVE-2026-42208: Pre-Auth SQLi in the AI Gateway, Exploited 36 Hours After Disclosure
A pre-authentication SQL injection in LiteLLM's auth path (CVSS 9.3) lets an unauthenticated attacker read and modify the proxy database — including upstream OpenAI and Anthropic API keys. First exploitation hit 36 hours after the advisory.
cPanel & WHM CVE-2026-41940: Critical Auth Bypass Triggers Global Hosting Lockdown
An unauthenticated CRLF-injection auth bypass in cPanel & WHM (CVSS 9.8) sent every major hosting provider into emergency port-blocking mode within hours of disclosure. All supported release tracks are affected.
CVE-2026-3854: A Single Git Push Owned GitHub.com — and 88% of Enterprise Servers Were Still Vulnerable at Disclosure
Wiz disclosed a CVSS 8.7 RCE in GitHub's internal git push pipeline. Any authenticated user could execute arbitrary commands on backend servers with one git push. 88% of Enterprise Server instances were still unpatched on disclosure day.
CrowdStrike LogScale CVE-2026-40050: Unauthenticated Path Traversal Reads Arbitrary Server Files
A critical 9.8 CVSS path traversal in CrowdStrike's LogScale lets unauthenticated attackers read arbitrary files from self-hosted clusters. Patch to 1.235.1, 1.234.1, 1.233.1, or 1.228.2 LTS.
Entra Agent ID Administrator Role Could Hijack Any Service Principal — CVE-2026-35431
A built-in Entra ID role meant to manage AI agents could be used to take ownership of any service principal in the tenant — including Global Administrator-equivalent ones — and authenticate as it. Microsoft patched cloud-side on April 9; Silverfort published technical details April 27.
CrowdStrike LogScale CVE-2026-40050: Unauthenticated Path Traversal Reads Arbitrary Files (CVSS 9.8)
A critical unauthenticated path-traversal flaw (CVSS 9.8) in CrowdStrike LogScale Self-Hosted lets remote attackers read arbitrary server files via an exposed cluster API endpoint. SaaS already mitigated; on-prem operators must patch immediately.