Vulnerabilities
NGINX Rift: 18-Year-Old Rewrite Module Heap Overflow Hits Unauthenticated RCE With Public PoC
CVE-2026-42945 is a CVSS 9.2 heap buffer overflow in ngx_http_rewrite_module that has lived in NGINX since 2008. A working unauthenticated RCE PoC is public; reachability hinges on a specific rewrite-directive pattern most prod configs actually contain.
Windows Netlogon CVE-2026-41089: Unauthenticated RCE on Every Domain Controller
May Patch Tuesday's marquee bug is a stack-based buffer overflow in MS-NRPC that hands SYSTEM on any domain controller reachable over the network. Patch DCs first, before anything else.
Apache CloudStack CVE-2026-25077: Malicious Template Lands Code Execution on KVM Hosts
Apache CloudStack 4.20.3.0 and 4.22.0.1 ship fixes for seven flaws — the headliner lets any account user execute arbitrary code on KVM hypervisor hosts via a malicious template name.
Ivanti EPMM CVE-2026-6973 Hits CISA KEV as Federal Patch Deadline Passes
Ivanti confirms in-the-wild exploitation of CVE-2026-6973, an authenticated-admin RCE in Endpoint Manager Mobile. CISA gave federal agencies until May 10 to patch — that window has now closed.
Sentry CVE-2026-42354: Incomplete Fix Reopens SAML SSO Account Takeover
Sentry self-hosted is vulnerable again to cross-organization SAML account takeover, three months after CVE-2026-27197 was supposedly patched. Upgrade to 26.4.1.
Palo Alto PAN-OS CVE-2026-0300: Unauthenticated Root RCE on Captive Portal Under Active Exploitation
Palo Alto Networks PAN-OS User-ID Authentication Portal has an unauthenticated buffer overflow yielding root RCE on PA-Series and VM-Series firewalls. CVSS 9.3, in CISA KEV, federal patch deadline May 9, 2026.
Palo Alto PAN-OS CVE-2026-0300: Unauth Root RCE in Captive Portal Exploited as Zero-Day, CISA KEV Deadline May 9
Palo Alto PAN-OS captive portal buffer overflow (CVSS 9.3) under active exploitation gives unauthenticated attackers root on PA- and VM-Series firewalls. Patches don't ship until May 13 — mitigations only.
Apache httpd CVE-2026-23918: HTTP/2 Double-Free Puts Millions of Servers at RCE Risk
Critical double-free in mod_http2's early-reset path lets remote attackers crash or take over Apache 2.4.66. Patch shipped May 4 in 2.4.67.
Exim 4.99.2 Patches Four Mail Server Flaws: Heap Corruption via JSON Headers, DNS Poisoning, and SPA Auth Bugs
Exim 4.99.2 fixes four memory-safety bugs (CVE-2026-40684 through 40687) in the world's most-deployed MTA, including a JSON heap-write reachable from untrusted headers.
SimpleHelp Trio Hits CISA KEV as DragonForce Ransomware Tears Through MSP Fleets
CISA dragged three SimpleHelp RMM bugs into the KEV catalog with a May 8 federal deadline after DragonForce operators chained them to push ransomware across MSP customer fleets in a single shot.
Windows Shell CVE-2026-32202: Incomplete APT28 Patch Reopens Zero-Click NTLM Coercion
Microsoft confirms in-the-wild exploitation of CVE-2026-32202, a zero-click Windows Shell flaw born from an incomplete patch of an APT28 zero-day. Browsing a folder with a malicious LNK leaks Net-NTLMv2 hashes.
Copy Fail (CVE-2026-31431): A 732-Byte Python Script Roots Every Major Linux Distro Since 2017
A nine-year-old logic bug in the kernel's algif_aead crypto interface lets an unprivileged user plant four bytes anywhere in the page cache — including inside a setuid binary's cached pages. Root in seconds, no on-disk artifacts, breaks containers.
LiteLLM CVE-2026-42208: Pre-Auth SQLi in the AI Gateway, Exploited 36 Hours After Disclosure
A pre-authentication SQL injection in LiteLLM's auth path (CVSS 9.3) lets an unauthenticated attacker read and modify the proxy database — including upstream OpenAI and Anthropic API keys. First exploitation hit 36 hours after the advisory.
cPanel & WHM CVE-2026-41940: Critical Auth Bypass Triggers Global Hosting Lockdown
An unauthenticated CRLF-injection auth bypass in cPanel & WHM (CVSS 9.8) sent every major hosting provider into emergency port-blocking mode within hours of disclosure. All supported release tracks are affected.
CVE-2026-3854: A Single Git Push Owned GitHub.com — and 88% of Enterprise Servers Were Still Vulnerable at Disclosure
Wiz disclosed a CVSS 8.7 RCE in GitHub's internal git push pipeline. Any authenticated user could execute arbitrary commands on backend servers with one git push. 88% of Enterprise Server instances were still unpatched on disclosure day.
LMDeploy CVE-2026-33626: SSRF in LLM Inference Server Exploited 12 Hours After Disclosure, Honeypot Sees AWS IMDS Theft
A 7.5-severity SSRF in Shanghai AI Lab's LMDeploy LLM serving toolkit was hit in the wild within 12h31m of the GitHub advisory. Sysdig's honeypot caught an attacker using the vision-language image loader to scrape AWS instance metadata, then pivot to internal Redis and MySQL.
LMDeploy SSRF (CVE-2026-33626) Weaponized in 12 Hours to Loot GPU IAM Credentials
A Server-Side Request Forgery in LMDeploy's vision-language image loader turned LLM inference nodes into SSRF primitives for cloud metadata theft — exploited 12 hours and 31 minutes after disclosure.
Spinnaker Dual 10.0s: Echo SpEL and Clouddriver gitrepo RCE Gut Netflix's CD Platform (CVE-2026-32604, CVE-2026-32613)
Two critical (CVSS 10.0) RCE bugs in Spinnaker, disclosed April 21, 2026 with working PoCs: SpEL expression injection in Echo and shell injection in Clouddriver gitrepo artifacts. Any authenticated user pops the CD plane and walks out with every stored cloud credential.
Quest KACE SMA CVE-2025-32975: CVSS 10.0 SSO Auth Bypass Added to CISA KEV as Admin Takeover Campaign Continues
CISA added CVE-2025-32975 — a CVSS 10.0 SSO authentication bypass in Quest KACE Systems Management Appliance — to the KEV catalog on April 20, 2026. Federal agencies must patch by May 4. Exploitation has been in progress since March.
Cisco Catalyst SD-WAN Manager: Three CVEs Land on CISA KEV With April 28 Federal Deadline
CISA added CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133 in Cisco Catalyst SD-WAN Manager (vManage) to the KEV catalog on April 20, 2026. Two of the three were confirmed exploited in the wild by Cisco PSIRT in March; together they let an attacker move from low-privilege API access to full vManage takeover.
RedSun and UnDefend: Two More Defender Zero-Days Dropped, All Three Now Exploited in the Wild
The same disgruntled researcher who dropped BlueHammer has now released RedSun and UnDefend. Huntress confirms all three Windows Defender zero-days are now being weaponized in hands-on-keyboard intrusions. Two remain unpatched.
Kyverno apiCall Service Helper Leaks ServiceAccount Token to Attacker-Controlled Endpoints (CVE-2026-40868)
A high-severity flaw in Kyverno's apiCall servicecall helper implicitly attaches the controller's ServiceAccount bearer token to policy-controlled outbound URLs, letting any ClusterPolicy author exfiltrate the token and impersonate the Kyverno controller.
CISA Adds Apache ActiveMQ CVE-2026-34197 to KEV as 13-Year-Old Jolokia RCE Sees Active Exploitation
CISA added CVE-2026-34197 to the KEV catalog today with an April 30 patch deadline. The 13-year-old Jolokia MBean flaw yields RCE on the broker JVM and is unauthenticated on ActiveMQ 6.0.0–6.1.1 when chained with CVE-2024-32114.
Two Critical FortiSandbox Flaws Let Unauthenticated Attackers Execute Commands and Bypass Auth
Fortinet discloses CVE-2026-39808 and CVE-2026-39813 — two CVSS 9.1 flaws in FortiSandbox allowing unauthenticated command execution and authentication bypass via crafted HTTP requests.
CVE-2026-21643: Pre-Auth SQL Injection in FortiClient EMS 7.4.4 Under Active Exploitation — CISA Deadline Tomorrow
Critical pre-authentication SQL injection in Fortinet FortiClient EMS 7.4.4 is being actively exploited. CISA KEV remediation deadline is April 16, 2026.
Microsoft April 2026 Patch Tuesday Fixes 167 Flaws Including Actively Exploited SharePoint Zero-Day
Microsoft's second-largest Patch Tuesday ever addresses 167 vulnerabilities, including an actively exploited SharePoint XSS flaw and a critical CVSS 9.8 Windows IKE remote code execution bug.
Red Hat OpenShift AI Dashboard Leaks Kubernetes Service Account Tokens (CVE-2026-5483)
A high-severity flaw in Red Hat OpenShift AI's odh-dashboard exposes Kubernetes Service Account tokens via a NodeJS endpoint, enabling unauthorized cluster access.
Marimo CVE-2026-39987: Pre-Auth RCE Exploited Within 10 Hours of Disclosure
A missing authentication check on Marimo's terminal WebSocket endpoint (CVE-2026-39987, CVSS 9.3) gave attackers a root shell with no credentials required — and they were actively exploiting it less than 10 hours after the advisory dropped.
Chrome 147 Patches 60 Security Flaws Including Two Critical WebML RCE Bugs
Google ships Chrome 147.0.7727.55 with fixes for 60 vulnerabilities—two critical heap buffer overflow and integer overflow flaws in the WebML component enable remote code execution via crafted HTML pages.
CVE-2026-39860: Nix Package Manager Symlink Bug Gives Any User Root on Multi-User Installs
A critical symlink-following flaw in the Nix daemon lets unprivileged users overwrite arbitrary files as root during fixed-output derivation builds.
CVE-2026-32922: OpenClaw Privilege Escalation Lets Any Paired Device Achieve Full RCE
A missing scope validation in OpenClaw's device.token.rotate endpoint lets any device with operator.pairing scope mint admin tokens and execute arbitrary code on connected nodes.
CISA Adds Ivanti EPMM Zero-Days to KEV as Mass Exploitation Ramps Up
CISA adds CVE-2026-1340 to the Known Exploited Vulnerabilities catalog as attackers chain two Ivanti EPMM zero-days for unauthenticated RCE against mobile device management infrastructure.
BlueHammer: Unpatched Windows Defender Zero-Day Turns Definition Updates Into SYSTEM Shells
A disgruntled researcher leaked BlueHammer, a Windows Defender LPE zero-day that chains TOCTOU race conditions with Cloud Files oplocks to dump SAM hives and escalate to SYSTEM. No patch available.
Docker AuthZ Bypass Returns: CVE-2026-34040 Lets Attackers Create Privileged Containers With a Single Padded Request
An incomplete fix for a 2024 Docker AuthZ bypass has resurfaced as CVE-2026-34040, allowing unauthenticated container creation with host filesystem access via oversized HTTP requests.
Flowise AI Under Active Exploitation: CVSS 10.0 RCE via CustomMCP Node Hits 12,000+ Exposed Instances
Critical unauthenticated RCE in Flowise AI's CustomMCP node (CVE-2025-59528, CVSS 10.0) is under active exploitation. Over 12,000 instances are exposed. Patch to 3.0.6 immediately.
CVE-2026-23442: Remote Kernel Panic via SRv6 NULL Pointer Dereference Threatens IPv6 Infrastructure
A CVSS 8.2 flaw in the Linux kernel's SRv6 implementation lets remote attackers crash systems with crafted IPv6 packets. Patches are out—update now.
CVE-2026-34612: Kestra SQL Injection Chains to Host RCE via PostgreSQL COPY TO PROGRAM
Critical CVSS 9.9 flaw in Kestra orchestration platform lets authenticated attackers chain SQL injection through PostgreSQL COPY TO PROGRAM for arbitrary command execution on the Docker host.
CVE-2026-32211: Azure MCP Server Ships with No Auth — Your DevOps Secrets Are One Request Away
Critical CVSS 9.1 flaw in Azure MCP Server has zero authentication on critical functions, exposing API keys, tokens, repos, and pipeline configs to unauthenticated attackers. No patch available.
Ubiquiti UniFi Network Application Hit With CVSS 10 Path Traversal — Unauthenticated Account Takeover Possible
CVE-2026-22557 is a maximum-severity path traversal in Ubiquiti UniFi Network Application that enables unauthenticated full account takeover. Chain it with CVE-2026-22558 for admin escalation. Patch to 10.1.89 immediately.
CVE-2026-4681: CVSS 10.0 Deserialization RCE in PTC Windchill Has German Police Knocking on Doors
A maximum-severity deserialization flaw in PTC Windchill and FlexPLM (CVE-2026-4681, CVSS 10.0) prompted German federal police to physically visit companies and wake up sysadmins. No patch yet. Here's what you need to know.
CVE-2026-33032: Nginx UI MCP Endpoint Lets Anyone Hijack Your Web Server — No Auth Required
Critical 9.8 CVSS flaw in Nginx UI exposes unauthenticated MCP endpoint. Public PoC available, no patch yet. Disable or firewall Nginx UI immediately.
FortiClient EMS Zero-Day Under Active Exploitation — Emergency Hotfixes Released (CVE-2026-35616)
Critical API authentication bypass in FortiClient EMS 7.4.5–7.4.6 is being exploited in the wild. CVSS 9.1. Hotfixes available now.
Ni8mare: CVSS 10.0 Unauthenticated RCE in n8n Workflow Automation (CVE-2026-21858)
A CVSS 10.0 content-type confusion bug in n8n's webhook handler lets unauthenticated attackers read arbitrary files, steal credentials, forge admin sessions, and achieve full RCE. Patch to 1.121.0 immediately.
Progress ShareFile Pre-Auth RCE Chain: CVE-2026-2699 and CVE-2026-2701 Give Attackers Full Server Takeover
Two critical Progress ShareFile flaws chain into a pre-authentication RCE — with ~30,000 Storage Zone Controllers exposed and a public POC now available.
CVE-2026-33186: gRPC-Go Auth Bypass Lets Attackers Skip Deny Rules With a Missing Slash
A critical CVSS 9.1 flaw in gRPC-Go lets unauthenticated attackers bypass path-based authorization by omitting the leading slash from HTTP/2 :path headers.
Langflow's 'Patched' Version Is Still Exploitable — CVE-2026-33017 Deadline Hits April 8
JFrog confirms Langflow 1.8.2 remains vulnerable to CVE-2026-33017 unauthenticated RCE despite being widely reported as fixed. CISA KEV deadline is April 8.
Cisco Patches Two 9.8 CVSS Flaws in IMC and Smart Software Manager — No Workarounds Available
Critical authentication bypass in Cisco IMC (CVE-2026-20093) and unauthenticated root RCE in SSM On-Prem (CVE-2026-20160) both score CVSS 9.8. Patch immediately — no workarounds exist.
CVE-2026-33105: Azure Kubernetes Service RBAC Bypass Scores Perfect 10.0 CVSS
Critical AKS vulnerability allows privilege escalation to cluster admin via RBAC bypass. CVSS 10.0. Patch now.
React2Shell Under Mass Exploitation: 766+ Next.js Hosts Breached in Credential Harvesting Campaign
Threat actor UAT-10608 is mass-exploiting CVE-2025-55182 (React2Shell) to breach Next.js deployments and harvest cloud credentials, SSH keys, and API tokens at scale.
15-Year-Old strongSwan Integer Underflow Lets Unauthenticated Attackers Crash VPN Gateways
CVE-2026-25075 is an integer underflow in strongSwan's EAP-TTLS AVP parser that lets remote, unauthenticated attackers crash the charon IKE daemon — affecting every version since 4.5.0.
CVE-2026-1579: Critical PX4 Autopilot Flaw Gives Attackers Full Drone Control via MAVLink
CISA advisory for CVE-2026-1579 reveals a CVSS 9.8 authentication bypass in PX4 Autopilot that lets unauthenticated attackers gain shell access to drones over MAVLink.
Oracle Identity Manager Pre-Auth RCE: CVE-2026-21992 Emergency Patch
Oracle issued an out-of-band emergency fix for CVE-2026-21992, a CVSS 9.8 unauthenticated RCE in Oracle Identity Manager's REST WebServices component affecting versions 12.2.1.4.0 and 14.1.2.1.0.
CVE-2026-0625: Unauthenticated RCE via DNS Config Endpoint Hits Millions of End-of-Life D-Link Routers
A critical command injection flaw in the dnscfg.cgi endpoint of legacy D-Link DSL, DIR, and DNS devices enables unauthenticated RCE — with no patches coming and active exploitation dating back to November 2025.
F5 BIG-IP APM Flaw Silently Upgraded from DoS to RCE — Now Actively Exploited
A five-month-old F5 BIG-IP APM bug just got reclassified from denial-of-service to pre-auth RCE. Attackers didn't wait for the memo.
Chrome Zero-Day CVE-2026-5281: WebGPU Use-After-Free Under Active Exploitation
Google patches fourth Chrome zero-day of 2026 — a use-after-free in the Dawn WebGPU implementation that enables arbitrary code execution via crafted HTML pages.
CVE-2026-20127: Cisco SD-WAN Zero-Day Exploited for Three Years Before Disclosure
UAT-8616 abused a CVSS 10.0 auth bypass in Cisco Catalyst SD-WAN Controller and Manager since 2023, inserting rogue control-plane peers and escalating to root via a deliberate version-downgrade chain. Cisco disclosed in late February.
CVE-2026-3055: NetScaler SAML IDP Memory Overread Is Under Active Recon — Patch Before April 2
Attackers are actively probing Citrix NetScaler ADC/Gateway for CVE-2026-3055, a CVSS 9.3 memory overread that can leak session tokens from SAML IDP-configured appliances. CISA deadline is April 2.
Cisco FMC Zero-Day Exploited by Interlock Ransomware for 36 Days Before Disclosure
CVE-2026-20131 scores a perfect CVSS 10.0. Interlock ransomware had 36 days of free rein before Cisco went public.
CrackArmor: Nine AppArmor Flaws Enable Container Escape on Debian, Ubuntu, and SUSE
Every Kubernetes node running these distros is potentially exposed. Root escalation from within containers confirmed.