Vulnerabilities
Cisco Unified CM CVE-2026-20230: Public PoC Turns an SSRF Into Root
An unauthenticated SSRF in Cisco Unified Communications Manager (CVE-2026-20230) lets attackers write files to the OS and climb to root. PoC code is public, the 15-train fix is months out, and there's no workaround beyond disabling WebDialer.
CVE-2026-50751: Check Point VPN Auth Bypass Exploited by Qilin — IKEv1 Sessions Without a Password
Check Point confirmed active exploitation of CVE-2026-50751, a CVSS 9.3 authentication bypass in Remote Access VPN and Mobile Access deployments running deprecated IKEv1. Attackers establish VPN sessions without a valid password; one case is tied to a Qilin ransomware affiliate. Earliest exploitation traces to May 7.
An AI Agent Found 21 Zero-Days in FFmpeg for $1,000 — and Your Container Images Are in Scope
depthfirst's autonomous agent found 21 zero-days in FFmpeg for about $1,000, including a 23-year-old stack overflow. Nine carry CVEs (CVE-2026-39210 through CVE-2026-39218). FFmpeg is bundled everywhere — patch upstream and your embedded copies.
SolarWinds Serv-U DoS Flaw CVE-2026-28318 Hits CISA KEV as Attackers Crash File Transfer Servers
CISA added SolarWinds Serv-U CVE-2026-28318 to its KEV catalog after attackers began crashing file transfer servers with a single unauthenticated deflate-encoded POST. Patch to 15.5.4 HF1.
Cisco Catalyst SD-WAN Manager CVE-2026-20245: Root Command Execution, No Patch Yet
Cisco's seventh SD-WAN zero-day of 2026. CVE-2026-20245 lets a netadmin upload a crafted file and execute commands as root on SD-WAN Manager. Exploited in the wild, no fix at disclosure.
Mirasvit Cache Warmer CVE-2026-45247: One Cookie Pops Any Magento Store, No Auth Required
CISA added CVE-2026-45247 to KEV after Imperva confirmed active exploitation. A single crafted CacheWarmer cookie gives unauthenticated RCE on Magento and Adobe Commerce stores running Mirasvit Full Page Cache Warmer below 1.11.12.
Redis CVE-2026-23479: AI-Discovered Use-After-Free Yields RCE on a Database That's Everywhere
An authenticated use-after-free in Redis's blocking-client path (CVE-2026-23479, CVSS 8.8) gives a low-privilege user OS command execution on the host. It sat unnoticed for over two years and was found by an autonomous AI bug-hunting tool.
HTTP/2 Bomb: One Cheap Client Pins 32GB on NGINX, Apache, IIS, Envoy and Cloudflare
A new HPACK-plus-flow-control DoS lets a home broadband connection hold 32GB of server memory in ~20 seconds. Affects the default HTTP/2 config of every major web server and proxy. NGINX and Apache have fixes; IIS, Envoy and Cloudflare Pingora do not yet.
Android Framework Zero-Day CVE-2025-48595: Silent Privilege Escalation Under Active Attack
CVE-2025-48595 is a high-severity integer overflow in the Android Framework that escalates privilege with no user interaction and no special permissions. Google confirms limited, targeted exploitation; CISA added it to KEV on June 2 with a June 5 federal deadline. Affects Android 14, 15, 16, and 16 QPR2.
DirtyDecrypt (CVE-2026-31635): Public PoC Roots Fedora, Arch, and openSUSE via the Kernel's RxGK Path
A released proof-of-concept weaponizes CVE-2026-31635, a missing copy-on-write guard in the Linux kernel's RxGK receive path, for local root on Fedora, Arch, and openSUSE Tumbleweed — and pod escape on affected worker nodes.
Oracle WebLogic CVE-2024-21182 Hits CISA KEV: Two-Year-Old T3 Bug Now Under Active Exploitation
CISA added the unauthenticated Oracle WebLogic T3/IIOP flaw CVE-2024-21182 to its Known Exploited Vulnerabilities catalog on June 1. The patch has shipped for two years — this is a story about exposed, unpatched middleware.
CVE-2026-0257: Palo Alto GlobalProtect Auth Bypass Now Exploited — Unauthorized VPN Access Into Your Network
Palo Alto confirmed active exploitation of CVE-2026-0257, a CVSS 7.8 GlobalProtect authentication bypass that lets attackers establish unauthorized VPN sessions into the internal network. Rapid7 traced exploitation back to May 17. CISA KEV deadline is June 1.
BadHost (CVE-2026-48710): A Forged Host Header Walks Past Auth in Every Starlette App
BadHost (CVE-2026-48710) is a Host-header authentication bypass in Starlette before 1.0.1. One malformed header makes request.url.path lie to your middleware — unlocking protected routes on FastAPI, vLLM, LiteLLM, and MCP servers without credentials.
SharePoint CVE-2026-45659: Site Member Permissions Are Enough to Pop the Farm
Microsoft patched CVE-2026-45659, an 8.8-severity SharePoint deserialization RCE that only requires Site Member permissions — the lowest tier any authenticated user can have.
7-Zip CVE-2026-48095: NTFS Parser Heap Overflow Lets Any Double-Clicked Archive Hijack a vtable
A signed-shift bug in 7-Zip's NTFS handler under-allocates a 1-byte buffer, then writes up to 256 MB of attacker-controlled data straight through the adjacent stream object's vtable pointer. Patched in 26.01.
Ghost CMS CVE-2026-26980: Unauthenticated SQL Injection Powers a 700-Site ClickFix Campaign
CVE-2026-26980 is a CVSS 9.4 unauthenticated SQL injection in Ghost's Content API. A patch shipped in February; attackers have since industrialized it into an automated campaign that has hijacked 700+ sites — including Harvard, Oxford, and DuckDuckGo — to serve ClickFix malware.
LiteSpeed cPanel Plugin CVE-2026-48172: Any User Can Run Scripts as Root
A CVSS 10.0 flaw in the LiteSpeed User-End cPanel Plugin lets any logged-in cPanel user execute scripts as root. It is being exploited in the wild — patch or uninstall now.
Trend Micro Apex One CVE-2026-34926: Directory Traversal Turns the EDR Server Into a Malware Dropper
A directory traversal flaw in on-premises Trend Micro Apex One lets an attacker who already holds server admin access poison the agent build and push malicious code to every managed endpoint. CISA added it to KEV after confirmed in-the-wild exploitation.
Cisco Secure Workload CVE-2026-20223: Unauthenticated API Flaw Hands Over Site Admin
A CVSS 10.0 flaw in Cisco Secure Workload lets unauthenticated attackers reach internal REST APIs with Site Admin privileges across tenant boundaries. No workarounds — patch now.
Two More Defender Zero-Days in the Wild: CVE-2026-41091 Link-Resolution Bug Lands SYSTEM, Added to CISA KEV
Microsoft confirms two Defender flaws — an LPE to SYSTEM and a DoS — are publicly disclosed and exploited in the wild. A third RCE ships in the same engine update. CISA gives federal agencies until June 3.