Vulnerability
LiteSpeed cPanel Plugin CVE-2026-54420: A Symlink Trick That Escapes CageFS for Root
An actively-exploited symlink flaw in LiteSpeed's user-end cPanel plugin lets any tenant with FTP or web-shell access break out of CageFS and become root. CISA's federal patch deadline is today.
Gogs 0-Day: Argument Injection in Rebase Merging Gives Any User RCE — and There's No Patch
Rapid7 disclosed an unpatched CVSS 9.4 RCE in Gogs. A malicious branch name injects --exec into git rebase during 'Rebase before merging,' giving any registered user code execution on the server. No CVE, no fix — only config-level mitigations.
KnowledgeDeliver CVE-2026-5426: Shared ASP.NET Machine Key Burns Every Japanese LMS Tenant at Once
A hardcoded ASP.NET machineKey shipped in Digital Knowledge's KnowledgeDeliver LMS web.config gives any attacker who reads one tenant's config unauthenticated RCE on every other internet-facing instance. Mandiant tied active exploitation to BLUEBEAM web shells and Cobalt Strike beacons consistent with Chinese-speaking APTs.
Gitea CVE-2026-27771: Container Registry Hands Out Private Images Without Authentication, 30,000 Instances Exposed
A four-year-old flaw in Gitea's OCI container registry lets anyone on the internet pull images marked private. 30,000+ deployments are exposed, Forgejo inherits the bug, and the only real fix is upgrading to 1.26.2 or forcing sign-in for all content.
SEPPmail Secure Email Gateway: Seven Flaws Including CVSS 10.0 Path Traversal to RCE
InfoGuard Labs discloses seven vulnerabilities in SEPPmail Secure E-Mail Gateway, including a CVSS 10.0 path-traversal-to-RCE bug and an unauthenticated Perl eval injection — full appliance takeover and mail-traffic interception.
CloudNativePG CVE-2026-44477: Metrics Exporter Escalates Any DB User to Postgres Superuser and Host RCE
A residual session_user=postgres in CloudNativePG's metrics exporter lets any low-privileged database user RESET ROLE back to superuser and reach OS-level command execution via COPY TO PROGRAM. CVSS 9.4. Patched in 1.28.3 and 1.29.1.
Cisco Catalyst SD-WAN CVE-2026-20182: Second vdaemon Auth Bypass Lands in CISA KEV
Cisco patched a CVSS 10.0 auth bypass in Catalyst SD-WAN Controller's vdaemon service. UAT-8616 is already exploiting it. CISA added it to KEV May 15 with a May 17 deadline.
Exchange Server CVE-2026-42897: Unpatched OWA XSS Zero-Day Exploited via Crafted Email
Microsoft confirms in-the-wild exploitation of an unpatched XSS spoofing flaw in on-prem Exchange Server 2016, 2019, and Subscription Edition. Mitigation is automatic only if EEMS is enabled.
Outlook CVE-2026-40361: Zero-Click Word RCE Resurrects BadWinmail's Enterprise-Killer Class
A use-after-free in a shared Office DLL lets a malicious message fire RCE through the Outlook Reading Pane and Explorer Preview Pane. Microsoft rates exploitation 'more likely.'
Every Windows Endpoint is a Target: CVE-2026-41096 Heap Overflow in DNS Client Enables Remote Code Execution
CVE-2026-41096 is a CVSS 9.8 heap overflow in the Windows DNS Client. A single malicious DNS response can yield code execution on any Windows host — no auth, no user click, no document opened. The blast radius is every Windows endpoint that resolves a name.
cPanel Ships Second Emergency TSR in 10 Days: CVE-2026-29201, 29202, 29203 Patch RCE, Arbitrary File Read, DoS
cPanel released its second emergency Technical Security Release in 10 days on May 8, patching three new flaws — including a CVSS 8.8 Perl injection in create_user and a chmod-based privilege escalation — barely a week after the CVE-2026-41940 authentication-bypass meltdown.
Dirty Frag: Chained Linux Kernel Bugs Hand Out Root, One Half Still Unpatched
Dirty Frag chains an xfrm-ESP page-cache write (CVE-2026-43284) with an unpatched RxRPC page-cache write (CVE-2026-43500) for reliable root on most Linux distros. Embargo blew up early — public PoC is out, RxRPC fix is not.
Apache MINA Patches CVE-2026-42778 and CVE-2026-42779: Two Incomplete Fixes Land Back-to-Back as RCE
MINA 2.2.7 and 2.1.12 ship critical patches for two deserialization bypasses that each thread the needle through a previous incomplete fix — the third and fourth iterations of the same root bug stretching back to 2024.
MOVEit Automation Hit With CVSS 9.8 Auth Bypass: CVE-2026-4670 Grants Admin Without Credentials
Progress patches a 9.8-severity authentication bypass plus a 7.7 privilege escalation in MOVEit Automation; Airbus reported both, no in-the-wild exploitation yet but the MFT family's track record demands immediate patching.
CrowdStrike LogScale CVE-2026-40050: Unauthenticated Path Traversal Reads Arbitrary Server Files
A critical 9.8 CVSS path traversal in CrowdStrike's LogScale lets unauthenticated attackers read arbitrary files from self-hosted clusters. Patch to 1.235.1, 1.234.1, 1.233.1, or 1.228.2 LTS.
CrowdStrike LogScale CVE-2026-40050: Unauthenticated Path Traversal Reads Arbitrary Files (CVSS 9.8)
A critical unauthenticated path-traversal flaw (CVSS 9.8) in CrowdStrike LogScale Self-Hosted lets remote attackers read arbitrary server files via an exposed cluster API endpoint. SaaS already mitigated; on-prem operators must patch immediately.
PhantomRPC: Five Endpoint-Spoofing Paths to SYSTEM on Every Windows Build, No Patch Coming
Kaspersky disclosed PhantomRPC at Black Hat Asia 2026 — an architectural flaw in rpcrt4.dll that lets a low-priv process register a rogue RPC endpoint and hijack SYSTEM-level callers. Microsoft declined to patch.
Clerk CVE-2026-41248: createRouteMatcher Bypass Skips Middleware Gating Across Next.js, Nuxt, and Astro
Crafted requests slip past createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro, bypassing middleware-level route protection. Patches landed across three major version branches per SDK on April 24.
ASP.NET Core CVE-2026-40372: Signature-Bypass in DataProtection Forges Auth Cookies, Patching Alone Doesn't Close the Door
Microsoft's out-of-band patch fixes a CVSS 9.1 signature-verification bug in ASP.NET Core DataProtection that lets unauthenticated attackers forge cookies and decrypt protected payloads. Tokens minted during the exposure window stay valid after upgrade — you have to rotate the key ring.
Composer Command Injection (CVE-2026-40261, CVE-2026-40176): Any Malicious Repository Can Execute Code on Your Build Machines
Two high-severity command injection flaws in PHP's Composer package manager allow arbitrary command execution via malicious repository metadata — no Perforce installation required for the worst one.