cybercrime.club_ // where builders track threats
  • vulnerabilities 2026-06-13

    Proto6: Six protobuf.js Flaws Turn Trusted Schemas Into RCE and DoS Across gRPC, Cloud, and AI Stacks

    Cyera's Proto6 research discloses six CVEs in protobuf.js, including a prototype-pollution-to-RCE chain, in a library pulled 50M+ times a week across gRPC, Google Cloud SDKs, vector databases, and CI/CD.

    supply-chain, rce, nodejs, grpc, ci-cd
  • supply-chain 2026-06-12

    400+ AUR Packages Compromised: atomic-lockfile npm Payload Drops Credential Stealer With eBPF Rootkit

    Over 400 Arch User Repository packages were modified to pull a malicious npm package that deploys a developer-focused credential stealer with optional root-only eBPF rootkit capabilities.

    supply-chain, npm, ebpf, rootkit, infostealer, linux
  • policy 2026-06-12

    CISA Kills the Flat KEV Deadline: BOD 26-04 Starts a Three-Day Patch Clock

    BOD 26-04 revokes BOD 22-01 and 19-02, replacing flat KEV due dates with risk-tiered deadlines: three days plus mandatory forensic triage for internet-facing, automatable, total-control flaws.

    cisa, vulnerability-management
  • vulnerabilities 2026-06-11

    Oracle Ships Out-of-Band Fix for PeopleSoft Zero-Day CVE-2026-35273 as ShinyHunters Loots 100+ Orgs

    Oracle pushed an emergency alert for CVE-2026-35273, an unauthenticated CVSS 9.8 RCE in PeopleSoft PeopleTools. Mandiant confirms in-the-wild exploitation, and ShinyHunters claims data theft from 100+ organizations including the University of Nottingham.

    oracle, rce, zero-day, shinyhunters, extortion
  • vulnerabilities 2026-06-09

    Microsoft's June Patch Tuesday Is Its Biggest Ever: 200 Flaws, 33 Critical, Three Public Zero-Days

    Microsoft's largest Patch Tuesday on record fixes 200 vulnerabilities including HTTP.sys and Kerberos KDC RCEs, three Hyper-V escapes, and the HTTP/2 Bomb and YellowKey BitLocker zero-days.

    microsoft, patch-tuesday, zero-day, http2, active-directory
  • vulnerabilities 2026-06-09

    Cisco Unified CM CVE-2026-20230: Public PoC Turns an SSRF Into Root

    An unauthenticated SSRF in Cisco Unified Communications Manager (CVE-2026-20230) lets attackers write files to the OS and climb to root. PoC code is public, the 15-train fix is months out, and there's no workaround beyond disabling WebDialer.

    cisco, ssrf, privilege-escalation
  • vulnerabilities 2026-06-08 Critical

    CVE-2026-50751: Check Point VPN Auth Bypass Exploited by Qilin — IKEv1 Sessions Without a Password

    Check Point confirmed active exploitation of CVE-2026-50751, a CVSS 9.3 authentication bypass in Remote Access VPN and Mobile Access deployments running deprecated IKEv1. Attackers establish VPN sessions without a valid password; one case is tied to a Qilin ransomware affiliate. Earliest exploitation traces to May 7.

    vpn, authentication-bypass, ransomware
  • vulnerabilities 2026-06-08

    An AI Agent Found 21 Zero-Days in FFmpeg for $1,000 — and Your Container Images Are in Scope

    depthfirst's autonomous agent found 21 zero-days in FFmpeg for about $1,000, including a 23-year-old stack overflow. Nine carry CVEs (CVE-2026-39210 through CVE-2026-39218). FFmpeg is bundled everywhere — patch upstream and your embedded copies.

    ai-security, zero-day, supply-chain
  • threats 2026-06-07

    CISA and the FBI Warn: Internet-Exposed Fuel Tank Gauges Are Under Active Attack

    A June 2 joint advisory from CISA, the FBI, the NSA and five other agencies says attackers are compromising internet-exposed automatic tank gauge systems and modifying them through command execution. Shadowserver counts over 1,000 exposed, 909 in the US — on the same TCP port these consoles have answered on for a decade.

    ics, ot, critical-infrastructure, cisa, fbi, iran
  • supply-chain 2026-06-07

    Claude Code's GitHub Action: One Malicious Issue Could Hijack Any Public Repo

    A permission bypass chained with prompt injection in Anthropic's Claude Code GitHub Action let a single crafted issue make the agent leak CI secrets and OIDC request tokens — a clean path to poisoning the action's own supply chain. Patched in v1.0.94.

    supply-chain, github-actions, ci-cd, ai-security
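    The item above describes a chain that only works because the agent job holds more than it needs: an issue anyone can open triggers it, repository secrets are in its environment, and `id-token: write` exposes the OIDC request token. The two workflow fragments below are an added illustration of that failure mode and its hardening, written for this page; they are not the Claude Code action's own configuration or Anthropic's recommended setup. `example/agent-action` is a placeholder name and `<commit-sha>` stands in for a real pinned commit.

```yaml
# --- WEAK: any issue author drives an over-privileged agent job (constructed example) ---
name: agent-weak
on:
  issues:
    types: [opened]                    # triggered by untrusted input from any account
permissions:
  contents: write
  pull-requests: write
  id-token: write                      # exposes ACTIONS_ID_TOKEN_REQUEST_TOKEN to the job
jobs:
  agent:
    runs-on: ubuntu-latest
    steps:
      - uses: example/agent-action@v1  # placeholder; mutable tag, not a pinned commit
        env:
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}   # secret the injected prompt can read

# --- HARDENED: gate the trigger, shrink permissions, pin the action (constructed example) ---
name: agent-hardened
on:
  issues:
    types: [opened]
permissions:
  contents: read                       # nothing else; no id-token means no OIDC request token
jobs:
  agent:
    # only accounts with an established relationship to the repo may start the agent
    if: contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association)
    runs-on: ubuntu-latest
    steps:
      - uses: example/agent-action@<commit-sha>   # placeholder; pin to a full commit SHA you reviewed
        # no deployment secrets in env: the agent gets only GITHUB_TOKEN with the permissions above
```

    The `author_association` gate and the pinned SHA stop a stranger's issue from reaching the agent with a mutable action version, and dropping `id-token: write` removes the OIDC request token from the job entirely; write access and deployment credentials should live in a separate, human-approved job. Upgrade to v1.0.94 or later regardless, since the gate does not fix the bypass itself.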
  • deep dive 2026-06-07 13 min read

    Anatomy of the Interlock Campaign: How a ClickFix Gang Learned to Burn Firewall Zero-Days

    For a year, the surest way to get hit by Interlock was to paste a command into your own Run dialog. On January 26, 2026, the group stopped waiting for users to make mistakes and started exploiting a pre-auth, root-level Cisco firewall zero-day instead. The same crew now runs both ends of the sophistication ladder — and that should change how you model initial access.

    ransomware, cisco, network-appliance, deserialization, clickfix, zero-day, cisa-kev
  • vulnerabilities 2026-06-06

    SolarWinds Serv-U DoS Flaw CVE-2026-28318 Hits CISA KEV as Attackers Crash File Transfer Servers

    CISA added SolarWinds Serv-U CVE-2026-28318 to its KEV catalog after attackers began crashing file transfer servers with a single unauthenticated deflate-encoded POST. Patch to 15.5.4 HF1.

    cisa-kev
  • vulnerabilities 2026-06-06

    Cisco Catalyst SD-WAN Manager CVE-2026-20245: Root Command Execution, No Patch Yet

    Cisco's seventh SD-WAN zero-day of 2026. CVE-2026-20245 lets a netadmin upload a crafted file and execute commands as root on SD-WAN Manager. Exploited in the wild, no fix at disclosure.

    cisco, sd-wan, zero-day, active-exploitation, command-injection
  • vulnerabilities 2026-06-06

    Mirasvit Cache Warmer CVE-2026-45247: One Cookie Pops Any Magento Store, No Auth Required

    CISA added CVE-2026-45247 to KEV after Imperva confirmed active exploitation. A single crafted CacheWarmer cookie gives unauthenticated RCE on Magento and Adobe Commerce stores running Mirasvit Full Page Cache Warmer below 1.11.12.

    deserialization, rce, cisa-kev
  • threat-intel 2026-06-05

    Sophos Finds an AI-Orchestrated Lab That Auto-Builds EDR-Evasion Payloads for an Active Ransomware Crew

    Sophos X-Ops recovered a post-exploitation framework where AI agents read public research, mapped it to MITRE ATT&CK, and generated ~80 Rust and Go payloads tested against Sophos, CrowdStrike, and Microsoft EDR.

    ransomware, edr-evasion, cobalt-strike
  • supply-chain 2026-06-04

    IronWorm: A Rust-Built npm Worm With an eBPF Rootkit and Tor C2

    JFrog dissected IronWorm, a self-replicating npm supply-chain worm written in Rust that hides behind an eBPF kernel rootkit, beacons over Tor, and steals 86 env vars and 20+ credential files. 36 packages hit before it was caught.

    supply-chain, npm, ebpf, rootkit, shai-hulud
  • vulnerabilities 2026-06-04

    Redis CVE-2026-23479: AI-Discovered Use-After-Free Yields RCE on a Database That's Everywhere

    An authenticated use-after-free in Redis's blocking-client path (CVE-2026-23479, CVSS 8.8) gives a low-privilege user OS command execution on the host. It sat unnoticed for over two years and was found by an autonomous AI bug-hunting tool.

    use-after-free, rce, cloud-security
  • vulnerabilities 2026-06-03

    HTTP/2 Bomb: One Cheap Client Pins 32GB on NGINX, Apache, IIS, Envoy and Cloudflare

    A new HPACK-plus-flow-control DoS lets a home broadband connection hold 32GB of server memory in ~20 seconds. Affects the default HTTP/2 config of every major web server and proxy. NGINX and Apache have fixes; IIS, Envoy and Cloudflare Pingora do not yet.

    http2, nginx, apache, denial-of-service, infrastructure
  • vulnerabilities 2026-06-03

    Android Framework Zero-Day CVE-2025-48595: Silent Privilege Escalation Under Active Attack

    CVE-2025-48595 is a high-severity integer overflow in the Android Framework that escalates privilege with no user interaction and no special permissions. Google confirms limited, targeted exploitation; CISA added it to KEV on June 2 with a June 5 federal deadline. Affects Android 14, 15, 16, and 16 QPR2.

    zero-day, privilege-escalation, cisa-kev
  • vulnerabilities 2026-06-02

    DirtyDecrypt (CVE-2026-31635): Public PoC Roots Fedora, Arch, and openSUSE via the Kernel's RxGK Path

    A released proof-of-concept weaponizes CVE-2026-31635, a missing copy-on-write guard in the Linux kernel's RxGK receive path, for local root on Fedora, Arch, and openSUSE Tumbleweed — and pod escape on affected worker nodes.

    linux-kernel, lpe, privilege-escalation, container-escape, copy-fail
© 2026 Max Clinton