cybercrime.club_ // where builders track threats
  • deep dive 2026-05-24 12 min read

    The Edge Device Audit: Turn CISA's BOD 26-02 Into a Playbook You Can Actually Run

    CISA's BOD 26-02 just handed every infrastructure team a free edge-device audit checklist. Here is how to run it on your own network — inventory, version, exposure, and end-of-support triage — before an attacker runs theirs.

    network-appliance, vulnerability-management, cisa-kev, vpn
  • incident 2026-05-23

    The 'Private-CISA' Leak: A Contractor Left GovCloud Keys and Artifactory Creds Public on GitHub for Six Months

    A CISA contractor's public GitHub repo exposed AWS GovCloud admin keys, internal Artifactory credentials, and plaintext passwords to dozens of agency systems for roughly six months.

    cisa
  • Supply Chain 2026-05-23

    Laravel-Lang Supply Chain Attack: 233 Package Versions Backdoored to Steal Cloud and CI/CD Secrets

    Attackers repointed git tags across four Laravel-Lang Composer packages to a malicious fork, backdooring 233 versions with a credential stealer that drains cloud, CI/CD, and developer secrets.

    supply-chain, credential-theft, malware
  • vulnerabilities 2026-05-22

    Trend Micro Apex One CVE-2026-34926: Directory Traversal Turns the EDR Server Into a Malware Dropper

    A directory traversal flaw in on-premises Trend Micro Apex One lets an attacker who already holds server admin access poison the agent build and push malicious code to every managed endpoint. CISA added it to KEV after confirmed in-the-wild exploitation.

    cisa-kev
  • vulnerabilities 2026-05-22

    Cisco Secure Workload CVE-2026-20223: Unauthenticated API Flaw Hands Over Site Admin

    A CVSS 10.0 flaw in Cisco Secure Workload lets unauthenticated attackers reach internal REST APIs with Site Admin privileges across tenant boundaries. No workarounds — patch now.

    cisco, authentication-bypass
  • vulnerabilities 2026-05-21

    Two More Defender Zero-Days in the Wild: CVE-2026-41091 Link-Resolution Bug Lands SYSTEM, Added to CISA KEV

    Microsoft confirms two Defender flaws — an LPE to SYSTEM and a DoS — are publicly disclosed and exploited in the wild. A third RCE ships in the same engine update. CISA gives federal agencies until June 3.

    windows, privilege-escalation, zero-day, cisa-kev
  • supply-chain 2026-05-21

    actions-cool/issues-helper Compromised: Every Tag Repointed to a Credential-Stealing Imposter Commit

    An attacker repointed all 53 tags of the popular actions-cool/issues-helper GitHub Action to a single imposter commit that scrapes live CI/CD secrets out of runner process memory.

    supply-chain, github-actions, ci-cd, credential-theft
  • vulnerabilities 2026-05-20

    Drupal SA-CORE-2026-004: Highly Critical Unauthenticated SQL Injection Hits PostgreSQL Sites

    CVE-2026-9082 is a highly critical SQL injection in Drupal core's database abstraction API. Anonymous attackers can run arbitrary SQL against PostgreSQL-backed sites. Patches dropped May 20; exploitation is expected within days.

    sql-injection, postgresql, web-security
  • supply-chain 2026-05-20

    Nx Console VS Code Extension Compromised: Orphan-Commit Stealer Hits a 2.2M-Install Developer Tool

    A compromised Nx Console 18.95.0 extension pulled a 498 KB stealer from an orphan commit in the official nrwl/nx repo, harvesting GitHub, npm, AWS and Vault secrets — and shipped tooling to forge signed npm provenance.

    supply-chain, npm
  • vulnerability 2026-05-19

    SEPPmail Secure Email Gateway: Seven Flaws Including CVSS 10.0 Path Traversal to RCE

    InfoGuard Labs discloses seven vulnerabilities in SEPPmail Secure E-Mail Gateway, including a CVSS 10.0 path-traversal-to-RCE bug and an unauthenticated Perl eval injection — full appliance takeover and mail-traffic interception.

    rce, path-traversal
  • vulnerabilities 2026-05-19

    Ollama CVE-2026-7482 'Bleeding Llama': Heap OOB Read in GGUF Loader Leaks Server Memory to Unauthenticated Attackers

    A heap out-of-bounds read in Ollama's GGUF model loader (CVE-2026-7482, CVSS 9.1) lets unauthenticated attackers exfiltrate server process memory — including API keys, env vars, system prompts, and other users' conversations — from an estimated 300,000+ exposed instances.

    ai-infrastructure, heap-overflow
  • vulnerabilities 2026-05-18

    MiniPlasma: Public PoC Hands SYSTEM on Fully Patched Windows 11 via cldflt.sys

    Chaotic Eclipse published a working PoC for MiniPlasma, a Cloud Filter driver LPE that abuses CfAbortHydration to forge .DEFAULT-hive registry keys — the same bug Microsoft was told about in 2020 and claimed to have fixed.

    windows, zero-day, privilege-escalation, lpe
  • vulnerability 2026-05-18

    CloudNativePG CVE-2026-44477: Metrics Exporter Escalates Any DB User to Postgres Superuser and Host RCE

    A residual session_user=postgres in CloudNativePG's metrics exporter lets any low-privileged database user RESET ROLE back to superuser and reach OS-level command execution via COPY TO PROGRAM. CVSS 9.4. Patched in 1.28.3 and 1.29.1.

    postgresql, kubernetes, rce, privilege-escalation
  • breach 2026-05-17

    Grafana Refuses Ransom After CoinbaseCartel Pwn Request Attack Steals Source Code From Five Repos

    Grafana Labs disclosed that CoinbaseCartel exploited a GitHub Actions pull_request_target misconfiguration to steal privileged CI tokens and pivot into five private repos. A canary token tripped the breach; the company refused the ransom demand.

    github-actions, supply-chain, extortion
  • Vulnerabilities 2026-05-17

    YellowKey and GreenPlasma: Same Researcher Drops Two More Windows Zero-Days, BitLocker Bypass via WinRE USB

    The anonymous researcher behind BlueHammer is back with YellowKey, a BitLocker bypass that drops a CMD shell on protected drives via crafted FsTx files in WinRE, plus GreenPlasma, a CTFMON privilege escalation. No CVE, no patch.

    windows, zero-day, privilege-escalation, endpoint-security
  • deep dive 2026-05-17 15 min read

    NTLM Coercion's Quiet Resurgence: Why 2026's Zero-Click Attacks Look Like 2021

    Two unrelated bugs in the last month — an incomplete APT28 patch and an unpatched RPC defect — both hand attackers a 1990s-era credential primitive. The fact that NTLM coercion still works in 2026 is not a series of accidents. It is the model.

    windows, active-directory, trend-analysis, opinion
  • vulnerabilities 2026-05-16

    ssh-keysign-pwn (CVE-2026-46333): Six-Year-Old Linux Kernel Race Hands Unprivileged Users SSH Host Keys and /etc/shadow

    Qualys disclosed a six-year-old logic flaw in __ptrace_may_access that lets any local user race ssh-keysign and chage out of their host keys and shadow file. Public PoC works out of the box on Debian, Ubuntu, Arch, and the EL9/EL10 families. Patch or set kernel.yama.ptrace_scope=2 now.

    linux-kernel
  • vulnerability 2026-05-16

    Cisco Catalyst SD-WAN CVE-2026-20182: Second vdaemon Auth Bypass Lands in CISA KEV

    Cisco patched a CVSS 10.0 auth bypass in Catalyst SD-WAN Controller's vdaemon service. UAT-8616 is already exploiting it. CISA added it to KEV May 15 with a May 17 deadline.

    cisco, sd-wan, cisa-kev, active-exploitation, cvss-10
  • vulnerability 2026-05-15

    Exchange Server CVE-2026-42897: Unpatched OWA XSS Zero-Day Exploited via Crafted Email

    Microsoft confirms in-the-wild exploitation of an unpatched XSS spoofing flaw in on-prem Exchange Server 2016, 2019, and Subscription Edition. Mitigation is automatic only if EEMS is enabled.

    microsoft, zero-day
  • vulnerabilities 2026-05-15

    NGINX Rift: 18-Year-Old Rewrite Module Heap Overflow Hits Unauthenticated RCE With Public PoC

    CVE-2026-42945 is a CVSS 9.2 heap buffer overflow in ngx_http_rewrite_module that has lived in NGINX since 2008. A working unauthenticated RCE PoC is public; reachability hinges on a specific rewrite-directive pattern most prod configs actually contain.

    nginx, rce, heap-overflow, f5
© 2026 Max Clinton