cybercrime.club_ // where builders track threats
  • vulnerability 2026-05-14

    Outlook CVE-2026-40361: Zero-Click Word RCE Resurrects BadWinmail's Enterprise-Killer Class

    A use-after-free in a shared Office DLL lets a malicious message fire RCE through the Outlook Reading Pane and Explorer Preview Pane. Microsoft rates exploitation 'more likely.'

    microsoft, use-after-free, patch-tuesday
  • vulnerability 2026-05-14

    Every Windows Endpoint is a Target: CVE-2026-41096 Heap Overflow in DNS Client Enables Remote Code Execution

    CVE-2026-41096 is a CVSS 9.8 heap overflow in the Windows DNS Client. A single malicious DNS response can yield code execution on any Windows host — no auth, no user click, no document opened. The blast radius is every Windows endpoint that resolves a name.

    windows, rce, patch-tuesday, heap-overflow, endpoint-security
  • vulnerabilities 2026-05-13

    Windows Netlogon CVE-2026-41089: Unauthenticated RCE on Every Domain Controller

    May Patch Tuesday's marquee bug is a stack-based buffer overflow in MS-NRPC that hands SYSTEM on any domain controller reachable over the network. Patch DCs first, before anything else.

    windows, active-directory, patch-tuesday, rce
  • supply-chain 2026-05-13

    RubyGems Disables New Signups After Hundreds of Malicious Packages Target Registry Staff

    RubyGems froze new account registration after an attacker uploaded hundreds of malicious gems on May 11-12 specifically targeting RubyGems engineers, with XSS payloads and credential-stealing exploits embedded in the packages.

    supply-chain, credential-theft, ci-cd
  • supply-chain 2026-05-12

    Mini Shai-Hulud Wave 4: TanStack, Mistral AI, UiPath Hit by First-Ever SLSA-Attested Malicious npm Packages (CVE-2026-45321)

    TeamPCP's fourth Mini Shai-Hulud wave compromised 42 TanStack packages, the Mistral AI SDK, UiPath, OpenSearch, and Guardrails AI by stealing OIDC tokens out of a GitHub Actions runner's process memory — and shipped malicious versions with valid SLSA Build Level 3 provenance attestations.

    supply-chain, npm, pypi, github-actions, teampcp, shai-hulud, ci-cd
  • vulnerabilities 2026-05-11

    Apache CloudStack CVE-2026-25077: Malicious Template Lands Code Execution on KVM Hosts

    Apache CloudStack 4.20.3.0 and 4.22.0.1 ship fixes for seven flaws — the headliner lets any account user execute arbitrary code on KVM hypervisor hosts via a malicious template name.

    rce, cloud, apache
  • vulnerabilities 2026-05-11

    Ivanti EPMM CVE-2026-6973 Hits CISA KEV as Federal Patch Deadline Passes

    Ivanti confirms in-the-wild exploitation of CVE-2026-6973, an authenticated-admin RCE in Endpoint Manager Mobile. CISA gave federal agencies until May 10 to patch — that window has now closed.

    ivanti, zero-day, cisa-kev, rce
  • threat-intel 2026-05-10 High

    MuddyWater Wears Chaos Ransomware as a Disguise — Teams Screen-Sharing Funnels Iranian Espionage Through Fake Extortion

    Rapid7 attributes a Chaos-branded ransomware intrusion to Iran's MuddyWater. No files were ever encrypted — the ransom note was cover for Stagecomp/Darkcomp espionage delivered via Microsoft Teams screen-share.

    iran, apt, ransomware, social-engineering
  • vulnerability 2026-05-10

    cPanel Ships Second Emergency TSR in 10 Days: CVE-2026-29201, 29202, 29203 Patch RCE, Arbitrary File Read, DoS

    cPanel released its second emergency Technical Security Release in 10 days on May 8, patching three new flaws — including a CVSS 8.8 Perl injection in create_user and a chmod-based privilege escalation — barely a week after the CVE-2026-41940 authentication-bypass meltdown.

    cpanel, rce, shared-hosting
  • deep dive 2026-05-10 12 min read

    Worms All the Way Down: Why npm and PyPI Will Keep Spawning Self-Propagating Compromises Until We Re-Architect Install-Time Trust

    From the original Shai-Hulud in September 2025 through CanisterSprawl, the Bitwarden CLI compromise, and Mini Shai-Hulud, every major npm/PyPI worm of the last eight months has used the same primitive: package lifecycle hooks that run arbitrary code on install. Until the registries change that default, each generation will keep landing.

    supply-chain, npm, pypi, shai-hulud, teampcp, worm, ci-cd
  • vulnerability 2026-05-09

    Dirty Frag: Chained Linux Kernel Bugs Hand Out Root, One Half Still Unpatched

    Dirty Frag chains an xfrm-ESP page-cache write (CVE-2026-43284) with an unpatched RxRPC page-cache write (CVE-2026-43500) for reliable root on most Linux distros. Embargo blew up early — public PoC is out, RxRPC fix is not.

    linux-kernel, lpe, copy-fail
  • vulnerabilities 2026-05-09

    Sentry CVE-2026-42354: Incomplete Fix Reopens SAML SSO Account Takeover

    Sentry self-hosted is vulnerable again to cross-organization SAML account takeover, three months after CVE-2026-27197 was supposedly patched. Upgrade to 26.4.1.

    authentication-bypass
  • vulnerabilities 2026-05-08

    Palo Alto PAN-OS CVE-2026-0300: Unauthenticated Root RCE on Captive Portal Under Active Exploitation

    Palo Alto Networks PAN-OS User-ID Authentication Portal has an unauthenticated buffer overflow yielding root RCE on PA-Series and VM-Series firewalls. CVSS 9.3, in CISA KEV, federal patch deadline May 9, 2026.

    palo-alto, pan-os, zero-day, cisa-kev, buffer-overflow, rce
  • malware 2026-05-08

    QLNX: A Stealthy Linux RAT Built To Rob Developer Workstations And Seed The Next Supply Chain Attack

    Trend Micro disclosed QLNX, a previously undocumented Linux RAT engineered to harvest developer and CI credentials so operators can trojanize npm, PyPI, Docker Hub, and Kubernetes pipelines downstream.

    supply-chain, credential-theft, rootkit, ebpf
  • vulnerabilities 2026-05-07

    Palo Alto PAN-OS CVE-2026-0300: Unauth Root RCE in Captive Portal Exploited as Zero-Day, CISA KEV Deadline May 9

    Palo Alto PAN-OS captive portal buffer overflow (CVSS 9.3) under active exploitation gives unauthenticated attackers root on PA- and VM-Series firewalls. Patches don't ship until May 13 — mitigations only.

    palo-alto, pan-os, zero-day, rce, cisa-kev, buffer-overflow
  • supply-chain 2026-05-07

    DAEMON Tools Supply Chain Compromise: Signed Installers Backdoored Since April 8, Chinese Actor Suspected

    Trojanized DAEMON Tools Lite installers signed with the legitimate vendor certificate distributed a multi-protocol backdoor for nearly a month. Kaspersky telemetry shows infection attempts in 100+ countries, with a second-stage implant on government and scientific targets in Russia, Belarus, and Thailand.

    supply-chain, backdoor, windows
  • vulnerability 2026-05-06

    Apache MINA Patches CVE-2026-42778 and CVE-2026-42779: Two Incomplete Fixes Land Back-to-Back as RCE

    MINA 2.2.7 and 2.1.12 ship critical patches for two deserialization bypasses that each thread the needle through a previous incomplete fix — the third and fourth iterations of the same root bug stretching back to 2024.

    deserialization, rce
  • vulnerabilities 2026-05-05

    Apache httpd CVE-2026-23918: HTTP/2 Double-Free Puts Millions of Servers at RCE Risk

    Critical double-free in mod_http2's early-reset path lets remote attackers crash or take over Apache 2.4.66. Patch shipped May 4 in 2.4.67.

    apache, http2, rce, infrastructure
  • breaches 2026-05-05

    ShinyHunters Hits Instructure Again: 3.65TB, 275M Canvas Users, May 6 Ransom Deadline

    ShinyHunters claims 3.65TB stolen from Instructure's Canvas platform — 275M users across ~9,000 institutions. Second hit in eight months. Ransom timer expires tomorrow.

    shinyhunters, data-breach, salesforce, extortion
  • vulnerability 2026-05-04

    MOVEit Automation Hit With CVSS 9.8 Auth Bypass: CVE-2026-4670 Grants Admin Without Credentials

    Progress patches a 9.8-severity authentication bypass plus a 7.7 privilege escalation in MOVEit Automation. Airbus reported both; there is no in-the-wild exploitation yet, but the MFT family's track record demands immediate patching.

    authentication-bypass
© 2026 Max Clinton