Cloud
CVE-2026-8037: Pre-Auth Root RCE in Progress Kemp LoadMaster Now Under Active Exploitation
CVE-2026-8037, a CVSS 9.8 uninitialized-heap flaw in Progress Kemp LoadMaster's escape_quotes() function, lets unauthenticated attackers run root commands on the load balancer's management API. eSentire observed exploitation attempts starting June 29.
Oracle E-Business Suite Payments Flaw Under Active Exploitation Before Patch Window Closed
CVE-2026-46817, a CVSS 9.8 unauthenticated takeover flaw in Oracle E-Business Suite's Payments module, is being mass-exploited via the ibytransmit endpoint; it was patched in May but hit in the wild before any public PoC existed.
DirtyClone: Linux Kernel LPE via Cloned sk_buff Gives Any Local User Root (CVE-2026-43503)
JFrog releases a working exploit for DirtyClone, a Linux kernel socket-buffer cloning flaw that silently rewrites in-memory setuid binaries and grants root, with container escape potential on cloud and Kubernetes hosts.
Linux Kernel CVE-2026-46331: Pedit COW Traffic-Control Bug Delivers Root Shell, Ubuntu Still Unpatched
A weaponized PoC for CVE-2026-46331 (Pedit COW) corrupts the kernel page cache via act_pedit to drop a root shell; Ubuntu 18.04 through 26.04 remain unpatched.
Apache CloudStack CVE-2026-25077: Malicious Template Lands Code Execution on KVM Hosts
Apache CloudStack 4.20.3.0 and 4.22.0.1 ship fixes for seven flaws; the headliner lets any account user execute arbitrary code on KVM hypervisor hosts via a malicious template name.
Spinnaker Dual 10.0s: Echo SpEL and Clouddriver gitrepo RCE Gut Netflix's CD Platform (CVE-2026-32604, CVE-2026-32613)
Two critical (CVSS 10.0) RCE bugs in Spinnaker, disclosed April 21, 2026 with working PoCs: SpEL expression injection in Echo and shell injection in Clouddriver gitrepo artifacts. Any authenticated user pops the CD plane and walks out with every stored cloud credential.
GPUBreach: GDDR6 Rowhammer Attack Achieves Root Shell, Bypasses IOMMU
University of Toronto researchers demonstrate full CPU privilege escalation from an unprivileged CUDA kernel via GDDR6 bit-flips, bypassing the IOMMU; no patch exists yet.
Three High-Severity Command Injection Flaws in AWS Research and Engineering Studio Give Authenticated Users Root RCE
AWS patches three CVSS 8.8 command injection and privilege escalation bugs in Research and Engineering Studio (RES); any authenticated user could get root on virtual desktop hosts or the cluster manager.
European Commission Confirms Cloud Breach: Trivy Supply Chain Attack Cascades Into 30+ EU Entities
The European Commission confirms a data breach affecting 30+ EU entities after the compromised Trivy scanner leaked AWS API keys to TeamPCP. ShinyHunters published 92 GB of stolen data.