Infrastructure
Splunk Enterprise CVE-2026-20253: An Unauthenticated Postgres Sidecar Hands Over Pre-Auth RCE
CVE-2026-20253 (CVSS 9.8) is a pre-auth RCE in Splunk Enterprise. An unauthenticated Postgres sidecar endpoint gives an arbitrary file write that escalates to code execution — on the box holding all your logs. Full exploit details are public; patch now.
HTTP/2 Bomb: One Cheap Client Pins 32GB on NGINX, Apache, IIS, Envoy and Cloudflare
A new HPACK-plus-flow-control DoS lets a home broadband connection hold 32GB of server memory in ~20 seconds. Affects the default HTTP/2 config of every major web server and proxy. NGINX and Apache have fixes; IIS, Envoy and Cloudflare Pingora do not yet.
Apache httpd CVE-2026-23918: HTTP/2 Double-Free Puts Millions of Servers at RCE Risk
Critical double-free in mod_http2's early-reset path lets remote attackers crash or take over Apache 2.4.66. Patch shipped May 4 in 2.4.67.
CrowdStrike LogScale CVE-2026-40050: Unauthenticated Path Traversal Reads Arbitrary Server Files
A critical 9.8 CVSS path traversal in CrowdStrike's LogScale lets unauthenticated attackers read arbitrary files from self-hosted clusters. Patch to 1.235.1, 1.234.1, 1.233.1, or 1.228.2 LTS.