Zero-Day
Squidbleed: 29-Year-Old Heap Over-Read in Squid Proxy Leaks Cleartext HTTP Traffic (CVE-2026-47729)
A Heartbleed-style heap buffer over-read in Squid's FTP gateway, tracing to a 1997 commit, lets trusted proxy users drain other users' cleartext HTTP requests including credentials, cookies, and session tokens.
Arista EOS CVE-2026-7473: Tunnel Decap Flaw Bypasses Segmentation — and Arista Won't Patch It
CVE-2026-7473 lets an unauthenticated attacker push arbitrary tunneled traffic through Arista data-center switches that decapsulate it without checking the protocol. Exploited in the wild, on CISA's KEV list with a deadline of today — and Arista has confirmed no patch is coming.
RoguePlanet Gets a CVE: Microsoft Confirms Patch in Progress for Defender SYSTEM Race Condition (CVE-2026-50656)
One week after a public PoC dropped during Patch Tuesday, Microsoft has assigned CVE-2026-50656 to RoguePlanet — a Defender Malware Protection Engine race condition that hands SYSTEM on fully patched Windows 10 and 11 — and confirmed a fix is in flight. No patch yet.
Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild — Patch Every Chromium Runtime, Not Just Browsers
Google patched CVE-2026-11645, an actively exploited out-of-bounds read/write in V8. The real blast radius is every Chromium runtime you operate — headless Chrome in CI, Electron apps, and server-side renderers.
Oracle Ships Out-of-Band Fix for PeopleSoft Zero-Day CVE-2026-35273 as ShinyHunters Loots 100+ Orgs
Oracle pushed an emergency alert for CVE-2026-35273, an unauthenticated CVSS 9.8 RCE in PeopleSoft PeopleTools. Mandiant confirms in-the-wild exploitation, and ShinyHunters claims data theft from 100+ organizations including the University of Nottingham.
Microsoft's June Patch Tuesday Is Its Biggest Ever: 200 Flaws, 33 Critical, Three Public Zero-Days
Microsoft's largest Patch Tuesday on record fixes 200 vulnerabilities including HTTP.sys and Kerberos KDC RCEs, three Hyper-V escapes, and the HTTP/2 Bomb and YellowKey BitLocker zero-days.
An AI Agent Found 21 Zero-Days in FFmpeg for $1,000 — and Your Container Images Are in Scope
depthfirst's autonomous agent found 21 zero-days in FFmpeg for about $1,000, including a 23-year-old stack overflow. Nine carry CVEs (CVE-2026-39210 through CVE-2026-39218). FFmpeg is bundled everywhere — patch upstream and your embedded copies.
Anatomy of the Interlock Campaign: How a ClickFix Gang Learned to Burn Firewall Zero-Days
For a year, the surest way to get hit by Interlock was to paste a command into your own Run dialog. On January 26, 2026, the group stopped waiting for users to make mistakes and started exploiting a pre-auth, root-level Cisco firewall zero-day instead. The same crew now runs both ends of the sophistication ladder — and that should change how you model initial access.
Cisco Catalyst SD-WAN Manager CVE-2026-20245: Root Command Execution, No Patch Yet
Cisco's seventh SD-WAN zero-day of 2026. CVE-2026-20245 lets a netadmin upload a crafted file and execute commands as root on SD-WAN Manager. Exploited in the wild, no fix at disclosure.
Android Framework Zero-Day CVE-2025-48595: Silent Privilege Escalation Under Active Attack
CVE-2025-48595 is a high-severity integer overflow in the Android Framework that escalates privilege with no user interaction and no special permissions. Google confirms limited, targeted exploitation; CISA added it to KEV on June 2 with a June 5 federal deadline. Affects Android 14, 15, 16, and 16 QPR2.
Gogs 0-Day: Argument Injection in Rebase Merging Gives Any User RCE — and There's No Patch
Rapid7 disclosed an unpatched CVSS 9.4 RCE in Gogs. A malicious branch name injects --exec into git rebase during 'Rebase before merging,' giving any registered user code execution on the server. No CVE, no fix — only config-level mitigations.
KnowledgeDeliver CVE-2026-5426: Shared ASP.NET Machine Key Burns Every Japanese LMS Tenant at Once
A hardcoded ASP.NET machineKey shipped in Digital Knowledge's KnowledgeDeliver LMS web.config gives any attacker who reads one tenant's config unauthenticated RCE on every other internet-facing instance. Mandiant tied active exploitation to BLUEBEAM web shells and Cobalt Strike beacons consistent with Chinese-speaking APTs.
Two More Defender Zero-Days in the Wild: CVE-2026-41091 Link-Resolution Bug Lands SYSTEM, Added to CISA KEV
Microsoft confirms two Defender flaws — an LPE to SYSTEM and a DoS — are publicly disclosed and exploited in the wild. A third RCE ships in the same engine update. CISA gives federal agencies until June 3.
MiniPlasma: Public PoC Hands SYSTEM on Fully Patched Windows 11 via cldflt.sys
Chaotic Eclipse published a working PoC for MiniPlasma, a Cloud Filter driver LPE that abuses CfAbortHydration to forge .DEFAULT-hive registry keys — the same bug Microsoft was told about in 2020 and claimed to have fixed.
YellowKey and GreenPlasma: Same Researcher Drops Two More Windows Zero-Days, BitLocker Bypass via WinRE USB
The anonymous researcher behind BlueHammer is back with YellowKey, a BitLocker bypass that drops a CMD shell on protected drives via crafted FsTx files in WinRE, plus GreenPlasma, a CTFMON privilege escalation. No CVE, no patch.
Exchange Server CVE-2026-42897: Unpatched OWA XSS Zero-Day Exploited via Crafted Email
Microsoft confirms in-the-wild exploitation of an unpatched XSS spoofing flaw in on-prem Exchange Server 2016, 2019, and Subscription Edition. Mitigation is automatic only if EEMS is enabled.
Ivanti EPMM CVE-2026-6973 Hits CISA KEV as Federal Patch Deadline Passes
Ivanti confirms in-the-wild exploitation of CVE-2026-6973, an authenticated-admin RCE in Endpoint Manager Mobile. CISA gave federal agencies until May 10 to patch — that window has now closed.
Palo Alto PAN-OS CVE-2026-0300: Unauthenticated Root RCE on Captive Portal Under Active Exploitation
Palo Alto Networks PAN-OS User-ID Authentication Portal has an unauthenticated buffer overflow yielding root RCE on PA-Series and VM-Series firewalls. CVSS 9.3, in CISA KEV, federal patch deadline May 9, 2026.
Palo Alto PAN-OS CVE-2026-0300: Unauth Root RCE in Captive Portal Exploited as Zero-Day, CISA KEV Deadline May 9
Palo Alto PAN-OS captive portal buffer overflow (CVSS 9.3) under active exploitation gives unauthenticated attackers root on PA- and VM-Series firewalls. Patches don't ship until May 13 — mitigations only.
RedSun and UnDefend: Two More Defender Zero-Days Dropped, All Three Now Exploited in the Wild
The same disgruntled researcher who dropped BlueHammer has now released RedSun and UnDefend. Huntress confirms all three Windows Defender zero-days are now being weaponized in hands-on-keyboard intrusions. Two remain unpatched.