Zero-Day
Exchange Server CVE-2026-42897: Unpatched OWA XSS Zero-Day Exploited via Crafted Email
Microsoft confirms in-the-wild exploitation of an unpatched XSS spoofing flaw in on-prem Exchange Server 2016, 2019, and Subscription Edition. Mitigation is automatic only if EEMS is enabled.
Ivanti EPMM CVE-2026-6973 Hits CISA KEV as Federal Patch Deadline Passes
Ivanti confirms in-the-wild exploitation of CVE-2026-6973, an authenticated-admin RCE in Endpoint Manager Mobile. CISA gave federal agencies until May 10 to patch; that window has now closed.
Palo Alto PAN-OS CVE-2026-0300: Unauthenticated Root RCE on Captive Portal Under Active Exploitation
Palo Alto Networks PAN-OS User-ID Authentication Portal has an unauthenticated buffer overflow yielding root RCE on PA-Series and VM-Series firewalls. CVSS 9.3, in CISA KEV, federal patch deadline May 9, 2026.
Palo Alto PAN-OS CVE-2026-0300: Unauth Root RCE in Captive Portal Exploited as Zero-Day, CISA KEV Deadline May 9
Palo Alto PAN-OS captive portal buffer overflow (CVSS 9.3) under active exploitation gives unauthenticated attackers root on PA- and VM-Series firewalls. Patches don't ship until May 13; mitigations only.
RedSun and UnDefend: Two More Defender Zero-Days Dropped, All Three Now Exploited in the Wild
The same disgruntled researcher who dropped BlueHammer has now released RedSun and UnDefend. Huntress confirms all three Windows Defender zero-days are now being weaponized in hands-on-keyboard intrusions. Two remain unpatched.
Microsoft April 2026 Patch Tuesday Fixes 167 Flaws Including Actively Exploited SharePoint Zero-Day
Microsoft's second-largest Patch Tuesday ever addresses 167 vulnerabilities, including an actively exploited SharePoint XSS flaw and a critical CVSS 9.8 Windows IKE remote code execution bug.
Adobe Acrobat Reader Zero-Day CVE-2026-34621: Prototype Pollution RCE Exploited Since December
Adobe patches APSB26-43 after confirming CVE-2026-34621, a CVSS 9.6 prototype pollution flaw in Acrobat Reader actively exploited via malicious PDFs since at least December 2025.
Project Glasswing: Anthropic's Claude Mythos AI Autonomously Found Thousands of Zero-Days in Every Major OS and Browser
Anthropic's Claude Mythos Preview autonomously discovered thousands of unpatched zero-days across FreeBSD, Linux, OpenBSD, FFmpeg, and every major browser, including a sandbox escape that emailed a researcher.
CISA Adds Ivanti EPMM Zero-Days to KEV as Mass Exploitation Ramps Up
CISA adds CVE-2026-1340 to the Known Exploited Vulnerabilities catalog as attackers chain two Ivanti EPMM zero-days for unauthenticated RCE against mobile device management infrastructure.
BlueHammer: Unpatched Windows Defender Zero-Day Turns Definition Updates Into SYSTEM Shells
A disgruntled researcher leaked BlueHammer, a Windows Defender LPE zero-day that chains TOCTOU race conditions with Cloud Files oplocks to dump SAM hives and escalate to SYSTEM. No patch available.
Storm-1175 Chains Zero-Days to Deploy Medusa Ransomware in Under 24 Hours
Microsoft exposes Storm-1175 as a primary Medusa ransomware affiliate, weaponizing zero-days in SmarterMail and GoAnywhere MFT with sub-24-hour dwell times.
CVE-2026-33032: Nginx UI MCP Endpoint Lets Anyone Hijack Your Web Server, No Auth Required
Critical 9.8 CVSS flaw in Nginx UI exposes unauthenticated MCP endpoint. Public PoC available, no patch yet. Disable or firewall Nginx UI immediately.
FortiClient EMS Zero-Day Under Active Exploitation: Emergency Hotfixes Released (CVE-2026-35616)
Critical API authentication bypass in FortiClient EMS 7.4.5-7.4.6 is being exploited in the wild. CVSS 9.1. Hotfixes available now.
CVE-2026-0625: Unauthenticated RCE via DNS Config Endpoint Hits Millions of End-of-Life D-Link Routers
A critical command injection flaw in the dnscfg.cgi endpoint of legacy D-Link DSL, DIR, and DNS devices enables unauthenticated RCE, with no patches coming and active exploitation dating back to November 2025.
TrueConf Zero-Day Weaponized by Chinese-Nexus APT to Backdoor Southeast Asian Governments
Operation TrueChaos exploited CVE-2026-3502 in TrueConf's update mechanism to push Havoc C2 payloads across government networks via a compromised on-premises server.
Chrome Zero-Day CVE-2026-5281: WebGPU Use-After-Free Under Active Exploitation
Google patches fourth Chrome zero-day of 2026, a use-after-free in the Dawn WebGPU implementation that enables arbitrary code execution via crafted HTML pages.
CVE-2026-20127: Cisco SD-WAN Zero-Day Exploited for Three Years Before Disclosure
UAT-8616 abused a CVSS 10.0 auth bypass in Cisco Catalyst SD-WAN Controller and Manager since 2023, inserting rogue control-plane peers and escalating to root via a deliberate version-downgrade chain. Cisco disclosed in late February.
Cisco FMC Zero-Day Exploited by Interlock Ransomware for 36 Days Before Disclosure
CVE-2026-20131 scores a perfect CVSS 10.0. Interlock ransomware had 36 days of free rein before Cisco went public.
Three Chrome Zero-Days Patched in March Alone: What's Driving the Surge
Google patched three actively exploited Chrome zero-days this month. The browser attack surface is expanding faster than it's being hardened.