[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fYtoGDyjUsW9xfpyuaNMyR322FoRhaZa4kbcit0F833w":3},{"article":4,"iocs":55},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":32,"category":33,"article_tags":37},"c6bd45d1-be14-4739-a944-d4badfc3129e","May 2026 CVE Landscape","may-2026-cve-landscape-c2bd94","In May 2026, Insikt Group® identified 41 high-impact vulnerabilities that should be prioritized for remediation, all of which had a Very Critical Recorded Future Risk Score. This represents an 11% increase from last month.","In May 2026, Insikt Group identified 41 high-impact vulnerabilities, an 11% increase from the previous month. Of these, 22 were actively exploited, including 12 that allowed for remote code execution. Notably, five vulnerabilities were over 15 years old, highlighting the continued exploitation of legacy weaknesses. The vulnerabilities affected products from 20 vendors, with Vercel and Microsoft products being significantly impacted.","41 high-impact vulnerabilities identified in May 2026, with 22 actively exploited.","May 2026 CVE Landscape In May 2026, Insikt Group® identified 41 high-impact vulnerabilities that should be prioritized for remediation, all of which had a Very Critical Recorded Future Risk Score. This represents an 11% increase from last month. These vulnerabilities affected products from 20 vendors. 21 of the 41 vulnerabilities were included in the US Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) catalog, 19 were surfaced through honeypot data, and one was reported by a cybersecurity vendor. The 41 vulnerabilities in this report affected products from 20 vendors. Vercel accounted for approximately 27% of the vulnerabilities, driven by honeypot-sourced Next.js activity. 
The remaining exposure was concentrated across a range of enterprise software, security, networking, developer tooling, and cloud-related products. Quick Reference: May 2026 Vulnerability Table All 22 vulnerabilities below were actively exploited in May 2026. This table does not include the 19 CVEs associated with honeypot activity, which are available to Recorded Future customers via the CVE Monthly Report. The table below also provides examples of public PoCs identified by Insikt Group®. These PoCs were not tested for accuracy or efficacy. Vulnerability management teams should exercise caution and verify the validity of PoCs before testing. # Vulnerability RiskScore Vendor\u002FProduct KEV Malware Analysis RCE PoC 1 CVE-2008-4250 99 Microsoft Windows ✓ ✓ ✓ Link 2 CVE-2009-1537 99 Microsoft DirectX ✓ 3 CVE-2009-3459 99 Adobe Acrobat and Reader ✓ 4 CVE-2010-0249 99 Microsoft Internet Explorer ✓ ✓ Link 5 CVE-2010-0806 99 Microsoft Internet Explorer ✓ ✓ (available to Recorded Future Customers) 6 CVE-2025-34291 99 Langflow ✓ ✓ Link 7 CVE-2026-0257 99 Palo Alto Networks PAN-OS, Cloud NGFW, and Prisma Access ✓ ✓ Link 8 CVE-2026-0300 99 Palo Alto Networks PAN-OS, Cloud NGFW, Prisma Access ✓ ✓ Link 9 CVE-2026-20182 99 Cisco Catalyst SD-WAN and SD-WAN Manager ✓ ✓ Link 10 CVE-2026-31431 99 Linux Kernel ✓ ✓ (available to Recorded Future Customers) ✓ Link 11 CVE-2026-34926 99 Trend Micro Apex One (On-Premise) ✓ 12 CVE-2026-41091 99 Microsoft Defender ✓ ✓ Link 13 CVE-2026-42208 99 BerriAI LiteLLM ✓ ✓ Link 14 CVE-2026-42897 99 Microsoft Exchange Server ✓ ✓ Link 15 CVE-2026-45321 99 TanStack (Multiple Packages) ✓ ✓ Link 16 CVE-2026-45498 99 Microsoft Defender ✓ 17 CVE-2026-48027 99 Nx Console ✓ 18 CVE-2026-48172 99 LiteSpeed cPanel Plugin ✓ ✓ Link 19 CVE-2026-6973 99 Ivanti Endpoint Manager Mobile (EPMM) ✓ ✓ 20 CVE-2026-8398 99 Daemon Tools Lite ✓ 21 CVE-2026-9082 99 Drupal Core ✓ ✓ Link 22 CVE-2026-26980 99 Ghost CMS ✓ (available to Recorded Future Customers) ✓ Link Table 1: 
List of vulnerabilities that were actively exploited in May 2026, based on Recorded Future data (excluding honeypot-sourced CVEs). Key Trends: May 2026 In May 2026, threat actors exploited a Ghost CMS vulnerability in large-scale ClickFix and FakeCaptcha poisoning campaigns. The campaigns used compromised Ghost CMS websites to inject malicious JavaScript, redirect victims through social engineering lures, and stage dropper and loader payloads from attacker-controlled infrastructure. 12 of the 41 vulnerabilities enabled remote code execution (RCE), affecting products from 8 vendors: Microsoft, Adobe, Langflow, Palo Alto Networks, Apache, openDCIM, Fortinet, and Ivanti. Insikt Group identified public proof-of-concept (PoC) exploits for 32 of the 41 vulnerabilities in this report. The most commonly observed flaws this month were CWE-79 (Cross-site Scripting), CWE-506 (Embedded Malicious Code), and CWE-89 (SQL Injection), with three CVEs each. 5 of the 41 vulnerabilities in this month’s prominent vulnerabilities table were first disclosed between 2008 and 2010, making them at least 15 years old, with the oldest vulnerability being approximately 18 years old. This reinforces our finding that attackers continue to exploit long-known weaknesses in environments where patching has lagged. Additionally, the fastest observed time from a vulnerability’s public disclosure to exploitation was less than one day. Exploitation Analysis This section highlights some of the highest-impact, actively exploited vulnerabilities this month, specifically those linked to known threat actor campaigns or that have public PoC exploits available. Vulnerabilities with no meaningful public technical detail are summarized in the disclosures table only. 
Threat Actors Exploit CVE-2026-26980 in Ghost CMS To Conduct Large-Scale ClickFix Poisoning Campaigns, Sample Available From Recorded Future Malware Intelligence On May 21, 2026, cybersecurity firm XLab published a technical analysis detailing large-scale ClickFix poisoning campaigns targeting vulnerable Ghost Content Management System (CMS) instances by exploiting CVE-2026-26980. Ghost CMS allows users to create, manage, and publish content for blogs, media sites, newsletters, and subscription-based websites through a Node.js-based publishing platform. CVE-2026-26980 is a critical SQL injection vulnerability in Ghost CMS that allows unauthenticated threat actors to extract Ghost Admin API Keys and modify website content through the Ghost Admin API. As previously reported by Insikt Group®, at least two threat groups exploited CVE-2026-26980 to inject malicious JavaScript into more than 700 compromised Ghost CMS websites across industries, including blockchain, artificial intelligence (AI), and financial technology (fintech). According to XLab, the threat actors used the compromised websites to deliver ClickFix and FakeCaptcha social engineering attacks that tricked victims into executing malicious commands and malware payloads on their systems. Insikt Group® obtained one of the malicious samples, UtilifySetup.exe, from Recorded Future Malware Intelligence. The sample matched the sandbox YARA rule for detecting Inno Setup packaging. 
Based on sandbox and static code analysis, the sample performs the following actions on a victim’s machine: Conducts DLL injection Retrieves the system language and geolocation using the Windows registry Drops files named UtilifySetup.tmp (SHA256: 7790fd1035266000ed6d6cc35822f7683f5271663af8a5b5effadff85316df6d) and Grape.exe Enumerates files and directories Retrieves system information Delays execution using the Sleep API function for evasion Detects debuggers using the GetTickCount API function to compare the timing and the IsDebuggerPresent API function Creates a file inside the C:\\Users\\user\\AppData\\Local\\SuperMaxionQuickMaxlite directory, corroborating XLab’s analysis Terminates running processes Sandbox analysis categorized UtilifySetup.tmp as malicious due to the sample exhibiting discovery capabilities. Based on sandbox and static code analysis, the sample performs the following actions on a victim’s machine: Conducts DLL injection Retrieves the system language and geolocation using the Windows registry Executes UtilifySetup.exe installer from the %Temp% directory using internal Inno Setup \u002FSL5 launch parameters Executes a file named Grape.exe inside the C:\\Users\\user\\AppData\\Local\\SuperMaxionQuickMaxlite directory Once executed, Grape.exe performs the following actions on a victim’s machine: Adds a Windows registry Run key entry named electron.app.Grape set to execute itself when the victim logs in Enumerates running processes Sends DNS request to web-telegram[.]ug Further technical details associated with this activity, including sample analysis, MITRE ATT&CK techniques, and IoCs, are available to Recorded Future customers via Insikt Group® reporting. Recorded Future customers can also access Malware Intelligence queries that surface samples communicating with campaign-associated URLs, domains, and IP addresses. 
Figure 1: Risk Rules History from Vulnerability Intelligence Card® for CVE-2026-26980 in Recorded Future (Source: Recorded Future) Technical Blog and Alleged PoC for Actively Exploited Critical SQL Injection Vulnerabili","https:\u002F\u002Fbit.ly\u002F4ghl42I","https:\u002F\u002Fwww.recordedfuture.com\u002Fblog\u002Fmedia_1239191713c0e7359a6e3e0dd047fe76e065dcc92.jpg?width=1200&#x26;format=pjpg&#x26;optimize=medium","2026-06-12T15:47:08+00:00","2026-06-12T16:00:19.668+00:00",9,[18,21,24,26,28,30],{"name":19,"type":20},"Next.js","product",{"name":22,"type":23},"Vercel","vendor",{"name":25,"type":23},"Microsoft",{"name":27,"type":23},"Adobe",{"name":29,"type":23},"Palo Alto Networks",{"name":31,"type":23},"Trend Micro","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":32,"icon":34,"name":35,"slug":36},null,"Vulnerabilities","vulnerabilities",[38,43,45,50],{"category":39},{"id":40,"icon":34,"name":41,"slug":42},"6cbdd207-aaa1-4176-9534-e156b125e917","Nation-state","nation-state",{"category":44},{"id":32,"icon":34,"name":35,"slug":36},{"category":46},{"id":47,"icon":34,"name":48,"slug":49},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",{"category":51},{"id":52,"icon":34,"name":53,"slug":54},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[56,60,63,66,69,71,74,77,80,83,86,89,92,95,98,101,104,107,110,113,116,119],{"type":57,"value":58,"context":59},"cve","CVE-2008-4250","Microsoft Windows vulnerability, actively exploited, RCE, PoC available.",{"type":57,"value":61,"context":62},"CVE-2009-1537","Microsoft DirectX vulnerability, actively exploited.",{"type":57,"value":64,"context":65},"CVE-2009-3459","Adobe Acrobat and Reader vulnerability, actively exploited.",{"type":57,"value":67,"context":68},"CVE-2010-0249","Microsoft Internet Explorer vulnerability, actively exploited, RCE, PoC available.",{"type":57,"value":70,"context":68},"CVE-2010-0806",{"type":57,"value":72,"context":73},"CVE-2025-34291","Langflow vulnerability, 
actively exploited, RCE, PoC available.",{"type":57,"value":75,"context":76},"CVE-2026-0257","Palo Alto Networks PAN-OS, Cloud NGFW, and Prisma Access vulnerability, actively exploited, RCE, PoC available.",{"type":57,"value":78,"context":79},"CVE-2026-0300","Palo Alto Networks PAN-OS, Cloud NGFW, Prisma Access vulnerability, actively exploited, RCE, PoC available.",{"type":57,"value":81,"context":82},"CVE-2026-20182","Cisco Catalyst SD-WAN and SD-WAN Manager vulnerability, actively exploited, RCE, PoC available.",{"type":57,"value":84,"context":85},"CVE-2026-31431","Linux Kernel vulnerability, actively exploited, RCE, PoC available.",{"type":57,"value":87,"context":88},"CVE-2026-34926","Trend Micro Apex One (On-Premise) vulnerability, actively exploited.",{"type":57,"value":90,"context":91},"CVE-2026-41091","Microsoft Defender vulnerability, actively exploited, RCE, PoC available.",{"type":57,"value":93,"context":94},"CVE-2026-42208","BerriAI LiteLLM vulnerability, actively exploited, RCE, PoC available.",{"type":57,"value":96,"context":97},"CVE-2026-42897","Microsoft Exchange Server vulnerability, actively exploited, RCE, PoC available.",{"type":57,"value":99,"context":100},"CVE-2026-45321","TanStack (Multiple Packages) vulnerability, actively exploited, RCE, PoC available.",{"type":57,"value":102,"context":103},"CVE-2026-45498","Microsoft Defender vulnerability, actively exploited.",{"type":57,"value":105,"context":106},"CVE-2026-48027","Nx Console vulnerability, actively exploited.",{"type":57,"value":108,"context":109},"CVE-2026-48172","LiteSpeed cPanel Plugin vulnerability, actively exploited, RCE, PoC available.",{"type":57,"value":111,"context":112},"CVE-2026-6973","Ivanti Endpoint Manager Mobile (EPMM) vulnerability, actively exploited, RCE.",{"type":57,"value":114,"context":115},"CVE-2026-8398","Daemon Tools Lite vulnerability, actively exploited.",{"type":57,"value":117,"context":118},"CVE-2026-9082","Drupal Core vulnerability, actively exploited, RCE, 
PoC available.",{"type":57,"value":120,"context":121},"CVE-2026-26980","Ghost CMS vulnerability, actively exploited, PoC available."]