[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"tag:zero-day":3},{"tag":4,"articles":8,"awareness":436,"events":437,"tips":438,"focus_items":439,"total_count":440},{"slug":5,"name":6,"description":7},"zero-day","Zero-day","Zero-day exploits and active exploitation",[9,18,27,36,45,54,63,72,80,89,98,107,116,125,134,143,152,159,166,173,180,186,193,200,209,218,227,236,244,251,259,267,276,285,294,303,312,321,330,339,348,357,366,373,382,391,400,409,418,427],{"id":10,"title":11,"slug":12,"brief":13,"ai_summary":14,"url":15,"image_url":16,"published_at":17},"952dc02f-8cbd-4716-8491-4bd972a74c12","Drupal: Critical SQL injection flaw now targeted in attacks","drupal-critical-sql-injection-flaw-now-targeted-in-attacks-4ce8ff","Drupal SQL injection vulnerability CVE-2026-9082 now actively exploited in attacks.","Drupal has confirmed active exploitation of CVE-2026-9082, a critical SQL injection vulnerability in its database abstraction API affecting PostgreSQL installations. The flaw, discovered by Google\u002FMandiant researcher Michael Maturi, allows unauthenticated attackers to execute arbitrary SQL commands, potentially leading to remote code execution and data breach. Drupal has released patches for versions 10.4.x through 11.3.x and urges immediate upgrades.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fdrupal-critical-sql-injection-flaw-now-targeted-in-attacks\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F22\u002Fdrupal.jpg","2026-05-22T13:14:40+00:00",{"id":19,"title":20,"slug":21,"brief":22,"ai_summary":23,"url":24,"image_url":25,"published_at":26},"11693fbc-af4a-45ff-951d-6911116ee995","macOS Kernel Memory Corruption Exploit - Schneier on Security","macos-kernel-memory-corruption-exploit-schneier-on-security-b53cb4","Researchers used Anthropic's Mythos AI to discover and exploit macOS kernel memory corruption flaw on Apple M5.","A research group leveraged Anthropic's Mythos AI model to identify and develop an exploit for a kernel memory corruption vulnerability affecting Apple's M5 chip architecture. The incident highlights the dual-use nature of AI-assisted security research, where advanced language models can accelerate both defensive and offensive vulnerability discovery. This marks a notable shift in how emerging AI capabilities are being applied to low-level system exploitation.","https:\u002F\u002Fwww.schneier.com\u002Fblog\u002Farchives\u002F2026\u002F05\u002Fmacos-kernel-memory-corruption-exploit.html",null,"2026-05-21T16:03:37+00:00",{"id":28,"title":29,"slug":30,"brief":31,"ai_summary":32,"url":33,"image_url":34,"published_at":35},"08dfd853-ea12-45b3-861c-914ee4bfbfdb","Microsoft acknowledges the YellowKey BitLocker bypass vulnerability and releases mitigations\n\nhtt...","microsoft-acknowledges-the-yellowkey-bitlocker-bypass-vulnerability-and-releases-f12b1d","Microsoft acknowledges YellowKey BitLocker bypass vulnerability and releases mitigations.","Microsoft has publicly acknowledged a BitLocker encryption bypass vulnerability tracked as YellowKey and released mitigations to address the flaw. The vulnerability allows attackers to bypass BitLocker's encryption protections under certain conditions. Microsoft's response includes patches and guidance for affected users.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2057125717373075843","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHIxg7WNWAAAYFTV.png","2026-05-20T15:46:05+00:00",{"id":37,"title":38,"slug":39,"brief":40,"ai_summary":41,"url":42,"image_url":43,"published_at":44},"8a167b5a-bfe3-4f76-b7af-372ce3664f49","Hackers Actively Exploit ‘Nginx Rift’ Vulnerability Affecting NGINX, F5 Products","hackers-actively-exploit-nginx-rift-vulnerability-affecting-nginx-f5-products-36d934","Hackers actively exploit Nginx Rift (CVE-2026-42945) heap buffer overflow in NGINX and F5 products.","A high-severity heap-based buffer overflow vulnerability (CVE-2026-42945, CVSS 8.1) dubbed Nginx Rift has been discovered in NGINX web server software and F5 products, affecting versions 0.6.27 through 1.30.0 of NGINX Open Source and R32 through R36 of NGINX Plus. Hackers began actively exploiting the flaw within three days of public disclosure on May 13, 2026, triggering denial-of-service attacks that crash NGINX worker processes. While the publicly available exploit primarily enables DoS attacks (requiring ASLR to be disabled for RCE), experts warn that weaponized exploits achieving remote code execution are likely only a matter of time, urging immediate patching of all vulnerable instances.","https:\u002F\u002Fhackread.com\u002Fhackers-exploit-nginx-rift-vulnerability-nginx-f5-products\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fhackers-exploit-nginx-rift-vulnerability-nginx-f5-products.jpg","2026-05-19T10:12:20+00:00",{"id":46,"title":47,"slug":48,"brief":49,"ai_summary":50,"url":51,"image_url":52,"published_at":53},"b0f9510b-1846-472d-a1e1-948ec25b3ef6","Hackers earn $1,298,250 for 47 zero-days at Pwn2Own Berlin 2026","hackers-earn-1-298-250-for-47-zero-days-at-pwn2own-berlin-2026-89f8f0","Pwn2Own Berlin 2026 awards $1.3M for 47 zero-day exploits across enterprise and AI products.","Security researchers at Pwn2Own Berlin 2026 (May 14–16) collected $1,298,250 in rewards for discovering and exploiting 47 zero-day vulnerabilities in enterprise software, web browsers, and AI systems. DEVCORE won the competition with $505,000 after chaining multiple bugs in Microsoft SharePoint, Exchange, Edge, and Windows 11. Vendors have 90 days to patch before TrendMicro's Zero Day Initiative publicly discloses the flaws.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fhackers-earn-1-298-250-for-47-zero-days-at-pwn2own-berlin-2026\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2025\u002F05\u002F19\u002FPwn2Own_Berlin.jpg","2026-05-18T05:33:20+00:00",{"id":55,"title":56,"slug":57,"brief":58,"ai_summary":59,"url":60,"image_url":61,"published_at":62},"21b98711-d067-4aa1-a794-18b565803f46","PoC Code Published for Critical NGINX Vulnerability","poc-code-published-for-critical-nginx-vulnerability-27a500","PoC code published for critical NGINX heap buffer overflow vulnerability (CVE-2026-42945).","A critical-severity heap buffer overflow vulnerability (CVE-2026-42945, CVSS 9.2) in NGINX's rewrite module was patched this week by F5, 16 years after its introduction. Proof-of-concept exploit code is now publicly available, demonstrating how attackers can trigger denial-of-service or remote code execution by exploiting a two-pass script engine flaw that leads to undersized buffer allocation. The vulnerability affects NGINX servers using rewrite and set directives, and exploitation can be achieved through crafted URIs and heap spray techniques.","https:\u002F\u002Fwww.securityweek.com\u002Fpoc-code-published-for-critical-nginx-vulnerability\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002FNginx.jpeg","2026-05-16T10:02:00+00:00",{"id":64,"title":65,"slug":66,"brief":67,"ai_summary":68,"url":69,"image_url":70,"published_at":71},"fcd89353-23f6-4186-bd23-5c6773b4e6be","Hackers Use PyInstaller and AMSI Patching to Deliver XWorm RAT v7.4","hackers-use-pyinstaller-and-amsi-patching-to-deliver-xworm-rat-v7-4-7b3e57","Hackers deploy XWorm RAT v7.4 via PyInstaller with AMSI patching to bypass Windows security.","Security researchers at Point Wild discovered a new campaign distributing XWorm RAT v7.4 malware packaged in PyInstaller files to bypass Windows Defender. The attack uses AMSI Memory Patching to disable AmsiScanBuffer, Base64\u002FSHA-512 encryption, and fake obfuscation routines to evade detection. Once activated, the malware connects to C2 infrastructure to steal credentials, spy via webcam, launch DDoS attacks, and achieve full remote control.","https:\u002F\u002Fhackread.com\u002Fhackers-pyinstaller-amsi-patching-xworm-rat-v7-4\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fhackers-pyinstaller-amsi-patching-xworm-rat-v7-4.jpg","2026-05-15T16:42:58+00:00",{"id":73,"title":74,"slug":75,"brief":76,"ai_summary":77,"url":78,"image_url":25,"published_at":79},"0e6deb38-d0f6-4ec3-a6a6-70c8465eafbd","CISA Adds One Known Exploited Vulnerability to Catalog","cisa-adds-one-known-exploited-vulnerability-to-catalog-8f5dc6","CISA adds CVE-2026-42897 Microsoft Exchange XSS vulnerability to KEV Catalog due to active exploitation.","CISA has added CVE-2026-42897, a cross-site scripting vulnerability in Microsoft Exchange Server, to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation in the wild. The addition falls under Binding Operational Directive (BOD) 22-01, which mandates that Federal Civilian Executive Branch agencies remediate identified vulnerabilities by specified deadlines. CISA urges all organizations to prioritize patching this vulnerability as part of their vulnerability management practices.","https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Falerts\u002F2026\u002F05\u002F15\u002Fcisa-adds-one-known-exploited-vulnerability-catalog","2026-05-15T12:00:00+00:00",{"id":81,"title":82,"slug":83,"brief":84,"ai_summary":85,"url":86,"image_url":87,"published_at":88},"f875f3c5-af20-4d63-a74f-2cb621294b65","On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email","on-prem-microsoft-exchange-server-cve-2026-42897-exploited-via-crafted-email-813d5d","Microsoft Exchange Server CVE-2026-42897 XSS flaw actively exploited via crafted emails.","Microsoft disclosed CVE-2026-42897, a critical cross-site scripting vulnerability in on-premises Exchange Server versions (2016, 2019, and Subscription Edition) that is actively being exploited in the wild. The flaw allows attackers to send crafted emails that execute arbitrary JavaScript in Outlook Web Access when opened under certain conditions. Microsoft has provided temporary mitigation via the Exchange Emergency Mitigation Service and a mitigation tool, with a permanent patch forthcoming.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fon-prem-microsoft-exchange-server-cve.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEirN79ZRjEd5wnVbOTlJJsWjQ54cwSj2bM5NDzBSgAFO8f_9LrlIwQRI0ZogQX42iejmhgc1n2YcA91pFrVqtqNKKyAIXblcQ1Yx9LTs1TeNDbNN6JMUBXCKDK1W0IwnwvYl1dhQmcyTPHwakckKT_Kc9fAUDAJRj94g2pENrjy4UyTCCniOXI2rO-q66PC\u002Fs1600\u002FMicrosoft-Exchange.png","2026-05-15T06:19:04+00:00",{"id":90,"title":91,"slug":92,"brief":93,"ai_summary":94,"url":95,"image_url":96,"published_at":97},"5d9ec144-59a4-4646-8efb-000bf578710a","Hackers exploit auth bypass flaw in Burst Statistics WordPress plugin","hackers-exploit-auth-bypass-flaw-in-burst-statistics-wordpress-plugin-987fbb","Authentication bypass vulnerability in Burst Statistics WordPress plugin allows admin account takeover.","A critical authentication bypass flaw (CVE-2026-8181) in the Burst Statistics WordPress plugin, introduced in version 3.4.0, allows unauthenticated attackers to impersonate administrators and create rogue admin accounts via REST API requests. The vulnerability affects approximately 200,000 WordPress sites and has already triggered over 7,400 attacks within 24 hours of public disclosure. A patched version 3.4.2 was released on May 12, 2026, but an estimated 115,000 sites remain unpatched.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fhackers-exploit-auth-bypass-flaw-in-burst-statistics-wordpress-plugin\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F04\u002F15\u002FWordPress.jpg","2026-05-14T21:07:17+00:00",{"id":99,"title":100,"slug":101,"brief":102,"ai_summary":103,"url":104,"image_url":105,"published_at":106},"373cfaca-6979-4a09-9120-a5aaa5e97384","🚨 Nightmare Eclipse just released another vulnerability called MiniPlasma\n\nGitHub: https:\u002F\u002Ft.co\u002F...","nightmare-eclipse-just-released-another-vulnerability-called-miniplasma-github-h-f20cc5","Nightmare Eclipse releases MiniPlasma vulnerability (CVE-2020-17103) in Windows Cloud Files Mini Filter Driver","Nightmare Eclipse has disclosed MiniPlasma, a high-severity elevation of privilege vulnerability (CVE-2020-17103) affecting Windows Cloud Files Mini Filter Driver. The vulnerability allows attackers to gain elevated privileges on affected systems. Technical details and proof-of-concept code are available on GitHub.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2055024386705358967","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHITpbB7WYAAt420.jpg","2026-05-14T20:36:08+00:00",{"id":108,"title":109,"slug":110,"brief":111,"ai_summary":112,"url":113,"image_url":114,"published_at":115},"8d0e4671-1c5a-4ed6-b505-1679ba909603","CVE-2026-20182: Critical Cisco SD-WAN Auth Bypass Under Active Exploitation","cve-2026-20182-critical-cisco-sd-wan-auth-bypass-under-active-exploitation-e9fd55","Cisco SD-WAN Controller\u002FManager CVE-2026-20182 critical auth bypass under active exploitation","CVE-2026-20182 is a critical authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager that allows unauthenticated remote attackers to bypass peering authentication and gain privileged access to the SD-WAN control plane. The vulnerability affects the vdaemon service over DTLS on UDP port 12346 and has been exploited in the wild. Cisco has published fixed releases across multiple product versions, with no workarounds available; immediate patching is required.","https:\u002F\u002Fdarkwebinformer.com\u002Fcve-2026-20182-critical-cisco-sd-wan-auth-bypass-under-active-exploitation\u002F","https:\u002F\u002Fstorage.ghost.io\u002Fc\u002F6b\u002F16\u002F6b16ac9c-cd67-432f-b0f3-bbec941084ff\u002Fcontent\u002Fimages\u002F2026\u002F05\u002Fcisco_vuln.webp","2026-05-14T20:24:47+00:00",{"id":117,"title":118,"slug":119,"brief":120,"ai_summary":121,"url":122,"image_url":123,"published_at":124},"054756ad-ab67-40ea-b43a-b0e51f79f2c0","Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access","cisco-catalyst-sd-wan-controller-auth-bypass-actively-exploited-to-gain-admin-ac-3e0f6f","Cisco patches critical auth bypass in Catalyst SD-WAN Controller actively exploited for admin access.","Cisco released updates for CVE-2026-20182, a CVSS 10.0 authentication bypass in Catalyst SD-WAN Controller and Manager that allows unauthenticated remote attackers to gain administrative privileges. The flaw, discovered by Rapid7, affects the vdaemon service over DTLS and has been actively exploited in limited attacks since May 2026. Successful exploitation enables attackers to manipulate SD-WAN fabric network configuration via NETCONF access.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fcisco-catalyst-sd-wan-controller-auth.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEh9rok1ToP_K0gWug0GnICltZkvx6bMRyhHfTJG1AcSfrGpM_fOVc61O3Fpyen_IW-wpb4s6Hl3qZcU5nEs77SMWSpKNDR4rrlY2syVVSNEBrpHx8RkWmYaN9MZORNICc8LNhuNjXqqhxmy7JN-y389oyQnAAFoBMJC1NoQSQFaOZ2MnrpKQRfv_eYXIoWI\u002Fs1600\u002Fcisco-exploit.jpg","2026-05-14T17:45:20+00:00",{"id":126,"title":127,"slug":128,"brief":129,"ai_summary":130,"url":131,"image_url":132,"published_at":133},"5ee44e3b-9ed6-4508-9ee5-e9e273c5eafe","ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories","threatsday-bulletin-pan-os-rce-mythos-curl-bug-ai-tokenizer-attacks-and-10-stori-e8a90a","Weekly threat roundup: PAN-OS RCE exploited, Mythos cURL bug, AI tokenizer attacks, and 10+ security stories.","This week's threat bulletin covers multiple critical security incidents including a PAN-OS CVE-2026-0300 buffer overflow being actively exploited to drop EarthWorm and ReverseSocks5 payloads, a zero-auth data leak affecting Schemata's military training platform, and Operation GriefLure targeting Vietnam and Philippines sectors. The roundup highlights escalating supply chain attacks, weak authentication controls, and state-sponsored phishing campaigns alongside emerging AI security risks.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fthreatsday-bulletin-pan-os-rce-mythos.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEjImYNT-qC7frGzEXeok3KDX_JNMKote6V1FVXIpkAoSEER2z1YyT8dpFq5RtRhBQ0cweEPbBIuioDWFf5rw_Mf-0V6rXR2ZrMh2ISDa7X7NlV9zIGsoLSAnyd_86eVkrR4wU24yxbuCYaAmyGFwlF77YCjvgU3n43P-yFT-pzjsmQ35Oaut1klg62bs_-i\u002Fs1600\u002Fthreatsday-2.jpg","2026-05-14T16:07:46+00:00",{"id":135,"title":136,"slug":137,"brief":138,"ai_summary":139,"url":140,"image_url":141,"published_at":142},"126f004f-513c-4146-851c-7c3deb1bc57a","18-year-old NGINX vulnerability allows DoS, potential RCE","18-year-old-nginx-vulnerability-allows-dos-potential-rce-fac815","18-year-old NGINX heap buffer overflow vulnerability allows DoS and potential RCE.","An 18-year-old heap buffer overflow vulnerability (CVE-2026-42945) in NGINX was discovered using autonomous scanning and affects versions 0.6.27 through 1.30.0 with a critical CVSS score of 9.2. The flaw, triggered when NGINX configurations use 'rewrite' and 'set' directives, stems from inconsistent state handling in the rewrite engine that causes buffer size miscalculation. Remote code execution was demonstrated on systems with ASLR disabled; three additional memory corruption flaws were also disclosed.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002F18-year-old-nginx-vulnerability-allows-dos-potential-rce\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F14\u002FNGINX.jpg","2026-05-14T15:43:41+00:00",{"id":144,"title":145,"slug":146,"brief":147,"ai_summary":148,"url":149,"image_url":150,"published_at":151},"be37fef0-37bc-408f-a140-87b19dc7603c","mutreasury Allegedly Breached: Admin Credentials and API Keys Exposed From the Egyptian University Payment Gateway Covering 28+ Universities, Sold With a Zero-Day Vulnerability","mutreasury-allegedly-breached-admin-credentials-and-api-keys-exposed-from-the-eg-413d86","mutreasury payment gateway breach exposes admin credentials, API keys, and student data from 28+ Egyptian universities;","A threat actor claiming the handle INT3X has breached mutreasury, Egypt's centralized university payment gateway serving 28+ institutions, and is selling the stolen database along with an unauthenticated-access zero-day vulnerability. The dump includes administrative credentials, ERP integration API tokens, transaction records linking student PII to payments, and credentials for national payment processors (e-Finance, Khales, Fawry). The actor is using a public preview of 4 major universities as proof-of-concept and claims the zero-day enables full persistence and real-time data extraction from the remaining 24+ connected institutions.","https:\u002F\u002Fdarkwebinformer.com\u002Fmutreasury-allegedly-breached-admin-credentials-and-api-keys-exposed-from-the-egyptian-university-payment-gateway-covering-28-universities-sold-with-a-zero-day-vulnerability\u002F","https:\u002F\u002Fstorage.ghost.io\u002Fc\u002F6b\u002F16\u002F6b16ac9c-cd67-432f-b0f3-bbec941084ff\u002Fcontent\u002Fimages\u002F2026\u002F05\u002F823768598273648972365897263598723589764.png","2026-05-14T15:03:20+00:00",{"id":153,"title":74,"slug":154,"brief":155,"ai_summary":156,"url":157,"image_url":25,"published_at":158},"ee5d881f-d39a-48f0-8912-e4b500160d50","cisa-adds-one-known-exploited-vulnerability-to-catalog-7a9601","CISA adds CVE-2026-20182 Cisco SD-WAN authentication bypass to KEV Catalog as actively exploited.","CISA has added CVE-2026-20182, a Cisco Catalyst SD-WAN Controller authentication bypass vulnerability, to its Known Exploited Vulnerabilities Catalog based on active exploitation evidence. The vulnerability poses significant risk to federal enterprises and triggers mandatory remediation requirements under Binding Operational Directive BOD 22-01 for Federal Civilian Executive Branch agencies. CISA urges all organizations to prioritize patching this vulnerability as part of their vulnerability management practices.","https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Falerts\u002F2026\u002F05\u002F14\u002Fcisa-adds-one-known-exploited-vulnerability-catalog","2026-05-14T12:00:00+00:00",{"id":160,"title":161,"slug":162,"brief":163,"ai_summary":164,"url":165,"image_url":25,"published_at":158},"5aa55168-04ed-44cb-8e3a-6735d92d4fc7","Siemens Siemens ROS#","siemens-siemens-ros-a78764","Siemens ROS# path traversal vulnerability (CVE-2026-41551) allows arbitrary file access in versions before 2.2.2.","Siemens ROS# versions before 2.2.2 contain a critical path traversal vulnerability (CVE-2026-41551) in the file_server ROS service that allows remote attackers to read and write arbitrary files with the privileges of the service user. The vulnerability stems from improper input sanitization and has a CVSS v3.1 score of 9.1 (Critical). Siemens has released version 2.2.2 as a fix and recommends immediate update, while providing interim mitigations including network isolation and appropriate user rights restrictions.","https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Fics-advisories\u002Ficsa-26-134-08",{"id":167,"title":168,"slug":169,"brief":170,"ai_summary":171,"url":172,"image_url":25,"published_at":158},"006964ea-040b-4114-84e8-a101ddf93840","Siemens Ruggedcom Rox","siemens-ruggedcom-rox-51f61e","Siemens Ruggedcom Rox input validation flaw allows authenticated RCE with root privileges.","Siemens released a security advisory for Ruggedcom Rox devices (multiple models) disclosing CVE-2025-40949, a critical OS command injection vulnerability in the Scheduler Web UI functionality. An authenticated remote attacker can exploit improper input sanitization to execute arbitrary commands with root privileges on the underlying operating system. Siemens recommends immediate patching to version 2.17.1 or later; the vulnerability affects critical manufacturing infrastructure deployed worldwide.","https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Fics-advisories\u002Ficsa-26-134-12",{"id":174,"title":175,"slug":176,"brief":177,"ai_summary":178,"url":179,"image_url":25,"published_at":158},"4403ec30-ad68-4d87-bda0-fc7035750d63","Siemens SENTRON 7KT PAC1261 Data Manager","siemens-sentron-7kt-pac1261-data-manager-b26b5e","Siemens SENTRON 7KT PAC1261 Data Manager HTTP request smuggling flaw allows admin token theft","A critical HTTP request smuggling vulnerability (CVE-2025-22871, CVSS 9.1) in the Go net\u002Fhttp package affects Siemens SENTRON 7KT PAC1261 Data Manager versions before 2.1.0. The flaw permits attackers to retrieve authorization tokens and gain administrative control over affected energy infrastructure devices deployed worldwide. Siemens has released version 2.1.0 as the fix and recommends immediate updates.","https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Fics-advisories\u002Ficsa-26-134-14",{"id":181,"title":168,"slug":182,"brief":183,"ai_summary":184,"url":185,"image_url":25,"published_at":158},"c4d19356-d9e2-4ae6-95b8-a6ddf5206131","siemens-ruggedcom-rox-2fb9ad","Siemens Ruggedcom Rox OS command injection vulnerability allows authenticated RCE with root privileges.","Siemens has disclosed CVE-2025-40947, a critical OS command injection vulnerability in Ruggedcom Rox industrial routers affecting 11 product variants. The flaw exists in the feature key installation process and allows authenticated remote attackers to execute arbitrary commands with root privileges. Siemens recommends immediate patching to version 2.17.1 or later for all affected models deployed worldwide in critical manufacturing environments.","https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Fics-advisories\u002Ficsa-26-134-11",{"id":187,"title":188,"slug":189,"brief":190,"ai_summary":191,"url":192,"image_url":25,"published_at":158},"0c6b86a4-fa83-4d85-a356-08807a366f82","Universal Robots Polyscope 5","universal-robots-polyscope-5-c0567f","Critical OS command injection in Universal Robots Polyscope 5 allows unauthenticated remote code execution.","Universal Robots has released a critical security advisory (CISA ICSA-26-134-17) addressing CVE-2026-8153, an OS command injection vulnerability in Polyscope 5 versions prior to 5.25.1. The flaw allows unauthenticated attackers to execute arbitrary code on the robot's operating system via the Dashboard Server interface, with a CVSS score of 9.8 (critical). Universal Robots has released patched version 5.25.1 to remediate the vulnerability.","https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Fics-advisories\u002Ficsa-26-134-17",{"id":194,"title":195,"slug":196,"brief":197,"ai_summary":198,"url":199,"image_url":25,"published_at":158},"7fbabda1-e355-4a36-97a7-7a859a8232d3","Siemens gWAP","siemens-gwap-850a8a","Siemens gWAP RCE vulnerability via Axios library prototype pollution gadget chain","Siemens gPROMS Web Applications Publisher (gWAP) versions prior to 3.1.1 are vulnerable to remote code execution through a prototype pollution gadget chain in the Axios HTTP client library (CVE-2026-40175). The vulnerability allows attackers to execute arbitrary code or achieve full cloud compromise via AWS IMDSv2 bypass. Siemens has released version 3.1.1 as a fix and recommends immediate patching for critical manufacturing deployments worldwide.","https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Fics-advisories\u002Ficsa-26-134-01",{"id":201,"title":202,"slug":203,"brief":204,"ai_summary":205,"url":206,"image_url":207,"published_at":208},"8c021596-bdc0-4ddb-b399-65abcbc96387","PraisonAI CVE-2026-44338 Auth Bypass Targeted Within Hours of Disclosure","praisonai-cve-2026-44338-auth-bypass-targeted-within-hours-of-disclosure-d33a9e","PraisonAI CVE-2026-44338 auth bypass exploited within hours of disclosure","Threat actors began exploiting CVE-2026-44338, a missing authentication vulnerability in PraisonAI's legacy Flask API server, within 3 hours 44 minutes of public disclosure on May 11, 2026. The flaw (CVSS 7.3) allows unauthenticated access to sensitive endpoints including agent enumeration and workflow invocation. The vulnerability affects versions 2.5.6 through 4.6.33 and has been patched in version 4.6.34.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fpraisonai-cve-2026-44338-auth-bypass.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEg2IaSkdVZD_wyJJT-sODoazviDXhw3MGkn5XHYocnTL1YfLJpgJ-1wNaAm0Rk0phyrIv8vS73SNNkPSmlxRkK9ySAQGnn_tCP9JcVKyqee6lxjlYEp0cs2C_R9cDtgCEXwsjWtx1XnafF5r_fAuDDAvg0CRMOgJk8ZMwSjRsw1Js90uR-97t-rh5yU12Oj\u002Fs1600\u002Fpraison.jpg","2026-05-14T11:40:14+00:00",{"id":210,"title":211,"slug":212,"brief":213,"ai_summary":214,"url":215,"image_url":216,"published_at":217},"296fb746-0313-429b-917b-3918597fbd0e","New Fragnesia Linux flaw lets attackers gain root privileges","new-fragnesia-linux-flaw-lets-attackers-gain-root-privileges-4bf6ea","Fragnesia Linux kernel flaw (CVE-2026-46300) enables local privilege escalation to root.","A new high-severity Linux kernel vulnerability called Fragnesia (CVE-2026-46300) allows unprivileged local attackers to gain root privileges through a logic bug in the XFRM ESP-in-TCP subsystem. Discovered by Zellic's William Bowling, the flaw enables arbitrary byte writes to the kernel page cache of read-only files and is part of the Dirty Frag vulnerability class. Linux distributions are rolling out patches, and users unable to patch immediately are advised to disable vulnerable kernel modules as a mitigation.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fnew-fragnesia-linux-flaw-lets-attackers-gain-root-privileges\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2025\u002F10\u002F31\u002FLinux.jpg","2026-05-14T07:34:19+00:00",{"id":219,"title":220,"slug":221,"brief":222,"ai_summary":223,"url":224,"image_url":225,"published_at":226},"632b8a20-2ba0-4d68-a5e0-e8c430e4d85d","18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE","18-year-old-nginx-rewrite-module-flaw-enables-unauthenticated-rce-af295a","18-year-old NGINX rewrite module heap buffer overflow enables unauthenticated RCE","Researchers disclosed CVE-2026-42945, a critical heap buffer overflow in NGINX's ngx_http_rewrite_module that went undetected for 18 years. The flaw allows unauthenticated remote attackers to achieve code execution or DoS by sending crafted HTTP requests with specific PCRE capture patterns. F5 released patches across multiple NGINX Plus and Open Source versions after responsible disclosure in April 2026.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002F18-year-old-nginx-rewrite-module-flaw.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEhhCvxtNv7UYYMCITB2HLsBgkN83LdRXcw0wmP9gMAfXeNpmJoOJKNIaQb55b-GLDeQHx-dUBkASGDYgstnvYAE5eFuwyzMSxY804fn56OaTsGlESOab9y-kFHJ-iV5iUlWrc5j27WLduUDhW6nRSjkv5tFMKZjDbbmDdk7_NMZ3y7sipHKy7t4XuMQ9YfG\u002Fs1600\u002Fnn.gif","2026-05-14T06:00:09+00:00",{"id":228,"title":229,"slug":230,"brief":231,"ai_summary":232,"url":233,"image_url":234,"published_at":235},"4ae44407-278c-4c2a-8754-02e9744a8864","Fortinet warns of critical RCE flaws in FortiSandbox and FortiAuthenticator","fortinet-warns-of-critical-rce-flaws-in-fortisandbox-and-fortiauthenticator-b3d857","Fortinet patches critical RCE flaws in FortiSandbox and FortiAuthenticator.","Fortinet released security patches for two critical remote code execution vulnerabilities affecting FortiAuthenticator (CVE-2026-44277) and FortiSandbox (CVE-2026-26083). Both flaws stem from improper access control and missing authorization checks that allow unauthenticated attackers to execute arbitrary commands. While not currently known to be exploited in the wild, Fortinet vulnerabilities have a history of frequent exploitation in ransomware and cyber-espionage campaigns, with CISA tracking 24 Fortinet CVEs in its actively exploited vulnerabilities catalog.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Ffortinet-warns-of-critical-rce-flaws-in-fortisandbox-and-fortiauthenticator\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2025\u002F12\u002F29\u002FFortinet.jpg","2026-05-12T18:23:09+00:00",{"id":237,"title":238,"slug":239,"brief":240,"ai_summary":241,"url":242,"image_url":25,"published_at":243},"9727331f-9656-477a-a8d4-b1511d29a41d","Fuji Electric Tellus","fuji-electric-tellus-b679a0","Fuji Electric Tellus 5.0.2 kernel driver flaw allows local privilege escalation (CVE-2026-8108)","CISA released an advisory for CVE-2026-8108 affecting Fuji Electric Tellus 5.0.2, a critical manufacturing software used worldwide. The vulnerability exists in a kernel driver that grants all users read and write permissions, allowing local privilege escalation from user to system level, potentially enabling denial of service, file access, or deletion. Fuji Electric recommends installing Tellus only with administrator privileges; no public exploitation has been reported to date.","https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Fics-advisories\u002Ficsa-26-132-01","2026-05-12T12:00:00+00:00",{"id":245,"title":246,"slug":247,"brief":248,"ai_summary":249,"url":250,"image_url":25,"published_at":243},"135be911-8b50-4c71-b7e1-8c5e1779b9b1","ABB AC500 V3 Stack Buffer Overflow in Cryptographic Message Syntax","abb-ac500-v3-stack-buffer-overflow-in-cryptographic-message-syntax-9ca9b2","ABB AC500 V3 PLC critical stack buffer overflow in CMS cryptographic parsing (CVE-2025-15467)","ABB disclosed a critical stack buffer overflow vulnerability (CVE-2025-15467, CVSS 9.8) in AC500 V3 PLCs affecting firmware versions 3.9.0 and 3.9.0_HF1. The flaw occurs when parsing CMS EnvelopedData structures with AEAD ciphers, where an oversized IV is copied into a fixed-size stack buffer without length validation, allowing unauthenticated remote code execution or denial-of-service. Firmware hotfix 3.9.0_HF1 is available and recommended for immediate deployment across critical infrastructure sectors worldwide.","https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Fics-advisories\u002Ficsa-26-132-05",{"id":252,"title":253,"slug":254,"brief":255,"ai_summary":256,"url":257,"image_url":25,"published_at":258},"4a148912-52c8-4734-97fc-16e40e77f9d5","Copy.Fail Linux Vulnerability - Schneier on Security","copy-fail-linux-vulnerability-schneier-on-security-f6956d","Copy.Fail Linux kernel LPE vulnerability disclosed; affects Ubuntu, RHEL, Debian, SUSE, Amazon Linux, Fedora.","Copy.Fail is a critical Linux kernel local privilege escalation vulnerability disclosed by Theori on 29 April 2026 that exploits the kernel crypto API (AF_ALG sockets) and splice() to write arbitrary data into the page cache of files an attacker does not own. The vulnerability works unmodified across major Linux distributions and bypasses file integrity monitoring tools like AIDE and Tripwire. Mainline fixes landed on 1 April, and distributions are rolling out patched kernels.","https:\u002F\u002Fwww.schneier.com\u002Fblog\u002Farchives\u002F2026\u002F05\u002Fcopy-fail-linux-vulnerability.html","2026-05-12T11:06:53+00:00",{"id":260,"title":261,"slug":262,"brief":263,"ai_summary":264,"url":265,"image_url":266,"published_at":258},"52b9ffa3-06c1-4d86-ade2-95490dd2a0ee","Copy Fail — 732 Bytes to Root","copy-fail-732-bytes-to-root-f6e2bc","CVE-2026-31431 Copy Fail: 732-byte Linux kernel LPE affecting all major distros since 2017","Copy Fail (CVE-2026-31431) is a 732-byte Linux privilege escalation vulnerability affecting kernels built between 2017 and the patch date. It exploits page-cache write bypasses in the kernel crypto API (AF_ALG) to achieve unprivileged local root, requiring only a regular user account. The same exploit works unmodified across Ubuntu, Amazon Linux, RHEL, SUSE, and other mainstream distributions, and can cross container boundaries in multi-tenant environments.","http:\u002F\u002FCopy.Fail","https:\u002F\u002Fcopy.fail\u002Fog.png",{"id":268,"title":269,"slug":270,"brief":271,"ai_summary":272,"url":273,"image_url":274,"published_at":275},"5fbecace-8942-4859-8c96-b19bc80693d6","'Dirty Frag' Exploit Poised to Blow Up on Enterprise Linux Distros","dirty-frag-exploit-poised-to-blow-up-on-enterprise-linux-distros-818e1c","'Dirty Frag' Linux privilege escalation vulnerability discovered, similar to Dirty Pipe flaw.","A new privilege escalation vulnerability dubbed 'Dirty Frag' has been discovered affecting enterprise Linux distributions. The flaw, which shares similarities with previously disclosed Linux vulnerabilities like Copy Fail and Dirty Pipe, may already be undergoing limited exploitation in the wild.","https:\u002F\u002Fwww.darkreading.com\u002Fvulnerabilities-threats\u002Fdirty-frag-exploit-blow-up-enterprise-linux-distros","https:\u002F\u002Feu-images.contentstack.com\u002Fv3\u002Fassets\u002Fblt6d90778a997de1cd\u002Fblt6294394cb13e6ebe\u002F6a01bfb65f98bb6fdefc0215\u002Fbombs-Valeriy_Kachaev-Alamy.png?width=1280&auto=webp&quality=80&disable=upscale","2026-05-11T15:05:45+00:00",{"id":277,"title":278,"slug":279,"brief":280,"ai_summary":281,"url":282,"image_url":283,"published_at":284},"fc11db82-5c50-4ba9-af65-9ff1a1ae00b8","⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More","weekly-recap-linux-rootkit-macos-crypto-stealer-websocket-skimmers-and-more-4dc027","Weekly security recap covers Linux RAT, macOS stealer, WebSocket skimmers, and active exploitation of Ivanti and Palo","This weekly recap highlights multiple active threats including Quasar Linux RAT (QLNX), a modular Linux malware with P2P mesh networking and rootkit capabilities designed for supply chain and cloud breaches; PCPJack replacing TeamPCP for credential theft; active exploitation of CVE-2026-6973 in Ivanti EPMM and zero-day CVE-2026-0300 in Palo Alto Networks PAN-OS affecting thousands of exposed hosts. The recap emphasizes recurring patterns of supply chain poisoning, cloud misconfigurations, and exploitation of years-old vulnerabilities.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fweekly-recap-linux-rootkit-macos-crypto.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEiD4a3gzeAEAv4Bs5FqWbHG1cRyNqIOjygeSxxpNoChwyyMUWlbZHzkG0n8ysGpoAYuKqklfMtTKRct0OeYktaKLhdXpRH5pKH94tVaMX7iPeNDf7vZjFky3myBkFPJPl1xIdsWDlIYP30IeR7IZGhQZ5p82yHRdRO1OGkpAtTWgZcQSG3zXqh9tLbSSrgP\u002Fs1600\u002Fcyber-recap.jpg","2026-05-11T12:36:00+00:00",{"id":286,"title":287,"slug":288,"brief":289,"ai_summary":290,"url":291,"image_url":292,"published_at":293},"b4e1e1aa-a9a9-4473-8b8c-1b3e283a2a40","9-Year-Old Dirty Frag Vulnerability Enables Root Access on Linux Systems","9-year-old-dirty-frag-vulnerability-enables-root-access-on-linux-systems-05fe8f","9-year-old Dirty Frag Linux kernel vulnerability enables unprivileged root access; public PoC released.","Dirty Frag is a pair of Linux kernel vulnerabilities (CVE-2026-43284 and CVE-2026-43500) discovered by researcher Hyunwoo Kim that existed undetected for nine years. The flaws affect IPSec ESP and RxRPC modules and allow local privilege escalation to root by chaining two page-cache-write bugs. Public exploit code has been released, prompting Red Hat and other vendors to rush patches while recommending defensive measures like disabling vulnerable modules and enforcing SELinux.","https:\u002F\u002Fhackread.com\u002F9-year-old-dirty-frag-vulnerability-root-access-linux\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002F9-year-old-dirty-frag-vulnerability-root-access-linux.jpg","2026-05-11T12:35:15+00:00",{"id":295,"title":296,"slug":297,"brief":298,"ai_summary":299,"url":300,"image_url":301,"published_at":302},"acc8bb46-c2fc-49f3-8337-f29b7bd576a8","New ‘Dirty Frag’ Linux Vulnerability Possibly Exploited in Attacks","new-dirty-frag-linux-vulnerability-possibly-exploited-in-attacks-a58382","Dirty Frag Linux privilege escalation vulnerability possibly exploited in wild attacks.","A new local privilege escalation vulnerability dubbed Dirty Frag (CVE-2026-43284 and CVE-2026-43500) chains two kernel flaws in xfrm-ESP and RxRPC components, allowing unprivileged users to escalate to root with very high success rate. The vulnerability was disclosed publicly before patches were available, and Microsoft reports it may already be exploited in the wild for post-compromise lateral movement. Major Linux distributions including Red Hat, Ubuntu, Fedora, and Amazon Linux have begun releasing patches and mitigations.","https:\u002F\u002Fwww.securityweek.com\u002Fnew-dirty-frag-linux-vulnerability-possibly-exploited-in-attacks\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2024\u002F09\u002FLinux.jpeg","2026-05-11T08:15:28+00:00",{"id":304,"title":305,"slug":306,"brief":307,"ai_summary":308,"url":309,"image_url":310,"published_at":311},"d274d683-cd7d-40cb-b33d-18135559cc9a","Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak","ollama-out-of-bounds-read-vulnerability-allows-remote-process-memory-leak-c84897","Critical out-of-bounds read in Ollama allows remote memory leak affecting 300K+ servers.","A critical out-of-bounds read vulnerability (CVE-2026-7482, CVSS 9.1) in Ollama's GGUF model loader allows unauthenticated remote attackers to leak entire process memory by uploading a specially crafted model file. The flaw, codenamed \"Bleeding Llama,\" affects versions before 0.17.1 and impacts an estimated 300,000+ servers globally, potentially exposing API keys, environment variables, system prompts, and user conversation data. Additionally, two unpatched Windows update mechanism vulnerabilities in Ollama can be chained for persistent code execution.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Follama-out-of-bounds-read-vulnerability.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEj92eUjjTTMJPizvUJGwq7Ych7nrXHwGRNt3hS9yjNGRJk5d3pdIKjeZhQDVuFp0DnKjP4qoieGWFjswm7nHDLBaxWC3DxFIfLfRjMSEXd0Ta04vcTrbCpS9PEXebUUbMBxBt0VOb-PKVk-7Cq0FjuMXl4VtKneb5a3ujCo872goPN22GBFFhReJtWsQJLK\u002Fs1600\u002Foll.jpg","2026-05-10T12:41:00+00:00",{"id":313,"title":314,"slug":315,"brief":316,"ai_summary":317,"url":318,"image_url":319,"published_at":320},"04802cf4-c46a-4959-b67c-11b19e65a864","Dirty Frag: Using the Page Caches as an Attack Surface","dirty-frag-using-the-page-caches-as-an-attack-surface-36be4f","Dirty Frag LPE chain exploits two Linux kernel page-cache vulnerabilities to escalate to root.","Dirty Frag is a Linux local privilege escalation chain disclosed on May 7, 2026, combining two previously unknown kernel vulnerabilities (CVE-2026-43284 in xfrm-ESP and CVE-2026-43500 in RxRPC) that allow unprivileged users to escalate to root on major distributions. The attack exploits a zero-copy send path flaw that plants attacker-controlled pages into kernel data structures, enabling in-place writes to memory the attacker should not have access to. The exploit operates entirely in the page cache (RAM), making it invisible to file-hash-based security tools until the system reboots or caches are dropped.","https:\u002F\u002Fblog.qualys.com\u002Fproduct-tech\u002Fvulnmgmt-detection-response\u002F2026\u002F05\u002F09\u002Fdirty-frag-using-the-page-caches-as-an-attack-surface","https:\u002F\u002Fik.imagekit.io\u002Fqualys\u002Fwp-content\u002Fuploads\u002F2024\u002F05\u002Fqblog-thumbnail.png","2026-05-09T07:22:34+00:00",{"id":322,"title":323,"slug":324,"brief":325,"ai_summary":326,"url":327,"image_url":328,"published_at":329},"80da3634-e1ee-414f-b554-856ee63d49e4","‼️ Dirty Frag: A Universal Linux Local Privilege Escalation via Page-Cache Write Primitives\n\nGitH...","dirty-frag-a-universal-linux-local-privilege-escalation-via-page-cache-write-pri-e57a31","Dirty Frag Linux LPE vulnerability in kernel page-cache xfrm-ESP subsystem disclosed","CVE-2026-43284 is a page-cache write flaw in the Linux kernel's xfrm-ESP (IPsec) subsystem allowing local privilege escalation. The vulnerability enables local users to corrupt kernel memory through page-cache write primitives. Patches have been released and details are publicly available on GitHub.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2052869070022721951","https:\u002F\u002Fpbs.twimg.com\u002Famplify_video_thumb\u002F2052868119396229123\u002Fimg\u002FS9FxWLov-OVK7B98.jpg","2026-05-08T21:51:41+00:00",{"id":331,"title":332,"slug":333,"brief":334,"ai_summary":335,"url":336,"image_url":337,"published_at":338},"53e43741-6a2f-48bd-bacb-42e452c2c23e","Ransomware negotiator tied to $56M in attacks was sentenced, DPRK-linked fraudulent IT worker sch...","ransomware-negotiator-tied-to-56m-in-attacks-was-sentenced-dprk-linked-fraudulen-ca0709","Ransomware negotiator sentenced for $56M attacks; DPRK IT fraud disrupted; PCPJack targets cloud credentials; Palo Alto","A ransomware negotiator was sentenced for involvement in attacks totaling $56 million. Additionally, law enforcement disrupted DPRK-linked fraudulent IT worker schemes, researchers discovered PCPJack malware targeting cloud infrastructure to steal credentials, and a Palo Alto Networks firewall zero-day vulnerability is under active exploitation.","https:\u002F\u002Fx.com\u002FSentinelOne\u002Fstatus\u002F2052813317811347693","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHH0O0TiW4AYe-iP.jpg","2026-05-08T18:10:09+00:00",{"id":340,"title":341,"slug":342,"brief":343,"ai_summary":344,"url":345,"image_url":346,"published_at":347},"708f0c71-e5fe-4aa1-8ab7-70135743eb66","Active attack: Dirty Frag Linux vulnerability expands post-compromise risk","active-attack-dirty-frag-linux-vulnerability-expands-post-compromise-risk-50905a","Dirty Frag Linux kernel vulnerability enables reliable privilege escalation from unprivileged user to root.","Dirty Frag is a newly disclosed Linux local privilege escalation vulnerability affecting kernel networking components (esp4, esp6, rxrpc) that enables reliable escalation from unprivileged users to root access. The vulnerability is actively being exploited post-compromise via SSH access, web shells, containers, or low-privileged accounts. Microsoft Defender is actively monitoring exploitation attempts and providing detection coverage.","https:\u002F\u002Fwww.microsoft.com\u002Fen-us\u002Fsecurity\u002Fblog\u002F2026\u002F05\u002F08\u002Factive-attack-dirty-frag-linux-vulnerability-expands-post-compromise-risk\u002F","https:\u002F\u002Fwww.microsoft.com\u002Fen-us\u002Fsecurity\u002Fblog\u002Fwp-content\u002Fuploads\u002F2026\u002F04\u002FMS_Actional-Insights_Rapid-response.jpg","2026-05-08T17:12:46+00:00",{"id":349,"title":350,"slug":351,"brief":352,"ai_summary":353,"url":354,"image_url":355,"published_at":356},"1482029f-3a36-4c47-a648-4fa024045e2d","Dirty Frag is a Linux LPE case worth watching closely\n\nIt chains two page-cache write issues to g...","dirty-frag-is-a-linux-lpe-case-worth-watching-closely-it-chains-two-page-cache-w-c9a24b","Dirty Frag Linux LPE chains two page-cache write bugs for root access on major distros","Dirty Frag is a high-impact local privilege escalation vulnerability affecting Linux that chains two page-cache write issues to gain root access on major distributions. A public proof-of-concept is available, with one vulnerability partially patched in the mainline kernel while patches for the full attack chain remain incomplete across distributions. This creates an active exploitation window on unpatched systems.","https:\u002F\u002Fx.com\u002Fnextronresearch\u002Fstatus\u002F2052771584180359222","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHHzo0ArW4Ac-dbn.jpg","2026-05-08T15:24:18+00:00",{"id":358,"title":359,"slug":360,"brief":361,"ai_summary":362,"url":363,"image_url":364,"published_at":365},"c41eb32c-333d-408e-8d45-5708466540df","ClaudeBleed Vulnerability Lets Hackers Hijack Claude Chrome Extension to Steal Data","claudebleed-vulnerability-lets-hackers-hijack-claude-chrome-extension-to-steal-d-2767ad","ClaudeBleed vulnerability in Claude Chrome extension allows data exfiltration via guardrail bypass.","Security researchers at LayerX discovered ClaudeBleed, a critical vulnerability in Anthropic's Claude for Chrome extension that allows attackers to hijack the AI assistant and steal private Google Drive and Gmail data. The flaw stems from improper message source validation and trust boundary violations, enabling even unprivileged extensions to execute malicious commands. Anthropic's May 6 patch remains incomplete, as researchers demonstrated additional bypass techniques including forcing privileged mode activation without user consent.","https:\u002F\u002Fhackread.com\u002Fclaudebleed-vulnerability-hackers-claude-chrome-extension\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fclaudebleed-vulnerability-hackers-claude-chrome-extension.jpg","2026-05-08T13:36:18+00:00",{"id":367,"title":74,"slug":368,"brief":369,"ai_summary":370,"url":371,"image_url":25,"published_at":372},"0fbfe4c4-7570-4097-8af9-39e91d3cf38a","cisa-adds-one-known-exploited-vulnerability-to-catalog-602ea8","CISA adds BerriAI LiteLLM SQL injection vulnerability to Known Exploited Vulnerabilities catalog.","CISA added CVE-2026-42208, a SQL injection vulnerability in BerriAI LiteLLM, to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The vulnerability poses significant risk to federal enterprise networks. While BOD 22-01 mandates remediation for Federal Civilian Executive Branch agencies, CISA urges all organizations to prioritize patching this actively exploited flaw as part of vulnerability management.","https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Falerts\u002F2026\u002F05\u002F08\u002Fcisa-adds-one-known-exploited-vulnerability-catalog","2026-05-08T12:00:00+00:00",{"id":374,"title":375,"slug":376,"brief":377,"ai_summary":378,"url":379,"image_url":380,"published_at":381},"a741ba94-d132-49ba-93af-9322a600a781","Pentest-Tools.com Releases Free Scanner for CVE-2026-41940 as cPanel Authentication Bypass Enters Its Third Week of Active Exploitation","pentest-tools-com-releases-free-scanner-for-cve-2026-41940-as-cpanel-authenticat-a77388","Pentest-Tools releases free scanner for CVE-2026-41940, critical cPanel auth bypass actively exploited for 3 weeks.","CVE-2026-41940, a CVSS 9.8 critical authentication bypass in cPanel & WHM and WP Squared, has been actively exploited since February 2026—64 days before public disclosure. The vulnerability exploits a CRLF injection flaw in cpsrvd that allows unauthenticated attackers to bypass login entirely by manipulating the whostmgrsession cookie. Pentest-Tools.com released a free scanner to detect exploitability, while cPanel patched on April 28, 2026, and Cloudflare deployed emergency WAF mitigation; approximately 1.5 million cPanel instances are exposed on the internet.","https:\u002F\u002Fwww.itsecurityguru.org\u002F2026\u002F05\u002F08\u002Fpentest-tools-com-releases-free-scanner-for-cve-2026-41940-as-cpanel-authentication-bypass-enters-its-third-week-of-active-exploitation\u002F?utm_source=rss&utm_medium=rss&utm_campaign=pentest-tools-com-releases-free-scanner-for-cve-2026-41940-as-cpanel-authentication-bypass-enters-its-third-week-of-active-exploitation","https:\u002F\u002Fwww.itsecurityguru.org\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002FcPanel.jpg","2026-05-08T10:25:22+00:00",{"id":383,"title":384,"slug":385,"brief":386,"ai_summary":387,"url":388,"image_url":389,"published_at":390},"b69e388d-d461-4010-a0cf-6aa6f98e4eb5","CVE-2025-68670: discovering an RCE vulnerability in xrdp","cve-2025-68670-discovering-an-rce-vulnerability-in-xrdp-191ad6","CVE-2025-68670: Pre-auth RCE in xrdp server via buffer overflow in UTF-16 conversion.","Kaspersky researchers discovered CVE-2025-68670, a pre-authentication remote code execution vulnerability in the xrdp remote desktop server component used by Kaspersky USB Redirector. The vulnerability exists in the UTF-16 to UTF-8 conversion logic handling client credentials during the Secure Settings Exchange phase of RDP connection setup. xrdp maintainers promptly patched the issue in version 0.10.5 and backported fixes to earlier versions.","https:\u002F\u002Fsecurelist.com\u002Fcve-2025-68670\u002F119742\u002F","https:\u002F\u002Fmedia.kasperskycontenthub.com\u002Fwp-content\u002Fuploads\u002Fsites\u002F43\u002F2026\u002F05\u002F07125309\u002FSL-RCE-in-xrdp-featured-scaled.jpg","2026-05-08T08:00:54+00:00",{"id":392,"title":393,"slug":394,"brief":395,"ai_summary":396,"url":397,"image_url":398,"published_at":399},"848aae5a-8dd2-4399-ba6b-0517cda71179","Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions","linux-kernel-dirty-frag-lpe-exploit-enables-root-access-across-major-distributio-30edb1","Unpatched Linux kernel Dirty Frag LPE vulnerability enables root access across major distributions.","A new unpatched local privilege escalation vulnerability called Dirty Frag has been discovered in the Linux kernel, allowing unprivileged users to gain root access on most major distributions including Ubuntu, RHEL, openSUSE, and Fedora. The flaw chains two page-cache write vulnerabilities (xfrm-ESP and RxRPC) to bypass namespace restrictions and achieve deterministic exploitation without race conditions. A working proof-of-concept exploit has been publicly released, prompting immediate recommendations to blocklist affected kernel modules until patches become available.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Flinux-kernel-dirty-frag-lpe-exploit.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEgnVSDBWt4hKZ-DOrZqHWPVH0JxrpcUeup9hpMpoH5Ny8bpuJ6Lviv58aH0aK2S2IJvAugaYRhM8P9wUW3tbVCu2kFMQbG5F16kI3PvS6gmR2Px8qOxcat-tK-UHV9oSDsAv9MHjvrduyndsqhicJxX1GroDTBo8it4ANI2wKIUVauhdxbgrNBQHhdgq2SW\u002Fs1600\u002Flinux.gif","2026-05-08T05:12:00+00:00",{"id":401,"title":402,"slug":403,"brief":404,"ai_summary":405,"url":406,"image_url":407,"published_at":408},"476c5f20-550d-492d-809c-e9532333904e","New threat brief: CVE-2026-0300, a buffer overflow vulnerability in the PAN-OS User-ID Authentica...","new-threat-brief-cve-2026-0300-a-buffer-overflow-vulnerability-in-the-pan-os-use-66a8ac","CVE-2026-0300 buffer overflow in PAN-OS User-ID portal enables unauthenticated RCE.","Unit 42 has identified CVE-2026-0300, a buffer overflow vulnerability in the Palo Alto Networks PAN-OS User-ID Authentication Portal that allows unauthenticated remote code execution. Limited exploitation has been observed in the wild. Palo Alto Networks has released mitigation guidance and patches to address the flaw.","https:\u002F\u002Fx.com\u002FUnit42_Intel\u002Fstatus\u002F2052533460523200691","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHHwQSgZXAAAWGbd.jpg","2026-05-07T23:38:05+00:00",{"id":410,"title":411,"slug":412,"brief":413,"ai_summary":414,"url":415,"image_url":416,"published_at":417},"dca4a3f3-cdf4-4d0f-a9d9-7b81ea7e0ef6","When prompts become shells: RCE vulnerabilities in AI agent frameworks","when-prompts-become-shells-rce-vulnerabilities-in-ai-agent-frameworks-1f0439","Microsoft discloses RCE vulnerabilities in Semantic Kernel AI agent framework via prompt injection.","Microsoft Security researchers discovered two critical vulnerabilities (CVE-2026-25592 and CVE-2026-26030) in Semantic Kernel, an open-source AI agent framework, that could allow attackers to achieve remote code execution through prompt injection attacks. By leveraging the framework's tool-binding mechanisms, attackers can turn prompt injections into host-level RCE, enabling unauthorized execution of system commands. The vulnerabilities underscore systemic risks in popular AI frameworks used to build production agents with active network access.","https:\u002F\u002Fwww.microsoft.com\u002Fen-us\u002Fsecurity\u002Fblog\u002F2026\u002F05\u002F07\u002Fprompts-become-shells-rce-vulnerabilities-ai-agent-frameworks\u002F","https:\u002F\u002Fwww.microsoft.com\u002Fen-us\u002Fsecurity\u002Fblog\u002Fwp-content\u002Fuploads\u002F2026\u002F03\u002FMS_Actional-Insights_AI-agents.jpg","2026-05-07T20:22:39+00:00",{"id":419,"title":420,"slug":421,"brief":422,"ai_summary":423,"url":424,"image_url":425,"published_at":426},"6bf27e9b-adcb-471a-b707-e84ecea5bcb9","Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access","ivanti-epmm-cve-2026-6973-rce-under-active-exploitation-grants-admin-level-acces-dc3fb0","Ivanti EPMM CVE-2026-6973 RCE under active exploitation requires admin auth.","Ivanti disclosed CVE-2026-6973, a high-severity remote code execution vulnerability in Endpoint Manager Mobile (EPMM) affecting versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1 that is currently under limited active exploitation. The flaw stems from improper input validation and requires admin-level authentication to exploit. CISA has added it to the Known Exploited Vulnerabilities catalog, mandating Federal agencies patch by May 10, 2026.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fivanti-epmm-cve-2026-6973-rce-under.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEiX-v9Rdn-UppGqdbm0oFYXNg6myRCPn8r-d4BXVN0e2r2hqrYbGPUwOKafMbwKlojjbck4C8Ez6dxZ7WcLF45PNphvCo1K4OGhXl0u9fWanVMbO62iZoWMQJrplTa6VaXfI2rhQL40PoDK0ZNh2jqDJGBc9LylbIE92LWSNEIkVUhSpkGyAfV7g-DVZlU1\u002Fs1600\u002Fivanti.jpg","2026-05-07T17:55:00+00:00",{"id":428,"title":429,"slug":430,"brief":431,"ai_summary":432,"url":433,"image_url":434,"published_at":435},"fa5ae2df-53d2-4abd-9cdd-03cdc0387907","ThreatsDay Bulletin: Edge Plaintext Passwords, ICS 0-Days, Patch-or-Die Alerts and 25+ New Stories","threatsday-bulletin-edge-plaintext-passwords-ics-0-days-patch-or-die-alerts-and--2f7a3d","Weekly threat bulletin covers MicroStealer, ICS flaws, supply chain defenses, and North Korea cybercrime case.","ThreatsDay Bulletin for May 7, 2026 aggregates multiple security incidents including a new MicroStealer malware targeting education and telecom sectors, critical vulnerabilities in Eclipse BaSyx V2 industrial systems, FTC settlement with Kochava over location data abuse, and supply chain hardening measures in pnpm 11. The roundup reflects ongoing trends of credential theft, zero-day exploitation in ICS environments, and attackers increasingly using automation and AI to accelerate attacks.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fthreatsday-bulletin-edge-plaintext.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEhYNaH2vOiD-OgAVnO0nGCSr8j4nnvHD2n7RieJD2mDMlPev_fKoBafjhvob13LV4pOFhgMuZd6ex8zyQnCM1AyVfl6fuRG9Max2F76Ku9rWbieBvF0AtGlQd0nXlIwHDKvq5H4BJn3hGCRfE86fHs5SL05RywOADNDC9J5lG9DF8goavgxWzAh7a7isNMB\u002Fs1600\u002Fthreatsday-1.jpg","2026-05-07T11:33:00+00:00",[],[],[],[],50]