cisa-kev

Microsoft has disclosed an actively exploited cross-site scripting flaw in on-premises Exchange Server's Outlook Web Access. No patch has shipped; CISA gave federal agencies until May 29 to apply mitigations.

A second authentication bypass in the same vdaemon stack as February's CVE-2026-20127 carries a CVSS 10.0 and is being exploited by the same UAT-8616 cluster, Cisco and Talos disclosed on May 14.

Ivanti disclosed an actively exploited authenticated RCE in Endpoint Manager Mobile alongside four other high-severity flaws. CISA added it to KEV on May 7 with a May 10 federal patch deadline.

Palo Alto Networks disclosed CVE-2026-0300, a critical buffer overflow in PAN-OS that grants unauthenticated root code execution and has been exploited in the wild since April 9. CISA added it to KEV on May 6 with a May 9 federal deadline; first fixes ship May 13.