cve

A second authentication bypass in the same vdaemon stack as February's CVE-2026-20127 carries a CVSS 10.0 and is being exploited by the same UAT-8616 cluster, Cisco and Talos disclosed on May 14.

CVE-2026-45185, found by XBOW's Federico Kirschbaum and patched in Exim 4.99.3, lets an unauthenticated SMTP client corrupt the heap via a TLS close_notify during a CHUNKING transfer.

Next.js 15.5.18 and 16.2.6 land with a 13-advisory bundle covering a React Server Components DoS (CVE-2026-23870), middleware-bypass routes, SSRF, and cache poisoning; Vercel says the WAF cannot reliably block them.

An integer overflow in PgBouncer's SCRAM packet parser lets unauthenticated attackers crash the pooler, and three more flaws ship in the same release. Debian stable, testing, and pre-release archives are all still vulnerable.

Vim 9.2.0435 fixes an OS command injection in :find completion where backtick-enclosed shell commands inside the path option ran during Tab completion, with a modeline-set path enabling exploitation by simply opening a malicious file.

Apache HTTP Server 2.4.67 fixes CVE-2026-23918, a double-free in mod_http2 that triggers on early stream reset and may enable remote code execution on Debian-default builds.

CVE-2026-31431, discovered by Theori using its AI scanner Xint Code, lets unprivileged users root Ubuntu, Amazon Linux, RHEL, and SUSE through a logic flaw in the kernel's crypto subsystem.

A researcher's protest disclosure turned Microsoft Defender's remediation engine into an attack vector, with two of three zero-days remaining unpatched as ransomware actors move in.

A regression shipped in .NET 10.0.6 broke HMAC validation and exposed cookie-forging attacks. Microsoft released out-of-band .NET 10.0.7 on April 21 to patch CVE-2026-40372, rated 9.1 CVSS.

CISA added CVE-2026-34197, a 13-year-old remote code execution flaw in Apache ActiveMQ Classic, to its Known Exploited Vulnerabilities catalog on April 16 as Horizon3.ai's Naveen Sunkavally described finding the chain with Anthropic's Claude in about ten minutes.

NIST will now enrich only CVEs meeting federal priority criteria, leaving thousands of vulnerabilities without severity scores as AI-driven discovery overwhelms the 21-person NVD team.

Security researchers disclose a critical deserialization flaw and two high-severity bugs in the most widely downloaded AI framework on PyPI, with patches now available.