Cybersecurity
138 articles
SAP Issues 15 Security Notes for May With Two 9.6 CVEs: a Read-Only SQL Injection in S/4HANA Enterprise Search and an Unauthenticated Commerce Cloud Bypass
SAP's May 12 Patch Day fixes CVE-2026-34260 in S/4HANA's Enterprise Search for ABAP and CVE-2026-34263 in Commerce Cloud, plus a high-severity OS command injection in Forecasting & Replenishment.
Checkmarx Jenkins AST Plugin Backdoored for 31 Hours as TeamPCP Returns Weeks After the KICS Compromise
A malicious build of Checkmarx's Jenkins AST plugin was live on the Jenkins Marketplace from May 9 at 01:25 UTC to May 10 at 08:47 UTC, the latest TeamPCP intrusion against Checkmarx weeks after the April KICS wave.
PgBouncer 1.25.2 Patches Four CVEs Including a Pre-Auth SCRAM Crash That Hits Every Currently Shipping Debian Release
An integer overflow in PgBouncer's SCRAM packet parser lets unauthenticated attackers crash the pooler, and three more flaws ship in the same release. Debian stable, testing, and pre-release archives are all still vulnerable.
RedAccess Finds More Than 5,000 Vibe-Coded Apps on Lovable, Replit, Base44 and Netlify Running With No Authentication
Israeli security firm RedAccess says vibe-coding platforms ship apps that default to public, exposing medical, financial and corporate data to anyone who can find them.
Dirty Frag: A Second Linux Kernel Zero-Day in Five Weeks Hands Root via Chained ESP and rxrpc Page-Cache Bugs
CVE-2026-43284 and CVE-2026-43500 chain two page-cache write primitives in IPsec ESP and rxrpc to give unprivileged users root on every major Linux distribution shipped in the last nine years.
Vim Patches CVE-2026-44656, a Modeline-Triggered Shell Injection in :find Completion Affecting All Versions Before 9.2.0435
Vim 9.2.0435 fixes an OS command injection in :find completion: backtick-enclosed shell commands inside the 'path' option were executed during Tab completion. Because 'path' can be set from a modeline, opening a malicious file is enough to plant the payload, which then runs the next time the user Tab-completes a :find argument.
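A triage check for the Vim item above, added here as an example and not code from the article or from the Vim project: it looks only where Vim looks for modelines (the first and last 'modelines' lines, 5 by default), extracts the option string from both modeline forms ("vim: opts" and "vim: set opts :"), and flags any assignment to 'path' (or its short name 'pa') whose value contains a backtick. The sample documents are constructed for the demonstration; the regexes approximate Vim's modeline grammar closely enough for scanning, but are not Vim's parser.

```python
import re
from typing import List, Optional, Tuple

MODELINES = 5  # Vim's default 'modelines': only the first and last 5 lines are inspected

# A modeline begins with "vi:", "vim:", "vim<ver>:" (also vim=, vim>) at line start or after
# whitespace, or "ex:" after whitespace; the rest of the line is the option string.
MODELINE_RE = re.compile(r'(?:(?:^|\s)(?:vi|vim[<=>]?\d*)|\sex):\s*(.*)$')

# An assignment to 'path' ('pa'), including the +=, ^= and -= forms. The value runs until
# unescaped whitespace or ':'; a "\ " escape keeps a space inside the value.
PATH_RE = re.compile(r'(?:^|[\s:])(?:path|pa)[+^-]?=((?:\\.|[^\s:\\])*)')


def modeline_options(line: str) -> Optional[str]:
    """Return the option string of a modeline, or None if the line is not one."""
    m = MODELINE_RE.search(line)
    if not m:
        return None
    opts = m.group(1)
    # Second form: "vim: set opt1 opt2 : trailing text" -- options end at the first unescaped ':'.
    if re.match(r'se(?:t)?\s', opts):
        opts = re.split(r'(?<!\\):', opts, maxsplit=1)[0]
    return opts


def find_backtick_path(text: str, modelines: int = MODELINES) -> List[Tuple[int, str]]:
    """Return (line_number, path_value) for every modeline that sets 'path' to a value
    containing a backtick, checking only the first and last `modelines` lines."""
    lines = text.splitlines()
    candidates = set(range(min(modelines, len(lines))))
    candidates |= set(range(max(0, len(lines) - modelines), len(lines)))
    hits: List[Tuple[int, str]] = []
    for i in sorted(candidates):
        opts = modeline_options(lines[i])
        if opts is None:
            continue
        for m in PATH_RE.finditer(opts):
            value = m.group(1)
            if "`" in value:
                hits.append((i + 1, value))
    return hits


# Constructed sample: a file whose fourth line carries a modeline with a backtick in 'path'.
SAMPLE = """\
/* constructed sample file */
some harmless-looking content
more content
/* vim: set path=.,`touch\\ /tmp/pwned`,, : */
"""

# Constructed sample: an ordinary modeline that sets 'path' without any backtick.
BENIGN = "# vim: set ts=4 sw=4 path=.,/usr/include :\nint main(void) { return 0; }\n"

# Constructed sample: the modeline sits in the middle of a 17-line file, outside the window
# Vim reads with the default 'modelines' value, so it is ignored unless the window is widened.
LONG = "\n".join(["text"] * 8 + ["# vim: set path=`id`:"] + ["text"] * 8)

if __name__ == "__main__":
    for name, doc in (("SAMPLE", SAMPLE), ("BENIGN", BENIGN), ("LONG", LONG)):
        print(name, find_backtick_path(doc))
```

The window matters for both directions: a payload buried mid-file is inert unless the victim has raised 'modelines', and a scanner that reads only the first few lines of a file misses one placed at the end.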
Ivanti Patches CVE-2026-6973 Zero-Day in EPMM as CISA Adds Authenticated Admin RCE Bug to KEV
Ivanti disclosed an actively exploited authenticated RCE in Endpoint Manager Mobile alongside four other high-severity flaws. CISA added it to KEV on May 7 with a May 10 federal patch deadline.
Apache patches a double-free in HTTP/2 that crashes workers with two frames and one TCP connection
Apache HTTP Server 2.4.67 fixes CVE-2026-23918, a double-free in mod_http2 that triggers on early stream reset and may enable remote code execution on Debian-default builds.
Palo Alto Networks Discloses CVE-2026-0300, a 9.3 PAN-OS Captive Portal RCE Exploited Since April 9 With Patches Starting May 13
Palo Alto Networks disclosed CVE-2026-0300, a critical buffer overflow in PAN-OS that grants unauthenticated root code execution and has been exploited in the wild since April 9. CISA added it to KEV on May 6 with a May 9 federal deadline; first fixes ship May 13.
Critical cPanel Authentication Bypass CVE-2026-41940 Exploited as Zero-Day for Two Months Before April 28 Patch
A CVSS 9.8 CRLF-injection bug in cPanel and WHM let unauthenticated attackers gain root, exploited since February 23 against roughly 1.5 million exposed servers and now weaponized against governments in Southeast Asia.
OpenSSH Patches a 15-Year-Old Comma-Parsing Bug That Could Promote Certificate Holders to Root
CVE-2026-35414 lets a comma in an SSH certificate principal slip past authorized_keys access controls, granting root on vulnerable servers. OpenSSH 10.3 ships the fix.
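A check for the OpenSSH item above, added here as an example and not code from the article or from OpenSSH: it decodes a certificate given as a one-line public key ("<type> <base64> [comment]"), walks the fields laid out in OpenSSH's PROTOCOL.certkeys up to the packed "valid principals" list, and reports any principal that contains a comma. It does not verify the signature; it is a triage aid for certificates a CA has already issued. The build_unsigned_cert helper constructs a dummy, unsigned ed25519 user certificate purely so the example runs offline; ssh and ssh-keygen would reject it, and on a real certificate `ssh-keygen -L -f cert.pub` prints the same principals list.

```python
import base64
import struct
from typing import List

# Number of length-prefixed public-key fields that follow the nonce, per certificate type.
KEY_FIELDS = {
    "ssh-ed25519-cert-v01@openssh.com": 1,            # pk
    "ssh-rsa-cert-v01@openssh.com": 2,                # e, n
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,    # curve name, point
    "ecdsa-sha2-nistp384-cert-v01@openssh.com": 2,
    "ecdsa-sha2-nistp521-cert-v01@openssh.com": 2,
}


class Reader:
    """Cursor over an SSH wire-format buffer (uint32/uint64 big-endian, length-prefixed strings)."""

    def __init__(self, buf: bytes) -> None:
        self.buf, self.off = buf, 0

    def uint32(self) -> int:
        (v,) = struct.unpack_from(">I", self.buf, self.off)
        self.off += 4
        return v

    def uint64(self) -> int:
        (v,) = struct.unpack_from(">Q", self.buf, self.off)
        self.off += 8
        return v

    def string(self) -> bytes:
        n = self.uint32()
        if self.off + n > len(self.buf):
            raise ValueError("truncated string field")
        s = self.buf[self.off:self.off + n]
        self.off += n
        return s


def cert_principals(pubkey_line: str) -> List[str]:
    """Return the valid principals of an OpenSSH certificate, without checking its signature."""
    ctype, b64 = pubkey_line.split()[:2]
    r = Reader(base64.b64decode(b64))
    inner = r.string().decode()
    if inner != ctype or inner not in KEY_FIELDS:
        raise ValueError(f"unsupported or inconsistent certificate type {ctype!r}")
    r.string()                              # nonce
    for _ in range(KEY_FIELDS[inner]):
        r.string()                          # public key material
    r.uint64()                              # serial
    r.uint32()                              # type: 1 = user, 2 = host
    r.string()                              # key id
    packed = Reader(r.string())             # "valid principals": a packed list of strings
    principals = []
    while packed.off < len(packed.buf):
        principals.append(packed.string().decode())
    return principals


def principals_with_commas(pubkey_line: str) -> List[str]:
    """Principals that contain a comma, the character the fix in OpenSSH 10.3 concerns."""
    return [p for p in cert_principals(pubkey_line) if "," in p]


def _s(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def build_unsigned_cert(principals: List[str], key_id: str = "demo") -> str:
    """Constructed, UNSIGNED ed25519 user certificate for the demo; key and signature are dummies."""
    ctype = "ssh-ed25519-cert-v01@openssh.com"
    body = b"".join([
        _s(ctype.encode()),
        _s(b"\x00" * 32),                   # nonce (dummy)
        _s(b"\x11" * 32),                   # ed25519 public key (dummy)
        struct.pack(">Q", 1),               # serial
        struct.pack(">I", 1),               # user certificate
        _s(key_id.encode()),
        _s(b"".join(_s(p.encode()) for p in principals)),
        struct.pack(">Q", 0),               # valid after
        struct.pack(">Q", 2 ** 64 - 1),     # valid before
        _s(b""), _s(b""), _s(b""),          # critical options, extensions, reserved
        _s(b""), _s(b""),                   # signature key, signature (dummies)
    ])
    return f"{ctype} {base64.b64encode(body).decode()} {key_id}"


if __name__ == "__main__":
    demo = build_unsigned_cert(["alice", "alice,root"])
    print(cert_principals(demo), principals_with_commas(demo))
```

Run it over the certificates your CA has issued (or over the public halves collected from hosts) and treat any hit as something to revoke and reissue, independently of whether the server side has been upgraded to 10.3.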
Instructure Confirms Canvas Data Breach as ShinyHunters Claims 275 Million Records From 9,000 Schools
Instructure says names, email addresses, student IDs and user messages were exposed in a breach disclosed May 1. ShinyHunters then listed the firm on its leak site, claiming 3.65 TB of data tied to 275 million people at close to 9,000 institutions.