Vulnerabilities
55 articles
Attackers Exploit CVE-2026-35616 in FortiClient EMS to Deploy EKZ Infostealer Disguised as a Fortinet Patch
Arctic Wolf found attackers abusing a critical FortiClient EMS authentication bypass (CVSS 9.8) to silently push EKZ Infostealer to every managed endpoint through legitimate VPN scripting workflows.
Trend Micro Patches Apex One Zero-Day CVE-2026-34926 Exploited in the Wild, CISA Orders Federal Agencies to Patch by June 4
A directory traversal flaw in Trend Micro Apex One lets an attacker with admin server access inject malicious code into managed endpoints. CISA added it to KEV on May 21 with a June 4 federal deadline.
Ghost CMS SQL Injection CVE-2026-26980 Exploited to Hijack 700 Sites in Large-Scale ClickFix Campaign
A since-patched SQL injection in Ghost CMS (versions 3.24.0 through 6.19.0) has been exploited at scale to compromise more than 700 websites, including sites at Harvard and Oxford, turning them into ClickFix malware distribution points.
Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credential Theft as Top Breach Vector for First Time in 19 Years
The 2026 DBIR finds that 31% of breaches now begin with an unpatched vulnerability, surpassing credential abuse for the first time in the report's 19-year history, while median patch time climbs to 43 days and ransomware figures in 48% of all breaches.
MiniPlasma: A Five-Year-Old Windows Zero-Day Resurfaces With Working PoC, Granting SYSTEM Privileges on Fully Patched Systems
A researcher using the handle Chaotic Eclipse released a working exploit for an unpatched Windows privilege-escalation flaw in the Cloud Filter driver; the exploit has been confirmed to grant SYSTEM access on fully patched Windows 11.
Microsoft Confirms Active Exploitation of Unpatched Exchange Server CVE-2026-42897 as CISA Adds It to KEV With May 29 Deadline
Microsoft has disclosed an actively exploited cross-site scripting flaw in on-premises Exchange Server's Outlook Web Access. No patch has shipped; CISA gave federal agencies until May 29 to apply mitigations.
DepthFirst's AI Scanner Surfaces NGINX Rift, an 18-Year-Old Heap Overflow in the Rewrite Module That Enables Unauthenticated RCE
An LLM-powered scanner from security startup DepthFirst flagged a heap buffer overflow that had sat undetected in NGINX's rewrite module for roughly 18 years, prompting F5 to ship coordinated patches on May 13.
Cisco Patches Sixth SD-WAN Zero-Day of 2026 as CISA Adds CVE-2026-20182 to KEV With Three-Day Federal Deadline
A second authentication bypass in the same vdaemon stack as February's CVE-2026-20127 carries a CVSS 10.0 and is being exploited by the same UAT-8616 cluster, Cisco and Talos disclosed on May 14.
PostgreSQL Ships Coordinated Security Release Fixing 11 CVEs Across Five Supported Versions
PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 landed on May 14, fixing 11 security flaws and more than 60 bugs; four of the CVEs carry a CVSS score of 8.8.
XBOW Discloses 'Dead.Letter' Use-After-Free in Exim's BDAT Path, CVSS 9.8 Pre-Auth RCE Against GnuTLS Builds 4.97 to 4.99.2
CVE-2026-45185, found by XBOW's Federico Kirschbaum and patched in Exim 4.99.3, lets an unauthenticated SMTP client corrupt the heap via a TLS close_notify during a CHUNKING transfer.
Microsoft Unveils MDASH, a Multi-Model Agentic Security Harness That Tops the CyberGym Leaderboard and Finds 16 Windows Bugs
Microsoft's new Autonomous Code Security team disclosed MDASH alongside its May 2026 Patch Tuesday, crediting the multi-model agentic scanner with 16 Windows vulnerabilities, four of them critical RCEs, and an 88.45 percent score on CyberGym.
Vercel Ships Coordinated Next.js Security Release Patching 13 Advisories Across DoS, Middleware Bypass, SSRF and Cache Poisoning
Next.js 15.5.18 and 16.2.6 land with a 13-advisory bundle covering a React Server Components DoS (CVE-2026-23870), middleware-bypass routes, SSRF, and cache poisoning; Vercel says the WAF cannot reliably block them.