// #cve

21 articles

🛡️ SecOps

Microsoft May 2026 Patch Tuesday Fixes 120 Vulnerabilities — No Zero-Days but Wormable RCEs Demand Immediate Action

Microsoft released 120 security fixes in May's Patch Tuesday update, including 17 Critical-rated vulnerabilities and no actively exploited zero-days. Among the most significant are a network-based Windows DNS Client RCE and an authenticated SharePoint Server RCE. Security teams should prioritise network-facing systems within 48 hours.

#patch-tuesday +4
🌐 Network

FreeBSD CVE-2026-42511 — NFS Stack Vulnerability Affecting Network Appliances and BSD-Based Storage

A new vulnerability in FreeBSD's NFS networking stack has been disclosed as CVE-2026-42511, distinct from the previously covered CVE-2026-4747 (the 17-year-old NFSv4 daemon RCE). CVE-2026-42511 affects the NFS client implementation and is exploitable by a malicious NFS server to achieve code execution on FreeBSD hosts connecting to untrusted NFS mounts — a relevant threat model for enterprise environments mounting network storage from potentially compromised infrastructure.

#freebsd +7
🌐 Network

SonicWall CVE-2026-0204 — Authentication Bypass in SSLVPN Allows Unauthenticated Network Access

SonicWall has disclosed CVE-2026-0204, an authentication bypass vulnerability in the SonicWall SSLVPN product that allows a remote attacker to bypass VPN authentication and gain access to the protected network without valid credentials. SonicWall SSLVPN appliances are widely deployed as enterprise and SMB VPN concentrators. Patch available — update immediately.

#sonicwall +7
🏛️ Architecture

Eclipse BaSyx ICS Platform: CVE-2026-7411 CVSS 10.0 Path Traversal RCE Threatens Industrial Asset Administration

Two critical vulnerabilities in Eclipse BaSyx V2 — the open-source Industrial Internet of Things Asset Administration Shell implementation used in Industry 4.0 infrastructure — allow an unauthenticated attacker to achieve remote code execution and bypass network segmentation. CVE-2026-7411 (CVSS 10.0) enables arbitrary file write on the BaSyx server; CVE-2026-7412 (CVSS 8.6) enables blind SSRF that can bypass OT network isolation. Patches are available in BaSyx V2 milestone-10.

#ics +9
🏛️ Architecture

Firefox and Tor Browser CVE-2026-6770 — IndexedDB Cross-Origin Data Leak Exposes User Browsing Identity

A cross-origin data leakage vulnerability in Firefox and Tor Browser's IndexedDB implementation allows a malicious web page to read data stored by other origins in the IndexedDB API — potentially identifying users by their stored browsing data and breaking the origin isolation that Tor Browser's anonymity model depends on. CVE-2026-6770 is fixed in Firefox 130.0.1 and a Tor Browser update. Tor Browser users should update immediately given the privacy implications.

#firefox +7
🔑 IAM

Ivanti EPMM CVE-2026-6973 — Remote Code Execution Added to CISA KEV, Patch Required

Ivanti has disclosed CVE-2026-6973, a remote code execution vulnerability in Endpoint Manager Mobile (EPMM, formerly MobileIron) that has been added to the CISA Known Exploited Vulnerabilities catalogue following confirmed limited exploitation. EPMM is a mobile device management platform used by government agencies and enterprises. Organisations should apply the available patch and audit administrator account activity. EPMM has a prior history of critical exploitation including the 2023 Norwegian government attack.

#ivanti +9
💻 AppSec

LiteLLM CVE-2026-42208 — SQL Injection in AI Gateway Proxy Added to CISA KEV

CVE-2026-42208, a SQL injection vulnerability in the LiteLLM AI gateway proxy, has been added to the CISA Known Exploited Vulnerabilities catalogue following confirmed exploitation. LiteLLM is widely deployed in enterprise environments as a unified API layer routing requests to multiple LLM providers (OpenAI, Anthropic, Azure OpenAI, Bedrock). Exploitation allows an attacker to read and modify the LiteLLM database, including API keys, user records, and model configuration. Update to LiteLLM 1.42.2 immediately.

#litellm +8
🌐 Network

ProFTPD CVE-2026-42167 — Authentication Bypass Leading to Remote Code Execution

A vulnerability in ProFTPD — one of the most widely deployed open-source FTP server implementations — allows a remote unauthenticated attacker to bypass authentication controls and achieve code execution on the server. CVE-2026-42167 affects ProFTPD versions prior to 1.3.9a. FTP servers are frequently forgotten in patch management programmes; administrators should verify ProFTPD version and apply the update.

#proftpd +7
🌐 Network

Cisco CVE-2026-20188 — Unauthenticated DoS Permanently Crashes Crosswork Network Controller Until Manual Reboot

Cisco has disclosed a high-severity denial-of-service vulnerability in Crosswork Network Controller and NSO (Network Services Orchestrator) that allows an unauthenticated remote attacker to exhaust connection resources and permanently disable the device — requiring physical manual reboot to recover. CVE-2026-20188 affects the network automation and orchestration platforms used by major service providers and large enterprise networks for intent-based networking automation.

#cisco +7
🔬 Assessment

cPanel/WHM Patches Three New Vulnerabilities Including CVSS 8.8 Code Execution and Privilege Escalation

cPanel has released security updates addressing three new vulnerabilities distinct from the previously covered CVE-2026-41940 zero-day: CVE-2026-29202 (CVSS 8.8, Perl code execution), CVE-2026-29203 (CVSS 8.8, symlink-based privilege escalation), and CVE-2026-29201 (CVSS 4.3, arbitrary file read). Web hosting providers running cPanel/WHM should apply the updates urgently given the platform's current elevated threat posture following mass exploitation in May 2026.

#cpanel +7
💻 AppSec

vm2 Node.js Sandbox Escape CVE-2026-26956 — 1.3 Million Weekly Downloads, PoC Published

A critical sandbox escape vulnerability in the vm2 Node.js sandboxing library allows a malicious script to break out of the sandbox and execute arbitrary code in the host Node.js process. CVE-2026-26956 affects all vm2 versions prior to 3.9.22 and is present in any application using vm2 to safely execute untrusted code — including serverless platforms, coding challenge sites, CI/CD systems, and plugin architectures. A PoC is publicly available.

#nodejs +7
🔬 Assessment

CISA ICS Advisory: GRASSMARLIN OT Network Visualisation Tool Vulnerability CVE-2026-6807

CISA has issued ICS advisory ICSA-26-118-01 for CVE-2026-6807, a vulnerability in GRASSMARLIN — the NSA-developed open-source network visualisation tool widely used by industrial control system operators and OT security teams to map and analyse operational technology networks. The vulnerability affects teams using GRASSMARLIN for defensive ICS visibility, creating a risk of compromise of the analyst workstations conducting that analysis.

#ics +8
🏛️ Architecture

OpenSSH CVE-2026-35414 — Certificate Authentication Bypass via Comma Bug Grants Root Access

A single-character defect in OpenSSH's certificate Subject Alternative Name parsing allows an attacker with a maliciously crafted certificate to bypass host-based and user certificate authentication entirely, potentially gaining unauthorised access to systems relying on certificate-based SSH for privileged access. Researchers have named the vulnerability SplitSSHell. Operators using OpenSSH certificate authentication for root or privileged user access should review their CA trust chains immediately.

#openssh +6
🌐 Network

PAN-OS CVE-2026-0300 — Unauthenticated RCE Zero-Day Actively Exploited in Firewall Espionage Attacks

A critical unauthenticated remote code execution vulnerability in Palo Alto Networks PAN-OS has been under active exploitation since at least early April 2026, linked to espionage-motivated threat actors targeting government and critical infrastructure networks. CVE-2026-0300 affects the User-ID authentication portal on VM-Series and hardware firewalls; CISA added it to the KEV catalogue on 6 May 2026. Patches are available — apply immediately.

#palo-alto +9
🔬 Assessment

Wireshark CVE-2026-5656 — Remote Code Execution via Malicious PCAP File, Update to 4.4.6

A code execution vulnerability in Wireshark's PCAP/PCAPNG file parser allows a malicious capture file to trigger arbitrary code execution when opened by an analyst. CVE-2026-5656 affects all Wireshark versions prior to 4.4.6 across Windows, macOS, and Linux. The attack vector is especially concerning for security teams that open externally-sourced capture files during incident response or threat hunting — update Wireshark to 4.4.6 immediately.

#wireshark +6
🔬 Assessment

Three Critical Buffer Overflow Vulnerabilities Disclosed in Hashcat — Penetration Testing Toolchain at Risk

Security researchers have disclosed three buffer overflow vulnerabilities (CVE-2026-42482, CVE-2026-42483, CVE-2026-42484) in Hashcat, the widely-used open-source password recovery and penetration testing tool. The flaws can be triggered via maliciously crafted hash files or wordlists and may allow code execution in environments where Hashcat processes untrusted input — including shared red team infrastructure and automated password auditing pipelines.

#hashcat +5
🔬 Assessment

NIST Ends Full NVD Enrichment — What It Means for Your Vulnerability Management Programme

NIST has announced it will no longer enrich every CVE record in the National Vulnerability Database, shifting to a risk-based model that prioritises only the most critical submissions. With CVE volumes up 263% since 2020 and the NVD backlog now officially unresolvable, security teams that rely on NVD CVSS scores and CPE data for vulnerability prioritisation must urgently adapt their tooling and workflows.

#nvd +5
🏛️ Architecture

Linux Kernel Netfilter Vulnerability Batch: CVE-2026-31414 and Cluster Require Prompt Patching

A cluster of Linux kernel vulnerabilities in the netfilter subsystem — led by CVE-2026-31414 — has been patched across stable kernel branches, affecting versions 6.1 through 6.10. The flaws span NULL pointer dereferences and connection tracking weaknesses that can cause privilege escalation or denial of service. Enterprise Linux distributions are releasing updates; unmanaged servers and container hosts running custom kernel builds require manual attention.

#linux +7
⚖️ Risk Mgmt

CISA Flags SharePoint Zero-Day CVE-2026-32201 as Actively Exploited — Patch Arrives Tomorrow

CISA has added CVE-2026-32201, a Microsoft SharePoint Server spoofing vulnerability under active exploitation, to the KEV catalogue with a 28 April remediation deadline. The timing is unusual: Microsoft has not yet released a patch as of this alert, with the fix expected in tomorrow's Patch Tuesday release. Organisations must decide whether to implement mitigations today or accept overnight exposure until the patch lands.

#microsoft +7
🌐 Network

Second Critical FortiClient EMS Flaw in a Month: CVE-2026-21643 Pre-Auth SQL Injection Exposed

Bishop Fox has published full technical details of CVE-2026-21643, a CVSS 9.8 pre-authentication SQL injection in Fortinet FortiClient EMS 7.4.4 that enables unauthenticated remote code execution. The flaw is distinct from last week's CVE-2026-35616 and affects a different version — organisations that patched for CVE-2026-35616 by upgrading to 7.4.5 or 7.4.6 may now be running a version vulnerable to the newer access control flaw.

#fortinet +7
💻 AppSec

Smart Slider 3 Pro Update Infrastructure Compromised — Backdoored Plugin Pushed to 800,000 Sites

Attackers breached Nextend's update servers and distributed a fully weaponised backdoor through the official Smart Slider 3 Pro update channel, affecting WordPress and Joomla sites that auto-updated between 7–8 April 2026. The compromised version 3.5.1.35 creates rogue admin accounts, drops persistent remote access tools, and exfiltrates credentials — all delivered through the trusted plugin update mechanism.

#wordpress +9