CISA adds SolarWinds Serv-U CVE-2026-28318 to KEV, DoS in the wild
CISA added CVE-2026-28318 — an unauthenticated DoS in SolarWinds Serv-U — to KEV on June 5. CVSS 7.5. Fix is 15.5.4 Hotfix 1. FCEB deadline June 19.
All cybersecurity stories from the Hacker Posts desk.
GMO Flatt Security's RyotaK chained a checkWritePermissions bot bypass with prompt injection to hijack any public repo running claude-code-action. Fix shipped in v1.0.94.
Cisco disclosed a command-injection zero-day in Catalyst SD-WAN Manager on June 5. Mandiant credited as reporter. CVSS 7.8, exploitation observed, no fix available.
Researcher Ammar Askar dropped a webview-postMessage exploit on June 2 that steals github.dev OAuth tokens via a single click. Microsoft shipped a stopgap fix the next day.
CISA added the two-year-old Oracle WebLogic auth-bypass CVE-2024-21182 to KEV on June 1, citing active exploitation. Federal agencies have until June 4 to patch.
Google's June 2026 Android Security Bulletin fixes 124 flaws, including a Framework integer overflow under limited, targeted exploitation. CISA wants federal agencies patched by June 5.
California researchers crash 32 GB of Envoy memory in seconds with a single connection. nginx 1.29.8 and Apache mod_http2 2.0.41 are patched; IIS, Envoy and Cloudflare Pingora are not.
Red Hat security bulletin RHSB-2026-006 confirms 32 @redhat-cloud-services npm packages were trojaned on June 1, 2026 with a self-spreading credential-stealing worm derived from Shai-Hulud.
Belgium's CCB confirms active exploitation of the CVSS 9.8 Netlogon stack-overflow patched by Microsoft in May. Unauthenticated, no user interaction, domain controller takeover.