CIFSwitch: 19-year-old Linux CIFS bug gives any local user root
Researcher Asim Manizada disclosed CIFSwitch on May 28 — a cifs.spnego upcall flaw that grants root on default Mint, Rocky, AlmaLinux, Kali, and SUSE 15 SP7.
Newsroom
Marimo CVE-2026-39987 RCE chains into LLM-driven post-exploit
Sysdig documents an LLM agent driving post-exploitation after a CVE-2026-39987 Marimo notebook compromise: cloud creds and SSH key pulled in under three minutes.
npm supply-chain campaign: 14 typosquats target AWS, Vault, npm tokens
Microsoft says a single maintainer 'vpmdhaj' pushed 14 typosquatted npm packages on May 28 that exfiltrate AWS, ECS, HashiCorp Vault and npm tokens via a Bun-runtime payload.
Palo Alto GlobalProtect auth bypass (CVE-2026-0257) added to CISA KEV after weeks of exploitation
PAN-OS portals with authentication-override cookies on a shared certificate let attackers forge a valid session. Rapid7 observed exploitation since May 17. Federal patch deadline June 19.
FortiClient EMS bug CVE-2026-35616 now drops EKZ stealer as fake patch
Arctic Wolf says attackers are using the pre-auth FortiClient EMS flaw to push a previously undocumented infostealer disguised as a Fortinet endpoint update.
CISA links GitHub repo exfiltration to malicious Nx Console 18.95.0
CISA's May 28 alert ties the 3,800-repo GitHub breach to a poisoned Nx Console VS Code extension. CVE-2026-48027 is in KEV. Federal deadline June 10.
Gitea CVE-2026-27771: anyone could pull your private container images, no login
An access-control flaw in Gitea's container registry let anonymous clients pull images marked private. Patched in 1.26.2. Forgejo affected too.
Starlette BadHost (CVE-2026-48710): one Host header bypasses auth in FastAPI, vLLM, MCP
X41 D-Sec discloses CVE-2026-48710 in Starlette <1.0.1: a Host-header re-parse desync that lets attackers forge request.url.path. Upgrade to 1.0.1.
KnowledgeDeliver CVE-2026-5426: Mandiant traces RCE to shared ASP.NET keys
Mandiant traces a zero-day in Japan's KnowledgeDeliver LMS to ASP.NET machineKey values reused across customers — enabling unauthenticated ViewState RCE and BLUEBEAM web-shell drops.