CISA flags Langflow CVE-2025-34291: CORS chain yields RCE
CISA added CVE-2025-34291 to the KEV catalog on May 21. An overly permissive CORS policy combined with a misconfigured refresh-token cookie chains into account takeover and code execution in Langflow ≤ 1.6.9.
An unauthenticated SQL injection in Ghost's Content API leaks admin API keys. Attackers chain it into stored XSS and a fake Cloudflare ClickFix lure. Upgrade to 6.19.1.
Trend Micro patches a directory-traversal flaw in the Apex One server after observing in-the-wild exploitation. CISA orders federal agencies to remediate by June 4.
ShinyHunters exfiltrated 3.65 TB from Instructure's Canvas LMS, defaced login pages at 330 schools, then accepted a payment in exchange for 'returning' the data. The data is still out there.
An unauthenticated SQL injection in Drupal core's database abstraction API affects every PostgreSQL-backed site. Drupal scored it 23/25. Attacks started two days after the patch dropped.
Attackers rewrote Git tags across four Laravel-Lang repos to point at a malicious fork, planting a Composer-autoloaded stealer that runs on every request. Packagist has unlisted the packages.
A privilege-escalation flaw in the LiteSpeed User-End cPanel plugin lets any cPanel account execute arbitrary scripts as root. Mass scanning began within 72 hours of disclosure.