CISA adds SolarWinds Serv-U CVE-2026-28318 to KEV, DoS in the wild
CISA added CVE-2026-28318 — an unauthenticated DoS in SolarWinds Serv-U — to KEV on June 5. CVSS 7.5. Fix is 15.5.4 Hotfix 1. FCEB deadline June 19.
GMO Flatt Security's RyotaK chained a checkWritePermissions bot bypass with prompt injection to hijack any public repo running claude-code-action. Fix shipped in v1.0.94.
Cisco disclosed a command-injection zero-day in Catalyst SD-WAN Manager on June 5. Mandiant credited as reporter. CVSS 7.8, exploitation observed, no fix available.
Researcher Ammar Askar dropped a webview-postMessage exploit on June 2 that steals github.dev OAuth tokens via a single click. Microsoft shipped a stopgap fix the next day.
Red Hat security bulletin RHSB-2026-006 confirms 32 @redhat-cloud-services npm packages were trojaned on June 1, 2026 with a self-spreading credential-stealing worm derived from Shai-Hulud.
Microsoft says a single maintainer 'vpmdhaj' pushed 14 typosquatted npm packages on May 28 that exfiltrate AWS, ECS, HashiCorp Vault and npm tokens via a Bun-runtime payload.
PAN-OS portals with authentication-override cookies on a shared certificate let attackers forge a valid session. Rapid7 observed exploitation since May 17. Federal patch deadline June 19.
CISA's May 28 alert ties the 3,800-repo GitHub breach to a poisoned Nx Console VS Code extension. CVE-2026-48027 is in KEV. Federal deadline June 10.
An access-control flaw in Gitea's container registry let anonymous clients pull images marked private. Patched in 1.26.2. Forgejo affected too.
X41 D-Sec discloses CVE-2026-48710 in Starlette <1.0.1: a Host-header re-parse desync that lets attackers forge request.url.path. Upgrade to 1.0.1.
An unauthenticated SQL injection in Ghost's Content API leaks admin API keys. Attackers chain it into stored XSS and a fake Cloudflare ClickFix lure. Upgrade to 6.19.1.
An unauthenticated SQL injection in Drupal core's database abstraction API affects every PostgreSQL-backed site. Drupal scored it 23/25. Attacks started two days after the patch dropped.
Attackers rewrote Git tags across four Laravel-Lang repos to point at a malicious fork, planting a Composer-autoloaded stealer that runs on every request. Packagist has unlisted the packages.
A privilege-escalation flaw in the LiteSpeed User-End cPanel plugin lets any cPanel account execute arbitrary scripts as root. Mass scanning began within 72 hours of disclosure.