CISA adds SolarWinds Serv-U CVE-2026-28318 to KEV, DoS in the wild
CISA added CVE-2026-28318 — an unauthenticated DoS in SolarWinds Serv-U — to KEV on June 5. CVSS 7.5. Fix is 15.5.4 Hotfix 1. FCEB deadline June 19.
Stories tagged: #cve
Cisco SD-WAN Manager CVE-2026-20245 exploited, no patch yet
Cisco disclosed a command-injection zero-day in Catalyst SD-WAN Manager on June 5. Mandiant credited as reporter. CVSS 7.8, exploitation observed, no fix available.
CISA adds Oracle WebLogic CVE-2024-21182 to KEV catalog
CISA added the two-year-old Oracle WebLogic auth-bypass CVE-2024-21182 to KEV on June 1, citing active exploitation. Federal agencies have until June 4 to patch.
Android Framework zero-day CVE-2025-48595 added to CISA KEV
Google's June 2026 Android Security Bulletin fixes 124 flaws, including a Framework integer overflow under limited, targeted exploitation. CISA wants federal agencies patched by 5 June.
HTTP/2 Bomb (CVE-2026-49975) drops nginx, Apache, IIS, Envoy
Calif researchers crash 32 GB of Envoy memory in seconds with one connection. nginx 1.29.8 and Apache mod_http2 2.0.41 are patched; IIS, Envoy and Cloudflare Pingora are not.
Windows Netlogon RCE CVE-2026-41089 now exploited in the wild
Belgium's CCB confirms active exploitation of the CVSS 9.8 Netlogon stack-overflow patched by Microsoft in May. Unauthenticated, no user interaction, domain controller takeover.
Marimo CVE-2026-39987 RCE chains into LLM-driven post-exploit
Sysdig documents an LLM agent driving post-exploitation after a CVE-2026-39987 Marimo notebook compromise: cloud creds and SSH key pulled in under three minutes.
Palo Alto GlobalProtect auth bypass (CVE-2026-0257) added to CISA KEV after weeks of exploitation
PAN-OS portals with authentication-override cookies on a shared certificate let attackers forge a valid session. Rapid7 observed exploitation since May 17. Federal patch deadline June 19.
FortiClient EMS bug CVE-2026-35616 now drops EKZ stealer as fake patch
Arctic Wolf says attackers are using the pre-auth FortiClient EMS flaw to push a previously undocumented infostealer disguised as a Fortinet endpoint update.
CISA links GitHub repo exfiltration to malicious Nx Console 18.95.0
CISA's May 28 alert ties the 3,800-repo GitHub breach to a poisoned Nx Console VS Code extension. CVE-2026-48027 is in KEV. Federal deadline June 10.
Gitea CVE-2026-27771: anyone could pull your private container images, no login
An access-control flaw in Gitea's container registry let anonymous clients pull images marked private. Patched in 1.26.2. Forgejo affected too.
Starlette BadHost (CVE-2026-48710): one Host header bypasses auth in FastAPI, vLLM, MCP
X41 D-Sec discloses CVE-2026-48710 in Starlette <1.0.1: a Host-header re-parse desync that lets attackers forge request.url.path. Upgrade to 1.0.1.
KnowledgeDeliver CVE-2026-5426: Mandiant traces RCE to shared ASP.NET keys
Mandiant traces a zero-day in Japan's KnowledgeDeliver LMS to ASP.NET machineKey values reused across customers — enabling unauthenticated ViewState RCE and BLUEBEAM web-shell drops.
CISA flags Langflow CVE-2025-34291: CORS chain yields RCE
CISA added CVE-2025-34291 to the KEV catalog on May 21. An overly permissive CORS plus a misconfigured refresh-token cookie chain to account takeover and code execution in Langflow ≤ 1.6.9.
Ghost CMS SQLi (CVE-2026-26980) hijacks 700+ sites — Harvard, Oxford, DuckDuckGo serve ClickFix
An unauthenticated SQL injection in Ghost's Content API leaks admin API keys. Attackers chain it into stored XSS and a fake Cloudflare ClickFix lure. Upgrade to 6.19.1.
Trend Micro Apex One CVE-2026-34926 exploited; CISA deadline June 4
Trend Micro patches a directory-traversal flaw in the Apex One server after observing in-the-wild exploitation. CISA orders federal agencies to remediate by June 4.
Drupal patches highly critical SQL injection (CVE-2026-9082) — exploited in the wild within 48h
An unauthenticated SQL injection in Drupal core's database abstraction API affects every PostgreSQL-backed site. Drupal scored it 23/25. Attacks started two days after the patch dropped.
LiteSpeed cPanel plugin RCE (CVE-2026-48172, CVSS 10.0) actively exploited — any cPanel user can run code as root
A privilege-escalation flaw in the LiteSpeed User-End cPanel plugin lets any cPanel account execute arbitrary scripts as root. Mass scanning began within 72 hours of disclosure.