Hacker Posts — Blog

CISA adds SolarWinds Serv-U CVE-2026-28318 to KEV, DoS in the wild

Hacker Posts Desk — Mon, 08 Jun 2026 00:00:00 GMT

CISA added CVE-2026-28318 — an unauthenticated DoS in SolarWinds Serv-U — to KEV on June 5. CVSS 7.5. Fix is 15.5.4 Hotfix 1. FCEB deadline June 19.

Anthropic patches Claude Code GitHub Action repo-takeover chain

Hacker Posts Desk — Sun, 07 Jun 2026 00:00:00 GMT

GMO Flatt Security's RyotaK chained a checkWritePermissions bot bypass with prompt injection to hijack any public repo running claude-code-action. Fix shipped in v1.0.94.

Cisco SD-WAN Manager CVE-2026-20245 exploited, no patch yet

Hacker Posts Desk — Sat, 06 Jun 2026 00:00:00 GMT

Cisco disclosed a command-injection zero-day in Catalyst SD-WAN Manager on June 5. Mandiant credited as reporter. CVSS 7.8, exploitation observed, no fix available.

VS Code github.dev zero-day exposed full GitHub OAuth tokens in one click

Hacker Posts Desk — Sat, 06 Jun 2026 00:00:00 GMT

Researcher Ammar Askar dropped a webview-postMessage exploit on June 2 that steals github.dev OAuth tokens via a single click. Microsoft shipped a stopgap fix the next day.

CISA adds Oracle WebLogic CVE-2024-21182 to KEV catalog

Hacker Posts Desk — Fri, 05 Jun 2026 00:00:00 GMT

CISA added the two-year-old Oracle WebLogic auth-bypass CVE-2024-21182 to KEV on June 1, citing active exploitation. Federal agencies have until June 4 to patch.

Android Framework zero-day CVE-2025-48595 added to CISA KEV

Hacker Posts Desk — Thu, 04 Jun 2026 00:00:00 GMT

Google's June 2026 Android Security Bulletin fixes 124 flaws, including a Framework integer overflow under limited, targeted exploitation. CISA wants federal agencies patched by 5 June.

HTTP/2 Bomb (CVE-2026-49975) drops nginx, Apache, IIS, Envoy

Hacker Posts Desk — Thu, 04 Jun 2026 00:00:00 GMT

Calif researchers crash 32 GB of Envoy memory in seconds with one connection. nginx 1.29.8 and Apache mod_http2 2.0.41 are patched; IIS, Envoy and Cloudflare Pingora are not.

Red Hat npm packages backdoored: Miasma worm hits @redhat-cloud-services

Hacker Posts Desk — Wed, 03 Jun 2026 00:00:00 GMT

Red Hat security bulletin RHSB-2026-006 confirms 32 @redhat-cloud-services npm packages were trojaned on June 1, 2026 with a self-spreading credential-stealing worm derived from Shai-Hulud.

Windows Netlogon RCE CVE-2026-41089 now exploited in the wild

Hacker Posts Desk — Tue, 02 Jun 2026 00:00:00 GMT

Belgium's CCB confirms active exploitation of the CVSS 9.8 Netlogon stack-overflow patched by Microsoft in May. Unauthenticated, no user interaction, domain controller takeover.

CIFSwitch: 19-year-old Linux CIFS bug gives any local user root

Hacker Posts Desk — Mon, 01 Jun 2026 00:00:00 GMT

Researcher Asim Manizada disclosed CIFSwitch on May 28 — a cifs.spnego upcall flaw that grants root on default Mint, Rocky, AlmaLinux, Kali, and SUSE 15 SP7.

Marimo CVE-2026-39987 RCE chains into LLM-driven post-exploit

Hacker Posts Desk — Mon, 01 Jun 2026 00:00:00 GMT

Sysdig documents an LLM agent driving post-exploitation after a CVE-2026-39987 Marimo notebook compromise: cloud creds and SSH key pulled in under three minutes.

npm supply-chain campaign: 14 typosquats target AWS, Vault, npm tokens

Hacker Posts Desk — Sun, 31 May 2026 00:00:00 GMT

Microsoft says a single maintainer 'vpmdhaj' pushed 14 typosquatted npm packages on May 28 that exfiltrate AWS, ECS, HashiCorp Vault and npm tokens via a Bun-runtime payload.

Palo Alto GlobalProtect auth bypass (CVE-2026-0257) added to CISA KEV after weeks of exploitation

Hacker Posts Desk — Sun, 31 May 2026 00:00:00 GMT

PAN-OS portals with authentication-override cookies on a shared certificate let attackers forge a valid session. Rapid7 observed exploitation since May 17. Federal patch deadline June 19.

FortiClient EMS bug CVE-2026-35616 now drops EKZ stealer as fake patch

Hacker Posts Desk — Sat, 30 May 2026 00:00:00 GMT

Arctic Wolf says attackers are using the pre-auth FortiClient EMS flaw to push a previously undocumented infostealer disguised as a Fortinet endpoint update.

CISA links GitHub repo exfiltration to malicious Nx Console 18.95.0

Hacker Posts Desk — Fri, 29 May 2026 00:00:00 GMT

CISA's May 28 alert ties the 3,800-repo GitHub breach to a poisoned Nx Console VS Code extension. CVE-2026-48027 is in KEV. Federal deadline June 10.

Gitea CVE-2026-27771: anyone could pull your private container images, no login

Hacker Posts Desk — Fri, 29 May 2026 00:00:00 GMT

An access-control flaw in Gitea's container registry let anonymous clients pull images marked private. Patched in 1.26.2. Forgejo affected too.

Starlette BadHost (CVE-2026-48710): one Host header bypasses auth in FastAPI, vLLM, MCP

Hacker Posts Desk — Thu, 28 May 2026 00:00:00 GMT

X41 D-Sec discloses CVE-2026-48710 in Starlette <1.0.1: a Host-header re-parse desync that lets attackers forge request.url.path. Upgrade to 1.0.1.

KnowledgeDeliver CVE-2026-5426: Mandiant traces RCE to shared ASP.NET keys

Hacker Posts Desk — Wed, 27 May 2026 00:00:00 GMT

Mandiant traces a zero-day in Japan's KnowledgeDeliver LMS to ASP.NET machineKey values reused across customers — enabling unauthenticated ViewState RCE and BLUEBEAM web-shell drops.

CISA flags Langflow CVE-2025-34291: CORS chain yields RCE

Hacker Posts Desk — Wed, 27 May 2026 00:00:00 GMT

CISA added CVE-2025-34291 to the KEV catalog on May 21. An overly permissive CORS plus a misconfigured refresh-token cookie chain to account takeover and code execution in Langflow ≤ 1.6.9.

Ghost CMS SQLi (CVE-2026-26980) hijacks 700+ sites — Harvard, Oxford, DuckDuckGo serve ClickFix

Hacker Posts Desk — Tue, 26 May 2026 00:00:00 GMT

An unauthenticated SQL injection in Ghost's Content API leaks admin API keys. Attackers chain it into stored XSS and a fake Cloudflare ClickFix lure. Upgrade to 6.19.1.