CISA adds SolarWinds Serv-U CVE-2026-28318 to KEV, DoS in the wild
CISA added CVE-2026-28318 — an unauthenticated DoS in SolarWinds Serv-U — to KEV on June 5. CVSS 7.5. Fix is 15.5.4 Hotfix 1. FCEB deadline June 19.
Anthropic patches Claude Code GitHub Action repo-takeover chain
GMO Flatt Security's RyotaK chained a checkWritePermissions bot bypass with prompt injection to hijack any public repo running claude-code-action. Fix shipped in v1.0.94.
Cisco SD-WAN Manager CVE-2026-20245 exploited, no patch yet
Cisco disclosed a command-injection zero-day in Catalyst SD-WAN Manager on June 5. Mandiant credited as reporter. CVSS 7.8, exploitation observed, no fix available.
VS Code github.dev zero-day exposed full GitHub OAuth tokens in one click
Researcher Ammar Askar dropped a webview-postMessage exploit on June 2 that steals github.dev OAuth tokens via a single click. Microsoft shipped a stopgap fix the next day.
CISA adds Oracle WebLogic CVE-2024-21182 to KEV catalog
CISA added the two-year-old Oracle WebLogic auth-bypass CVE-2024-21182 to KEV on June 1, citing active exploitation. Federal agencies have until June 4 to patch.
Android Framework zero-day CVE-2025-48595 added to CISA KEV
Google's June 2026 Android Security Bulletin fixes 124 flaws, including a Framework integer overflow under limited, targeted exploitation. CISA wants federal agencies patched by 5 June.
HTTP/2 Bomb (CVE-2026-49975) drops nginx, Apache, IIS, Envoy
Calif researchers crash 32 GB of Envoy memory in seconds with one connection. nginx 1.29.8 and Apache mod_http2 2.0.41 are patched; IIS, Envoy and Cloudflare Pingora are not.
Red Hat npm packages backdoored: Miasma worm hits @redhat-cloud-services
Red Hat security bulletin RHSB-2026-006 confirms 32 @redhat-cloud-services npm packages were trojaned on June 1, 2026 with a self-spreading credential-stealing worm derived from Shai-Hulud.
Windows Netlogon RCE CVE-2026-41089 now exploited in the wild
Belgium's CCB confirms active exploitation of the CVSS 9.8 Netlogon stack-overflow patched by Microsoft in May. Unauthenticated, no user interaction, domain controller takeover.
CIFSwitch: 19-year-old Linux CIFS bug gives any local user root
Researcher Asim Manizada disclosed CIFSwitch on May 28 — a cifs.spnego upcall flaw that grants root on default Mint, Rocky, AlmaLinux, Kali, and SUSE 15 SP7.
Marimo CVE-2026-39987 RCE chains into LLM-driven post-exploit
Sysdig documents an LLM agent driving post-exploitation after a CVE-2026-39987 Marimo notebook compromise: cloud creds and SSH key pulled in under three minutes.
npm supply-chain campaign: 14 typosquats target AWS, Vault, npm tokens
Microsoft says a single maintainer 'vpmdhaj' pushed 14 typosquatted npm packages on May 28 that exfiltrate AWS, ECS, HashiCorp Vault and npm tokens via a Bun-runtime payload.
Palo Alto GlobalProtect auth bypass (CVE-2026-0257) added to CISA KEV after weeks of exploitation
PAN-OS portals with authentication-override cookies on a shared certificate let attackers forge a valid session. Rapid7 observed exploitation since May 17. Federal patch deadline June 19.
FortiClient EMS bug CVE-2026-35616 now drops EKZ stealer as fake patch
Arctic Wolf says attackers are using the pre-auth FortiClient EMS flaw to push a previously undocumented infostealer disguised as a Fortinet endpoint update.
CISA links GitHub repo exfiltration to malicious Nx Console 18.95.0
CISA's May 28 alert ties the 3,800-repo GitHub breach to a poisoned Nx Console VS Code extension. CVE-2026-48027 is in KEV. Federal deadline June 10.
Gitea CVE-2026-27771: anyone could pull your private container images, no login
An access-control flaw in Gitea's container registry let anonymous clients pull images marked private. Patched in 1.26.2. Forgejo affected too.
Starlette BadHost (CVE-2026-48710): one Host header bypasses auth in FastAPI, vLLM, MCP
X41 D-Sec discloses CVE-2026-48710 in Starlette <1.0.1: a Host-header re-parse desync that lets attackers forge request.url.path. Upgrade to 1.0.1.
KnowledgeDeliver CVE-2026-5426: Mandiant traces RCE to shared ASP.NET keys
Mandiant traces a zero-day in Japan's KnowledgeDeliver LMS to ASP.NET machineKey values reused across customers — enabling unauthenticated ViewState RCE and BLUEBEAM web-shell drops.
CISA flags Langflow CVE-2025-34291: CORS chain yields RCE
CISA added CVE-2025-34291 to the KEV catalog on May 21. An overly permissive CORS plus a misconfigured refresh-token cookie chain to account takeover and code execution in Langflow ≤ 1.6.9.
Ghost CMS SQLi (CVE-2026-26980) hijacks 700+ sites — Harvard, Oxford, DuckDuckGo serve ClickFix
An unauthenticated SQL injection in Ghost's Content API leaks admin API keys. Attackers chain it into stored XSS and a fake Cloudflare ClickFix lure. Upgrade to 6.19.1.
Trend Micro Apex One CVE-2026-34926 exploited; CISA deadline June 4
Trend Micro patches a directory-traversal flaw in the Apex One server after observing in-the-wild exploitation. CISA orders federal agencies to remediate by June 4.
Canvas LMS breach: ShinyHunters claims 275M records; Instructure says it paid for deletion
ShinyHunters exfiltrated 3.65 TB from Instructure's Canvas LMS, defaced login pages at 330 schools, then accepted a payment in exchange for 'returning' the data. The data is still out there.
Drupal patches highly critical SQL injection (CVE-2026-9082) — exploited in the wild within 48h
An unauthenticated SQL injection in Drupal core's database abstraction API affects every PostgreSQL-backed site. Drupal scored it 23/25. Attacks started two days after the patch dropped.
Laravel-Lang Composer packages hijacked — 700+ versions ship a credential stealer
Attackers rewrote Git tags across four Laravel-Lang repos to point at a malicious fork, planting a Composer-autoloaded stealer that runs on every request. Packagist has unlisted the packages.
LiteSpeed cPanel plugin RCE (CVE-2026-48172, CVSS 10.0) actively exploited — any cPanel user can run code as root
A privilege-escalation flaw in the LiteSpeed User-End cPanel plugin lets any cPanel account execute arbitrary scripts as root. Mass scanning began within 72 hours of disclosure.