| DATE | NAME | INFO | CATEGORY | SUBCATEGORY |
|---|---|---|---|---|
| 31.5.26 | CIFSwitch | CIFSwitch: a non-universal Linux local root vulnerability | VULNERABILITY | VULNERABILITY |
| 31.5.26 | LLMShare | LLMShare: how attackers are turning AI chatbot pages into malware delivery platforms | HACKING | AI |
| 31.5.26 | Casdoor contains multiple authentication bypass and access management vulnerabilities | Casdoor versions 2.362.0 and earlier contain several identity and access management vulnerabilities that enable broad authentication bypass and privilege escalation. These flaws relate to Casdoor’s Security Assertion Markup Language (SAML) processing, account binding, and token exchange mechanisms. | ALERT | ALERT |
| 30.5.26 | CVE-2026-0257 | CVE-2026-0257 PAN-OS: GlobalProtect Authentication Bypass Vulnerabilities | VULNERABILITY | VULNERABILITY |
| 30.5.26 | SymJack | SymJack: the approval prompt is lying to you. A symlink-hijack RCE in six AI coding agents | HACKING | AI |
| 30.5.26 | TrustFall | TrustFall: coding agent security flaw enables one-click RCE in Claude, Cursor, Gemini CLI and GitHub Copilot | HACKING | AI |
| 30.5.26 | ChatGPhish | ChatGPhish: The Page Is the Payload | PHISHING | PHISHING |
| 30.5.26 | Operation Dragon Weave | Contents: Introduction; Key Targets; Industries Affected; Geographical Focus; Infection Chain; Initial Findings; Looking into the Decoy Document; Technical Analysis; Stage 1 – Initial Delivery (Path A: LNK-Based Execution; Path B: Executable-Based Delivery); Stage 2 – Script-Based Dropper Chain; Stage... | OPERATION | OPERATION |
| 30.5.26 | Operation XENOFISCAL | Authors: Dixit Panchal & Vaibhav Krushna Billade. Table of Contents: Introduction; Key Targets; Infection Chain; Initial Findings about Campaign; Analysis of Decoy; Technical Analysis; Stage 1: Analysis of LNK File; Stage 2: Analysis of HTA/JavaScript Payload; Stage 3: Analysis... | OPERATION | OPERATION |
| 29.5.26 | CVE-2026-39987 | marimo is a reactive Python notebook. Prior to 0.23.0, marimo has a pre-auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. | VULNERABILITY | VULNERABILITY |
| 29.5.26 | GREYVIBE | GREYVIBE: A Russia-nexus group leveraging AI across state-aligned operations | GROUP | GROUP |
| 29.5.26 | M3RX Ransomware | M3RX is a newly observed ransomware actor that surfaced in late April 2026 and has since claimed around 20 victims across 11 countries. The group appears to operate as a double-extortion crew, combining file encryption with data-theft threats to pressure victims into paying. | ALERTS | RANSOM |
| 29.5.26 | BTMOB RAT Evolves Into a Stealthy Android MaaS Operation | A recent article by ESET researchers highlights BTMOB, a sophisticated Android remote access trojan that evolved from the SpySolr malware family and is heavily targeting users in Brazil and across Latin America. | ALERTS | VIRUS |
| 29.5.26 | OverlayPhantom - Android banking malware | Cyble Research and Intelligence Labs (CRIL) has identified OverlayPhantom, a new Android banking trojan distributed via malicious URLs. The malware uses a two-stage delivery process, beginning with a dropper that mimics trusted applications such as TikTok or the official Austrian identity app, "ID Austria." | ALERTS | VIRUS |
| 29.5.26 | CVE-2026-42945 - NGINX vulnerability | CVE-2026-42945 is a recently disclosed high-severity (CVSS score 8.1) vulnerability affecting NGINX Plus and NGINX Open Source. If successfully exploited, the flaw might lead to a heap buffer overflow in the NGINX worker process and allow attackers to execute arbitrary code within the context of the vulnerable system. | ALERTS | VULNERABILITY |
| 29.5.26 | Purseweb APT distributes updated BeaverTail and InvisibleFerret malware variants | The North Korean APT group Purseweb (also known as Void Dokkaebi and Famous Chollima) has updated its InvisibleFerret malware, transitioning from readable Python scripts to compiled Cython binaries. | ALERTS | APT |
| 29.5.26 | TrollAgent | TrollAgent (Kimsuky Group) infected during the security program installation process | MALWARE | TROJAN |
| 29.5.26 | 5 EUROPEAN THREAT LANDSCAPE REPORT | Europe’s cyber threat actors are accelerating. eCrime adversaries, state-backed operators, and hacktivists are conducting faster intrusions, employing new social engineering tradecraft, and operating resilient criminal ecosystems. | REPORT | REPORT |
| 28.5.26 | CVE-2026-35616 | An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests. | VULNERABILITY | VULNERABILITY |
| 28.5.26 | State of AI in the Cloud 2026 | How AI Adoption, Autonomy, and Attacker Innovation Are Reshaping Cloud Security | REPORT | REPORT |
| 28.5.26 | JINX-0164 | Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure | GROUP | GROUP |
| 27.5.26 | BTMOB | BTMOB: A stealthy RAT burrowing deep into Android devices | MALWARE | RAT |
| 27.5.26 | CVE-2026-33439 - OpenAM Pre-Auth RCE vulnerability | CVE-2026-33439 is a recently disclosed critical (CVSS score 9.8) pre-authentication Remote Code Execution (RCE) vulnerability affecting Open Access Management (OpenAM), an access management solution. If successfully exploited, the flaw might allow unauthenticated remote attackers to execute arbitrary code within the context of the vulnerable application. | ALERTS | VULNERABILITY |
| 27.5.26 | DPAPILoader and RemotePE malware leveraged in recent campaign attributed to Lazarus APT | The infamous Lazarus threat group has been deploying a newly discovered memory-only remote access trojan (RAT) called RemotePE. Found by researchers at Fox-IT during an incident response at a financial organization, the threat actor is reported to secure initial access through Telegram-based social engineering. The attack utilizes a sophisticated three-stage pipeline. | ALERTS | VIRUS |
| 27.5.26 | Glassworm | Disrupting Glassworm: Inside CrowdStrike’s Takedown of a Developer-Targeting Botnet | MALWARE | WORM |
| 27.5.26 | MiniFast Backdoor Used in Nimbus Manticore Operations | According to Check Point Research, Nimbus Manticore conducted new operations during the 2026 Iranian conflict, introducing updated infection methods and a newly documented backdoor named MiniFast. | ALERTS | VIRUS |
| 27.5.26 | Banking malware: Banana RAT | A new campaign documented by Trend Micro, tracked as SHADOW-WATER-063, is running a Brazilian banking trojan dubbed Banana RAT against customers of 16 Brazilian financial institutions and locally focused cryptocurrency exchanges. | ALERTS | VIRUS |
| 27.5.26 | CVE-2026-34926 - Trend Micro Apex One (On-Premise) Directory Traversal Vulnerability | CVE-2026-34926 identifies a critical path-sanitization flaw within the centralized architecture of Trend Micro Apex One (specifically affecting on-premise configurations). | ALERTS | VULNEREBILITY |
| 27.5.26 | CVE-2026-27771 | Undefined behavior in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. | VULNERABILITY | VULNERABILITY |
| 26.5.26 | CVE-2026-45659 | Microsoft SharePoint Remote Code Execution Vulnerability | VULNERABILITY | VULNERABILITY |
| 26.5.26 | Nimbus Manticore Operations | The Iranian, IRGC-affiliated threat actor Nimbus Manticore resurfaced during Operation Epic Fury, the US military campaign against Iran launched on February 28, 2026, demonstrating newly adopted techniques and enhanced capabilities. | OPERATION | OPERATIONS |
| 26.5.26 | CVE-2026-5426 | A hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks. | VULNERABILITY | VULNERABILITY |
| 25.5.26 | CVE-2026-26980 | A SQL injection vulnerability existed in Ghost's Content API that allowed unauthenticated attackers to read arbitrary data from the database. | VULNERABILITY | VULNERABILITY |
| 25.5.26 | RemotePE | RemotePE: The Lazarus RAT that lives in memory | MALWARE | RAT |
| 25.5.26 | TrapDoor | TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages and Hundreds of Versions Across npm, PyPI, and Crates.io | MALWARE | CRYPTO |
| 24.5.26 | SmartApeSG ClickFix --> Unidentified RAT --> NetSupport RAT | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. | MALWARE TRAFFIC | MALWARE TRAFFIC |
| 24.5.26 | CVE-2026-22557 | A malicious actor with access to the network could exploit a Path Traversal vulnerability found in the UniFi Network Application to access files on the underlying system that could be manipulated to access an underlying account. | VULNERABILITY | VULNERABILITY |
| 24.5.26 | CVE-2026-22558 | An Authenticated NoSQL Injection vulnerability found in the UniFi Network Application could allow a malicious actor with authenticated access to the network to escalate privileges. | VULNERABILITY | VULNERABILITY |
| 24.5.26 | CVE-2010-5330 | On certain Ubiquiti devices, Command Injection exists via a GET request to stainfo.cgi (aka Show AP info) because the ifname variable is not sanitized, as demonstrated by shell metacharacters. The fixed version is v4.0.1 for 802.11 ISP products, v5.3.5 for AirMax ISP products, and v5.4.5 for AirSync firmware. For example, Nanostation5 (Air OS) is affected. | VULNERABILITY | VULNERABILITY |
| 24.5.26 | CVE-2026-33000 | A malicious actor with access to the network and high privileges could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection. | VULNERABILITY | VULNERABILITY |
| 24.5.26 | CVE-2026-34911 | A malicious actor with access to the network and low privileges could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to obtain sensitive information. | VULNERABILITY | VULNERABILITY |
| 24.5.26 | CVE-2026-34910 | A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection. | VULNERABILITY | VULNERABILITY |
| 24.5.26 | CVE-2026-34909 | A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an underlying account. | VULNERABILITY | VULNERABILITY |
| 24.5.26 | CVE-2026-34908 | A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system. | VULNERABILITY | VULNERABILITY |
| 24.5.26 | CVE-2024-12802 | SSL-VPN MFA Bypass in SonicWALL SSL-VPN can arise in specific cases due to the separate handling of UPN (User Principal Name) and SAM (Security Account Manager) account names when integrated with Microsoft Active Directory, allowing MFA to be configured independently for each login method and potentially enabling attackers to bypass MFA by exploiting the alternative account name. | VULNERABILITY | VULNERABILITY |
| 23.5.26 | CVE-2026-5194 | Missing hash/digest size and OID checks allow digests smaller than allowed when verifying ECDSA certificates, or smaller than is appropriate for the relevant key type, to be accepted by signature verification functions. | VULNERABILITY | VULNERABILITY |
| 23.5.26 | Laravel Lang Compromised | Laravel Lang Compromised with RCE Backdoor Across 700+ Versions | INCIDENT | INCIDENT |
| 23.5.26 | CVE-2026-48172 | LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via the command line `grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null` in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. | VULNERABILITY | VULNERABILITY |
| 23.5.26 | Storm-2949 | How Storm-2949 turned a compromised identity into a cloud-wide breach | GROUP | GROUP |
| 23.5.26 | SHub | SHub Reaper: macOS Stealer Spoofs Apple, Google, and Microsoft in a Single Attack Chain | MALWARE | MacOS |
| 23.5.26 | CVE-2026-45829 | A pre-authentication code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository with trust_remote_code set to true to the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint. | VULNERABILITY | VULNERABILITY |
| 23.5.26 | 2026 Microsoft Vulnerabilities Report, 13th Edition | Data-packed insights and expert analysis to help you mitigate security risks in your Microsoft estate. | REPORT | REPORT |
| 23.5.26 | Operation Dragon Whistle | Table of Contents: Introduction; Key Targets; Infection Chain; Initial Findings about Campaign; Analysis of Decoys & Spear-phishing Email; Technical Analysis; Stage 1: Analysis of LNK File; Stage 2: Analysis of VBS; Stage 3: DLL Side Loading; Infrastructural Artefacts & Threat Actor... | OPERATION | OPERATION |
| 23.5.26 | UnDefend - CVE-2026-45498 - Microsoft Defender Denial of Service Vulnerability | UnDefend (CVE-2026-45498) is a zero-day denial-of-service vulnerability affecting the Microsoft Defender Antimalware Platform. Originating from a publicly leaked proof-of-concept exploit by a security researcher, it enables threat actors to intentionally crash, freeze, or disable real-time protection capabilities. | ALERTS | VULNEREBILITY |
| 23.5.26 | Operation SilentCanvas | SilentCanvas is a malicious operation recently identified by researchers from Cyfirma. The attack disguises a weaponized PowerShell payload as a benign image file. Likely initiated via social engineering, this loader aims to bypass standard file-extension filters to initiate a multi-staged malicious chain. | ALERTS | OPERATION |
| 23.5.26 | Springtail APT activity in the first half of 2026 | During the first half of 2026, the Springtail (aka Kimsuky) threat group executed four distinct spear-phishing campaigns targeting defense sector officials, software developers, corporate recruiters, cryptocurrency investors, and academic education personnel. | ALERTS | APT |
| 23.5.26 | CVE-2026-42208 - LiteLLM SQL Injection vulnerability exploited in the wild | CVE-2026-42208 is a recently disclosed critical (CVSS score 9.8) SQL injection vulnerability in LiteLLM, a popular open-source AI gateway created by BerriAI. If successfully exploited, the flaw might grant attackers read access to data in the proxy's PostgreSQL database and allow modifications, leading to unauthorized access to the proxy and the credentials it manages. | ALERTS | VULNERABILITY |
| 23.5.26 | Recent Gentlemen ransomware deployment activities | In their latest publication, analysts from LevelBlue discuss findings around the latest Gentlemen ransomware activities observed in the wild. This malware variant, which emerged in late 2025, is a rapidly scaling ransomware operation leveraging a sophisticated ransomware-as-a-service (RaaS) operational model. | RANSOM | |
| 23.5.26 | NPM Stealer | I found a Node.js stealer that looked pretty well obfuscated. The file was not running out-of-the-box because it was uploaded on VT as “extracted-decoded.js” (and reformatted). | MALWARE | STEALER |
| 23.5.26 | Megalodon | Megalodon: Mass GitHub Repo Backdooring via CI Workflows | CAMPAIGN | CAMPAIGN |
| 22.5.26 | CVE-2026-20223 | Cisco Secure Workload Unauthorized API Access Vulnerability | VULNERABILITY | VULNERABILITY |
| 22.5.26 | CVE-2025-34291 | (CVSS score: 9.4) - An origin validation error vulnerability in Langflow that could allow an attacker to execute arbitrary code and achieve full system compromise. | VULNERABILITY | VULNERABILITY |
| 22.5.26 | CVE-2026-34926 | (CVSS score: 6.7) - A directory traversal vulnerability in on-premise versions of Trend Micro Apex One that could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations. | VULNERABILITY | VULNERABILITY |
| 22.5.26 | Showboat | Introducing Showboat: A new malware family taunts defenses and targets international telecom firms | MALWARE | LINUX |
| 21.5.26 | CVE-2008-4250 | Microsoft Windows contains a buffer overflow vulnerability in the Windows Server Service that allows remote attackers to execute arbitrary code via a crafted RPC request. | VULNERABILITY | VULNERABILITY |
| 21.5.26 | CVE-2009-1537 | Microsoft DirectX contains a NULL byte overwrite vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow, which could allow remote attackers to execute arbitrary code via a crafted QuickTime media file. | VULNERABILITY | VULNERABILITY |
| 21.5.26 | CVE-2010-0249 | Microsoft Internet Explorer contains a use-after-free vulnerability that could allow remote attackers to execute arbitrary code. | VULNERABILITY | VULNERABILITY |
| 21.5.26 | CVE-2010-0806 | Microsoft Internet Explorer contains a use-after-free vulnerability that could allow remote attackers to execute arbitrary code. | VULNERABILITY | VULNERABILITY |
| 21.5.26 | CVE-2026-41091 | Microsoft Defender Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 21.5.26 | CVE-2026-45498 | Microsoft Defender Denial of Service Vulnerability | VULNERABILITY | VULNERABILITY |
| 21.5.26 | Updated UAC-0057 toolkit: OYSTERFRESH, OYSTERSHUCK and OYSTERBLUES | Since spring 2026, CERT-UA has recorded numerous cases of emails being sent to state organizations from compromised accounts, in particular using the theme of obtaining certificates through the Prometheus online platform. | BATTLEFIELD UKRAINE | BATTLEFIELD UKRAINE |
| 21.5.26 | CVE-2026-46333 | In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic. The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. | VULNERABILITY | VULNERABILITY |
| 21.5.26 | ExifTool vulnerability | How an image could compromise your Mac: understanding an ExifTool vulnerability (CVE-2026-3102) | VULNERABILITY | VULNERABILITY |
| 21.5.26 | CVE-2026-3102 | A vulnerability was determined in exiftool up to 13.49 on macOS. This issue affects the function SetMacOSTags of the file lib/Image/ExifTool/MacOS.pm of the component PNG File Parser. | VULNERABILITY | VULNERABILITY |
| 21.5.26 | CVE-2026-8181 - Burst Statistics Auth Bypass vulnerability | CVE-2026-8181 is a recently disclosed Authentication Bypass vulnerability affecting Burst Statistics, a privacy-friendly analytics plugin for WordPress. Affected plugin versions include 3.4.0 and 3.4.1 through 3.4.1.1. | ALERTS | VULNERABILITY |
| 21.5.26 | Phishing: FlowerStorm Turns to KrakVM Obfuscation | In a recent article, Sublime Security researchers reported that threat actors behind FlowerStorm have started using KrakVM, an open-source JavaScript virtual-machine obfuscation tool, to make malicious HTML attachments harder to analyze and detect. | ALERTS | PHISHING |
| 21.5.26 | CVE-2026-42897 - Microsoft Exchange Server Cross-Site Scripting vulnerability | CVE-2026-42897 is a recently disclosed 0-day Cross-Site Scripting vulnerability affecting Microsoft Exchange Server Subscription Edition RTM, 2019, and 2016. If successfully exploited, the flaw might allow an attacker to send a specially crafted email to a user. If the email is opened in Outlook Web Access (OWA), arbitrary JavaScript can be executed in the browser context, leading to compromise. | ALERTS | VULNERABILITY |
| 21.5.26 | FDMTP Backdoor Activity in APJ | Darktrace recently reported a China-nexus campaign, moderately linked to Twill Typhoon, targeting organizations mainly in the APJ region since late September 2025. | ALERTS | VIRUS |
| 21.5.26 | Local privilege escalation in Linux Kernel (Dirty Frag) | A privilege escalation vulnerability, nicknamed "Dirty Frag," has been discovered in the Linux kernel versions 4.10 and later. This vulnerability is a result of chaining together two previously discovered vulnerabilities, xfrm-ESP Page-Cache Write CVE-2026-43284 and the RxRPC Page-Cache Write CVE-2026-43500. This vulnerability was publicly disclosed on May 07, 2026. | ALERTS | ALERTS |
| 21.5.26 | CVE-2026-9082 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10. | VULNERABILITY | VULNERABILITY |
| 20.5.26 | Disrupting Fox Tempest | Disrupting Fox Tempest: A cybercrime service that turned “verified” software into a pathway for ransomware | GROUPS | RANSOMWARE |
| 20.5.26 | Webworm | Webworm: New burrowing techniques | MALWARE | WORM |
| 20.5.26 | Mikroceen | Mikroceen: Spying backdoor leveraged in high-profile networks in Central Asia | MALWARE | BACKDOOR |
| 20.5.26 | Trapdoor funnels malvertising into ad fraud | HUMAN’s Satori Threat Intelligence and Research Team has identified and disrupted an ad fraud and malvertising operation dubbed Trapdoor. The operation encompasses 455 malicious Android apps and 183 threat actor-owned command-and-control (C2) domains that together form a multi-stage fraud pipeline. | HACKING | HACKING |
| 20.5.26 | CVE-2026-45585 | Windows BitLocker Security Feature Bypass Vulnerability | VULNERABILITY | VULNERABILITY |
| 20.5.26 | StopRansomware Guide | Ransomware is a form of malware designed to encrypt files on a device, rendering them and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. | PAPERS | PAPERS |
| 20.5.26 | IT threat evolution in Q1 2026. Non-mobile statistics | The statistics in this report are based on detection verdicts returned by Kaspersky products unless otherwise stated. The information was provided by Kaspersky users who consented to sharing statistical data. | ANALYSIS | ANALYSIS |
| 20.5.26 | IT threat evolution in Q1 2026. Mobile statistics | In the third quarter of 2025, we updated the methodology for calculating statistical indicators based on the Kaspersky Security Network. These changes affected all sections of the report except for the statistics on installation packages, which remained unchanged. | ANALYSIS | ANALYSIS |
| 20.5.26 | SOFTWARE BILL OF MATERIALS FOR AI | Accessing information on the supply chain of an artificial intelligence (AI) system, as well as its individual components and dependencies, is critical to strengthening the cybersecurity of AI. Transparency and knowledge about AI system composition fosters vulnerability management and supports cybersecurity risk management. | PAPERS | PAPERS |
| 19.5.26 | DirtyDecrypt | DirtyDecrypt: Linux kernel LPE in the RxGK subsystem (CVE-2026-31635) with public PoC | VULNERABILITY | VULNERABILITY |
| 19.5.26 | CVE-2026-31635 | In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix oversized RESPONSE authenticator length check. rxgk_verify_response() decodes auth_len from the packet and is supposed to verify that it fits in the remaining bytes. | VULNERABILITY | VULNERABILITY |
| 19.5.26 | CVE-2026-2743 | (CVSS score: 10.0) - A path traversal vulnerability in the SeppMail User Web Interface's large file transfer (LFT) feature that could enable arbitrary file write, resulting in remote code execution. | VULNERABILITY | VULNERABILITY |
| 19.5.26 | CVE-2026-7864 | (CVSS score: 6.9) - An exposure of sensitive system information vulnerability that leaks server environment variables through an unauthenticated endpoint in the new GINA UI. | VULNERABILITY | VULNERABILITY |
| 19.5.26 | CVE-2026-44125 | (CVSS score: 9.3) - A missing authorization check vulnerability for multiple endpoints in the new GINA UI that allows unauthenticated remote attackers to access functionality that would otherwise require a valid session. | VULNERABILITY | VULNERABILITY |
| 19.5.26 | CVE-2026-44126 | (CVSS score: 9.2) - A deserialization of untrusted data vulnerability that allows unauthenticated remote attackers to execute code via a crafted serialized object. | VULNERABILITY | VULNERABILITY |
| 19.5.26 | CVE-2026-44127 | (CVSS score: 8.8) - An unauthenticated path traversal vulnerability in "/api.app/attachment/preview" that allows remote attackers to read arbitrary local files and trigger deletion of files in the targeted directory with the privileges of the "api.app" process. | VULNERABILITY | VULNERABILITY |
| 19.5.26 | CVE-2026-44128 | (CVSS score: 9.3) - An eval injection vulnerability that allows unauthenticated remote code execution by taking advantage of the fact that the /api.app/template feature directly passes the user-supplied upldd parameter into a Perl eval() statement without any sanitization. | VULNERABILITY | VULNERABILITY |
| 19.5.26 | CVE-2026-44129 | (CVSS score: 8.3) - An improper neutralization of special elements used in a template engine vulnerability that allows remote attackers to execute arbitrary template expressions and potentially achieve remote code execution depending on the enabled template plugins. | VULNERABILITY | VULNERABILITY |
| 19.5.26 | CVE-2026-41940 - cPanel & WHM Authentication Bypass vulnerability | CVE-2026-41940 is a recently disclosed critical (CVSS score 9.8) pre-authentication remote auth bypass vulnerability affecting cPanel and WebHost Manager (WHM), web-based software tools used to manage web hosting servers and websites through a GUI. | ALERTS | VULNERABILITY |
| 19.5.26 | Kazuar Botnet | Microsoft’s latest intelligence report dives into the evolution of Kazuar, a sophisticated peer-to-peer botnet orchestrated by the Russian threat group Waterbug (aka Secret Blizzard). No longer a simple backdoor, this malware now utilizes a modular "Kernel-Bridge-Worker" architecture to enhance its stealth and operational resilience. | ALERTS | BOTNET |
| 19.5.26 | CVE-2026-6692 - Slider Revolution Plugin vulnerability | CVE-2026-6692 is a recently disclosed high-severity (CVSS score 8.8) Arbitrary File Upload vulnerability affecting the Slider Revolution plugin for WordPress. If successfully exploited, the flaw might allow an authenticated attacker with low-level privileges to upload files without proper validation, leading to remote code execution on vulnerable instances. The vulnerability has already been patched in version 7.0.11 of the plugin. | VULNERABILITY | |
| 18.5.26 | SGLang contains two remote code execution and one path traversal vulnerability | Three vulnerabilities have been discovered in the SGLang project, two enabling remote code execution (RCE), and one regarding a path traversal vulnerability. In order for an attacker to exploit these vulnerabilities, the multimodal generation mode must be enabled, and an attacker must have network access to the SGLang service. No patch is available at this time, and no response was obtained from the project maintainers during coordination. | ALERT | ALERT |
| 18.5.26 | CVE-2026-44277 | (CVSS score: 9.1) - An improper access control vulnerability in FortiAuthenticator that may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests. (Fixed in FortiAuthenticator versions 6.5.7, 6.6.9, and 8.0.3) | VULNERABILITY | VULNERABILITY |
| 18.5.26 | CVE-2026-26083 | (CVSS score: 9.1) - A missing authorization vulnerability in the FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI that may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests. (Fixed in FortiSandbox versions 4.4.9 and 5.0.2, FortiSandbox Cloud version 5.0.6, and FortiSandbox PaaS versions 4.4.9 and 5.0.2) | VULNERABILITY | VULNERABILITY |
| 18.5.26 | CVE-2026-34260 | (CVSS score: 9.6) - An SQL injection vulnerability in SAP S/4HANA | VULNERABILITY | VULNERABILITY |
| 18.5.26 | CVE-2026-34263 | (CVSS score: 9.6) - A missing authentication check in the SAP Commerce Cloud configuration | VULNERABILITY | VULNERABILITY |
| 18.5.26 | Fast16 | Fast16: Pre-Stuxnet Sabotage Tool Was Built to Subvert Nuclear Weapons Simulations | GROUP | GROUP |
| 18.5.26 | CVE-2020-17103 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | VULNERABILITY | VULNERABILITY |
| 17.5.26 | Remus | Remus: Unpacking the 64-bit Evolution of the Lumma Stealer | MALWARE | STEALER |
| 17.5.26 | CVE-2026-45185 | Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code. | VULNERABILITY | VULNERABILITY |
| 17.5.26 | CVE-2026-44277 | An improper access control vulnerability in Fortinet FortiAuthenticator 8.0.2, FortiAuthenticator 8.0.0, FortiAuthenticator 6.6.0 through 6.6.8, FortiAuthenticator 6.5.0 through 6.5.6 may allow an attacker to execute unauthorized code or commands via <insert attack vector here> | VULNERABILITY | VULNERABILITY |
| 16.5.26 | GhostLock | GhostLock: SMB Deny-Share Handles as a Zero-Privilege Availability Weapon | WHITEPAPERS | WHITEPAPERS |
| 16.5.26 | CVE-2026-34260 | SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. | VULNERABILITY | VULNERABILITY |
| 16.5.26 | CVE-2026-34263 | Due to improper Spring Security configuration, SAP Commerce Cloud allows an unauthenticated user to perform malicious input injection, resulting in arbitrary server-side code execution, leading to high impact on the Confidentiality, Integrity, and Availability of the application. | VULNERABILITY | VULNERABILITY |
| 16.5.26 | Angry Spark | A VM-obfuscated backdoor observed on a single machine in the UK, operated for one year, and vanished without a trace. | MALWARE | BACKDOOR |
| 16.5.26 | Kazuar | Kazuar: Anatomy of a nation-state botnet | BOTNET | BOTNET |
| 16.5.26 | Gremlin Stealer | This article examines new obfuscation techniques the Gremlin stealer malware uses to conceal malicious payloads within embedded resources. We analyze a variant protected by a sophisticated commercial packing utility that employs instruction virtualization, transforming the original code into a custom, non-standard bytecode executed by a private virtual machine. | MALWARE | STEALER |
| 15.5.26 | CVE-2026-44112 | (CVSS score: 9.6/6.3) - A time-of-check/time-of-use (TOCTOU) race condition vulnerability in the OpenShell managed sandbox backend that allows attackers to bypass sandbox restrictions and redirect writes outside the intended mount root. | VULNEREBILITY | VULNEREBILITY |
| 15.5.26 | CVE-2026-44113 | (CVSS score: 7.7/6.3) - A TOCTOU race condition vulnerability in OpenShell that allows attackers to bypass sandbox restrictions and read files outside the intended mount root. | VULNEREBILITY | VULNEREBILITY |
| 15.5.26 | CVE-2026-44115 | (CVSS score: 8.8) - An incomplete list of disallowed inputs vulnerability that allows attackers to bypass allowlist validation by embedding shell expansion tokens in a here document (heredoc) body to execute unapproved commands at runtime. | VULNEREBILITY | VULNEREBILITY |
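The allowlist bypass in the OpenShell entry above (CVE-2026-44115) is a validator that inspects the command line but treats the here-document body as inert data, while the shell still performs parameter and command substitution inside an unquoted heredoc at runtime. The Python below is an added illustration of that defect class and its fix, not OpenShell's code; the allowlist, the regexes and the function names are this example's own assumptions, and it is deliberately conservative (it also flags a backslash-escaped `\$`, which the shell would leave alone).

```python
"""Shell allowlist validation that forgets the heredoc body.

Added example for the defect class behind CVE-2026-44115; not OpenShell's code.
ALLOWED_COMMANDS and the regexes below are assumptions made for illustration.
"""
import re
import shlex

# Assumed policy: commands the sandbox is willing to execute.
ALLOWED_COMMANDS = {"cat", "tee", "sort", "wc"}

# Metacharacters refused in command-line tokens (the heredoc operator excepted).
COMMAND_LINE_META = set(";|&$`()<>")

# Here-document operator and delimiter word: <<EOF, <<-EOF, <<'EOF', <<"EOF".
HEREDOC_RE = re.compile(r"<<(?P<dash>-?)\s*(?P<delim>'[^']*'|\"[^\"]*\"|[^\s;|&<>]+)")

# What the shell expands inside an *unquoted* heredoc body: $(cmd), $((expr)),
# ${VAR}, $VAR, $?, $5 and `cmd`.  Conservative: an escaped \$ is flagged too.
EXPANSION_RE = re.compile(r"\$\(|\$\{|\$[A-Za-z_0-9@*#?!-]|`")


def naive_allowlist_check(script: str) -> bool:
    """Vulnerable pattern: validate the first line, treat everything after it as data.

    The command must be allowlisted and no command-line token may carry a shell
    metacharacter, but the heredoc body is never looked at.  At runtime the shell
    expands $(...) and `...` inside that body, so an attacker runs anything.
    """
    command_line = script.split("\n", 1)[0]
    try:
        argv = shlex.split(command_line)
    except ValueError:              # unbalanced quotes
        return False
    if not argv or argv[0] not in ALLOWED_COMMANDS:
        return False
    for token in argv[1:]:
        if token.startswith("<<"):  # heredoc operator: body assumed inert (the bug)
            continue
        if COMMAND_LINE_META & set(token):
            return False
    return True


def split_heredoc(script: str):
    """Return (delimiter, quoted, body, trailing_lines) or None when no heredoc.

    quoted is True for <<'EOF' / <<"EOF", which disables expansion in the body.
    With <<- the shell strips leading tabs from body and terminator lines.
    """
    lines = script.split("\n")
    match = HEREDOC_RE.search(lines[0])
    if match is None:
        return None
    raw = match.group("delim")
    quoted = raw[0] in "'\""
    delim = raw[1:-1] if quoted else raw
    strip_tabs = match.group("dash") == "-"
    body, trailing = [], []
    for index, line in enumerate(lines[1:], start=1):
        candidate = line.lstrip("\t") if strip_tabs else line
        if candidate == delim:
            trailing = lines[index + 1:]
            break
        body.append(candidate)
    return delim, quoted, "\n".join(body), trailing


def hardened_allowlist_check(script: str) -> bool:
    """Hardened: the heredoc body and anything after the terminator are in scope.

    Rejects expansion tokens in an unquoted body, any non-blank line after the
    terminator, and multi-line input with no heredoc at all (extra lines would
    be further commands).
    """
    if not naive_allowlist_check(script):
        return False
    parts = split_heredoc(script)
    if parts is None:
        return "\n" not in script.strip()
    _, quoted, body, trailing = parts
    if any(line.strip() for line in trailing):
        return False
    return quoted or EXPANSION_RE.search(body) is None


if __name__ == "__main__":
    # Constructed inputs, not captured from any real system.
    samples = [
        "cat <<EOF\nhello\nEOF",            # benign
        "cat <<EOF\n$(id)\nEOF",            # expansion smuggled into the body
        "cat <<'EOF'\n$(id)\nEOF",          # quoted delimiter: body is literal
        "cat <<EOF\nhello\nEOF\nrm -rf /tmp/x",  # command after the terminator
    ]
    for sample in samples:
        print(repr(sample), naive_allowlist_check(sample), hardened_allowlist_check(sample))
```

Run as a script it prints, for each constructed input, the verdict of the naive validator next to the hardened one. The quoted-delimiter case (`<<'EOF'`) is accepted by both because the shell does not expand a heredoc whose delimiter is quoted; the trailing-command case is rejected by the hardened check even though the heredoc body itself is clean.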
| 15.5.26 | CVE-2026-44118 | (CVSS score: 7.8) - An improper access control vulnerability that could allow non-owner loopback clients to impersonate an owner to elevate their privileges and gain control over gateway configuration, cron scheduling, and execution environment management. | VULNEREBILITY | VULNEREBILITY |
| 15.5.26 | CVE-2026-42897 | Microsoft Exchange Server Spoofing Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 15.5.26 | CVE-2026-20182 | May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the February 2026 disclosure. This new advisory covers a new vulnerability in the control connection handshaking. | VULNEREBILITY | VULNEREBILITY |
| 14.5.26 | APT Activity April 2025 – September 2025 Report | RUSSIA-ALIGNED APTs RAMP UP ATTACKS AGAINST UKRAINE AND ITS STRATEGIC PARTNERS | REPORT | REPORT |
| 14.5.26 | BitUnlocker | BitUnlocker: Leveraging Windows Recovery to Extract BitLocker Secrets | MALWARE | TOOL |
| 14.5.26 | PebbleDash-based tools | Kimsuky targets organizations with PebbleDash-based tools | MALWARE | TOOL |
| 14.5.26 | Gamaredon | Gamaredon: Now Downloading via Windows Updates Best Friend “BITS” | MALWARE | LOADER |
| 14.5.26 | GammaLoad | Gamaredon’s infection chain: Spoofed emails, GammaDrop and GammaLoad | MALWARE | LOADER |
| 14.5.26 | UNC1151 | UNC1151 exploiting Roundcube to steal user credentials in a spearphishing campaign | GROUP | GROUP |
| 14.5.26 | FrostyNeighbor | FrostyNeighbor: Fresh mischief and digital shenanigans | GROUP | GROUP |
| 14.5.26 | CVE-2026-44338 | PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token. This issue has been patched in version 4.6.34. | VULNEREBILITY | VULNEREBILITY |
| 14.5.26 | Fragnesia | Fragnesia: Linux Kernel Local Privilege Escalation via ESP-in-TCP | VULNEREBILITY | VULNEREBILITY |
| 14.5.26 | NGINX Rift | An 18-year-old memory corruption flaw in NGINX Plus and NGINX Open Source lets an unauthenticated attacker crash worker processes or execute remote code with crafted HTTP requests. | VULNEREBILITY | VULNEREBILITY |
| 14.5.26 | CVE-2026-42945 | NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). | VULNEREBILITY | VULNEREBILITY |
| 14.5.26 | CVE-2026-42946 | (CVSS v4 score: 8.3) - An excessive memory allocation vulnerability in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that could allow a remote, unauthenticated attacker with adversary-in-the-middle (AitM) capabilities to control responses from an upstream server to read the memory of the NGINX worker process or restart it when scgi_pass or uwsgi_pass is configured. | VULNEREBILITY | VULNEREBILITY |
| 14.5.26 | CVE-2026-40701 | (CVSS v4 score: 6.3) - A use-after-free vulnerability in the ngx_http_ssl_module module that could allow a remote, unauthenticated attacker to have limited control of modification of data or restart the NGINX worker process when the ssl_verify_client directive is set to "on" or "optional," and the ssl_ocsp directive is set to "on." | VULNEREBILITY | VULNEREBILITY |
| 14.5.26 | CVE-2026-42934 | (CVSS v4 score: 6.3) - An out-of-bounds read vulnerability in the ngx_http_charset_module module that could allow a remote, unauthenticated attacker to disclose memory contents or restart the NGINX worker process when charset, source_charset, and charset_map, and proxy_pass with disabled buffering ("off") directives are configured. | VULNEREBILITY | VULNEREBILITY |
| 14.5.26 | CVE-2026-40466 - Remote Code Execution vulnerability in Apache ActiveMQ | CVE-2026-40466 is a recently disclosed high-severity (CVSS score 8.8) Remote Code Execution vulnerability affecting Apache ActiveMQ, a popular open-source, Java-based message broker. If successfully exploited, the flaw could allow an authenticated attacker to add a connector using an HTTP Discovery transport through Jolokia, leading to arbitrary code execution. | ALERTS | VULNEREBILITY |
| 14.5.26 | CVE-2026-39987 - Marimo RCE Vulnerability | CVE-2026-39987 is a recently disclosed critical (CVSS score 9.3) pre-authentication Remote Code Execution (RCE) vulnerability affecting Marimo, an open-source reactive Python notebook platform. If successfully exploited, the flaw could allow an unauthenticated attacker to obtain a full interactive shell on any exposed Marimo instance through a single WebSocket connection. | ALERTS | VULNEREBILITY |
| 14.5.26 | Southeast Asia Campaign Uses Legal and Whistleblower-Themed Lures to Deliver RAT | Researchers at Seqrite Labs recently reported a campaign, dubbed Operation GriefLure, in which threat actors targeted a military-linked telecom organization in Vietnam and a medical center in the Philippines. The attacks use highly credible legal and whistleblower-themed lures, delivered through compressed archives containing decoy PDFs and malicious LNK files that kick off an attack chain leading to a remote access Trojan. | CAMPAIGN | |
| 14.5.26 | Fake ScreenConnect Update Leads to CloudZ RAT | Cisco Talos reported an intrusion active since at least January 2026 involving CloudZ RAT and a previously undocumented plugin called Pheno. The activity appears focused on credential theft and possible interception of SMS-based one-time passwords by abusing Microsoft Phone Link on compromised Windows systems. | ALERTS | VIRUS |
| 14.5.26 | TCLBanker malware distributed in latest campaigns | Elastic Security Labs has discovered TCLBanker, an advanced Brazilian banking trojan believed to be a significant evolution of the Maverick/Sorvepotel malware families. The threat is distributed via ZIP files containing malicious MSI installers that exploit a legitimate, signed Logitech application through DLL side-loading techniques. | ALERTS | VIRUS |
| 14.5.26 | CVE-2026-33032 - Nginxui Nginx UI Auth Bypass Vulnerability | CVE-2026-33032 is a recently disclosed critical (CVSS score 9.8) authentication bypass vulnerability affecting Nginx UI, an open-source web interface used to centralize the management of Nginx configurations and SSL certificates. | ALERTS | VULNEREBILITY |
| 14.5.26 | CVE-2026-3296 - Everest Forms WordPress Plugin RCE vulnerability | CVE-2026-3296 is a recently disclosed critical (CVSS score 9.8) PHP Object Injection vulnerability affecting the Everest Forms WordPress plugin. If successfully exploited, the flaw could allow unauthenticated attackers to inject malicious serialized PHP objects through any public form field, leading to remote code execution on vulnerable instances. The vulnerability has been patched in version 3.4.4 of the plugin. | VULNEREBILITY | |
| 14.5.26 | PCPJack - a new sophisticated credential-harvesting framework | SentinelLABS has uncovered "PCPJack," a sophisticated credential-harvesting framework designed to autonomously propagate across vulnerable cloud environments. Unlike conventional cloud-based malware, PCPJack deliberately avoids deploying cryptocurrency miners. | ALERTS | VIRUS |
| 14.5.26 | Iran-Linked Hackers Breached Major Korean Electronics Maker in Global Espionage Campaign | Iran-linked attackers spent a week inside the network of a major South Korean electronics manufacturer in February 2026, as part of a sprawling early-year espionage campaign affecting at least nine organizations across four continents. | ALERTS | APT |
| 14.5.26 | Smishing Campaigns Use UAE and Singapore Service Lures | A recent investigation by a researcher describes a large smishing operation impersonating trusted transportation, logistics, and government services in the UAE and Singapore. The campaign uses deceptive domains, mobile-focused phishing pages, geo-filtering, HTTPS certificates, and centralized hosting to make fraudulent payment or identity-verification pages appear legitimate. | ALERTS | PHISHING |
| 14.5.26 | Action1 RMM Abused in “April Statements” Invoice Malspam | Symantec has identified a malspam campaign that abuses the legitimate Action1 remote monitoring and management (RMM) platform to gain hands-on-keyboard access to victim endpoints. The campaign uses an invoice-themed lure ("April Statements") impersonating a US residential property-management organization. | SPAM | |
| 13.5.26 | CVE-2026-42826 | (CVSS score: 10.0) - An exposure of sensitive information to an unauthorized actor in Azure DevOps that allows an unauthorized attacker to disclose information over a network. (Requires no customer action) | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | CVE-2026-33109 | (CVSS score: 9.9) - An improper access control in Azure Managed Instance for Apache Cassandra that allows an authorized attacker to execute code over a network. (Requires no customer action) | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | CVE-2026-42898 | (CVSS score: 9.9) - A code injection vulnerability in Microsoft Dynamics 365 (on-premises) that allows an authorized attacker to execute code over a network. | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | CVE-2026-42823 | (CVSS score: 9.9) - An improper access control in Azure Logic Apps that allows an authorized attacker to elevate privileges over a network. | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | CVE-2026-41089 | (CVSS score: 9.8) - A stack-based buffer overflow in Windows Netlogon that allows an unauthorized attacker to execute code over a network without needing to sign in or have prior access by sending a specially crafted network request to a Windows server that is acting as a domain controller. | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | CVE-2026-33823 | (CVSS score: 9.6) - An improper authorization in Microsoft Teams that allows an authorized attacker to disclose information over a network. (Requires no customer action) | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | CVE-2026-35428 | (CVSS score: 9.6) - A command injection vulnerability in Azure Cloud Shell that allows an unauthorized attacker to perform spoofing over a network. (Requires no customer action) | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | CVE-2026-40379 | (CVSS score: 9.3) - An exposure of sensitive information to an unauthorized actor in Azure Entra ID that allows an unauthorized attacker to perform spoofing over a network. (Requires no customer action) | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | CVE-2026-40402 | (CVSS score: 9.3) - A use-after-free in Windows Hyper-V that allows an unauthorized attacker to gain SYSTEM privileges and access the Hyper-V host environment. | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | CVE-2026-41103 | (CVSS score: 9.1) - An incorrect implementation of authentication algorithm in Microsoft SSO Plugin for Jira & Confluence that allows an unauthorized attacker to gain unauthorized access to Jira or Confluence as a valid user and perform actions with the same permissions as the compromised account. | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | CVE-2026-33117 | (CVSS score: 9.1) - An improper authentication in Azure SDK that allows an unauthorized attacker to bypass a security feature over a network. | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | CVE-2026-42833 | (CVSS score: 9.1) - An execution with unnecessary privileges in Microsoft Dynamics 365 (on-premises) that allows an authorized attacker to execute code over a network and gain the ability to interact with other tenants’ applications and content. | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | CVE-2026-33844 | (CVSS score: 9.0) - An improper input validation in Azure Managed Instance for Apache Cassandra that allows an authorized attacker to execute code over a network. (Requires no customer action) | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | CVE-2026-40361 | (CVSS score: 8.4) - A use-after-free vulnerability in Microsoft Office Word that allows an unauthorized attacker to execute code locally without requiring user interaction. | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | CVE-2026-40364 | (CVSS score: 8.4) - A type confusion vulnerability in Microsoft Office Word that allows an unauthorized attacker to execute code locally without requiring user interaction. | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | FamousSparrow | FamousSparrow APT Targets Azerbaijani Oil and Gas Industry | APT | APT |
| 13.5.26 | GemStuffer Campaign | GemStuffer Campaign Abuses RubyGems as Exfiltration Channel Targeting UK Local Government | CAMPAIGN | CAMPAIGN |
| 13.5.26 | Operation NoVoice | Operation NoVoice: Android Malware Found in 50+ Apps Can Hijack Devices | OPERATION | OPERATION |
| 12.5.26 | Google ad for Claude leads to macOS malware infection | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. | MALWARE TRAFFIC | MALWARE TRAFFIC |
| 12.5.26 | macOS Shub Stealer infection | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. | MALWARE TRAFFIC | MALWARE TRAFFIC |
| 12.5.26 | dnsmasq contains several vulnerabilities, including attacker DNS redirect, privilege escalation, and heap manipulation | dnsmasq is affected by multiple memory safety and input validation vulnerabilities, including heap buffer overflows, heap corruption, and code execution flaws. Collectively, these vulnerabilities enable attackers to poison cached DNS records, bypass security controls, crash the dnsmasq process, or under certain conditions, achieve local privilege escalation. dnsmasq has released version 2.92rel2 to fix the vulnerabilities. | ALERT | ALERT |
| 12.5.26 | Casdoor contains Arbitrary File Write vulnerability | Casdoor contains an arbitrary file write vulnerability in the implementation of its "Local File System" storage provider. Due to insufficient sanitization of user-supplied paths, an authenticated user with file upload permissions can escape the intended storage directory and write files elsewhere on the target filesystem. | ALERT | ALERT |
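The two OpenShell TOCTOU entries above (CVE-2026-44112 and CVE-2026-44113, writes and reads redirected outside the intended mount root) and the Casdoor arbitrary file write in this entry are two faces of the same defect: containment enforced by a string check on a path, followed by an open() on that path. The Python below is an added example, not code from either project, and the names in it (naive_contained, open_under_root, demo) are its own. It stages the race deterministically (the symlink is swapped in between check and use by the script itself rather than by a competing thread) and shows the fix: walk the path component by component with openat-style dir_fd opens and O_NOFOLLOW, so the kernel decides at open time. Unix only.

```python
"""Path containment: racy string check vs. symlink-proof open.

Added example; not OpenShell's or Casdoor's code.  Unix only (uses dir_fd).
"""
import errno
import os
import shutil
import tempfile


def naive_contained(root: str, user_path: str) -> bool:
    """Vulnerable pattern: resolve the path, compare a string prefix, open later.

    Two defects: startswith() accepts a sibling such as <root>_evil, and the
    answer only describes the filesystem at check time, so a symlink planted
    before the later open() is silently followed (the TOCTOU window).
    """
    target = os.path.realpath(os.path.join(root, user_path))
    return target.startswith(root)


def _openat_nofollow(name: str, flags: int, dir_fd: int, mode: int = 0o600) -> int:
    """open(2) relative to dir_fd, never following a symlink in this component."""
    try:
        return os.open(name, flags | os.O_NOFOLLOW | os.O_CLOEXEC, mode, dir_fd=dir_fd)
    except OSError as exc:
        if exc.errno == errno.ELOOP:          # the component is a symlink
            raise PermissionError(f"symlink component rejected: {name}") from exc
        raise


def open_under_root(root: str, user_path: str,
                    flags: int = os.O_WRONLY | os.O_CREAT, mode: int = 0o600) -> int:
    """Open user_path strictly inside root; returns an fd the caller must close.

    Absolute paths and '..' are refused up front; every remaining component is
    opened with O_NOFOLLOW relative to the previous directory fd, so containment
    is decided by the kernel at open time rather than by an earlier string check.
    """
    if os.path.isabs(user_path):
        raise PermissionError("absolute path rejected")
    parts = [p for p in user_path.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError("empty or parent-relative path rejected")
    dir_flags = os.O_RDONLY | os.O_DIRECTORY
    fd = os.open(root, dir_flags | os.O_CLOEXEC)      # root is trusted configuration
    try:
        for component in parts[:-1]:
            next_fd = _openat_nofollow(component, dir_flags, fd)
            os.close(fd)
            fd = next_fd
        return _openat_nofollow(parts[-1], flags, fd, mode)
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed layout under a temp dir; returns the outcome of each probe."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="contain-"))
    try:
        root = os.path.join(base, "uploads")
        os.mkdir(root)
        os.mkdir(os.path.join(root, "docs"))
        os.mkdir(os.path.join(base, "uploads_evil"))   # sibling sharing the prefix
        secret = os.path.join(base, "secret.txt")      # a file outside the root
        with open(secret, "w") as fh:
            fh.write("top secret\n")

        results = {}
        # Defect 1: the prefix comparison accepts a sibling directory.
        results["naive_sibling"] = naive_contained(root, "../uploads_evil/x.txt")
        # Defect 2: the check passes while doc.txt is a regular file ...
        victim = os.path.join(root, "doc.txt")
        open(victim, "w").close()
        results["naive_check_passed"] = naive_contained(root, "doc.txt")
        # ... the attacker wins the race and swaps in a symlink ...
        os.remove(victim)
        os.symlink(secret, victim)
        # ... and the later open-by-path follows it, writing outside the root.
        with open(victim, "w") as fh:
            fh.write("owned\n")
        with open(secret) as fh:
            results["naive_secret_clobbered"] = fh.read() == "owned\n"

        def attempt(path: str) -> str:
            try:
                os.close(open_under_root(root, path))
                return "opened"
            except PermissionError:
                return "rejected"

        results["hard_ok"] = attempt("docs/report.txt")
        results["hard_sibling"] = attempt("../uploads_evil/x.txt")
        results["hard_traversal"] = attempt("../../etc/passwd")
        results["hard_absolute"] = attempt("/etc/passwd")
        results["hard_symlink"] = attempt("doc.txt")   # the planted symlink, refused
        return results
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The hardened opener does not try to be clever about what the path resolves to; it refuses to let any component be a symlink and refuses `..` outright, which is the right trade-off for an upload or sandbox root where nothing legitimate should point outside it.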
| 12.5.26 | Mini Shai-Hulud | Mini Shai-Hulud Is Back: npm Worm Hits over 160 Packages, including Mistral and Tanstack | MALWARE | PYTHON |
| 12.5.26 | TrickMo | New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps | MALWARE | ANDROID |
| 12.5.26 | Actively exploited: CVE-2026-41940 | CVE-2026-41940 is a high-severity unauthenticated authentication bypass vulnerability affecting cPanel & WHM. This product is widely used in Linux server operations and virtual hosting management. | EXPLOIT | EXPLOIT |
| 11.5.26 | ClickFix distributing Vidar Stealer via WordPress targeting Australian infrastructure | The Australian Signals Directorate’s Australian Cyber Security Centre (ASD's ACSC) has observed ClickFix associated activity leveraging WordPress hosted infrastructure to distribute the Vidar Stealer malware. | REPORT | REPORT |
| 11.5.26 | CVE-2026-26956 | WASM Sandbox Escape | VULNEREBILITY | VULNEREBILITY |
| 11.5.26 | CVE-2026-20188 | A vulnerability in the connection-handling mechanism of Cisco Crosswork Network Controller (CNC) and Cisco Network Services Orchestrator (NSO) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. This vulnerability is due to an inadequate implementation of rate-limiting on incoming network connections. | VULNEREBILITY | VULNEREBILITY |
| 11.5.26 | Acronis Cyberthreats Report, H2 2025: From exploits to malicious AI | The Acronis Cyberthreats Report covers the global threat landscape as encountered by the Acronis Threat Research Unit (TRU) and Acronis sensors in the second half of 2025. General threat data (including malware, ransomware, web and email threats, vulnerabilities, etc.) presented in the report is gathered from January–December of 2025 and reflects threats targeting endpoints we observed in this time frame. | REPORT | REPORT |
| 11.5.26 | State of the SOFTWARE SUPPLY CHAIN 2026 | The Limits of Legacy Vulnerability Management | REPORT | REPORT |
| 11.5.26 | Legitimate | “Legitimate” phishing: how attackers weaponize Amazon SES to bypass email security | PHISHING | PHISHING |
| 11.5.26 | CVE-2023-43896 | A buffer overflow in Macrium Reflect 8.1.7544 and below allows attackers to escalate privileges or execute arbitrary code. | VULNEREBILITY | VULNEREBILITY |
| 11.5.26 | FEMITBOT | Abuse of Telegram Mini Apps for Large-Scale Fraud Campaigns | REPORT | REPORT |
| 11.5.26 | CVE-2026-7482 | Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads past the allocated heap buffer. | VULNEREBILITY | VULNEREBILITY |
| 9.5.26 | Linux kernel contains local privilege escalation vulnerability (Copy Fail) | A privilege escalation vulnerability has been discovered in Linux kernel versions 4.17 (released 2017) and later. Many popular distributions and Linux-based containers are affected. This vulnerability was publicly disclosed on April 29, 2026, has been assigned CVE ID CVE-2026-31431, and is commonly referred to as "Copy Fail." | ALERT | ALERT |
| 9.5.26 | DirtyFrag vulnerability - CVE-2026-43284 / CVE-2026-43500 | Just a week after the disclosure of the CopyFail (CVE-2026-31431) vulnerability, a second Linux kernel critical flaw has been discovered with public technical details and proof-of-concept code released publicly. Dubbed Dirty Frag, the vulnerability chains two distinct kernel bugs: CVE-2026-43284 (ESP subsystem) and CVE-2026-43500 (RxRPC subsystem). | ALERTS | VULNEREBILITY |
| 9.5.26 | macOS infostealer delivery campaign leverages ClickFix techniques | Microsoft researchers have identified an evolving macOS infostealer campaign that leverages "ClickFix" tactics to compromise users. Rather than relying on traditional methods like malicious disk images (.dmg files), attackers now embed deceptive instructions within public blogs and user-generated content sites. These sites trick victims into executing specific Terminal commands under the guise of installing system optimization utilities. | ALERTS | VIRUS |
| 9.5.26 | Unpacking UAT-8302: A New Arsenal of China-Nexus Malware | Cisco Talos has uncovered UAT-8302, a sophisticated China-nexus threat group aggressively targeting government entities, primarily observed in Europe and South America. This actor utilizes an extensive toolkit of custom malware, notably the .NET-based NetDraft backdoor, which leverages MS Graph for stealthy command-and-control. Their arsenal further includes CloudSorcerer v3, a refined backdoor that manipulates legitimate platforms like GitHub to retrieve operational instructions. | APT | |
| 9.5.26 | Supply Chain Alert: DAEMON Tools Installers Compromised | Security researchers at Kaspersky have uncovered a sophisticated supply chain attack targeting DAEMON Tools, where legitimate installers were trojanized with a multi-stage backdoor. Since April 2026, compromised binaries signed with valid certificates have deployed an initial information collector to thousands of global victims. | ALERTS | VIRUS |
| 9.5.26 | ShadowPad Resurfaces in State Espionage Campaign Targeting Asian Governments | Trend Micro researchers recently identified SHADOW-EARTH-053, a China-aligned espionage group targeting Asian government sectors. The campaign centers on the modular ShadowPad malware, often deployed through DLL sideloading using legitimate signed executables. Attackers establish initial persistence via GODZILLA web shells before utilizing registry-based loaders to execute shellcode covertly. | ALERTS | CAMPAIGN |
| 9.5.26 | Tax Lures Deliver ValleyRAT and ABCDoor | Researchers at Kaspersky recently published an article on a Silver Fox campaign in which the actor used tax-themed phishing lures against organizations in India and Russia, impersonating official tax authorities to push victims toward malicious archives. Per their analysis, the campaign used a custom RustSL loader, ValleyRAT, and a Python-based backdoor dubbed ABCDoor. | VIRUS | |
| 9.5.26 | CVE-2026-29201 | (CVSS score: 4.3) - An insufficient input validation of the feature file name in the "feature::LOADFEATUREFILE" adminbin call that could result in an arbitrary file read. | VULNEREBILITY | VULNEREBILITY |
| 9.5.26 | CVE-2026-29202 | (CVSS score: 8.8) - An insufficient input validation of the "plugin" parameter in the "create_user API" call that could result in arbitrary Perl code execution on behalf of the already authenticated account's system user. | VULNEREBILITY | VULNEREBILITY |
| 9.5.26 | CVE-2026-29203 | (CVSS score: 8.8) - An unsafe symlink handling vulnerability that allows a user to modify access permissions of an arbitrary file using chmod, resulting in denial-of-service or possible privilege escalation. | VULNEREBILITY | VULNEREBILITY |
| 9.5.26 | TCLBANKER | TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook | MALWARE | BANKING |
| 9.5.26 | CallPhantom tricks | Fake call logs, real payments: How CallPhantom tricks Android users | HACKING | HACKING |
| 9.5.26 | Operation GriefLure | Table of Contents: Introduction: Key Targets: Infection Chain: Initial Findings about Campaign: Analysis of Decoys: Technical Analysis: Campaign-1: Stage-1: Ho so.rar Campaign: 2 Stage-1: download.zip Stage-2: The LNK & Batch file (Common in 1 & 2 both) Stage-3: Analysis | OPERATION | OPERATION |
| 9.5.26 | Operation Silent Rotor | Operation Silent Rotor: Targeted Campaign Compromises Unmanned Aviation Sector Ahead of Moscow Summit Table of Content Introduction Key Targets Industries Affected Geographical focus Infection Chain Initial Findings Looking into the Decoy Documents Technical Analysis Stage 1 – Analysis of... | OPERATION | OPERATION |
| 9.5.26 | Operation HumanitarianBait | Cyble analyzes Operation HumanitarianBait, a stealthy espionage campaign using aid-themed lures to deploy a fileless Python infostealer. | OPERATION | OPERATION |
| 8.5.26 | Dirty Frag | Dirty Frag (CVE-2026-43284, CVE-2026-43500) vulnerability fix is ready for testing | VULNEREBILITY | VULNEREBILITY |
| 8.5.26 | Plague | ‘Plague’ malware exploits Pluggable Authentication Module to breach Linux systems | MALWARE | EXPLOIT |
| 8.5.26 | PamDOORa | PamDOORa: Analyzing a New Linux PAM-Based Backdoor for Sale on the Dark Web | MALWARE | BACKDOOR |
| 8.5.26 | Quasar Linux | Quasar Linux (QLNX) – A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities | MALWARE | RAT |
| 8.5.26 | CVE-2026-6973 | An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution. | VULNEREBILITY | VULNEREBILITY |
| 8.5.26 | PCPJack | PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale | MALWARE | WORM |
| 7.5.26 | CVE-2026-24118 | (CVSS score: 9.8) - A vulnerability that allows sandbox escape via "__lookupGetter__" and permits an attacker to run arbitrary code on the underlying host. (Affects versions <= 3.10.4, patched in 3.11.0) | VULNEREBILITY | VULNEREBILITY |
| 7.5.26 | CVE-2026-24120 | (CVSS score: 9.8) - A patch bypass for CVE-2023-37466 (CVSS score: 9.8) that could allow attackers to escape the sandbox through the species property of promise objects and execute arbitrary commands on the underlying host. (Affects versions <= 3.10.3, patched in 3.10.5) | VULNEREBILITY | VULNEREBILITY |
| 7.5.26 | CVE-2026-24781 | (CVSS score: 9.8) - A vulnerability that allows sandbox escape via the "inspect" function and permits an attacker to run arbitrary code on the underlying host. (Affects versions <= 3.10.3, patched in 3.11.0) | VULNEREBILITY | VULNEREBILITY |
| 7.5.26 | CVE-2026-26332 | (CVSS score: 9.8) - A vulnerability that allows sandbox escape via "SuppressedError" and permits an attacker to run arbitrary code on the underlying host. (Affects versions <= 3.10.4, patched in 3.11.0) | VULNEREBILITY | VULNEREBILITY |
| 7.5.26 | CVE-2026-26956 | (CVSS score: 9.8) - A protection mechanism failure vulnerability that allows sandbox escape with arbitrary code execution by triggering a TypeError produced by Symbol-to-string coercion. (Affects version 3.10.4, confirmed on Node.js 25.6.1, patched in 3.10.5) | VULNEREBILITY | VULNEREBILITY |
| 7.5.26 | CVE-2026-43997 | (CVSS score: 10.0) - A code injection vulnerability that allows an attacker to obtain the host Object and escape the sandbox, leading to arbitrary code execution. (Affects versions <= 3.10.5, patched in 3.11.0) | VULNEREBILITY | VULNEREBILITY |
| 7.5.26 | CVE-2026-43999 | (CVSS score: 9.9) - A vulnerability that allows a bypass of NodeVM's built-in allowlist and enables an attacker to load excluded builtins like child_process and achieve remote code execution. (Affects version 3.10.5, patched in 3.11.0) | VULNEREBILITY | VULNEREBILITY |
| 7.5.26 | CVE-2026-44005 | (CVSS score: 10.0) - A vulnerability that allows attacker-controlled JavaScript to escape the sandbox and enable prototype pollution. (Affects versions 3.9.6-3.10.5, patched in 3.11.0) | VULNEREBILITY | VULNEREBILITY |
| 7.5.26 | CVE-2026-44006 | (CVSS score: 10.0) - A code injection vulnerability via "BaseHandler.getPrototypeOf" that enables sandbox escape and remote code execution. (Affects versions <= 3.10.5, patched in 3.11.0) | VULNEREBILITY | VULNEREBILITY |
| 7.5.26 | CVE-2026-44007 | (CVSS score: 9.1) - An improper access control vulnerability that allows sandbox escape and execution of arbitrary operating system commands on the underlying host. (Affects versions <= 3.11.0, patched in 3.11.1) | VULNEREBILITY | VULNEREBILITY |
| 7.5.26 | CVE-2026-44008 | (CVSS score: 9.8) - A vulnerability that allows sandbox escape via "neutralizeArraySpeciesBatch()" and permits an attacker to execute arbitrary commands on the underlying host. (Affects versions <= 3.11.1, patched in 3.11.2) | VULNEREBILITY | VULNEREBILITY |
| 7.5.26 | CVE-2026-44009 | (CVSS score: 9.8) - A vulnerability that allows sandbox escape via a null proto exception and permits an attacker to execute arbitrary commands on the underlying host. (Affects versions <= 3.11.1, patched in 3.11.2) | VULNEREBILITY | VULNEREBILITY |
| 7.5.26 | ZiChatBot | While these wheel packages do implement the features described on their PyPI web pages, their true purpose is to covertly deliver malicious files. | MALWARE | Python |
| 7.5.26 | OceanLotus | OceanLotus suspected of using PyPI to deliver ZiChatBot malware | APT | APT |
| 7.5.26 | xlabs_v1 | xlabs_v1 DDoS-for-Hire IoT Botnet Exposed: One Operator Error. An Entire Operation Revealed | BOTNET | BOTNET |
| 6.5.26 | Middle East Conflict & Cyber Escalation Overview | Advisory: Middle East Conflict & Cyber Escalation | ANALYSIS | ANALYSIS |
| 6.5.26 | Iranian-Nexus Operation | Iranian-Nexus Operation Against Oman's Government: 12 Ministries Hit and 26,000 Citizen Records Exposed | OPERATION | OPERATION |
| 6.5.26 | MuddyWater | Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware | APT | APT |
| 6.5.26 | CloudZ RAT | CloudZ RAT potentially steals OTP messages using Pheno plugin | MALWARE | RAT |
| 6.5.26 | CVE-2026-0300 | CVE-2026-0300 PAN-OS: Unauthenticated user initiated Buffer Overflow Vulnerability in User-ID™ Authentication Portal | VULNEREBILITY | VULNEREBILITY |
| 6.5.26 | CVE-2026-23918 | Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. | VULNEREBILITY | VULNEREBILITY |
| 6.5.26 | DAEMON Tools software infected | DAEMON Tools software infected – supply chain attack ongoing since April 8, 2026 | INCIDENT | INCIDENT |
| 6.5.26 | UAT-8302 | UAT-8302 and its box full of malware | GROUP | GROUP |
| 5.5.26 | Zscaler ThreatLabz 2026 VPN Risk Report | For decades, VPN was the default answer to remote access security – reliable, familiar, and deeply embedded in enterprise architecture. That era is ending. AI has accelerated attack timelines from weeks to minutes, automated credential theft at industrial scale, and given adversaries a speed advantage that human-led defense cannot match. | REPORT | REPORT |
| 5.5.26 | CVE-2026-29014 | MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. | VULNEREBILITY | VULNEREBILITY |
| 5.5.26 | ScarCruft compromises | A rigged game: ScarCruft compromises gaming platform in a supply-chain attack | INCIDENT | APT |
| 5.5.26 | CVE-2026-22679 | Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthenticated remote code execution vulnerability in the /papi/esearch/data/devops/dubboApi/debug/method endpoint that allows attackers to execute arbitrary commands by invoking exposed debug functionality. | VULNEREBILITY | VULNEREBILITY |
| 5.5.26 | Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise | Phishing campaigns continue to improve sophistication and refinement in blending social engineering, delivery and hosting infrastructure, and authentication abuse to remain effective against evolving security controls. | CAMPAIGN | CAMPAIGN |
| 5.5.26 | VENOMOUS#HELPER | You’re invited: Four phishing lures in campaigns dropping RMM tools | CAMPAIGN | CAMPAIGN |
| 5.5.26 | CVE-2026-5174 | Improper input validation vulnerability in Progress Software MOVEit Automation allows Privilege Escalation. This issue affects MOVEit Automation: from 2025.1.0 before 2025.1.5, from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0. | VULNEREBILITY | VULNEREBILITY |
| 5.5.26 | CVE-2026-4670 | Authentication bypass by primary weakness vulnerability in Progress Software MOVEit Automation allows Authentication Bypass. This issue affects MOVEit Automation: from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0. | VULNEREBILITY | VULNEREBILITY |
| 4.5.26 | Silver Fox | Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India | APT | APT |
| 4.5.26 | South-East Asian Military Entities Targeted via cPanel (CVE-2026-41940) | On April 29th 2026, watchTowr Labs published research on CVE-2026-41940, a critical authentication bypass in cPanel & WHM. Within days, reporting from Censys and Ctrl-Alt-Intel made clear that exploitation had rapidly moved from disclosure to in-the-wild abuse. | APT | APT |
| 3.5.26 | Copy Fail | Most Linux LPEs need a race window or a kernel-specific offset. Copy Fail is a straight-line logic flaw — it needs neither. The same 732-byte Python script roots every Linux distribution shipped since 2017. | VULNEREBILITY | VULNEREBILITY |
| 3.5.26 | Bluekit | Meet Bluekit: The AI-Powered All-in-One Phishing Kit | PHISHING | KIT |
| 3.5.26 | CVE-2026-41940 | CVE-2026-41940: cPanel & WHM Authentication Bypass | VULNEREBILITY | VULNEREBILITY |
| 3.5.26 | CVE-2026-31431 | Linux Kernel Incorrect Resource Transfer Between Spheres Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 3.5.26 | CVE-2026-21510 | Windows Shell Security Feature Bypass Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 2.5.26 | TeamPCP Targets SAP Developers with Obfuscated npm Backdoor | A sophisticated supply chain attack recently compromised several SAP CAP npm packages, as reported by researchers at Socket. The breach utilizes a malicious preinstall script that bootstraps a Bun runtime to execute a heavily obfuscated payload. | ALERTS | VIRUS |
| 2.5.26 | Fake GitHub Repositories Push StealC | Researchers recently reported a malicious GitHub campaign that is using fake repositories across 17 accounts to impersonate popular Python projects and lure developers into running trojanized code. The repositories carried a Python dropper that fetched an encrypted Windows loader designed to load StealC. | ALERTS | VIRUS |
| 2.5.26 | CopyFail (CVE-2026-31431) | CopyFail, tracked as CVE-2026-31431, is a Linux kernel local privilege escalation vulnerability affecting the authencesn / algif_aead crypto path, with public technical details and proof-of-concept code now available. The flaw can allow an unprivileged local attacker to create a controlled page-cache overwrite and potentially gain root by modifying the cached copy of a readable setuid binary, making it especially relevant after an initial foothold has already been gained. | VULNEREBILITY | |
| 2.5.26 | VECT 2.0 Ransomware - The Accidental Wiper | Check Point Research shared details of VECT 2.0, a multi-platform ransomware targeting Windows, Linux, and ESXi environments. Although marketed as a sophisticated ransomware-as-a-service offering, the malware contains a critical flaw in its encryption routine that impacts files larger than 128 KB. | ALERTS | RANSOM |
| 2.5.26 | Fake Minecraft Hacks Deliver LofyStealer Infostealer | LofyStealer is a modular infostealer currently preying on Minecraft players by masquerading as a game hack. This Brazilian-linked threat utilizes a large Node.js-based loader to bypass traditional sandbox detection before injecting a payload directly into browser memory. | ALERTS | VIRUS |
| 2.5.26 | Inside Vidar’s Latest Variant: Stealth, Social Engineering, and Memory Execution | An analysis from the Lat61 Threat Intelligence Team by Point Wild details a recent variant of the Vidar infostealer as a highly stealthy, multi-stage threat that relies on social engineering and “living-off-the-land” techniques rather than traditional exploits. Initial infections often originate from fake GitHub repositories masquerading as legitimate tools, CAPTCHA prompts, or compromised websites, which trigger scripts chaining WScript and PowerShell. | VIRUS | |
| 2.5.26 | The Rise of the Sleeper: GlassWorm’s Deceptive IDE Tactics | The GlassWorm campaign has intensified, with new research from Socket identifying 73 deceptive "sleeper" extensions on the Open VSX marketplace. These clones impersonate popular developer tools to build trust before activating malicious payloads via updates. | ALERTS | VIRUS |
| 2.5.26 | Snake Keylogger campaign: Saudi Procurement Lure and Multi-Stage Chain | Symantec's Threat Intelligence team has observed a Snake Keylogger malspam campaign leveraging a multi-stage delivery chain that starts with a forged "procurement introduction" email carrying a RAR attachment, and ends with credential theft exfiltrated over the Telegram Bot API. | ALERTS | CAMPAIGN |
| 2.5.26 | Tropic Trooper leverages trojanized binaries to distribute AdaptixC2 | Cybersecurity researchers at Zscaler ThreatLabz uncovered a sophisticated cyberespionage operation orchestrated by the Tropic Trooper threat group (aka Earth Centaur). The attackers specifically targeted Chinese-speaking users, predominantly located within Taiwan, Japan, and South Korea, using deceptive ZIP files disguised as official military documents. | VIRUS | |
| 2.5.26 | AccountDumpling | Hunting Down the Google-Sent Phishing Wave Compromising 30,000+ Facebook Accounts | PHISHING | PHISHING |
| 2.5.26 | Snow Flurries | Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite | CAMPAIGN | CAMPAIGN |
| 1.5.26 | Cordial Spider | CORDIAL SPIDER is a financially motivated eCrime adversary that has performed data theft and extortion since at least October 2025. CORDIAL SPIDER gains initial access to victim systems via voice phishing (vishing) calls in which they direct targeted users to single sign-on (SSO)–themed phishing pages. | GROUP | GROUP |
| 1.5.26 | Snarky Spider | SNARKY SPIDER is a financially motivated eCrime adversary that has performed data theft and extortion and cryptocurrency theft since at least October 2025. T | GROUP | GROUP |
| 1.5.26 | Shadow-Earth-053 | Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia | GROUP | GROUP |