| DATE | NAME | INFO | CATEGORY | SUBCATEGORY |
| --- | --- | --- | --- | --- |
| 17.5.26 | Remus | Remus: Unpacking the 64-bit Evolution of the Lumma Stealer | MALWARE | STEALER |
| 17.5.26 | CVE-2026-45185 | Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code. | VULNEREBILITY | VULNEREBILITY |
| 17.5.26 | CVE-2026-44277 | An improper access control vulnerability in Fortinet FortiAuthenticator 8.0.2, FortiAuthenticator 8.0.0, FortiAuthenticator 6.6.0 through 6.6.8, and FortiAuthenticator 6.5.0 through 6.5.6 may allow an attacker to execute unauthorized code or commands via <insert attack vector here> | VULNEREBILITY | VULNEREBILITY |
| 16.5.26 | GhostLock | GhostLock: SMB Deny-Share Handles as a Zero-Privilege Availability Weapon | WHITEPAPERS | WHITEPAPERS |
| 16.5.26 | CVE-2026-34260 | SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. | VULNEREBILITY | VULNEREBILITY |
| 16.5.26 | CVE-2026-34263 | Due to improper Spring Security configuration, SAP Commerce Cloud allows an unauthenticated user to perform malicious input injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application. | VULNEREBILITY | VULNEREBILITY |
| 16.5.26 | Angry Spark | A VM-obfuscated backdoor observed on a single machine in the UK, operated for one year, and vanished without a trace. | MALWARE | BACKDOOR |
| 16.5.26 | Kazuar | Kazuar: Anatomy of a nation-state botnet | BOTNET | BOTNET |
| 16.5.26 | Gremlin Stealer | This article examines new obfuscation techniques the Gremlin stealer malware uses to conceal malicious payloads within embedded resources. We analyze a variant protected by a sophisticated commercial packing utility that employs instruction virtualization, transforming the original code into a custom, non-standard bytecode executed by a private virtual machine. | MALWARE | STEALER |
| 15.5.26 | CVE-2026-44112 | (CVSS score: 9.6/6.3) - A time-of-check/time-of-use (TOCTOU) race condition vulnerability in the OpenShell managed sandbox backend that allows attackers to bypass sandbox restrictions and redirect writes outside the intended mount root. | VULNEREBILITY | VULNEREBILITY |
| 15.5.26 | CVE-2026-44113 | (CVSS score: 7.7/6.3) - A TOCTOU race condition vulnerability in OpenShell that allows attackers to bypass sandbox restrictions and read files outside the intended mount root. | VULNEREBILITY | VULNEREBILITY |
| 15.5.26 | CVE-2026-44115 | (CVSS score: 8.8) - An incomplete list of disallowed inputs vulnerability that allows attackers to bypass allowlist validation by embedding shell expansion tokens in a here document (heredoc) body to execute unapproved commands at runtime. | VULNEREBILITY | VULNEREBILITY |
| 15.5.26 | CVE-2026-44118 | (CVSS score: 7.8) - An improper access control vulnerability that could allow non-owner loopback clients to impersonate an owner to elevate their privileges and gain control over gateway configuration, cron scheduling, and execution environment management. | VULNEREBILITY | VULNEREBILITY |
| 15.5.26 | CVE-2026-42897 | Microsoft Exchange Server Spoofing Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 15.5.26 | CVE-2026-20182 | May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. | VULNEREBILITY | VULNEREBILITY |
| 14.5.26 | APT Activity April 2025 – September 2025 Report | RUSSIA-ALIGNED APTs RAMP UP ATTACKS AGAINST UKRAINE AND ITS STRATEGIC PARTNERS | REPORT | REPORT |
| 14.5.26 | BitUnlocker | BitUnlocker: Leveraging Windows Recovery to Extract BitLocker Secrets | MALWARE | TOOL |
| 14.5.26 | PebbleDash-based tools | Kimsuky targets organizations with PebbleDash-based tools | MALWARE | TOOL |
| 14.5.26 | Gamaredon | Gamaredon: Now Downloading via Windows Updates Best Friend “BITS” | MALWARE | LOADER |
| 14.5.26 | GammaLoad | Gamaredon’s infection chain: Spoofed emails, GammaDrop and GammaLoad | MALWARE | LOADER |
| 14.5.26 | UNC1151 | UNC1151 exploiting Roundcube to steal user credentials in a spearphishing campaign | GROUP | GROUP |
| 14.5.26 | FrostyNeighbor | FrostyNeighbor: Fresh mischief and digital shenanigans | GROUP | GROUP |
| 14.5.26 | CVE-2026-44338 | PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token. This issue has been patched in version 4.6.34. | VULNEREBILITY | VULNEREBILITY |
| 14.5.26 | Fragnesia | Fragnesia: Linux Kernel Local Privilege Escalation via ESP-in-TCP | VULNEREBILITY | VULNEREBILITY |
| 14.5.26 | NGINX Rift | An 18 year old memory corruption flaw in NGINX Plus and NGINX Open Source lets an unauthenticated attacker crash worker processes or execute remote code with crafted HTTP requests. | VULNEREBILITY | VULNEREBILITY |
| 14.5.26 | CVE-2026-42945 | NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). | VULNEREBILITY | VULNEREBILITY |
| 14.5.26 | CVE-2026-42946 | (CVSS v4 score: 8.3) - An excessive memory allocation vulnerability in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that could allow a remote, unauthenticated attacker with adversary-in-the-middle (AitM) capabilities to control responses from an upstream server to read the memory of the NGINX worker process or restart it when scgi_pass or uwsgi_pass is configured. | VULNEREBILITY | VULNEREBILITY |
| 14.5.26 | CVE-2026-40701 | (CVSS v4 score: 6.3) - A use-after-free vulnerability in the ngx_http_ssl_module module that could allow a remote, unauthenticated attacker to have limited control of modification of data or restart the NGINX worker process when the ssl_verify_client directive is set to "on" or "optional," and the ssl_ocsp directive is set to "on." | VULNEREBILITY | VULNEREBILITY |
| 14.5.26 | CVE-2026-42934 | (CVSS v4 score: 6.3) - An out-of-bounds read vulnerability in the ngx_http_charset_module module that could allow a remote, unauthenticated attacker to disclose memory contents or restart the NGINX worker process when charset, source_charset, and charset_map, and proxy_pass with disabled buffering ("off") directives are configured. | VULNEREBILITY | VULNEREBILITY |
| 14.5.26 | CVE-2026-40466 - Remote Code Execution vulnerability in Apache ActiveMQ | CVE-2026-40466 is a recently disclosed high severity (CVSS score 8.8) Remote Code Execution vulnerability affecting Apache ActiveMQ, which is a popular open-source, Java-based message broker. If successfully exploited, the flaw might allow an authenticated attacker to add a connector using an HTTP Discovery transport through Jolokia, leading to arbitrary code execution. | ALERTS | VULNEREBILITY |
| 14.5.26 | CVE-2026-39987 - Marimo RCE Vulnerability | CVE-2026-39987 is a recently disclosed critical (CVSS score 9.3) pre-authentication Remote Code Execution (RCE) vulnerability affecting Marimo, which is an open-source reactive Python notebook platform. If successfully exploited, the flaw might allow unauthenticated attackers to obtain a full interactive shell on any exposed Marimo instance through a single WebSocket connection. | ALERTS | VULNEREBILITY |
| 14.5.26 | Southeast Asia Campaign Uses Legal and Whistleblower-Themed Lures to Deliver RAT | Researchers at Seqrite Labs recently reported a campaign, dubbed Operation GriefLure, in which threat actors targeted a military-linked telecom organization in Vietnam and a medical center in the Philippines. The attacks use highly credible legal and whistleblower-themed lures, delivered through compressed archives containing decoy PDFs and malicious LNK files that kick off an attack chain leading to a remote access Trojan. | CAMPAIGN | |
| 14.5.26 | Fake ScreenConnect Update Leads to CloudZ RAT | Cisco Talos reported an intrusion active since at least January 2026 involving CloudZ RAT and a previously undocumented plugin called Pheno. The activity appears focused on credential theft and possible interception of SMS-based one-time passwords by abusing Microsoft Phone Link on compromised Windows systems. | ALERTS | VIRUS |
| 14.5.26 | TCLBanker malware distributed in latest campaigns | Elastic Security Labs has discovered TCLBanker, an advanced Brazilian banking trojan believed to be a significant evolution of the Maverick/Sorvepotel malware families. The threat is distributed via ZIP files containing malicious MSI installers that exploit a legitimate, signed Logitech application through DLL side-loading techniques. | ALERTS | VIRUS |
| 14.5.26 | CVE-2026-33032 - Nginxui Nginx UI Auth Bypass Vulnerability | CVE-2026-33032 is a recently disclosed critical (CVSS score 9.8) authentication bypass vulnerability affecting Nginx UI which is an open-source web interface used to centralize the management of Nginx configurations and SSL certificates. | ALERTS | VULNEREBILITY |
| 14.5.26 | CVE-2026-3296 - Everest Forms WordPress Plugin RCE vulnerability | CVE-2026-3296 is a recently disclosed critical (CVSS score 9.8) PHP Object Injection vulnerability affecting the Everest Forms WordPress plugin. If successfully exploited, the flaw might allow unauthenticated attackers to inject malicious serialized PHP objects through any public form field, leading to remote code execution on vulnerable instances. The vulnerability has already been patched in the updated version 3.4.4 of the plugin. | VULNEREBILITY | |
| 14.5.26 | PCPJack - a new sophisticated credential-harvesting framework | SentinelLABS has uncovered "PCPJack," a sophisticated credential-harvesting framework designed to autonomously propagate across vulnerable cloud environments. Unlike conventional cloud-based malware, PCPJack deliberately avoids deploying cryptocurrency miners. | ALERTS | VIRUS |
| 14.5.26 | Iran-Linked Hackers Breached Major Korean Electronics Maker in Global Espionage Campaign | Iran-linked attackers spent a week inside the network of a major South Korean electronics manufacturer in February 2026, as part of a sprawling early-year espionage campaign affecting at least nine organizations across four continents. | ALERTS | APT |
| 14.5.26 | Smishing Campaigns Use UAE and Singapore Service Lures | A recent investigation by a researcher describes a large smishing operation impersonating trusted transportation, logistics, and government services in the UAE and Singapore. The campaign uses deceptive domains, mobile-focused phishing pages, geo-filtering, HTTPS certificates, and centralized hosting to make fraudulent payment or identity-verification pages appear legitimate. | ALERTS | PHISHING |
| 14.5.26 | Action1 RMM Abused in “April Statements” Invoice Malspam | Symantec has identified a malspam campaign that abuses the legitimate Action1 remote monitoring and management (RMM) platform to gain hands-on-keyboard access to victim endpoints. The campaign uses an invoice-themed lure ("April Statements") impersonating a US residential property-management organization. | SPAM | |
| 13.5.26 | CVE-2026-42826 | (CVSS score: 10.0) - An exposure of sensitive information to an unauthorized actor in Azure DevOps that allows an unauthorized attacker to disclose information over a network. (Requires no customer action) | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | CVE-2026-33109 | (CVSS score: 9.9) - An improper access control in Azure Managed Instance for Apache Cassandra that allows an authorized attacker to execute code over a network. (Requires no customer action) | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | CVE-2026-42898 | (CVSS score: 9.9) - A code injection vulnerability in Microsoft Dynamics 365 (on-premises) that allows an authorized attacker to execute code over a network. | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | CVE-2026-42823 | (CVSS score: 9.9) - An improper access control in Azure Logic Apps that allows an authorized attacker to elevate privileges over a network. | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | CVE-2026-41089 | (CVSS score: 9.8) - A stack-based buffer overflow in Windows Netlogon that allows an unauthorized attacker to execute code over a network without needing to sign in or have prior access by sending a specially crafted network request to a Windows server that is acting as a domain controller. | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | CVE-2026-33823 | (CVSS score: 9.6) - An improper authorization in Microsoft Teams that allows an authorized attacker to disclose information over a network. (Requires no customer action) | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | CVE-2026-35428 | (CVSS score: 9.6) - A command injection vulnerability in Azure Cloud Shell that allows an unauthorized attacker to perform spoofing over a network. (Requires no customer action) | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | CVE-2026-40379 | (CVSS score: 9.3) - An exposure of sensitive information to an unauthorized actor in Azure Entra ID that allows an unauthorized attacker to perform spoofing over a network. (Requires no customer action) | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | CVE-2026-40402 | (CVSS score: 9.3) - A use-after-free in Windows Hyper-V that allows an unauthorized attacker to gain SYSTEM privileges and access the Hyper-V host environment. | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | CVE-2026-41103 | (CVSS score: 9.1) - An incorrect implementation of authentication algorithm in Microsoft SSO Plugin for Jira & Confluence that allows an unauthorized attacker to gain unauthorized access to Jira or Confluence as a valid user and perform actions with the same permissions as the compromised account. | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | CVE-2026-33117 | (CVSS score: 9.1) - An improper authentication in Azure SDK that allows an unauthorized attacker to bypass a security feature over a network. | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | CVE-2026-42833 | (CVSS score: 9.1) - An execution with unnecessary privileges in Microsoft Dynamics 365 (on-premises) that allows an authorized attacker to execute code over a network and gain the ability to interact with other tenant’s applications and content. | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | CVE-2026-33844 | (CVSS score: 9.0) - An improper input validation in Azure Managed Instance for Apache Cassandra that allows an authorized attacker to execute code over a network. (Requires no customer action) | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | CVE-2026-40361 | (CVSS score: 8.4) - A use-after-free vulnerability in Microsoft Office Word that allows an unauthorized attacker to execute code locally without requiring user interaction. | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | CVE-2026-40364 | (CVSS score: 8.4) - A type confusion vulnerability in Microsoft Office Word that allows an unauthorized attacker to execute code locally without requiring user interaction. | VULNEREBILITY | VULNEREBILITY |
| 13.5.26 | FamousSparrow | FamousSparrow APT Targets Azerbaijani Oil and Gas Industry | APT | APT |
| 13.5.26 | GemStuffer Campaign | GemStuffer Campaign Abuses RubyGems as Exfiltration Channel Targeting UK Local Government | CAMPAIGN | CAMPAIGN |
| 13.5.26 | Operation NoVoice | Operation NoVoice: Android Malware Found in 50+ Apps Can Hijack Devices | OPERATION | OPERATION |
| 12.5.26 | Google ad for Claude leads to macOS malware infection | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. | MALWARE TRAFFIC | MALWARE TRAFFIC |
| 12.5.26 | macOS Shub Stealer infection | Zip files are password-protected. Of note, this site has a new password scheme. For the password, see the "about" page of this website. | MALWARE TRAFFIC | MALWARE TRAFFIC |
| 12.5.26 | dnsmasq contains several vulnerabilities, including attacker DNS redirect, privilege escalation, and heap manipulation | dnsmasq is affected by multiple memory safety and input validation vulnerabilities, including heap buffer overflows, heap corruption, and code execution flaws. Collectively, these vulnerabilities enable attackers to poison cached DNS records, bypass security controls, crash the dnsmasq process, or under certain conditions, achieve local privilege escalation. dnsmasq has released version 2.92rel2 to fix the vulnerabilities. | ALERT | ALERT |
| 12.5.26 | Casdoor contains Arbitrary File Write vulnerability | Casdoor contains an arbitrary file write vulnerability in the implementation of its "Local File System" storage provider. Due to insufficient sanitization of user-supplied paths, an authenticated user with file upload permissions can escape the intended storage directory and write files elsewhere on the target filesystem. | ALERT | ALERT |
| 12.5.26 | Mini Shai-Hulud | Mini Shai-Hulud Is Back: npm Worm Hits over 160 Packages, including Mistral and Tanstack | MALWARE | PYTHON |
| 12.5.26 | TrickMo | New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps | MALWARE | ANDROID |
| 12.5.26 | Actively Exploits CVE-2026-41940 | CVE-2026-41940 is a high-severity unauthenticated authentication bypass vulnerability affecting cPanel & WHM. This product is widely used in Linux server operations and virtual hosting management. | EXPLOIT | EXPLOIT |
| 11.5.26 | ClickFix distributing Vidar Stealer via WordPress targeting Australian infrastructure | The Australian Signals Directorate’s Australian Cyber Security Centre (ASD's ACSC) has observed ClickFix associated activity leveraging WordPress hosted infrastructure to distribute the Vidar Stealer malware. | REPORT | REPORT |
| 11.5.26 | CVE-2026-26956 | WASM Sandbox Escape | VULNEREBILITY | VULNEREBILITY |
| 11.5.26 | CVE-2026-20188 | A vulnerability in the connection-handling mechanism of Cisco Crosswork Network Controller (CNC) and Cisco Network Services Orchestrator (NSO) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. This vulnerability is due to an inadequate implementation of rate-limiting on incoming network connections. | VULNEREBILITY | VULNEREBILITY |
| 11.5.26 | Acronis Cyberthreats Report, H2 2025: From exploits to malicious IA | The Acronis Cyberthreats Report covers the global threat landscape as encountered by the Acronis Threat Research Unit (TRU) and Acronis sensors in the second half of 2025. General threat data (including malware, ransomware, web and email threats, vulnerabilities, etc.) presented in the report is gathered from January–December of 2025 and reflects threats targeting endpoints we observed in this time frame. | REPORT | REPORT |
| 11.5.26 | State of the SOFTWARE SUPPLY CHAIN 2026 | The Limits of Legacy Vulnerability Management | REPORT | REPORT |
| 11.5.26 | Legitimate | “Legitimate” phishing: how attackers weaponize Amazon SES to bypass email security | PHISHING | PHISHING |
| 11.5.26 | CVE-2023-43896 | A buffer overflow in Macrium Reflect 8.1.7544 and below allows attackers to escalate privileges or execute arbitrary code. | VULNEREBILITY | VULNEREBILITY |
| 11.5.26 | FEMITBOT | Abuse of Telegram Mini Apps for Large-Scale Fraud Campaigns | REPORT | REPORT |
| 11.5.26 | CVE-2026-7482 | Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads past the allocated heap buffer. | VULNEREBILITY | VULNEREBILITY |
| 9.5.26 | Linux kernel contains local privilege escalation vulnerability (Copy Fail) | A privilege escalation vulnerability has been discovered in Linux kernel versions version 4.17 (released 2017) and later. Many popular distributions and Linux-based containers are affected. This vulnerability was publicly disclosed on April 29, 2026, has been assigned CVE ID CVE-2026-31431, and is commonly referred to as "Copy Fail." | ALERT | ALERT |
| 9.5.26 | DirtyFrag vulnerability - CVE-2026-43284 / CVE-2026-43500 | Just a week after the disclosure of the CopyFail (CVE-2026-31431) vulnerability, a second Linux kernel critical flaw has been discovered with public technical details and proof-of-concept code released publicly. Dubbed Dirty Frag, the vulnerability chains two distinct kernel bugs: CVE-2026-43284 (ESP subsystem) and CVE-2026-43500 (RxRPC subsystem). | ALERTS | VULNEREBILITY |
| 9.5.26 | macOS infostealer delivery campaign leverages ClickFix techniques | Microsoft researchers have identified an evolving macOS infostealer campaign that leverages "ClickFix" tactics to compromise users. Rather than relying on traditional methods like malicious disk images (.dmg files), attackers now embed deceptive instructions within public blogs and user-generated content sites. These sites trick victims into executing specific Terminal commands under the guise of installing system optimization utilities. | ALERTS | VIRUS |
| 9.5.26 | Unpacking UAT-8302: A New Arsenal of China-Nexus Malware | Cisco Talos has uncovered UAT-8302, a sophisticated China-nexus threat group aggressively targeting government entities, primarily observed in Europe and South America. This actor utilizes an extensive toolkit of custom malware, notably the .NET-based NetDraft backdoor, which leverages MS Graph for stealthy command-and-control. Their arsenal further includes CloudSorcerer v3, a refined backdoor that manipulates legitimate platforms like GitHub to retrieve operational instructions. | APT | |
| 9.5.26 | Supply Chain Alert: DAEMON Tools Installers Compromised | Security researchers at Kaspersky have uncovered a sophisticated supply chain attack targeting DAEMON Tools, where legitimate installers were trojanized with a multi-stage backdoor. Since April 2026, compromised binaries signed with valid certificates have deployed an initial information collector to thousands of global victims. | ALERTS | VIRUS |
| 9.5.26 | ShadowPad Resurfaces in State Espionage Campaign Targeting Asian Governments | Trend Micro researchers recently identified SHADOW-EARTH-053, a China-aligned espionage group targeting Asian government sectors. The campaign centers on the modular ShadowPad malware, often deployed through DLL sideloading using legitimate signed executables. Attackers establish initial persistence via GODZILLA web shells before utilizing registry-based loaders to execute shellcode covertly. | ALERTS | CAMPAIGN |
| 9.5.26 | Tax Lures Deliver ValleyRAT and ABCDoor | Researchers at Kaspersky recently published an article on a Silver Fox campaign in which the actor used tax-themed phishing lures against organizations in India and Russia, impersonating official tax authorities to push victims toward malicious archives. Per their analysis, the campaign used a custom RustSL loader, ValleyRAT, and a Python-based backdoor dubbed ABCDoor. | VIRUS | |
| 9.5.26 | CVE-2026-29201 | (CVSS score: 4.3) - An insufficient input validation of the feature file name in the "feature::LOADFEATUREFILE" adminbin call that could result in an arbitrary file read. | VULNEREBILITY | VULNEREBILITY |
| 9.5.26 | CVE-2026-29202 | (CVSS score: 8.8) - An insufficient input validation of the "plugin" parameter in the "create_user API" call that could result in arbitrary Perl code execution on behalf of the already authenticated account's system user. | VULNEREBILITY | VULNEREBILITY |
| 9.5.26 | CVE-2026-29203 | (CVSS score: 8.8) - An unsafe symlink handling vulnerability that allows a user to modify access permissions of an arbitrary file using chmod, resulting in denial-of-service or possible privilege escalation. | VULNEREBILITY | VULNEREBILITY |
| 9.5.26 | TCLBANKER | TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook | MALWARE | BANKING |
| 9.5.26 | CallPhantom tricks | Fake call logs, real payments: How CallPhantom tricks Android users | HACKING | HACKING |
| 9.5.26 | Operation GriefLure | Table of Contents: Introduction: Key Targets: Infection Chain: Initial Findings about Campaign: Analysis of Decoys: Technical Analysis: Campaign-1: Stage-1: Ho so.rar Campaign: 2 Stage-1: download.zip Stage-2: The LNK & Batch file (Common in 1 & 2 both) Stage-3: Analysis | OPERATION | OPERATION |
| 9.5.26 | Operation Silent Rotor | Operation Silent Rotor: Targeted Campaign Compromises Unmanned Aviation Sector Ahead of Moscow Summit Table of Content Introduction Key Targets Industries Affected Geographical focus Infection Chain Initial Findings Looking into the Decoy Documents Technical Analysis Stage 1 – Analysis of... | OPERATION | OPERATION |
| 9.5.26 | Operation HumanitarianBait | Cyble analyzes Operation HumanitarianBait, a stealthy espionage campaign using aid-themed lures to deploy a fileless Python infostealer. | OPERATION | OPERATION |
| 8.5.26 | Dirty Frag | Dirty Frag (CVE-2026-43284, CVE-2026-43500) vulnerability fix is ready for testing | VULNEREBILITY | VULNEREBILITY |
| 8.5.26 | Plague | ‘Plague’ malware exploits Pluggable Authentication Module to breach Linux systems | MALWARE | EXPLOIT |
| 8.5.26 | PamDOORa | PamDOORa: Analyzing a New Linux PAM-Based Backdoor for Sale on the Dark Web | MALWARE | BACKDOOR |
| 8.5.26 | Quasar Linux | Quasar Linux (QLNX) – A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities | MALWARE | RAT |
| 8.5.26 | CVE-2026-6973 | An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution. | VULNEREBILITY | VULNEREBILITY |
| 8.5.26 | PCPJack | PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale | MALWARE | WORM |
| 7.5.26 | CVE-2026-24118 | (CVSS score: 9.8) - A vulnerability that allows sandbox escape via "__lookupGetter__" and permits an attacker to run arbitrary code on the underlying host. (Affects versions <= 3.10.4, patches in 3.11.0) | VULNEREBILITY | VULNEREBILITY |
| 7.5.26 | CVE-2026-24120 | (CVSS score: 9.8) - A patch bypass for CVE-2023-37466 (CVSS score: 9.8) that could allow attackers to escape the sandbox through the species property of promise objects and execute arbitrary commands on the underlying host. (Affects versions <= 3.10.3, patched in 3.10.5) | VULNEREBILITY | VULNEREBILITY |
| 7.5.26 | CVE-2026-24781 | (CVSS score: 9.8) - A vulnerability that allows sandbox escape via the "inspect" function and permits an attacker to run arbitrary code on the underlying host. (Affects versions <= 3.10.3, patches in 3.11.0) | VULNEREBILITY | VULNEREBILITY |
| 7.5.26 | CVE-2026-26332 | (CVSS score: 9.8) - A vulnerability that allows sandbox escape via "SuppressedError" and permits an attacker to run arbitrary code on the underlying host. (Affects versions <= 3.10.4, patches in 3.11.0) | VULNEREBILITY | VULNEREBILITY |
| 7.5.26 | CVE-2026-26956 | (CVSS score: 9.8) - A protection mechanism failure vulnerability that allows sandbox escape with arbitrary code execution by triggering a TypeError produced by Symbol-to-string coercion. (Affects version 3.10.4, confirmed on Node.js 25.6.1, patched in 3.10.5) | VULNEREBILITY | VULNEREBILITY |
| 7.5.26 | CVE-2026-43997 | (CVSS score: 10.0) - A code injection vulnerability that allows an attacker to obtain the host Object and escape the sandbox, leading to arbitrary code execution. (Affects versions <= 3.10.5, patched in 3.11.0) | VULNEREBILITY | VULNEREBILITY |
| 7.5.26 | CVE-2026-43999 | (CVSS score: 9.9) - A vulnerability that allows a bypass of NodeVM's built-in allowlist and enables an attacker to load excluded builtins like child_process and achieve remote code execution. (Affects version 3.10.5, patched in 3.11.0) | VULNEREBILITY | VULNEREBILITY |
| 7.5.26 | CVE-2026-44005 | (CVSS score: 10.0) - A vulnerability that allows attacker-controlled JavaScript to escape the sandbox and enable prototype pollution. (Affects versions 3.9.6-3.10.5, patched in 3.11.0) | VULNEREBILITY | VULNEREBILITY |
| 7.5.26 | CVE-2026-44006 | (CVSS score: 10.0) - A code injection vulnerability via "BaseHandler.getPrototypeOf" that enables sandbox escape and remote code execution. (Affects versions <= 3.10.5, patched in 3.11.0) | VULNEREBILITY | VULNEREBILITY |
| 7.5.26 | CVE-2026-44007 | (CVSS score: 9.1) - An improper access control vulnerability that allows sandbox escape and execution of arbitrary operating system commands on the underlying host. (Affects versions <= 3.11.0, patched in 3.11.1) | VULNEREBILITY | VULNEREBILITY |
| 7.5.26 | CVE-2026-44008 | (CVSS score: 9.8) - A vulnerability that allows sandbox escape via "neutralizeArraySpeciesBatch()" and permits an attacker to execute arbitrary commands on the underlying host. (Affects versions <= 3.11.1, patched in 3.11.2) | VULNEREBILITY | VULNEREBILITY |
| 7.5.26 | CVE-2026-44009 | (CVSS score: 9.8) - A vulnerability that allows sandbox escape via a null proto exception and permits an attacker to execute arbitrary commands on the underlying host. (Affects versions <= 3.11.1, patched in 3.11.2) | VULNEREBILITY | VULNEREBILITY |
| 7.5.26 | ZiChatBot | While these wheel packages do implement the features described on their PyPI web pages, their true purpose is to covertly deliver malicious files. | MALWARE | PYTHON |
| 7.5.26 | OceanLotus | OceanLotus suspected of using PyPI to deliver ZiChatBot malware | APT | APT |
| 7.5.26 | xlabs_v1 | xlabs_v1 DDoS-for-Hire IoT Botnet Exposed: One Operator Error. An Entire Operation Revealed | BOTNET | BOTNET |
| 6.5.26 | Middle East Conflict & Cyber Escalation Overview | Advisory: Middle East Conflict & Cyber Escalation | ANALYSIS | ANALYSIS |
| 6.5.26 | Iranian-Nexus Operation | Iranian-Nexus Operation Against Oman's Government: 12 Ministries Hit and 26,000 Citizen Records Exposed | OPERATION | OPERATION |
| 6.5.26 | MuddyWater | Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware | APT | APT |
| 6.5.26 | CloudZ RAT | CloudZ RAT potentially steals OTP messages using Pheno plugin | MALWARE | RAT |
| 6.5.26 | CVE-2026-0300 | CVE-2026-0300 PAN-OS: Unauthenticated user initiated Buffer Overflow Vulnerability in User-ID™ Authentication Portal | VULNEREBILITY | VULNEREBILITY |
| 6.5.26 | CVE-2026-23918 | Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. | VULNEREBILITY | VULNEREBILITY |
| 6.5.26 | DAEMON Tools software infected | DAEMON Tools software infected – supply chain attack ongoing since April 8, 2026 | INCIDENT | INCIDENT |
| 6.5.26 | UAT-8302 | UAT-8302 and its box full of malware | GROUP | GROUP |
| 5.5.26 | Zscaler ThreatLabz 2026 VPN Risk Report | For decades, VPN was the default answer to remote access security – reliable, familiar, and deeply embedded in enterprise architecture. That era is ending. AI has accelerated attack timelines from weeks to minutes, automated credential theft at industrial scale, and given adversaries a speed advantage that human-led defense cannot match. | REPORT | REPORT |
| 5.5.26 | CVE-2026-29014 | MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. | VULNEREBILITY | VULNEREBILITY |
| 5.5.26 | ScarCruft compromises | A rigged game: ScarCruft compromises gaming platform in a supply-chain attack | INCIDENT | APT |
| 5.5.26 | CVE-2026-22679 | Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthenticated remote code execution vulnerability in the /papi/esearch/data/devops/dubboApi/debug/method endpoint that allows attackers to execute arbitrary commands by invoking exposed debug functionality. | VULNEREBILITY | VULNEREBILITY |
| 5.5.26 | Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise | Phishing campaigns continue to improve sophistication and refinement in blending social engineering, delivery and hosting infrastructure, and authentication abuse to remain effective against evolving security controls. | CAMPAIGN | CAMPAIGN |
| 5.5.26 | VENOMOUS#HELPER | You’re invited: Four phishing lures in campaigns dropping RMM tools | CAMPAIGN | CAMPAIGN |
| 5.5.26 | CVE-2026-5174 | Improper input validation vulnerability in Progress Software MOVEit Automation allows Privilege Escalation. This issue affects MOVEit Automation: from 2025.1.0 before 2025.1.5, from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0. | VULNEREBILITY | VULNEREBILITY |
| 5.5.26 | CVE-2026-4670 | Authentication bypass by primary weakness vulnerability in Progress Software MOVEit Automation allows Authentication Bypass. This issue affects MOVEit Automation: from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0. | VULNEREBILITY | VULNEREBILITY |
| 4.5.26 | Silver Fox | Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India | APT | APT |
| 4.5.26 | South-East Asian Military Entities Targeted via cPanel (CVE-2026-41940) | On April 29th 2026, watchTowr Labs published research on CVE-2026-41940, a critical authentication bypass in cPanel & WHM. Within days, reporting from Censys and Ctrl-Alt-Intel made clear that exploitation had rapidly moved from disclosure to in-the-wild abuse. | APT | APT |
| 3.5.26 | Copy Fail | Most Linux LPEs need a race window or a kernel-specific offset. Copy Fail is a straight-line logic flaw — it needs neither. The same 732-byte Python script roots every Linux distribution shipped since 2017. | VULNEREBILITY | VULNEREBILITY |
| 3.5.26 | Bluekit | Meet Bluekit: The AI-Powered All-in-One Phishing Kit | PHISHING | KIT |
| 3.5.26 | CVE-2026-41940 | CVE-2026-41940: cPanel & WHM Authentication Bypass | VULNEREBILITY | VULNEREBILITY |
| 3.5.26 | CVE-2026-31431 | Linux Kernel Incorrect Resource Transfer Between Spheres Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 3.5.26 | CVE-2026-21510 | Windows Shell Security Feature Bypass Vulnerability | VULNEREBILITY | VULNEREBILITY |
| 2.5.26 | TeamPCP Targets SAP Developers with Obfuscated npm Backdoor | A sophisticated supply chain attack recently compromised several SAP CAP npm packages, as reported by researchers at Socket. The breach utilizes a malicious preinstall script that bootstraps a Bun runtime to execute a heavily obfuscated payload. | ALERTS | VIRUS |
| 2.5.26 | Fake GitHub Repositories Push StealC | Researchers recently reported a malicious GitHub campaign that is using fake repositories across 17 accounts to impersonate popular Python projects and lure developers into running trojanized code. The repositories carried a Python dropper that fetched an encrypted Windows loader designed to load StealC. | ALERTS | VIRUS |
| 2.5.26 | CopyFail (CVE-2026-31431) | CopyFail, tracked as CVE-2026-31431, is a Linux kernel local privilege escalation vulnerability affecting the authencesn / algif_aead crypto path, with public technical details and proof-of-concept code now available. The flaw can allow an unprivileged local attacker to create a controlled page-cache overwrite and potentially gain root by modifying the cached copy of a readable setuid binary, making it especially relevant after an initial foothold has already been gained. | VULNEREBILITY | |
| 2.5.26 | VECT 2.0 Ransomware - The Accidental Wiper | Check Point Research shared details of VECT 2.0, a multi-platform ransomware targeting Windows, Linux, and ESXi environments. Although marketed as a sophisticated ransomware-as-a-service offering, the malware contains a critical flaw in its encryption routine that impacts files larger than 128 KB. | ALERTS | RANSOM |
| 2.5.26 | Fake Minecraft Hacks Deliver LofyStealer Infostealer | LofyStealer is a modular infostealer currently preying on Minecraft players by masquerading as a game hack. This Brazilian-linked threat utilizes a large Node.js-based loader to bypass traditional sandbox detection before injecting a payload directly into browser memory. | ALERTS | VIRUS |
| 2.5.26 | Inside Vidar’s Latest Variant: Stealth, Social Engineering, and Memory Execution | An analysis from the Lat61 Threat Intelligence Team by Point Wild details a recent variant of the Vidar infostealer as a highly stealthy, multi-stage threat that relies on social engineering and “living-off-the-land” techniques rather than traditional exploits. Initial infections often originate from fake GitHub repositories masquerading as legitimate tools, CAPTCHA prompts, or compromised websites, which trigger scripts chaining WScript and PowerShell. | VIRUS | |
| 2.5.26 | The Rise of the Sleeper: GlassWorm’s Deceptive IDE Tactics | The GlassWorm campaign has intensified, with new research from Socket identifying 73 deceptive "sleeper" extensions on the Open VSX marketplace. These clones impersonate popular developer tools to build trust before activating malicious payloads via updates. | ALERTS | VIRUS |
| 2.5.26 | Snake Keylogger campaign: Saudi Procurement Lure and Multi-Stage Chain | Symantec's Threat Intelligence team has observed a Snake Keylogger malspam campaign leveraging a multi-stage delivery chain that starts with a forged "procurement introduction" email carrying a RAR attachment, and ends with credential theft exfiltrated over the Telegram Bot API. | ALERTS | CAMPAIGN |
| 2.5.26 | Tropic Trooper leverages trojanized binaries to distribute AdaptixC2 | Cybersecurity researchers at Zscaler ThreatLabz uncovered a sophisticated cyberespionage operation orchestrated by the Tropic Trooper threat group (aka Earth Centaur). The attackers specifically targeted Chinese-speaking users, predominantly located within Taiwan, Japan, and South Korea, using deceptive ZIP files disguised as official military documents. | VIRUS | |
| 2.5.26 | AccountDumpling | Hunting Down the Google-Sent Phishing Wave Compromising 30,000+ Facebook Accounts | PHISHING | PHISHING |
| 2.5.26 | Snow Flurries | Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite | CAMPAIGN | CAMPAIGN |
| 1.5.26 | Cordial Spider | CORDIAL SPIDER is a financially motivated eCrime adversary that has performed data theft and extortion since at least October 2025. CORDIAL SPIDER gains initial access to victim systems via voice phishing (vishing) calls in which they direct targeted users to single sign-on (SSO)–themed phishing pages. | GROUP | GROUP |
| 1.5.26 | Snarky Spider | SNARKY SPIDER is a financially motivated eCrime adversary that has performed data theft and extortion and cryptocurrency theft since at least October 2025. T | GROUP | GROUP |
| 1.5.26 | Shadow-Earth-053 | Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia | GROUP | GROUP |