CVE Radar
Welcome To CVE Radar

Discover trending vulnerabilities, explore attack vectors, exploits, and security details

CVE Radar is a free vulnerability intelligence platform by SOCRadar that goes beyond raw CVSS scores to provide actionable threat context for each CVE. Security engineers, vulnerability managers, and SOC analysts can search any CVE identifier or product name to instantly see exploit availability, active exploitation evidence, patch status across major vendors, and attribution to known ransomware groups or APT actors weaponizing the flaw. The database refreshes hourly from the National Vulnerability Database, public proof-of-concept repositories, dark web exploit markets, and SOCRadar's proprietary threat intelligence feeds. The trending CVEs view highlights which vulnerabilities are gaining attack momentum week-over-week, enabling teams to prioritize patching based on real adversary behavior rather than severity scores alone. No account or API key is required for lookups.

Top CVE Trend (Last 30 Days)
[Chart: Mentions over time, 2026-05-13 to 2026-06-08]
CVE-2026-4747
CVSS Score: 8.8/10 | SVRS Score: 82/100 | Audience: 7.99M | Social Media: 12 | News: 2 | Repos: 0
Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet. This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is sufficiently large, and a malicious client can trigger a stack overflow. Notably, this does not require the client to authenticate itself first. As kgssapi.ko's RPCSEC_GSS implementation is vulnerable, remote code execution in the kernel is possible by an authenticated user that is able to send packets to the kernel's NFS server while kgssapi.ko is loaded into the kernel. In userspace, applications which have librpcgss_sec loaded and run an RPC server are vulnerable to remote code execution from any client able to send it packets. We are not aware of any such applications in the FreeBSD base system.
clearbluejar@clearbluejar
1 day ago
@XenoKovah Just ran a Qwen 3.6 27b - it did the best of all, albeit more time to run. 9 VALID from original pipeline and 2 after reachability pass. Kept CVE-2026-4747 for the full pipeline https://t.co/3KI10p8AEf
clearbluejar@clearbluejar
3 days ago
Latest post showing once again the power of system over model 👀 See how Gemma 4 31b performs trying to find CVE-2026-4747 : the same FreeBSD RCE that Mythos found and AISLE rediscovered with local models https://t.co/GxIFxkEy8r
clearseclabs@clearseclabs
3 days ago
New post from @clearbluejar dives into the system over model concept: We take AISLE's nano-analyzer that found CVE-2026-4747 (like Mythos) and tune it for Gemma 4 locally. Smaller model. One System Tweak. Same CVE. https://t.co/uk5u8vhP8R
VicOne@VicOneAuto
13 days ago
4/7 In April 2026, a researcher documented AI taking a FreeBSD vulnerability advisory to a working remote kernel exploit with root shell (CVE-2026-4747).
Dispatchy@dispatchy_ai
15 days ago
Anthropic's Mythos-1 is moving into Claude Code and Claude Security - Project Glasswing reports 10,000+ high/critical vulnerabilities found in 30 days. The model autonomously exploited a 17-year FreeBSD RCE (CVE-2026-4747). Anthropic put $100M in credits on the table.
KompasTekno@KompasTekno
27 days ago
Read here: https://t.co/lJnn2jOYEH AI technology successfully exploited a critical operating system (OS) security flaw in the FreeBSD kernel (code CVE-2026-4747) remotely in less than 10 hours, just 4 to 8 hours. ~AM #ArtificialIntelligence #Hackers #FreeBSD https://t.co/5zWB9qFxT8
Kompas.com@kompascom
27 days ago
Read here: https://t.co/9vVykooC1l Artificial Intelligence (AI) technology successfully exploited a critical operating system (OS) security flaw in the FreeBSD kernel (code CVE-2026-4747) remotely in less than 10 hours, just 4 to 8 hours. ~AM https://t.co/Qxe9744r5k
Abdur@SyedAbdurR2hman
27 days ago
So AISLE went further and built nano-analyzer, a whole codebase parallel scanner. Pointed at the full FreeBSD and OpenBSD kernels. Still detected CVE-2026-4747 with models as small as 3.6B parameters. And found NEW bugs Mythos missed. Confirmed by maintainers.
Daily AI@DailyAILog
29 days ago
CVE-2026-4747, is a stack-based buffer overflow in FreeBSD’s RPCSEC_GSS implementation. In sys/rpc/rpcsec_gss/svc_rpcsec_gss.c, the svc_rpc_gss_validate function fails to check the oa_length field before a 128-byte stack buffer copy, enabling remote code execution.
Daily AI@DailyAILog
29 days ago
Anthropic recently claimed its Mythos model achieved the first AI-driven remote kernel exploit (CVE-2026-4747). However, analysis shows the "novel" bug was actually a rediscovery of an older vulnerability likely present in the model's training data.
CVE-2026-42945
CVSS Score: 8.1/10 | SVRS Score: 94/100 | Audience: 4.39M | Social Media: 234 | News: 43 | Repos: 19
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Md Ismail Šojal 🕷️@0x0SojalSec
17 hours ago
FULL REMOTE CODE EXECUTION on default nginx 1.30.0 no config changes needed. 🫠 Verichains a deadly exploit chain combining Nginx-Rift (CVE-2026-42945) + Nginx-PoolSlip (CVE-2026-9256). 2-byte heap pointer overwrite & heap over-read then ASLR bypass to arbitrary command
Lyrie.ai@lyrie_ai
1 day ago
05:09 UTC: Lyrie Sentinel flagged it. 0day Intel: ⚠️CVE-2026-42945: RCE Proof of concept for CVE-2026-42945, a critical heap buffe
Lyrie.ai@lyrie_ai
1 day ago
08:06 UTC: First exploit attempt in the wild. 0day Intel: ⚠️CVE-2026-42945: RCE Proof of concept for CVE-2026-42945, a critical heap buffe
Lyrie.ai@lyrie_ai
1 day ago
05:20 UTC: Thread live on @lyrie_ai. 0day Intel: ⚠️CVE-2026-42945: RCE Proof of concept for CVE-2026-42945, a critical heap buffe
Lyrie.ai@lyrie_ai
1 day ago
05:17 UTC: GPT-5 enrichment complete. 52 words. 1 citations. 0day Intel: ⚠️CVE-2026-42945: RCE Proof of concept for CVE-2026-42945, a critical heap buffe
Lyrie.ai@lyrie_ai
1 day ago
05:06 UTC: CVE-2026-42945 disclosed. ⚠️CVE-2026-42945: RCE Proof of concept for CVE-2026-42945, a critical heap buffer overflow in NGINX's ngxhttprewritem
Lyrie.ai@lyrie_ai
1 day ago
05:35 UTC: First exploit attempt in the wild. 0day Intel: 🚨Alert🚨 CVE-2026-42945: A Critical Heap Buffer Overflow in NGINX. 🧐Credit by
Lyrie.ai@lyrie_ai
1 day ago
02:46 UTC: GPT-5 enrichment complete. 59 words. 1 citations. 0day Intel: 🚨Alert🚨 CVE-2026-42945: A Critical Heap Buffer Overflow in NGINX. 🧐Credit by
Lyrie.ai@lyrie_ai
1 day ago
02:38 UTC: Lyrie Sentinel flagged it. 0day Intel: 🚨Alert🚨 CVE-2026-42945: A Critical Heap Buffer Overflow in NGINX. 🧐Credit by
Lyrie.ai@lyrie_ai
1 day ago
Vendor. Source: X search for CVE-2026 critical Posted: 2026-05-19T20:34:16.000Z Likes: 24 Heads up if you run NGINX:⚠️ A critical flaw (CVE-2026-42945) is being actively exploited right now.
CVE-2026-0257
CVSS Score: 9.1/10 | SVRS Score: 89/100 | Audience: 3.24M | Social Media: 161 | News: 45 | Repos: 8
Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allow an attacker to bypass security restrictions and establish an unauthorized VPN connection. Panorama and Cloud NGFW are not impacted by these issues.
Kanishk@Kanishk72749273
15 hours ago
@PaloAltoNtwks GlobalProtect auth bypass (CVE-2026-0257) — patched weeks ago, now actively exploited. Attackers forging VPN cookies to walk straight into internal networks. @CISAgov added it to KEV. Unpatched devices are open doors. Patch velocity matters as much as detection https://t.co/YE3I3bW38M
𝔸𝕟𝕠𝕟𝕪𝕞𝕠𝕦𝕤 ℍ𝕒𝕔𝕜𝕥𝕚𝕧𝕚𝕤𝕥☭⃠🅇@YourAnon_irc
17 hours ago
New zero-day in Cisco SD-WAN (CVE-2026-20245) actively exploited, no patch available. Palo Alto PAN-OS (CVE-2026-0257) also targeted for auth bypass. Critical risk to data privacy & integrity in transit. #Cybersecurity #News #Vulnerabilities
ADK Cyber@ADKCyber
1 day ago
New on the blog — When the Front Door Has a Skeleton Key: The GlobalProtect Authentication Bypass (CVE-2026-0257). An unauthenticated bypass on Palo Alto Networks GlobalProtect that lets attackers mint valid VPN sessio… https://t.co/eUxz2ZMUxb https://t.co/fYQappMTf6
Cyber Netsec IO@NetSecIO
1 day ago
⚠️ Active Exploitation Alert! Unidentified actors are exploiting PAN-OS auth bypass CVE-2026-0257 to access GlobalProtect VPNs. CISA KEV listed. Patch or apply mitigations immediately to prevent unauthorized access. #PANOS #CVE #CyberSecurity 🌐 cyber[.]netsecops[.]io https://t.co/rXQohu6HJS
ProtAAPP - Protege las AAPP@ProtAAPP
1 day ago
Palo Alto Networks Unit 42 has detected active exploitation of the vulnerability CVE-2026-0257 in PAN-OS, which allows unauthorized attackers to bypass security controls and establish VPN connections. It is recommended to review the advisory from… https://t.co/DIco2XggnP https://t.co/6obTvXYpIX
Sami Laiho@samilaiho
2 days ago
CVE-2026-0257: Rapid7 Caught Attackers Abusing Forged VPN Cookies Against Multiple Customers https://t.co/Wnumz9Rh3R
Sami Laiho@samilaiho
2 days ago
PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation https://t.co/G7kv2tydMC
Cyber Research@Cyb3rR3s34rch
2 days ago
Originally from Unit 42: Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 https://t.co/jMmw45YFb5 ( :-{ı▓ #unit42 #threathunting #cyberresearch https://t.co/PFFWNTWTik
Abhishek Shukla@thetechnofeak
6 days ago
Alert 🚨 : Today during work, I was involved in an incident response engagement around CVE-2026-0257 affecting Palo Alto Networks PAN-OS GlobalProtect. What initially stood out to me was the CVSS score. On paper, it doesn't look extremely severe. But when you dig deeper, it's an
Cybersecurity News Everyday@TweetThreatNews
6 days ago
Palo Alto Networks CVE-2026-0257, an auth-bypass flaw, was rapidly escalated to critical after active exploitation. Attackers can bypass controls and gain VPN access. CISA added it to KEV. #CVE-2026-0257 #PaloAltoNetworks #CISA https://t.co/1PVRn6YXiw
CVE-2026-46333
CVSS Score: 5.5/10 | SVRS Score: 69/100 | Audience: 2.65M | Social Media: 53 | News: 27 | Repos: 2
In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can core dump or not - and makes no sense when you don't have an associated mm. And almost all users do in fact use it only for the case where the task has a mm pointer. But we have one odd special case: ptrace_may_access() uses 'dumpable' to check various other things entirely independently of the MM (typically explicitly using flags like PTRACE_MODE_READ_FSCREDS). Including for threads that no longer have a VM (and maybe never did, like most kernel threads). It's not what this flag was designed for, but it is what it is. The ptrace code does check that the uid/gid matches, so you do have to be uid-0 to see kernel thread details, but this means that the traditional "drop capabilities" model doesn't make any difference for this all. Make it all make a *bit* more sense by saying that if you don't have a MM pointer, we'll use a cached "last dumpability" flag if the thread ever had a MM (it will be zero for kernel threads since it is never set), and require a proper CAP_SYS_PTRACE capability to override.
AlmaLinux@AlmaLinux
2 days ago
Patched kernels for CVE-2026-46333 are now in production repos. A single dnf upgrade and reboot gets you patched kernels for ssh-keysign-pwn and Fragnesia 👇 https://t.co/BdTyfPA9z1
ThreatCluster@threatcluster
3 days ago
Oracle issued advisories for Oracle Linux 7, 8 and 9 fixing CVE-2026-46300 and CVE-2026-46333 that allow denial of service and privilege escalation in kernels 5.4, 5.15 and 6.12, according to Oracle. https://t.co/cMIsksTcuc
Linux Kernel Security@linkersec
4 days ago
Logic bug in the Linux kernel's __ptrace_may_access() function (CVE-2026-46333) Article about a logical bug in ptrace implementation that allows getting access to file descriptors of other processes and thus escalating privileges in certain scenarios. https://t.co/s5jkzBpV36 https://t.co/GgwEtmnIP5
Flatcar Container Linux@flatcar
6 days ago
📦 Package updates: Linux 6.12.91 (Alpha/Beta/Stable), Linux 6.6.141 (LTS), ca-certificates 3.124 🔒 Security maintenance release for the recently disclosed kernel LPEs Fragnesia (CVE-2026-46300) and ssh-keysign-pwn (CVE-2026-46333), plus the usual kernel CVE roll-up
IntegSec@integ_sec
6 days ago
CVE-2026-46333: Linux Kernel Local Privilege Escalation Bug - What It Means for Your Business and How to Respond https://t.co/B90MSy7C1B
WindowsForum@windowsforum
12 days ago
🪲 MSRC dropped another Linux kernel ptrace grenade (CVE-2026-46333). “get_dumpable” sounds harmless—until your Azure Linux boxes can be pried open. Patch fast, IT. #Windows #Security #Azure #Linux https://t.co/p5B5n6pSX7 #AzureLinux #LinuxKernelSecurity #PtraceVulnerability https://t.co/7A0nFJ6nSq
Diario฿itcoin@DiarioBitcoin
17 days ago
🚨 CRITICAL FLAW IN LINUX 🚨 A vulnerability in the Linux kernel (CVE-2026-46333) allows escalation to root and theft of sensitive credentials. It affects popular distributions such as Debian and Ubuntu. Administrators should apply patches immediately. Exploits exist https://t.co/M7YdOTurxl
Canonical@Canonical
19 days ago
Mitigations for "ssh-keysign-pwn" (CVE-2026-46333) Linux kernel vulnerability are available in Ubuntu. Read the blog for details: https://t.co/woaA6Jsfjg https://t.co/HodyPMhRFi
Ubuntu@ubuntu
19 days ago
Mitigations for "ssh-keysign-pwn" (CVE-2026-46333) Linux kernel vulnerability are available in Ubuntu. Read the blog for details: https://t.co/Abz34ZwPN3 https://t.co/4wAtbVXEHB
Chris Short@ChrisShort
20 days ago
AI Discovers CVE-2026-46333 Linux Kernel Vulnerability #devopsish https://t.co/8ElwqTsKFi https://t.co/itQsFI8TS9
CVE-2025-48595
CVSS Score: 8.4/10 | SVRS Score: 77/100 | Audience: 2.24M | Social Media: 69 | News: 42 | Repos: 1
In multiple locations, there is a possible way to achieve code execution due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
nivelepsilon@FpeSre
15 hours ago
Google patched 124 Android flaws this week. CVE-2025-48595 (CVSS 8.4) gives root with no user interaction on Android 14-16 and is actively exploited. CISA's remediation deadline was yesterday. Update MDM policies now. #Google #CVE https://t.co/MtcOCtZNE5
Cyber Netsec IO@NetSecIO
1 day ago
⚠️ ANDROID ZERO-DAY! Google has patched CVE-2025-48595, a privilege escalation flaw actively exploited in the wild. The fix is in the June 2026 security update, which patches 124 flaws total. Update your Android device NOW! #Android #ZeroDay #CyberSe... 🌐 cyber[.]netsecops[.]io https://t.co/Zg2QN1tG3Y
The Cyber Security Hub™@TheCyberSecHub
5 days ago
Google fixes actively exploited Android vulnerability (CVE-2025-48595) https://t.co/b78SK7JBTu
Eric Vanderburg@evanderburg
6 days ago
Google fixes actively exploited #Android #vulnerability (#CVE-2025-48595) https://t.co/gz7xLZld1x https://t.co/6pzfvw3jGA
Help Net Security@helpnetsecurity
6 days ago
Google fixes actively exploited Android vulnerability (CVE-2025-48595) - https://t.co/YIDfEMyRPp - @Google @Android @GooglePlay #CVE #SecurityUpdate #Vulnerability #Cybersecurity #CybersecurityNews https://t.co/6dN5GrzwxL
Shah Sheikh@shah_sheikh
6 days ago
Google fixes actively exploited Android vulnerability (CVE-2025-48595): Google has announced the June 2026 Android security updates, which fix a bucketload of vulnerabilities, including a high-severity vulnerability (CVE-2025-48595) in the Android… https://t.co/mKi8thcE7t https://t.co/Rol75R0X3k
SQ Magazine News@sqmagazine_news
6 days ago
Google rolls out an urgent Android security update to combat a zero day flaw under active attack. Ensure you update your device to secure against CVE-2025-48595 now!🔒 👉🏻 https://t.co/Et5K8Z2gzY #AndroidSecurity #ZeroDay #TechAlert
ThreadLinqs@threadlinqs
6 days ago
NEW THREAT INTEL: Android Framework 0-Day CVE-2025-48595 - zero-click privesc, actively exploited. 9 detections, 13 IOCs. https://t.co/KZvLJe0Sul #ThreatIntel #Android https://t.co/JkPV0seJxo
MalaysianWireless@malaysia601
6 days ago
Android June 2026 security update includes Google fixes, Samsung SMR patches, app updates and CVE-2025-48595 details. https://t.co/bY802wdxDk
VulDB 🛡@vuldb
6 days ago
We have just added an important vulnerability affecting Google Android (CVE-2025-48595) https://t.co/hdcxvjNBXo
CVE-2026-42897
CVSS Score: 6.1/10 | SVRS Score: 68/100 | Audience: 2.19M | Social Media: 170 | News: 32 | Repos: 0
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
John McClure@johnmcclure00
2 days ago
CVE-2026-42897: unauthenticated RCE on Exchange Server — no patch, mitigation-only via EM Service. Echoes ProxyLogon and ProxyShell. If your EM Service is off, you're exposed. Verify your status today. #Cybersecurity #InfoSec https://t.co/MfWNkHPzIf
Rich Greene@secgreene
3 days ago
Monday. You open the third email. Nothing visible happens. A piece of JavaScript just grabbed the proof you were logged in. That's CVE-2026-42897. The Microsoft Exchange zero-day under active attack. New Plaintext with Rich is live. https://t.co/GZSDj57EpZ https://t.co/X4WQEIgM9d
Dr. Siraj Dokadia@SirajD_Official
6 days ago
CVE-2026-42897 - Microsoft Exchange Server Cross-Site Scripting vulnerability https://t.co/kkM9hpcMQ0 https://t.co/h6nJju2vdL
Dr.Philippe Vynckier, CISSP - Influencer@PVynckier
12 days ago
CVE-2026-42897, Microsoft publishes an emergency mitigation for the Exchange XSS flaw - IT SOCIAL https://t.co/wYjkGRA3ZQ
The Daily Tech Feed@dailytechonx
19 days ago
CISA warns of active exploitation of Microsoft Exchange Server XSS vulnerability (CVE-2026-42897). Organizations urged to apply patches immediately. Link: https://t.co/zyw0NAnLhl #CISA #Microsoft #Exchange #XSS #Vulnerability #CVE202642897 #Exploitation #Security #Cybersecurity https://t.co/dnMeP0WEPK
OpenVPN Inc.@OpenVPN
19 days ago
Two critical zero-days need your attention today. Unpatched Exchange CVE-2026-42897: exploited via crafted email, no patch yet. Cisco SD-WAN CVE-2026-20182 (CVSS 10.0): max-severity auth bypass, CISA 3-day federal deadline. Both active in the wild now. https://t.co/F0vOZsc5S2 https://t.co/uBfneEwNSK
N_{Dario Fadda}@nuke86
20 days ago
New Post: CVE-2026-42897: critical XSS vulnerability in Exchange Server OWA — emergency mitigation available https://t.co/3mLqHkkkBS https://t.co/QILM1Ne6jw
Lyrie.ai@lyrie_ai
20 days ago
🚨 No patch yet for CVE-2026-42897. Attackers are exploiting Exchange Server's OWA right now via crafted emails — no auth needed. CISA KEV-listed May 15. Enable EEMS mitigation M2.1.x immediately. https://t.co/qZ9FQAGF9K #Cybersecurity
sushi com abacate@sushicomabacate
20 days ago
It's worth making clear that CVE-2026-42897 does not affect Exchange Online (which is the most used). It affects only on-premise instances #bolhasec https://t.co/idglbq23FX
CiberBaur@BotBauR
20 days ago
🚨 Just confirmed: A zero-day in Microsoft Exchange is being attacked, and there is no patch available, which allows attackers to compromise Outlook Web Access mailboxes. The attack is based on the vulnerability CVE-2026-42897, which affects Microsoft
CVE-2026-26980
CVSS Score: 7.5/10 | SVRS Score: 81/100 | Audience: 2.18M | Social Media: 89 | News: 23 | Repos: 2
Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.
Lyrie.ai@lyrie_ai
7 hours ago
Full Tweet Heads up about a critical SQL injection vuln in Ghost CMS affecting Harvard, Oxford, and DuckDuckGo among others CVE-2026-26980 Source: X search for CVE-2026 critical Posted: 2026-05-28T21:50:58.000Z Likes: 14
Lyrie.ai@lyrie_ai
7 hours ago
Source: X search for CVE-2026 critical Posted: 2026-05-28T21:50:58.000Z Likes: 14 Heads up about a critical SQL injection vuln in Ghost CMS affecting Harvard, Oxford, and DuckDuckGo among others CVE-2026-26980 https://t.co/rRbYE1mcNX
Lyrie.ai@lyrie_ai
7 hours ago
CVE-2026-26980: Heads up about a critical SQL injection vuln in Ghost CMS affecting Harvard, Oxford, and DuckDuckGo among others CVE-2026-26980 Source: X search for CVE-2026 critical Posted: 2026-05-28T21:50:58.000Z Likes: 14
Lyrie.ai@lyrie_ai
10 hours ago
CVE-2026-26980. 0day Intel: 🚨 Hackers breached 700+ Ghost CMS websites to serve ClickFix malware attacks.
Wordfence@wordfence
2 days ago
700+ Ghost CMS Sites Hit By Click Fix Attack Wordfence Security News Clip | May 25, 2026 Over 700 Ghost CMS sites are compromised via a critical SQL injection flaw (CVE-2026-26980) in the content API. Attackers extract admin API keys, inject JavaScript loaders into articles, https://t.co/PtAIPHnBGn
INFOSEC.WATCH@InfosecDotWatch
4 days ago
Ghost CMS CVE-2026-26980 was reportedly used to compromise hundreds of sites and inject malicious JavaScript loaders. https://t.co/5OtBUZVUq1
Asta@astasolutions
5 days ago
A critical Ghost CMS vulnerability (CVE-2026-26980) is being actively exploited worldwide, impacting universities, fintechs, media, and AI platforms. Strengthen your cybersecurity posture with proactive monitoring and threat detection. Learn more at https://t.co/aH9WSJOqn8 https://t.co/kYjDrw7Zqe
Cyber Netsec IO@NetSecIO
5 days ago
📢 GHOST CMS HACKED: A critical SQL injection flaw (CVE-2026-26980) is being mass-exploited to hack Ghost sites. Attackers steal API keys to inject malware that targets visitors. Over 700 sites hit. Patch and rotate keys NOW! #GhostCMS #CVE #SQLi 🌐 cyber[.]netsecops[.]io https://t.co/8GiFzawFLK
Tim Wilson@TimWilsonAtDxc
6 days ago
The attacks that XLab observed begin by exploiting CVE-2026-26980 to steal the admin API keys, and then use the elevated rights to inject malicious JavaScript into articles https://t.co/eIy9YQPKAf
Andre Gironda@AndreGironda
29 days ago
@Xlab_qax https://t.co/6rwoGVyzML -- CVE-2026-26980 -- https://t.co/sruPGqjokS -- live demo at [un]prompted 2026 conference, found via GenAI tool calling -- ?
CVE-2026-31431
CVSS Score: 7.8/10 | SVRS Score: 85/100 | Audience: 2.14M | Social Media: 179 | News: 78 | Repos: 21
In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.
Lyrie.ai@lyrie_ai
3 days ago
CVE-2026-31431 (Copy Fail): A Linux kernel logic bug discovered by AI, disclosed publicly April 22, and actively exploited by May 1. Dwell time: 9 days from public disclosure to live attacks.
ThreatCluster@threatcluster
3 days ago
Two local privilege escalation flaws CVE-2026-31431 and CVE-2026-43284 in Ubuntu 18.04 and 20.04 LTS kernels, including Raspberry Pi and Azure variants, are under active exploitation, Ubuntu Security Notices USN-8390 and USN-8391 said. https://t.co/1sWdt9AJY9
Lyrie.ai@lyrie_ai
4 days ago
Unpopular opinion: The cybersecurity industry is selling you dashboards. CVE-2026-31431 ("Copy Fail") is a local privilege escalation (LPE) zero-day in the Linux kernel that allows any authenticated user — including those with no special permissions — to obtain a root…
Hi@hieyz6838
4 days ago
CVE-2026-31431 (Copy Fail) is a masterclass in how three "individually benign" mistakes compound into root. 9 years in the kernel, KEV list, 732-byte PoC. this is the new template: trivial primitives + container escape = full host takeover. #bugbounty #cybersecurity
Hi@hieyz6838
4 days ago
19-year-old CIFSwitch and 9-year-old CVE-2026-31431 in the same week. Linux kernel's been quietly rotting in crypto/smb code while everyone chased web CVEs. Both require zero user interaction. Patch your stuff. #Linux #cybersecurity
Alexander Leonov@leonov_av
5 days ago
🚨 May Linux Patch Wednesday: 1,638 vulns (474 kernel), 7 exploited in the wild incl. Copy Fail (CVE-2026-31431), Dirty Frag (CVE-2026-43500), ActiveMQ, NGINX, Rclone & PgBouncer, plus 264 with public exploits. #LinuxPatchWednesday #Linux #Vulristics ➡️ https://t.co/ByXnqFEh0Z https://t.co/yXt5qw4aij
Lyrie.ai@lyrie_ai
7 days ago
A nine-year-old logic bug in the Linux kernel's cryptographic authentication subsystem is being actively exploited in the wild. CISA added CVE-2026-31431 ("Copy Fail") to its Known Exploited Vulnerabilities catalog Friday, citing real-world attacks. Any unprivileged local…
Lyrie.ai@lyrie_ai
7 days ago
On May 1, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) formally acknowledged that CVE-2026-31431—a Linux kernel privilege escalation flaw—is being exploited in active, in-the-wild attacks. The vulnerability, nicknamed "Copy Fail" by its researchers at…
Lyrie.ai@lyrie_ai
7 days ago
The Supply-Chain Collapse: Vulnerabilities don't live in isolation. CVE-2026-31431 (Copy Fail) doesn't get patched by you—the Linux kernel maintainers patch it, then your distro releases it, then your CI/CD pipeline tests it, then you deploy it. Autonomous discovery skips…
Lyrie.ai@lyrie_ai
7 days ago
490% · CVE-2026-31431 TL;DR The $40B+ consolidation wave in autonomous defense (ServiceNow/Armis $7.75B, CrowdStrike/SGNL $740M, Palo Alto/Koi $400M) is not a sign of innovation—it's a tacit admission that point solutions can't compete with machine-speed attacks.
CVE-2024-21182
CVSS Score: 7.5/10 | SVRS Score: 74/100 | Audience: 2.12M | Social Media: 44 | News: 20 | Repos: 2
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Cyber Netsec IO@NetSecIO
1 day ago
🚨 CISA KEV ALERT: A 2-year-old Oracle WebLogic flaw (CVE-2024-21182) is now under active attack. The RCE bug allows unauthenticated compromise. If you're running a vulnerable version, patch immediately or restrict access! #CyberSecurity #KEV #Oracle 🌐 cyber[.]netsecops[.]io https://t.co/p5mALcQUbX
ADK Cyber@ADKCyber
5 days ago
Oracle WebLogic servers are being targeted by a remotely exploitable vulnerability (CVE-2024-21182). If your environment includes WebLogic, review Oracle advisories and apply available updates promptly. https://t.co/2HgoCby18Q https://t.co/JWMuOSp6gb via SecurityWeek https://t.co/fLfy5mvhbW
Israel@f1tym1
5 days ago
CISA Warns of Two-Year-Old Oracle WebLogic Server Vulnerability Exploited in Attacks https://t.co/EFWbnG8D64 CISA has issued a fresh warning highlighting active exploitation of a critical Oracle WebLogic Server vulnerability, tracked as CVE-2024-21182, adding it to its Known E…
Elusive@ElusivePrivacy
5 days ago
CISA Adds Oracle WebLogic CVE-2024-21182 to KEV Catalog CISA has added CVE-2024-21182 an Oracle WebLogic Server vulnerability to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. FCEB agencies must remediate per BOD 22-01. WebLogic remains a
Xavier Rivera@XavierRiveraX
5 days ago
CISA flagged Oracle WebLogic CVE-2024-21182 as actively exploited, adding it to the KEV catalog. Attackers exploit WebLogic's T3 and IIOP ports (7001/7002) without credentials to achieve remote code execution. Federal agencies patch deadline is June 22. Block external T3 access
Israel@f1tym1
6 days ago
Oracle WebLogic Vulnerability Exploited in the Wild https://t.co/cvf3ynRaoX The vulnerability is CVE-2024-21182 and it can be exploited without authentication to hack affected WebLogic servers. The post Oracle WebLogic Vulnerability Exploited in the Wild appeared first on Sec…
America's Pick@nims213
6 days ago
Oracle WebLogic Vulnerability Exploited in the Wild https://t.co/EGIvapFtSL CISA is warning organizations that an Oracle WebLogic vulnerability patched nearly two years ago is being exploited in the wild. The security hole, tracked as CVE-2024-21182, was patched by Oracle in…
Shah Sheikh@shah_sheikh
6 days ago
Oracle WebLogic Vulnerability Exploited in the Wild: The vulnerability is CVE-2024-21182 and it can be exploited without authentication to hack affected WebLogic servers. The post Oracle WebLogic Vulnerability Exploited in the Wild appeared first on… https://t.co/f3bgYVAdol https://t.co/nZPvR6Td63
ThreatCluster@threatcluster
6 days ago
BREAKING: CISA adds actively exploited Oracle WebLogic CVE-2024-21182 to KEV, unauthenticated T3/IIOP access affects 12.2.1.4.0 and 14.1.1.0.0 with CVSS 7.5. https://t.co/gpf03Veolc
VulnTracker@vuln_tracker
6 days ago
@CISACyber CISA just added CVE-2024-21182 to the KEV catalog. Oracle WebLogic Server. Actively exploited. In 2026 - from a 2024 CVE. WebLogic powers enterprise Java applications at banks, telcos, and government agencies worldwide. If it's in your stack and unpatched, attackers already
CVE-2026-45659
CVSS Score: 8.8/10 | SVRS Score: 87/100 | Audience: 2.07M | Social Media: 53 | News: 19 | Repos: 2
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
Gabriella Nelms@GabriellaNelms
12 days ago
Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions https://t.co/0hAThgxXVX
SempreUpdate@SempreUpdate
12 days ago
Microsoft fixes vulnerability in SharePoint (CVE-2026-45659) https://t.co/SnrsHGgnqL
elhacker.NET@elhackernet
12 days ago
Microsoft SharePoint vulnerability allows remote code execution Microsoft has disclosed a critical security vulnerability in SharePoint Server (identified as CVE-2026-45659) https://t.co/LWH40H4Y4J
Shah Sheikh@shah_sheikh
12 days ago
Microsoft SharePoint Has a New RCE Flaw. If You Haven’t Patched Yet, Go Do That.: A critical vulnerability, tracked as CVE-2026-45659, in Microsoft SharePoint can allow attackers to achieve remote code execution with little effort. Microsoft released… https://t.co/DhDJZHvSH9 https://t.co/JWtmiRAFB8
UNDERCODE TESTING@UndercodeUpdate
12 days ago
🚨 #Microsoft SharePoint Server Flaw Enables Remote Code Execution Attacks – #CVE-2026-45659 Exploit Analysis & Hardening + Video https://t.co/YK84FYxIIO Educational Purposes!
Jedi Security •|• OSS@JedisecX
12 days ago
Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions https://t.co/Nn6rmPb0RM
VulnTracker@vuln_tracker
12 days ago
@TheHackersNews You don't need to be an admin to own SharePoint anymore. CVE-2026-45659 - any Site Member can trigger RCE on SharePoint Server 2016, 2019, and Subscription Edition. CVSS 8.8. Every employee with a SharePoint login is now a potential threat vector. Track it. Patch it.
Joel Domenech@Joel_DAA
12 days ago
Microsoft patches the critical vulnerability CVE-2026-45659 in SharePoint that allowed remote code execution. Update now to protect your systems! #Ciberseguridad #Microsoft #SharePoint #SeguridadTI
DCI CyberSec News@DCICyberSecNews
12 days ago
Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions https://t.co/R1qtcuESdf via @TheHackersNews
DFIR Lab@DFIR_Lab
12 days ago
🚨 HIGH SEVERITY: CVE-2026-45659 (CVSS 8.8) Deserialization flaw in Microsoft SharePoint allows authenticated attackers to execute remote code over network. Patch immediately. #CVE #Vulnerability #PatchNow #ThreatIntel #DFIR https://t.co/62V8Mrbba0
CVE-2026-45247
CVSS Score: 9.8/10 | SVRS Score: 89/100 | Audience: 2.01M | Social Media: 31 | News: 16 | Repos: 0
Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server.
Lucas@lucasverdan
7 hours ago
Most people will see the headline. The real signal is what Mirasvit Cache Warmer RCE Threat… CVE-2026-45247 is an actively exploited Mirasvit Cache Warmer flaw that can let unauthenticated attackers achieve remote code execution on 🔗 Details → https://t.co/tsdSkfbAoK
Lucas@lucasverdan
8 hours ago
🛑 CVE-2026-45247: Mirasvit Cache Warmer RCE Threatens Magento Stores CVE-2026-45247 is an actively exploited Mirasvit Cache Warmer flaw that can let unauthentic… 🔗 Details → https://t.co/tsdSkfbAoK
Enigma-Global@EnigmaGlobalSW
1 day ago
Intel Report [CRITICAL] - The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-45247 to its Known Exploited Vulnerabilities (KEV) catalog on June 3, 2026, following confirmed active exploitation in the wild. This... https://t.co/X4lFWcBMXN
Enigma-Global@EnigmaGlobalSW
1 day ago
Intel Report [CRITICAL] - On June 3, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-45247 to its Known Exploited Vulnerabilities (KEV) catalog following confirmed active exploitation in the wild. The... https://t.co/IXGB4dTRuh
Jedi Security •|• OSS@JedisecX
4 days ago
CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog https://t.co/9YPRfmbbxb
iT4iNT SERVER Pvt Ltd@it4int
4 days ago
iT4iNT SERVER CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog https://t.co/iB4sP5Z4is VDS VPS Cloud #CISA #Cybersecurity #Magento #Vulnerabilities #RCEFlaw
Buzz Hillestad@buzz_sec
4 days ago
The Hacker News - CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog https://t.co/7oUBVups7h
The Cyber Security Hub™@TheCyberSecHub
4 days ago
CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog https://t.co/0ax8TGB5WL
The Hacker News@TheHackersNews
4 days ago
🚨 Attackers are actively exploiting CVE-2026-45247, a critical Magento RCE flaw in Mirasvit Cache Warmer. CISA added it to KEV. The bug scores 9.8 CVSS and allows unauthenticated PHP code execution via crafted CacheWarmer cookies. Patch before June 6. Read: https://t.co/8Mi4jPebwq
Cyber Edition@CyberEdition
6 days ago
⚠️ Critical Magento flaw CVE-2026-45247 in the Mirasvit Cache Warmer plugin can let attackers run code on stores without login or user interaction. Thousands of Magento shops may be exposed. Patch to v1.11.12 ASAP. #Magento #CyberSecurity Read more https://t.co/eF7zx8COPL
CVE-2026-48172
CVSS Score: 9.8/10 | SVRS Score: 94/100 | Audience: 1.93M | Social Media: 63 | News: 20 | Repos: 2
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features. The recommended minimum version is 2.4.7.
Lyrie.ai@lyrie_ai
1 day ago
Full Tweet CVE-2026-48172: Critical LiteSpeed cPanel Plugin Flaw Exploited for Privilege Escalation 0day Intel: CVE-2026-48172: Critical LiteSpeed cPanel Plugin Flaw Exploited for Privilege Es
Lyrie.ai@lyrie_ai
1 day ago
Source: X search for CVE-2026 critical Posted: 2026-05-22T17:35:17.000Z Likes: 17 0day Intel: CVE-2026-48172: Critical LiteSpeed cPanel Plugin Flaw Exploited for Privilege Es
Lyrie.ai@lyrie_ai
1 day ago
0day Intel: CVE-2026-48172: Critical LiteSpeed cPanel Plugin Flaw Exploited for Privilege Es
Lyrie.ai@lyrie_ai
1 day ago
CVE-2026-48172: CVE-2026-48172: Critical LiteSpeed cPanel Plugin Flaw Exploited for Privilege Escalation 0day Intel: CVE-2026-48172: Critical LiteSpeed cPanel Plugin Flaw Exploited for Privilege Es
Lucas@lucasverdan
5 days ago
CISA added CVE-2026-48172 to KEV. This LiteSpeed cPanel plugin bug can turn a tenant-level foothold into root-level script execution. In shared hosting, that's an incident-response problem, not a routine plugin update. Patch fast or remove the plugin.
MiGuεl CaRvAjAl ®@miguelcarvajalm
5 days ago
#LiteSpeed #cPanel #Plugin CVE-2026-48172 #Exploited to Run #Scripts as #Root https://t.co/MYy23diF1Q
Cybersecurity News Everyday@TweetThreatNews
12 days ago
CISA added CVE-2026-48172 to its exploited vulnerabilities list. The LiteSpeed cPanel plugin flaw can let attackers gain root access via arbitrary script execution. Patch with LiteSpeed WHM Plugin 5.3.1.0+ #LiteSpeed #cPanel #CISA https://t.co/DX51zm0jqW
Nicolas Coolman@NicolasCoolman
12 days ago
⚠️ CISA alert on LiteSpeed cPanel Plugin: a critical, actively exploited vulnerability (CVE-2026-48172). #zoneantimalware https://t.co/ctEvQ8KIYD
VulnTracker@vuln_tracker
12 days ago
@CISACyber CISA just added CVE-2026-48172 to the KEV catalog. That means it's being exploited. Right now. LiteSpeed cPanel Plugin privilege escalation - on one of the most widely deployed web hosting stacks in the world. KEV = patch deadline. Federal agencies have no choice. Do you?
Gray Hats@the_yellow_fall
12 days ago
The LiteSpeed cPanel plugin exploit (CVE-2026-48172) allows attackers to escape shared hosting sandboxes and gain root access. Learn how to patch it now. #LiteSpeed #cPanel #WebHosting #CVE202648172 #RootAccess #PrivilegeEscalation #SysAdmin https://t.co/UUaANEVIyD https://t.co/F2XA5lJuBS
CVE-2026-39987
CVSS Score: 9.8/10 | SVRS Score: 92/100 | Audience: 1.92M | Social Media: 54 | News: 21 | Repos: 3
marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. Unlike other WebSocket endpoints (e.g., /ws) that correctly call validate_auth() for authentication, the /terminal/ws endpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification. This vulnerability is fixed in 0.23.0.
iSECTECH@isectech_
6 hours ago
Now the AI-on-offense side. Researchers documented attackers using an LLM agent for post-exploitation after a CVE-2026-39987 exploit. Hands-on-keyboard work is being automated. Dwell time compresses. Your response window does too. #ThreatIntel
ThreadLinqs@threadlinqs
1 day ago
NEW THREAT INTEL: AI-agent chains marimo RCE (CVE-2026-39987) to K8s secret dump via Docker socket + nsenter escape. 9 detections, 16 IOCs. https://t.co/JIqbaKHAyo #RCE https://t.co/SlXnzKjRUG
Agent X AGI@agentxagi
3 days ago
Same CVE. Third attack. The agent took the orchestration plane. CVE-2026-39987 → container escape → host root → K8s credential replay. All autonomous. Same vuln that dumped a DB in 2min now owns your infrastructure. → https://t.co/rxW7ntqWZK
Daniel B. - AI & Tech@danielbitpro
3 days ago
Sysdig just documented the first autonomous LLM-agent cyberattack and the scary part isn't the AI. The full attack chain (CVE-2026-39987 → AWS credentials → SSH pivoting → DB exfil) took about an hour with <2 minutes for exfiltration. Zero humans. Zero. The threat isn't that
Dennis Ludena@DennisLudena
3 days ago
Seems like the exploit associated with the critical flaw CVE-2026-39987 was created using AI tools due to the short time between the vulnerability disclosure and deployment time. While this is not the first malware or exploit designed using AI tools, it showcases how fast the
IntegSec@integ_sec
3 days ago
CVE-2026-39987: Marimo Remote Code Execution Bug - What It Means for Your Business and How to Respond https://t.co/Lej1Hb8zd7
Divinmentis@Divinmentis
4 days ago
Patching and AV assume fixed exploit signatures. This worm destroys that model. Its on-device LLM adapts to each unique target, no static signature needed. CVE-2026-39987 showed AI pivoting AWS to SSH to PostgreSQL in under 2 min. This is that capability at network scale. The
Julio Elizondo@jelizor
6 days ago
On May 10, the Sysdig Threat Research Team observed something that should change how defenders think about post-exploitation. An attacker compromised an internet-reachable Marimo notebook through CVE-2026-39987, a pre-authentication RCE in the terminal WebSocket endpoint patched
AI Security Gateway@AISGateway
6 days ago
🚨Real attack chain, May 2026: Threat actor exploits CVE-2026-39987 in a public Marimo notebook, extracts cloud credentials, then deploys an LLM agent to automate post-exploitation. AI isn't just a target now. It's a weapon in the attacker's toolkit.
Gray Hats@the_yellow_fall
7 days ago
Analyze the Marimo CVE-2026-39987 exploit. Learn how an autonomous AI agent weaponized this flaw to exfiltrate internal database credentials. #Marimo #CVE202639987 #AIAgent #Cyberattack #Sysdig #ThreatIntel https://t.co/mcdKklNpiI https://t.co/ddrR3nWuL0
CVE-2026-41940
CVSS Score: 9.8/10 | SVRS Score: 99/100 | Audience: 1.9M | Social Media: 133 | News: 31 | Repos: 12
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Versa@versanetworks
3 days ago
When the control plane is compromised, everything it manages is at risk. CVE-2026-41940 is a pre-auth bypass in cPanel and WHM, the layer that runs accounts, DNS, databases, and server config for hosted environments. CVSS 9.8. Exploitation confirmed. These slides outline the https://t.co/nliSr0W7qT
0x0smilex@0x0smilex
3 days ago
Replicating CVE-2026-41940 🚀 Testing out the critical cPanel & WHM pre-auth bypass. Watching a simple CRLF injection via the Basic Auth header manipulate on-disk session storage to force user=root is wild. Patch your fleets! 🛑 #bugbounty #infosec #togetherwehit #cybersecurity https://t.co/ZdM2oTub3L
Lyrie.ai@lyrie_ai
4 days ago
The Hosting Panel That Opened the Server Room Door: CVE-2026-41940 cPanel Auth Bypass, 1.5M Targets, and Southeast Asian State Espionage. ---
Lyrie.ai@lyrie_ai
4 days ago
Unpopular opinion: The cybersecurity industry is selling you dashboards. The Hosting Panel That Opened the Server Room Door: CVE-2026-41940 cPanel Auth Bypass, 1.5M Targets, and Southeast Asian State Espionage
Lyrie.ai@lyrie_ai
4 days ago
The elegance — and danger — of CVE-2026-41940 is that it is not a single programming mistake. It is three independently reasonable implementation decisions that chain together catastrophically.
Lyrie.ai@lyrie_ai
4 days ago
28.3% · CVE-2026-41940 · 28.3 → 2.3 The Patch Window Is Now the Attack Window: Why May 2026's Exploitation Speed Broke Enterprise Defense
Lyrie.ai@lyrie_ai
4 days ago
What this means for your agents and systems: In the first week of May alone, we've witnessed the mechanics of modern attack velocity: cPanel CVE-2026-41940 (April 28): Within 24 hours of disclosure, Censys observed the vulnerability weaponized by multiple threat actors.…
Lyrie.ai@lyrie_ai
4 days ago
cPanel CVE-2026-41940 (April 30 disclosure, CVSS 9.8) proves this: 44,000 vulnerable servers scanning defender honeypots within 48 hours. Shadowserver detected active exploitation before official patches hit. The Sorry Ransomware group exploited it in real-time across…
Komodo Cyber Security@Komodosec
5 days ago
The Internet Is Falling Down, Falling Down, Falling Down (cPanel & WHM Authentication Bypass CVE-2026-41940) https://t.co/Jhg88cOomL
Lyrie.ai@lyrie_ai
7 days ago
Unpopular opinion: The cybersecurity industry is selling you dashboards. A critical pre-authentication bypass in cPanel and WebHost Manager (WHM) — tracked as CVE-2026-41940 (CVSS 9.8) — gave unauthenticated attackers root-level control of the hosting management plane on…
CVE-2026-20245
CVSS Score: 7.8/10 | SVRS Score: 73/100 | Audience: 1.87M | Social Media: 79 | News: 17 | Repos: 0
A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the attacker to perform command injection attacks on an affected system and elevate their privileges as the root user. To exploit this vulnerability, the attacker must have netadmin privileges on the affected system. This would require valid credentials or exploitation of or . Cisco is not aware of successful exploitation by other methods. Cisco has observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices. Cisco recommends that customers upgrade to the fixed software that is documented in the that was published on May 14, 2026, and verify the configuration of the edge devices.
ProtAAPP - Protege las AAPP@ProtAAPP
7 hours ago
Cisco warns of active exploitation of a critical vulnerability in Catalyst SD-WAN Manager (CVE-2026-20245) with a CVSS of 7.8. This flaw allows local attackers to execute commands as root after uploading a crafted file. #Ciberseguridad https://t.co/2S6rO2E8wZ https://t.co/hpBQN5uTCN
Carlos Fynn@fynn_JourX
8 hours ago
Legacy exposure keeps paying off for attackers. Cisco SD-WAN zero-day turns earlier auth bypass flaws int… Cisco says CVE-2026-20245 is being exploited with no patch yet, making earlier SD-WAN auth… 🔗 Read → https://t.co/rlQ4pJHnW7
Lucas@lucasverdan
9 hours ago
🛑 Cisco SD-WAN zero-day turns earlier auth bypass flaws into root access… Cisco says CVE-2026-20245 is being exploited with no patch yet, making earlier SD-WAN auth… 🔗 Details → https://t.co/RvVYXsPPsQ
Senshin108™@Senshin108
12 hours ago
Cisco’s disclosure of the actively exploited zero-day command injection flaw (CVE-2026-20245) in Catalyst SD-WAN highlights the structural failure of centralized network management. Because the vulnerability allows root-level command injection via unvalidated input, attackers are
iSECTECH@isectech_
12 hours ago
Cisco Catalyst SD-WAN Manager: CVE-2026-20245, actively exploited, no patch available at disclosure. When there's no patch, your only controls are network segmentation, access restriction, and monitoring. Compensating controls aren't a backup plan. They ARE the plan. #CVE
CyDhaal@CyberDhaal
2 days ago
1/2🚨 Critical Zero-Day Alert: Cisco SD-WAN Manager Under Active Attack (No Patch Yet) 🚨 https://t.co/QN4wt9D6Zc Cisco has just dropped a high-severity security advisory for a new zero-day vulnerability (CVE-2026-20245) affecting the Command-Line Interface (CLI) of Cisco https://t.co/3RrguqVxKQ
UNDERCODE NEWS@UndercodeNews
2 days ago
🚨 #Cisco SD-WAN Under Siege: Active Exploitation of #CVE-2026-20245 Exposes Critical Command Injection Risk Across Enterprise Networks + Video -Fact Checker: ✅: 2 ❌: 3 || 2/5 → Score: 40% 🤏🏻 -Prediction: 📈 2 Positive | 📉 2 Negative https://t.co/pJXEnDDKTJ
sean walker@seanwalker64354
2 days ago
CVE-2026-20245: Cisco 7th SD-WAN Zero-Day — Unpatched Root Escalation, No Patch Available https://t.co/jwZiMu1UkX
The Hacker News@TheHackersNews
2 days ago
🚨 New Cisco SD-WAN vulnerability under active exploitation. CVE-2026-20245 lets authenticated netadmin attackers run commands as root via crafted file uploads. No patches or mitigations are available. Check /var/log/scripts.log for IoCs. Read: https://t.co/s4EJM5zeKC
Divinmentis@Divinmentis
2 days ago
⚠️ Cisco discloses CVE-2026-20245 — the 7th SD-WAN zero-day exploited in 2026. No patch available. Affects Catalyst SD-WAN Manager on-prem, cloud, and FedRAMP. Grants root command execution. Reported by Mandiant after Cisco confirmed active exploitation in the wild. #Cisco
CVE-2026-35616
CVSS Score: 9.8/10 | SVRS Score: 99/100 | Audience: 1.81M | Social Media: 57 | News: 26 | Repos: 2
An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
Lyrie.ai@lyrie_ai
7 hours ago
19:26 UTC: First exploit attempt in the wild. 0day Intel: CVE-2026-35616: FortiClient EMS Flaw Actively Exploited in Malware Attacks https
Lyrie.ai@lyrie_ai
7 hours ago
16:40 UTC: Thread live on @lyrie_ai. 0day Intel: CVE-2026-35616: FortiClient EMS Flaw Actively Exploited in Malware Attacks https
Lyrie.ai@lyrie_ai
7 hours ago
16:37 UTC: GPT-5 enrichment complete. 41 words. 1 citations. 0day Intel: CVE-2026-35616: FortiClient EMS Flaw Actively Exploited in Malware Attacks https
Lyrie.ai@lyrie_ai
7 hours ago
16:29 UTC: Lyrie Sentinel flagged it. 0day Intel: CVE-2026-35616: FortiClient EMS Flaw Actively Exploited in Malware Attacks https
Lyrie.ai@lyrie_ai
7 hours ago
16:26 UTC: CVE-2026-35616 disclosed. CVE-2026-35616: FortiClient EMS Flaw Actively Exploited in Malware Attacks 0day Intel: CVE-2026-35616: FortiClient EMS Flaw Actively Exploited in Malware Attacks https
Lyrie.ai@lyrie_ai
8 hours ago
CVE-2026-35616: ⚠️ Threat actors are exploiting a critical FortiClient EMS flaw to push credential-stealing malware to entire networks of managed endpoints. CVE-2026-35616 (CVSS 9.1) allows pre-auth bypass and privilege escalation. Read full report:
RHTG@RightHandTech
1 day ago
🔒 Think your EMS is secure? Think again! CVE-2026-35616 highlights the importance of proper access control. Always patch vulnerabilities ASAP and monitor logs for suspicious admin activity. Protect your endpoints from unauthorized access! #InfoSecTips
Carlos Fynn@fynn_JourX
7 days ago
Legacy exposure keeps paying off for attackers. FortiClient EMS exploit turns endpoint management into cr… CVE-2026-35616 shows how a vulnerable FortiClient EMS server can become a malware delivery… 🔗 Read → https://t.co/cBoTi33dIS
Lucas@lucasverdan
7 days ago
🛑 FortiClient EMS exploit turns endpoint management into credential theft… CVE-2026-35616 shows how a vulnerable FortiClient EMS server can become a malware delivery… 🔗 Details → https://t.co/QRuF3O21Vx
Gray Hats@the_yellow_fall
7 days ago
Analyze the recent FortiClient EMS exploit. Learn how attackers leverage CVE-2026-35616 to deliver EKZ Infostealer and bypass endpoint protection. #Fortinet #FortiClientEMS #CVE202635616 #EKZInfostealer #Cybersecurity #ThreatIntel https://t.co/lpGROuJRW3 https://t.co/mkN8wohXif
CVE-2026-45585
CVSS Score: 6.8/10 | SVRS Score: 85/100 | Audience: 1.73M | Social Media: 55 | News: 35 | Repos: 0
Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as "YellowKey". The proof of concept for this vulnerability has been made public violating coordinated vulnerability best practices. We are issuing this CVE to provide mitigation guidance that can be implemented to protect against this vulnerability until the security update is made available.
Mitigation FAQs
Should I leverage the temporary mitigation?
Microsoft recommends that you consider implementing these mitigations if you are concerned your devices and data are at risk of being compromised or stolen. For example, if your organization’s employees take their work devices home or on business travel.
What impact to service availability/management could be caused by implementing the mitigations?
Implementing these mitigations will not impact service availability or management operations.
Do customers need to revert the changes made to mitigate the vulnerability once the security update to protect against this vulnerability is available?
No. The security update will maintain the mitigation's behavior once the security update is installed.
I am using TPM+PIN, am I at risk of this vulnerability being exploited?
No, if you are using TPM+PIN the vulnerability is not exploitable.
Chander Mani Pandey l MVP@Mani_CMPandey
7 hours ago
Hello Friends 👋 If you're interested in understanding the basics of the Yellow Key | BitLocker Bypass Vulnerability (CVE-2026-45585) and learning how to manually check for it, this video is for you. 👀 🎥 Watch here: https://t.co/jpYf9qOaAP #MicrosoftIntune #Intune
Lyrie.ai@lyrie_ai
1 day ago
Microsoft has disclosed a critical zero-day vulnerability in Windows BitLocker, tracked as CVE-2026-45585, that allows threat actors with physical access
Lyrie.ai@lyrie_ai
1 day ago
CVE-2026-45585: ⚠️ Microsoft Releases Mitigation for Windows BitLocker Security Bypass 0-Day Vulnerability Source: Microsoft has disclosed a critical zero-day vulnerability in Windows BitLocker, tracked as CVE-2026-45585, that allows threat actors…
DFIR Radar@DFIR_Radar
16 days ago
CVE-2026-45585 (CVSS 6.8) "YellowKey" bypasses BitLocker via Windows Recovery Environment using crafted FsTx files on USB/EFI. Affects Windows 11 24H2+ and Server 2025. Apply Microsoft's WinRE mitigation or switch to TPM+PIN authentication. #DFIR_Radar https://t.co/Ld31NmNemF
P.@PDotXL
17 days ago
Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit https://t.co/eC4GNiauW8 via @TheHackersNews
Cyber News Live@cybernewslive
17 days ago
A security flaw called YellowKey (CVE-2026-45585) lets anyone with physical access to a Windows computer bypass BitLocker — the encryption that protects everything on your hard drive — by plugging in a USB drive and rebooting into recovery mode. The exploit code is publicly
Todd Pigram@pigram86
19 days ago
Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit https://t.co/YmD0vx96WW
Roger Mitan@molari999
19 days ago
Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit https://t.co/fVUORv1Amf
Shah Sheikh@shah_sheikh
19 days ago
Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit: Microsoft on Tuesday released a mitigation for a BitLocker bypass vulnerability named YellowKey following its public disclosure last week. The zero-day flaw, now tracked… https://t.co/nmsVvXta2r https://t.co/EBbjfBm8xl
DFIR Radar@DFIR_Radar
19 days ago
Microsoft shares mitigations for CVE-2026-45585 (YellowKey), a Windows BitLocker zero-day that grants access to protected drives via specially crafted USB files. Switch BitLocker from TPM-only to TPM+PIN mode to block exploitation. #DFIR_Radar https://t.co/uKGGqI1cPN
CVE-2026-45498
CVSS Score: 7.5/10 | SVRS Score: 78/100 | Audience: 1.72M | Social Media: 52 | News: 41 | Repos: 0
Microsoft Defender Denial of Service Vulnerability
NEWSTECNICAS | Tecnología, IA y Gaming.@newstecnicas
16 hours ago
🚨 Alert: Active #exploitation of critical #vulnerabilities in Microsoft #Defender | CVE-2026-4109 | CVE-2026-45498 | https://t.co/O8ZFbTJFjG
NEWSTECNICAS | Tecnología, IA y Gaming.@newstecnicas
23 hours ago
🚨 Critical privilege escalation #vulnerability in Microsoft Defender (CVE-2026-41091 / CVE-2026-45498) (+MITIGATION) https://t.co/BebWtRlAGy
Lyrie.ai@lyrie_ai
1 day ago
Full Tweet 🚨 Microsoft patched two Defender zero-days (CVE-2026-41091 & CVE-2026-45498) — one escalates a low-privileged attacker to SYSTEM level (local exploit, no user interaction needed), the other causes a denial-of-service. Both actively exploited; CISA added…
Lyrie.ai@lyrie_ai
1 day ago
Source: X search for actively exploited 2026 Posted: 2026-05-21T13:50:03.000Z Likes: 10 0day Intel: 🚨 Microsoft patched two Defender zero-days (CVE-2026-41091 & CVE-2026-45498
Lyrie.ai@lyrie_ai
1 day ago
0day Intel: 🚨 Microsoft patched two Defender zero-days (CVE-2026-41091 & CVE-2026-45498
Lyrie.ai@lyrie_ai
1 day ago
CVE-2026-41091: 🚨 Microsoft patched two Defender zero-days (CVE-2026-41091 & CVE-2026-45498) — one escalates a low-privileged attacker to SYSTEM level (local exploit, no user interaction needed), the other causes a denial-of-service. Both actively exploited; CISA…
NEWSTECNICAS | Tecnología, IA y Gaming.@newstecnicas
2 days ago
🚨 #Alert: Active exploitation of critical #vulnerabilities in #MicrosoftDefender | CVE-2026-4109 | CVE-2026-45498 | https://t.co/O8ZFbTJFjG
Jim Nitterauer 🇺🇸@JNitterauer
5 days ago
🛡️ Microsoft Defender itself has active zero-days (CVE-2026-45498). Platform v4.18.26030.3011 & older = vulnerable. Run Windows Update NOW on every endpoint. #Microsoft #Defender #ZeroDay #cybersecurity https://t.co/SR7Key7X58
B2B Cyber Security.de@B2bCyber
5 days ago
https://t.co/oRe1yxVAe2 Check for updates: Defender vulnerabilities were actively exploited. Microsoft has patched three security vulnerabilities in Defender that organizations should check: CVE-2026-41091, CVE-2026-45584, and CVE-2026-45498. Two of the vulnerabilities have r… https://t.co/MXUx8w7iN9
B2B Cyber Security.de@B2bCyber
6 days ago
Check for updates: Defender vulnerabilities were actively attacked https://t.co/0ken7JP267 Microsoft has closed three security vulnerabilities in Defender that organizations should check: CVE-2026-41091, CVE-2026-45584, and CVE-2026-45498 are affected. Two of the vulnerabilities were, according to …
CVE-2026-43284
CVSS Score: 7.8/10 | SVRS Score: 95/100 | Audience: 1.72M | Social Media: 129 | News: 55 | Repos: 9
In the Linux kernel, the following vulnerability has been resolved:
xfrm: esp: avoid in-place decrypt on shared skb frags
MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy.
The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.
Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.
This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().
nivelepsilon@FpeSre
17 hours ago
Dirty Frag (CVE-2026-43284, CVSS 8.8) chains IPsec ESP and RxRPC bugs to give any local user kernel root in one command. Container escape is also in scope. Ubuntu patches are available. Interim fix: disable esp4, esp6, rxrpc. Your VPN will notice. https://t.co/JLW9cOVuSe
ThreatCluster@threatcluster
3 days ago
Two local privilege escalation flaws CVE-2026-31431 and CVE-2026-43284 in Ubuntu 18.04 and 20.04 LTS kernels, including Raspberry Pi and Azure variants, are under active exploitation, Ubuntu Security Notices USN-8390 and USN-8391 said. https://t.co/1sWdt9AJY9
Adrien Linuxtricks @_adriend_
30 days ago
Excellent article in French on the Dirty Frag flaw, aka the double CVE-2026-43284 and CVE-2026-43500! I highly recommend reading it! https://t.co/AEucePEjqp #Linux #LPE #DirtyFrag
DevOps Daily@thedevopsdaily
30 days ago
📝 Dirty Frag (CVE-2026-43284 + CVE-2026-43500): Local Root on Every Major Linux Distro A two-bug chain in the Linux kernel networking subsystems lets any unprivileged local user become ro https://t.co/iskAtvIOh8 #DevOps #Security
Aaryan Bansal@NotUnHackable
30 days ago
NEW Linux vuln dropped — "Dirty Frag" (CVE-2026-43284/43500). No patch yet. Chains ESP + RxRPC bugs to get root. Affects kernels from 2017-2023. PoC already exists. Arch, Ubuntu, Debian, Fedora all in scope. Disable esp4/esp6/rxrpc NOW.
𝔸𝕟𝕠𝕟𝕪𝕞𝕠𝕦𝕤 ℍ𝕒𝕔𝕜𝕥𝕚𝕧𝕚𝕤𝕥☭⃠🅇@YourAnon_irc
30 days ago
Critical zero-days actively exploited: Ivanti EPMM (CVE-2026-6973) & Palo Alto PAN-OS (CVE-2026-0300) allow RCE/root access. Linux "Dirty Frag" (CVE-2026-43284) also grants root. Immediate threats to data privacy & integrity in transit. Patch now! #Cybersecurity #ZeroDay #News
Mēås@castomeas
30 days ago
Linux in 2026 ...🥲 Dirty Frag (CVE-2026-43284)? Not on my machine 🛡️ ESP/RxRPC modules blocked and initramfs clean #Linux #CyberSecurity #DirtyFrag #Ubuntu #CVE202643284 https://t.co/qnqSohwBxZ
VulDB 🛡@vuldb
30 days ago
Our CTI team identified a lot of activities targeting Linux Kernel (CVE-2026-43284) https://t.co/AenG45LQqp
Gray Hats@the_yellow_fall
30 days ago
The Dirty Frag Linux vulnerability (CVE-2026-43284 & CVE-2026-43500) is being actively exploited in the wild. Learn how to secure your servers from this root LPE exploit. #DirtyFrag #LinuxSecurity #CyberSecurity #ZeroDay #Vulnerability #ExploitInTheWild https://t.co/aE1kKXrFl7 https://t.co/U6K6y1hFiy
UNRAID@UnraidOfficial
30 days ago
Unraid OS 7.2.6 is now available. This is an important security release that upgrades the Linux kernel to address the "Dirty Frag" local privilege escalation vulnerability (CVE-2026-43284 & CVE-2026-43500). All users should update their systems immediately to stay protected.
CVE-2026-0300
CVSS Score: 9.8/10 | SVRS Score: 94/100 | Audience: 1.69M | Social Media: 114 | News: 22 | Repos: 2
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines https://knowledgebase.paloaltonetworks.com/KCSArticleDetail by restricting access to only trusted internal IP addresses. Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.
Lyrie.ai@lyrie_ai
22 hours ago
The Firewall Flipped: CVE-2026-0300 Turns PAN-OS Captive Portal Into a State-Sponsored Entry Point A critical unauthenticated buffer overflow in Palo Alto Networks PAN-OS — tracked as CVE-2026-0300, CVSS 9.3 — is being actively exploited in the wild by a likely…
Lyrie.ai@lyrie_ai
22 hours ago
A critical unauthenticated buffer overflow in Palo Alto Networks PAN-OS — tracked as CVE-2026-0300, CVSS 9.3 — is being actively exploited in the wild by a likely state-sponsored threat cluster designated CL-STA-1132. The vulnerability lives in the User-ID™ Authentication…
Lyrie.ai@lyrie_ai
22 hours ago
CVE-2026-0300 · < 12.1.4 → < 12.1.7 The Firewall Flipped: CVE-2026-0300 Turns PAN-OS Captive Portal Into a State-Sponsored Entry Point
Alexander Leonov@leonov_av
1 day ago
🚨 PAN-OS RCE (CVE-2026-0300): unauth buffer overflow in User-ID Auth Portal → root RCE, in-the-wild exploit May 6, CISA KEV + public PoC same day, ~135k exposed #PANOS #RCE #KEV ➡️ https://t.co/fwRpwYCLvC https://t.co/z3Tmj3g6mP
Lyrie.ai@lyrie_ai
3 days ago
Palo Alto Networks issued an emergency advisory today confirming active exploitation of CVE-2026-0300, a buffer overflow vulnerability affecting the User-ID Authentication Portal—also called the Captive Portal—service in PAN-OS.
Lyrie.ai@lyrie_ai
3 days ago
Palo Alto Networks confirmed today that a critical, unpatched buffer overflow vulnerability in the User-ID Authentication Portal (CVE-2026-0300) is being actively exploited against internet-exposed PA and VM-series firewalls. Unauthenticated remote attackers can execute…
Lyrie.ai@lyrie_ai
3 days ago
The Portal Just Became the Weapon: Palo Alto PAN-OS CVE-2026-0300 Zero-Day RCE Now Actively Exploited. Palo Alto Networks confirmed today that a critical, unpatched buffer overflow vulnerability in the User-ID Authentication Portal CVE-2026-0300 is being actively…
Lyrie.ai@lyrie_ai
3 days ago
Unpopular opinion: The cybersecurity industry is selling you dashboards. The Portal Just Became the Weapon: Palo Alto PAN-OS CVE-2026-0300 Zero-Day RCE Now Actively Exploited
Umair Haider@UhuUmair
6 days ago
Firewalls are not automatically safe because they are “security devices.” Palo Alto PAN-OS CVE-2026-0300 shows why edge infrastructure needs serious attention. If an attacker can exploit a firewall remotely and gain root-level access, the risk is huge. Edge systems control:
SANS Institute@SANSInstitute
30 days ago
Great breakdown from SANS instructor @fulmetalpackets on CVE-2026-0300. If you manage Palo Alto firewalls, this is worth two minutes of your time. https://t.co/nyBop7Uz9a

CVE Radar

Real-time CVE Intelligence & Vulnerability Management Platform

CVE Radar provides comprehensive vulnerability intelligence by monitoring CVE databases, security advisories, and threat feeds. Get instant updates on new vulnerabilities, exploit details, and mitigation strategies specific to your assets.

F.A.Q.

Find answers to common questions about CVEs and vulnerability intelligence