Vulnerabilities
CVE-2026-48172, a CVSS 10.0 flaw in the LiteSpeed User-End cPanel plugin, lets anyone with a valid cPanel account run code as root. LiteSpeed confirms it is being actively exploited. On shared hosting, one cheap account is now a path to every account on the server.
Vulnerabilities
Ubiquiti has patched three maximum-severity flaws in UniFi OS — the operating system behind its gateways, Dream Machines, and network video recorders. All three are rated CVSS 10.0, and all three are remotely exploitable by an attacker with no privileges.
Vulnerabilities
Trend Micro's own Incident Response team discovered CVE-2026-34926, a directory-traversal zero-day in Apex One, while it was being exploited. CISA added it to the KEV catalog with a June 4 federal deadline. Its modest 6.7 CVSS score conceals an environment-wide blast radius.
Vulnerabilities
Cisco patched CVE-2026-20223, a CVSS 10.0 flaw in Cisco Secure Workload: insufficient authentication on internal REST API endpoints lets an unauthenticated attacker seize Site Admin — full control of the microsegmentation platform built to contain attackers.
Vulnerabilities
Drupal shipped an out-of-band 'Highly Critical' fix for CVE-2026-9082, an unauthenticated SQL injection in Drupal core affecting every PostgreSQL-backed site. Maintainers warned exploits could land within hours — for a core flaw pre-announced on schedule, the patch window is effectively closed.
Vulnerabilities
Qualys disclosed CVE-2026-46333 — 'ssh-keysign-pwn' — a nine-year-old Linux kernel ptrace flaw that gives an unprivileged user root. Its defining feature is credential theft: the exploit captures SSH keys and shadow-file password hashes, so a patched kernel does not end the exposure.
Vulnerabilities
Microsoft patched UnDefend (CVE-2026-41091) and RedSun (CVE-2026-45498), two Defender zero-days exploited in the wild since April. Their purpose is the security tool itself — one escalates through Defender, the other disables it. Barracuda ties the wave to the researcher behind MiniPlasma.
Vulnerabilities
Microsoft released mitigations for YellowKey (CVE-2026-45585), a BitLocker bypass disclosed by the researcher behind MiniPlasma. A USB port and a reboot defeat the encryption on any TPM-only device — and the only fix is a TPM+PIN configuration change, not a patch.
Vulnerabilities
cPanel released its second emergency Technical Security Release in 10 days on May 8, patching three new vulnerabilities (CVE-2026-29201, CVE-2026-29202, CVE-2026-29203) just after CVE-2026-41940 compromised an estimated 44,000 servers. The pattern is the story.
Vulnerabilities
CISA confirmed active exploitation of two vulnerabilities — a ConnectWise ScreenConnect path traversal flaw linked to Medusa ransomware and a Microsoft Windows Shell spoofing bug attributed to Russian APT28 — adding both to its Known Exploited Vulnerabilities catalog with a federal patching deadline of May 12, 2026. WASHINGTON, D.C. — The Cybersecurity
Vulnerabilities
A critical authentication vulnerability in cPanel and WebHost Manager allowed attackers to access hosting control panels without valid credentials — and exploits were confirmed in the wild before the emergency patch was released on April 28, 2026. HOUSTON, TX — cPanel has issued an emergency security update to address a critical flaw
Vulnerabilities
A file-upload bug in the Breeze Cache plugin is under active exploitation, but only sites with the optional “Host Files Locally – Gravatars” feature enabled appear exposed. The issue highlights how a niche plugin setting can create outsized risk across a large WordPress install base. VALENCIA, SPAIN — Threat actors have begun