Vulnerabilities
Ubiquiti has patched three maximum-severity flaws in UniFi OS — the operating system behind its gateways, Dream Machines, and network video recorders. All three are rated CVSS 10.0, and all three are remotely exploitable by an attacker with no privileges.
Vulnerabilities
Trend Micro's own Incident Response team discovered CVE-2026-34926, a directory-traversal zero-day in Apex One, while it was being exploited. CISA added it to the KEV catalog with a June 4 federal deadline. Its modest 6.7 CVSS score conceals an environment-wide blast radius.
Vulnerabilities
Cisco patched CVE-2026-20223, a CVSS 10.0 flaw in Cisco Secure Workload: insufficient authentication on internal REST API endpoints lets an unauthenticated attacker seize Site Admin — full control of the microsegmentation platform built to contain attackers.
Vulnerabilities
Drupal shipped an out-of-band 'Highly Critical' fix for CVE-2026-9082, an unauthenticated SQL injection in Drupal core affecting every PostgreSQL-backed site. Maintainers warned exploits could land within hours — for a core flaw pre-announced on schedule, the patch window is effectively closed.
Vulnerabilities
Qualys disclosed CVE-2026-46333 — 'ssh-keysign-pwn' — a nine-year-old Linux kernel ptrace flaw that gives an unprivileged user root. Its defining feature is credential theft: the exploit captures SSH keys and shadow-file password hashes, so a patched kernel does not end the exposure.
Vulnerabilities
Microsoft patched UnDefend (CVE-2026-41091) and RedSun (CVE-2026-45498), two Defender zero-days exploited in the wild since April. Their purpose is the security tool itself — one escalates through Defender, the other disables it. Barracuda ties the wave to the researcher behind MiniPlasma.
Vulnerabilities
Microsoft released mitigations for YellowKey (CVE-2026-45585), a BitLocker bypass disclosed by the researcher behind MiniPlasma. A USB port and a reboot defeat the encryption on any TPM-only device — and the only fix is a TPM+PIN configuration change, not a patch.
Threat Intelligence
Verizon's 19th DBIR re-baselines the threat model: vulnerability exploitation hit 31% of breaches up from 20% — now the #1 vector. Credential abuse fell to 13%. AI is shrinking patching windows from months to hours. Third-party breaches up 60% YoY.
AI Security
Google Threat Intelligence Group disclosed the first known AI-developed zero-day used in the wild — a Python 2FA bypass intended for mass exploitation. Google identified the LLM fingerprint and coordinated a patch before the campaign could launch.
Vulnerabilities
Nightmare-Eclipse released MiniPlasma May 13, 2026 — a working SYSTEM-level exploit for cldflt.sys on fully patched Windows 11. The bug is CVE-2020-17103, patched by Microsoft in December 2020. The 2020 PoC still works — and no 2026 patch exists.
Application Security
LayerX disclosed ClaudeBleed on May 6 — a vulnerability in Anthropic's Claude Chrome extension that allowed any other Chrome extension, even one with zero permissions, to send messages to Claude and exfiltrate user data. Anthropic patched in v1.0.70 within 24 hours, but the patch is partial.
Vulnerabilities
cPanel released its second emergency Technical Security Release in 10 days on May 8, patching three new vulnerabilities (CVE-2026-29201, CVE-2026-29202, CVE-2026-29203) just after CVE-2026-41940 compromised an estimated 44,000 servers. The pattern is the story.