Vulnerabilities
Google's Threat Intelligence Group caught attackers exploiting CVE-2026-5426, a hardcoded ASP.NET machineKey in Digital Knowledge's KnowledgeDeliver LMS, to forge ViewState payloads, drop the Godzilla web shell, and stage Cobalt Strike Beacon. The patch alone is not enough.
Vulnerabilities
CVE-2026-48172, a CVSS 10.0 flaw in the LiteSpeed User-End cPanel plugin, lets anyone with a valid cPanel account run code as root. LiteSpeed confirms it is being actively exploited. On shared hosting, one cheap account is now a path to every account on the server.
Vulnerabilities
Trend Micro's own Incident Response team discovered CVE-2026-34926, a directory-traversal zero-day in Apex One, while it was being exploited. CISA added it to the KEV catalog with a June 4 federal deadline. Its modest 6.7 CVSS score conceals an environment-wide blast radius.
Vulnerabilities
Microsoft patched UnDefend (CVE-2026-41091) and RedSun (CVE-2026-45498), two Defender zero-days exploited in the wild since April. Their purpose is the security tool itself — one escalates through Defender, the other disables it. Barracuda ties the wave to the researcher behind MiniPlasma.
Vulnerabilities
Microsoft released mitigations for YellowKey (CVE-2026-45585), a BitLocker bypass disclosed by the researcher behind MiniPlasma. A USB port and a reboot defeat the encryption on any TPM-only device — and the only fix is a TPM+PIN configuration change, not a patch.
AI Security
Google Threat Intelligence Group disclosed the first known AI-developed zero-day used in the wild — a Python 2FA bypass intended for mass exploitation. Google identified the LLM fingerprint and coordinated a patch before the campaign could launch.
Vulnerabilities
Nightmare-Eclipse released MiniPlasma May 13, 2026 — a working SYSTEM-level exploit for cldflt.sys on fully patched Windows 11. The bug is CVE-2020-17103, patched by Microsoft in December 2020. The 2020 PoC still works — and no 2026 patch exists.
Vulnerabilities
Microsoft's February patch for a Windows zero-day actively exploited by Russia's APT28 blocked the remote code execution path — but left behind a zero-click authentication coercion flaw. Akamai researchers found it while testing the fix. That flaw is now CVE-2026-32202, confirmed exploited in the wild, and added
Vulnerabilities
A critical authentication vulnerability in cPanel and WebHost Manager allowed attackers to access hosting control panels without valid credentials — and exploits were confirmed in the wild before the emergency patch was released on April 28, 2026. HOUSTON, TX — cPanel has issued an emergency security update to address a critical flaw
Vulnerabilities
Microsoft Defender LPE (CVE-2026-33825) added to KEV catalog after Huntress confirms wild exploitation; 2 related zero-days remain unpatched. WASHINGTON, D.C. — The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent mandate for all Federal Civilian Executive Branch (FCEB) agencies to patch a high-severity Microsoft Defender zero-day. The vulnerability,
Application Security
In a landmark moment for automated defense, Mozilla has patched 271 vulnerabilities in the latest version of Firefox — all identified by Anthropic’s specialized security model, Mythos. Mountain View, CA — Mozilla has released Firefox 150, an update that may represent the single largest leap in automated browser hardening to date.
Microsoft Ecosystem
The inaugural live hacking event at Microsoft’s Redmond campus resulted in the discovery of nearly 700 vulnerabilities, including over 80 high-impact flaws in Cloud and AI infrastructure. REDMOND, WA — Microsoft has officially concluded its "Zero Day Quest" 2026, awarding a total of $2.3 million to security