Flowise AI CVE-2025-59528: 12,000 Instances Vulnerable to RCE
CVE-2025-59528 is a CVSS 10.0 RCE flaw in Flowise AI agent builder with 12,000 exposed instances. Here is who is affected, how to check, and what to patch.
Opening the week of May 18 – May 24, 2026 (Tuesday outlook): the new week kicks off with back-to-back CRITICAL advisories. NGINX rewrite-module flaw CVE-2026-42945 hit active exploitation within days of disclosure on Monday, an 18-year-old bug now sitting on every NGINX-fronted application stack, and Cisco Catalyst SD-WAN CVE-2026-20182 landed Sunday at CVSS 10.0 under active exploitation by UAT-8616 with no workaround. Carrying forward from last week, Microsoft Exchange XSS CVE-2026-42897 remains under active attack with CISA listing in the Known Exploited Vulnerabilities catalog, May 2026 Patch Tuesday's unauthenticated Netlogon and DNS RCE pair stays the priority server-side patch at CVSS 9.8, and Ivanti EPMM CVE-2026-6973 still triggers the 3-day federal deadline for any organization running on-prem mobile device management. If your business depends on an NGINX-fronted application, a Cisco SD-WAN fabric, on-premises Exchange, or Ivanti EPMM, this week's advisories require action today; start with the article-level remediation steps below.
North Korean hackers spent six months building trust with Drift Protocol contributors before stealing $285 million. The operation involved fake personas, conference appearances, and a million-dollar deposit to establish credibility before exploiting VS Code and TestFlight attack vectors.
Security researchers discovered 36 malicious npm packages impersonating Strapi CMS plugins. The packages exploit Redis and PostgreSQL databases, deploy reverse shells, harvest credentials, and target cryptocurrency platforms with hard-coded database credentials.
North Korean hackers drained $285 million from Solana-based Drift Protocol using social engineering to compromise multi-signature approvals. The attack involved no code exploits, just patient manipulation of human trust over several weeks.
Google patched CVE-2026-5281, a high-severity use-after-free vulnerability in Chrome's Dawn WebGPU implementation that is being actively exploited in the wild. This marks the fourth Chrome zero-day of 2026, and CISA has already added it to the Known Exploited Vulnerabilities catalog.
Check Point researchers discovered a ChatGPT vulnerability allowing silent data exfiltration via DNS queries from the code execution sandbox. Separately, BeyondTrust found a critical command injection flaw in OpenAI Codex that enabled GitHub token theft through malicious branch names.
Censys discovered CTRL, a Russian RAT using named pipes and RDP tunneling to evade network monitoring. It is built to stay hidden while maintaining full network access.
Iran-linked Handala Hack breached FBI Director Kash Patel's email and unleashed wiper malware on Stryker, the first destructive attack on a US Fortune 500 company.
Three critical vulnerabilities in LangChain and LangGraph let attackers steal files from filesystems, siphon API keys and environment secrets, and pillage conversation histories. With 84 million weekly downloads, most enterprise AI deployments are affected.
Security researchers at Cyera disclosed three vulnerabilities in LangChain and LangGraph affecting millions of AI applications. Path traversal, deserialization, and SQL injection flaws expose filesystem contents, environment secrets, and conversation histories.
Over 340 organizations across five countries were compromised in an aggressive device code phishing campaign exploiting the OAuth device authorization flow. Attackers harvest tokens that survive password resets using the PhaaS platform EvilTokens.
TeamPCP has compromised LiteLLM, a Python package present in 36% of cloud environments. Malicious versions 1.82.7 and 1.82.8 deploy credential harvesters, Kubernetes lateral movement tools, and persistent backdoors.
Oracle patches CVE-2026-21992, a pre-auth RCE in Identity Manager scoring 9.8 CVSS. No credentials are needed to exploit it. Emergency patches are available now.
A second supply chain attack on Trivy compromised 75 GitHub Actions tags and spawned a credential-stealing worm across 47 npm packages. Check your CI pipeline.
U.S. authorities dismantled four IoT botnets (AISURU, Kimwolf, JackSkid, Mossad) responsible for the largest DDoS attacks ever recorded. Over 3 million enslaved devices generated attacks exceeding 31 Tbps.
Over 2,000 Kubernetes clusters were compromised through RBAC misconfigurations. Attackers deploy cryptominers via default service accounts. Check your clusters now.
A critical authentication bypass in Veeam Backup & Replication allows attackers to delete backup repositories without credentials.
A critical VMware ESXi flaw lets attackers escape guest VMs and execute code on the hypervisor. If you run ESXi, this needs immediate patching.
A sophisticated iOS exploit kit chains six vulnerabilities, including three zero-days, to achieve complete device takeover. Multiple threat actors, including Russian espionage groups and commercial surveillance vendors, have been observed using DarkSword against targets in Ukraine, Saudi Arabia, and Turkey.
Nine critical vulnerabilities in budget IP KVM switches from GL-iNet, Angeet, Sipeed, and JetKVM allow unauthenticated code execution and hardware-level access.