SonicWall Firewalls Vulnerable to Pre-Auth RCE
SonicWall discloses a critical pre-authentication RCE vulnerability affecting SMA and SonicOS products.
Stay ahead of emerging threats with expert analysis from 118 published security articles, vulnerability reports, and cybersecurity insights — updated daily with the latest CVEs, threat actor campaigns, and security advisories. Opening the week of May 18 – May 24, 2026 (Tuesday outlook): the new week kicks off with back-to-back CRITICAL advisories — NGINX rewrite-module flaw CVE-2026-42945 hit active exploitation within days of disclosure on Monday, an 18-year-old bug now sitting on every NGINX-fronted application stack, and Cisco Catalyst SD-WAN CVE-2026-20182 landed Sunday at CVSS 10.0 under active exploitation by UAT-8616 with no workaround. Carrying forward from last week, Microsoft Exchange XSS CVE-2026-42897 remains under active attack with CISA listing in the Known Exploited Vulnerabilities catalog, May 2026 Patch Tuesday's unauthenticated Netlogon and DNS RCE pair stays the priority server-side patch at CVSS 9.8, and Ivanti EPMM CVE-2026-6973 still triggers the 3-day federal deadline for any organization running on-prem mobile device management. If your business depends on an NGINX-fronted application, a Cisco SD-WAN fabric, on-premises Exchange, or Ivanti EPMM, this week's advisories require action today — start with the article-level remediation steps below.
A critical RCE vulnerability in Atlassian Confluence is being mass-exploited by multiple threat actors.
Ivanti discloses another actively exploited zero-day chain in Connect Secure VPN appliances. CVE-2026-0778 and CVE-2026-0779 allow unauthenticated attackers ...
A critical vulnerability in Microsoft Teams allows attackers to deliver malware through specially crafted meeting invitations.
Nation-state attackers are actively exploiting a critical zero-day in Palo Alto GlobalProtect VPN to breach defense contractors. If you run GlobalProtect, apply the emergency patch now or isolate affected systems from the network immediately.
Qualys discovered nine vulnerabilities in AppArmor affecting 12.6 million Linux servers. CrackArmor enables unprivileged users to achieve root via confused deputy attacks, bypass container isolation, defeat KASLR, and manipulate security policies. All kernels since 4.11 affected.
CISA added CVE-2025-68613 to KEV after confirming active exploitation of n8n automation platform. Five critical RCE vulnerabilities (CVSS 9.4-9.5) allow credential theft via encryption key extraction. 24,700 instances exposed. Federal deadline: March 25, 2026.
SentinelOne documents campaign targeting FortiGate appliances to extract AD/LDAP credentials. Attackers exploit CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858, decrypt config files, and harvest NTDS.dit. Healthcare, government, and MSPs are primary targets.
JFrog discovered malicious npm package @openclaw-ai/openclawai deploying GhostLoader RAT on macOS. The 11,700-line infostealer harvests Keychain, browser credentials, crypto wallets, SSH keys, cloud creds, and enables browser session cloning. 178 developers compromised.
Iranian APT MuddyWater deploys Dindoor backdoor against US banks, airports, and defense contractors using Deno JavaScript runtime. Detect and defend.
Critical Veeam Backup flaw lets attackers delete backup repos without credentials. Ransomware gangs exploiting CVE-2026-29849 to eliminate recovery options.
CISA confirmed active exploitation of CVE-2017-7921 (Hikvision cameras) and CVE-2021-22681 (Rockwell Automation controllers), both CVSS 9.8. Federal agencies must patch by March 26, 2026. Legacy vulnerabilities remain potent weapons in attacker arsenals.
CISA added CVE-2026-22719 (CVSS 8.1) to the Known Exploited Vulnerabilities catalog after confirming active exploitation. The command injection flaw in VMware Aria Operations allows unauthenticated RCE. Federal agencies must patch by March 24, 2026.
Akamai confirms APT28 (Fancy Bear/GRU) was actively exploiting CVE-2026-21513 (CVSS 8.8) in the MSHTML Framework before Microsoft's February patch. The attack uses crafted LNK files to bypass Mark-of-the-Web and execute malicious payloads as trusted local content.
Cisco disclosed CVE-2026-20127 (CVSS 10.0), an authentication bypass in Catalyst SD-WAN that sophisticated threat actor UAT-8616 has exploited since 2023. The attack chain creates rogue peers, downgrades software to exploit older CVEs, and achieves root persistence. CISA issued Emergency Directive 26-03 requiring 24-hour patching.
Former L3Harris contractor Peter Williams sentenced to 87 months for selling eight zero-day exploits to Russian broker Operation Zero for $4 million. The U.S. government simultaneously sanctioned Operation Zero, its leader Sergey Zelenyuk, and connected entities for acquiring cyber tools harmful to national security.
Unit 42 documents active exploitation of CVE-2026-1731 (CVSS 9.9) in BeyondTrust Remote Support and PRA. Attackers are deploying web shells, VShell, Spark RAT, and exfiltrating PostgreSQL dumps. CISA confirms ransomware campaigns are leveraging this vulnerability.
A maximum-severity zero-day in Dell RecoverPoint for Virtual Machines (CVSS 10.0) has been exploited by Chinese state-sponsored hackers since mid-2024. The flaw involves hard-coded Tomcat credentials enabling root access. CISA has added it to the KEV catalog with a 3-day patch deadline.
Four of the most popular VS Code extensions with over 125 million combined installs contain critical vulnerabilities that could let attackers steal files, execute code, and compromise entire organizations from a developer workstation. Three remain unpatched.
A critical pre-authentication RCE vulnerability in BeyondTrust Remote Support and Privileged Remote Access is now being actively exploited after a proof-of-concept was published. With a CVSS of 9.9 and approximately 8,500 unpatched on-premise deployments exposed, organizations must patch immediately.