Security Articles

Stay ahead of emerging threats with expert analysis from 118 published security articles, vulnerability reports, and cybersecurity insights — updated daily with the latest CVEs, threat actor campaigns, and security advisories. Opening the week of May 18 – May 24, 2026 (Tuesday outlook): the new week kicks off with back-to-back CRITICAL advisories — NGINX rewrite-module flaw CVE-2026-42945 hit active exploitation within days of disclosure on Monday, an 18-year-old bug now sitting on every NGINX-fronted application stack, and Cisco Catalyst SD-WAN CVE-2026-20182 landed Sunday at CVSS 10.0 under active exploitation by UAT-8616 with no workaround. Carrying forward from last week, Microsoft Exchange XSS CVE-2026-42897 remains under active attack with CISA listing in the Known Exploited Vulnerabilities catalog, May 2026 Patch Tuesday's unauthenticated Netlogon and DNS RCE pair stays the priority server-side patch at CVSS 9.8, and Ivanti EPMM CVE-2026-6973 still triggers the 3-day federal deadline for any organization running on-prem mobile device management. If your business depends on an NGINX-fronted application, a Cisco SD-WAN fabric, on-premises Exchange, or Ivanti EPMM, this week's advisories require action today — start with the article-level remediation steps below.

All Articles AdvisoryCyber AttackData BreachExploitMalwareThreat ActorVulnerability
Severity: All Critical High Medium Low
69 articles found
Featured Story
critical
May 19, 2026
criticalCVE AdvisoryVulnerability

CRITICAL: 'MiniPlasma' Windows 0-Day Resurrects 2020 SYSTEM Escalation Bug Microsoft Thought It Killed

A working zero-day exploit dubbed MiniPlasma escalates standard users to SYSTEM on fully patched Windows 11. It abuses cldflt.sys, the same Cloud Filter driver behind CVE-2020-17103 that Microsoft 'fixed' in 2020. PoC is public on GitHub. No patch yet. Assume compromise paths exist on every Windows endpoint until the next Patch Tuesday.

By Danny MercerRead Full Article
critical
CVE AdvisoryVulnerabilityMay 18, 2026

CRITICAL: 18-Year-Old NGINX Rewrite Module Flaw Hits Active Exploitation in Days

A heap buffer overflow lurking in NGINX's ngx_http_rewrite_module since 2008 went from coordinated disclosure to active in-the-wild exploitation in roughly seventy-two hours. CVE-2026-42945 affects every release from 0.6.27 through 1.30.0 across both Open Source and Plus, can crash worker processes trivially, and can reach remote code execution on hosts where ASLR is disabled. Patches are available in NGINX 1.30.1 and 1.31.0.

Read more
critical
CVE AdvisoryVulnerabilityMay 17, 2026

CRITICAL: Cisco Catalyst SD-WAN CVE-2026-20182 Hits CVSS 10.0 with Active Exploitation by UAT-8616

Cisco patched CVE-2026-20182, a CVSS 10.0 authentication bypass in Catalyst SD-WAN Controller and Manager that lets an unauthenticated remote attacker gain administrative access via the vdaemon peering service on UDP/12346. CISA added the flaw to its Known Exploited Vulnerabilities catalog with a federal remediation deadline of May 17, 2026. Threat cluster UAT-8616 is actively exploiting it. No workarounds, only patches.

Read more
critical
CVE AdvisoryVulnerabilityMay 12, 2026

CRITICAL: cPanel WHM Authentication Bypass CVE-2026-41940 Exploited for Two Months Before Patch

cPanel and WHM are bleeding root through CVE-2026-41940, a CVSS 9.8 CRLF-injection authentication bypass that has been exploited in the wild since late February 2026. The April 28 patch is available now, but attackers running automated campaigns from over 2,000 source IPs have been deploying a cross-platform Go backdoor on compromised hosts for two months. Patch immediately and assume breach on any internet-exposed unpatched server.

Read more
critical
CVE AdvisoryVulnerabilityMay 6, 2026

CRITICAL: Palo Alto PAN-OS Zero-Day Hands Attackers Root on Internet-Facing Firewalls (CVE-2026-0300)

CVE-2026-0300 is an unauthenticated buffer overflow in the PAN-OS User-ID Authentication Portal that grants root code execution on PA-Series and VM-Series firewalls. Palo Alto has confirmed limited in-the-wild exploitation against internet-exposed portals. CVSS scores 9.3 for internet-exposed deployments, 8.7 for trusted-network only. Patches roll out from May 13 through May 28, 2026.

Read more
critical
CVE AdvisoryVulnerabilityMay 2, 2026

CRITICAL: Google Patches CVSS 10 Gemini CLI Flaw That Turned CI Workspaces Into Free RCE

A maximum severity CVSS 10.0 flaw in Google Gemini CLI headless mode let any attacker who could drop a .gemini directory into a CI workspace execute code on the runner host. Tracked as GHSA-wpqr-6v78-jr5g, it is fixed in @google/gemini-cli 0.39.1 and 0.40.0-preview.3, plus run-gemini-cli action 0.1.22. Patch immediately and rotate any secrets reachable from affected pipelines.

Read more
critical
CVE AdvisoryVulnerabilityMay 1, 2026

CRITICAL: Google Gemini CLI Earns CVSS 10 By Trusting Every Folder It Touches

Google patched a CVSS 10.0 remote code execution flaw in the Gemini CLI that let attackers hijack CI/CD pipelines through malicious .gemini/ configurations in untrusted workspaces. The advisory ships under GHSA-wpqr-6v78-jr5g without a CVE assigned, and any organization running the run-gemini-cli GitHub Action without a pinned version was carrying the vulnerable code by default.

Read more
critical
CVE AdvisoryVulnerabilityApr 30, 2026

CRITICAL: GitHub Enterprise Server RCE via a Single Git Push (CVE-2026-3854)

Wiz researchers disclosed CVE-2026-3854 on April 28, a critical remote code execution flaw in GitHub Enterprise Server that turns a single authenticated git push into full server compromise. Roughly 88 percent of internet-exposed Enterprise Server instances were unpatched at disclosure. GitHub.com and Enterprise Cloud are already fixed, but self-hosted admins must upgrade to 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4, or 3.20.0.

Read more
critical
CVE AdvisoryVulnerabilityApr 25, 2026

CRITICAL: FIRESTARTER Backdoor Survives Cisco Firewall Patches in ArcaneDoor Federal Breach

CISA and the UK NCSC went public with a joint advisory on FIRESTARTER, a stealth implant tied to the UAT-4356 ArcaneDoor crew that survived firmware updates and security patches on a Cisco Firepower device inside a federal civilian agency. The malware chains CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 to gain root on Cisco ASA and FTD appliances, then hooks LINA and persists through reboots until a hard power cycle is performed.

Read more
critical
CVE AdvisoryVulnerabilityApr 22, 2026

CRITICAL: Microsoft Patches CVSS 9.1 ASP.NET Core Flaw Letting Attackers Forge Authentication Cookies on Linux

Microsoft published an advisory for CVE-2026-40372, a CVSS 9.1 elevation-of-privilege flaw in Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6 that lets a network-positioned attacker forge authentication cookies and decrypt protected payloads. The bug primarily affects Linux and macOS deployments where the managed authenticated encryptor computes its HMAC tag over the wrong bytes and skips the comparison entirely. Patch to 10.0.7 immediately and rotate the DataProtection key ring if the application was internet-exposed during the vulnerable window.

Read more

Is Your Mobile App Secure?

Our CyberOne MobileAssess platform performs deep static analysis, source code decompilation, and runtime security testing for iOS and Android apps. From one-time assessments to year-long continuous testing, we find what surface-level scanners miss.

Learn About Mobile Pen TestingMSP Partner Program
Page 1 of 4Next

Stay Informed

Subscribe to our newsletter and get the latest security insights delivered to your inbox.