ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
TeamPCP Supply Chain Campaign: Activity Through 2026-05-17
Published: 2026-05-18
Last Updated: 2026-05-18 20:08:00 UTC
by Kenneth Hartman (Version: 1)
Since the last update, the TeamPCP supply chain campaign produced its loudest stretch since the March Trivy disclosure: an officially confirmed Checkmarx Jenkins plugin compromise and a new self-spreading Mini Shai-Hulud worm across npm and PyPI.
Bottom line up front
Two TeamPCP events broke within 48 hours of each other and doubled attention on the campaign. Checkmarx confirmed its Jenkins AST plugin was trojanized, its third compromise in three months, validating an earlier single-researcher claim. In parallel, a new Mini Shai-Hulud worm poisoned roughly 170 npm and PyPI packages (42 @tanstack packages in about six minutes, downloads above 500 million) and was the first documented npm malware shipping with valid SLSA Build Level 3 provenance, plus a 1-in-6 disk-wipe payload on Israeli and Iranian locale hosts. NHS England issued the campaign's first government alert; CISA stayed silent. Action: audit CI for the indicators below, stop trusting provenance alone, pin and lockfile-verify dependencies.
How this developed
The period opened quiet and derivative: the lead story was PCPJack, a rival worm that evicts TeamPCP before stealing credentials, alongside a single-researcher claim that a Checkmarx Jenkins plugin had been backdoored. Days later it turned loud: Checkmarx officially confirmed that exact Jenkins compromise, and a new Mini Shai-Hulud worm hit the npm and PyPI ecosystems hard. The through-line is escalation: an unconfirmed rumor became a confirmed incident, and the campaign moved from a quiet competitor-eviction story to a high-impact, signed-malware supply chain wave.
What changed, by theme…
Read the full entry: https://isc.sans.edu/diary/TeamPCP+Supply+Chain+Campaign+Activity+Through+20260517/32994/
[Guest Diary] New Malware Libraries means New Signatures
Published: 2026-05-15
Last Updated: 2026-05-15 06:38:33 UTC
by Mark Baggett (Version: 2)
This is a Guest Diary by Gokul Prema Thangavel, an ISC intern as part of the SANS.edu Bachelor Degree Program.
Introduction
The SHA-256… is one of the most-observed Outlaw / Shellbot artifacts on the public internet. VirusTotal first ingested it on 5 July 2018. It is the SHA-256 of the authorized_keys file written by the campaign whose persistence comment string is mdrfckr, a campaign documented in handler diaries, vendor reports, and independent honeypot research for nearly seven years.
This diary does not announce a new campaign. The file hash, the public key, the mdrfckr comment string, the chattr -ia [.]ssh defensive disarm, the chpasswd account hijack, and the /tmp/secure[.]sh competitor cleanup are all well-described in prior reporting. What this diary does add is one new data point in an existing lineage: between 14 and 21 April 2026, my DShield sensor observed the mdrfckr campaign using a third libssh client version that has not, to my knowledge, been published as part of this campaign’s hassh chronology. The botnet’s authorized_keys file is unchanged across four years. Its SSH client library is on its third documented major version. Detection rules pinned to the older hasshes will miss the current generation.
The point of this diary is to put the prior reports side by side with my April 2026 observation, document the new hassh, and offer detection-engineering guidance for handlers maintaining #mdrfckr#-aware rules.
What is already known…
Read the full entry: https://isc.sans.edu/diary/Guest+Diary+New+Malware+Libraries+means+New+Signatures/32986/
Simple bypass of the link preview function in Outlook Junk folder
Published: 2026-05-14
Last Updated: 2026-05-14 06:08:25 UTC
by Jan Kopriva (Version: 1)
Besides serving as a place where Microsoft Outlook places suspected spam, the Outlook Junk folder has one additional function that can be quite helpful when it comes to identifying malicious messages. Any e-mail placed in this folder is stripped of all formatting, and destinations of all links included in the message become visible to the user, as you can see in the following images which show the same e-mail when it is placed in the inbox, and when it is placed in the Junk folder…
Having access to this functionality is quite advantageous, since it helps easily and safely inspect where a link included in an e-mail might lead. Moving suspicious messages to the Junk folder and viewing them there is correspondingly one of the tips I often give during security awareness training sessions…
Although I will continue to do so, I will now have to add a caveat based on an experience with a phishing message I found in my Junk folder in April…
Read the full entry: https://isc.sans.edu/diary/Simple+bypass+of+the+link+preview+function+in+Outlook+Junk+folder/32990/
Microsoft May 2026 Patch Tuesday (2026.05.12)
https://isc.sans.edu/diary/Microsoft+May+2026+Patch+Tuesday/32980/
Apple Patches Everything (2026.05.11)
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2026-31431 - Linux kernel: A vulnerability in crypto: algif_aead has been resolved by reverting to operating out-of-place for improved efficiency and simplicity.
Product: Linux kernel
CVSS Score: 0
** KEV since 2026-05-01 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31431
ISC Diary: https://isc.sans.edu/diary/32968
ISC Podcast: https://isc.sans.edu/podcastdetail/9914
CVE-2016-5195 - Linux Kernel Race Condition Vulnerability
Product: Linux Kernel
CVSS Score: 0
** KEV since 2022-03-03 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2016-5195
ISC Diary: https://isc.sans.edu/diary/32968
CVE-2022-0847 - Linux Kernel Privilege Escalation Vulnerability
Product: Linux Kernel
CVSS Score: 0
** KEV since 2022-04-25 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-0847
ISC Diary: https://isc.sans.edu/diary/32968
CVE-2026-0300 - Palo Alto Networks PAN-OS software is vulnerable to a buffer overflow issue in the User-ID™ Authentication Portal, allowing attackers to execute code with root privileges through specially crafted packets.
Product: Palo Alto Networks PAN-OS
CVSS Score: 9.8
** KEV since 2026-05-06 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-0300
ISC Podcast: https://isc.sans.edu/podcastdetail/9922
NVD References:
- https://security.paloaltonetworks.com/CVE-2026-0300
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-0300
CVE-2026-41940 - cPanel is susceptible to an authentication bypass vulnerability in older versions, enabling remote attackers to gain unauthorized control panel access.
Product: cPanel WHM
CVSS Score: 0
** KEV since 2026-04-30 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-41940
ISC Podcast: https://isc.sans.edu/podcastdetail/9916
CVE-2026-6973 - Ivanti EPMM is vulnerable to improper input validation, allowing a remote authenticated user with administrative access to achieve remote code execution.
Product: Ivanti Endpoint Manager Mobile
CVSS Score: 7.2
** KEV since 2026-05-07 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-6973
NVD References:
- https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-6973
CVE-2026-42208 - LiteLLM is vulnerable to an unauthenticated attacker exploiting a database query vulnerability in versions 1.81.16 to 1.83.7, allowing unauthorized access and potential data modification.
Product: LiteLLM
CVSS Score: 0
** KEV since 2026-05-08 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42208
CVE-2026-4670, CVE-2026-5174 - Progress Software MOVEit Automation is vulnerable to authentication bypass, impacting versions before 2025.0.0 and prior, and to privilege escalation due to improper input validation in versions prior to 2025.1.5, 2025.0.9, and 2024.1.8.
Product: Progress MOVEit Automation
CVSS Scores: 7.7 - 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-4670
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-5174
ISC Podcast: https://isc.sans.edu/podcastdetail/9918
NVD References: https://community.progress.com/s/article/MOVEit-Automation-Critical-Security-Alert-Bulletin-April-2026-CVE-2026-4670-CVE-2026-5174
CVE-2026-23631 - Redis-server Lua use-after-free may allow remote code execution
Product: Redis
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-23631
ISC Podcast: https://isc.sans.edu/podcastdetail/9924
NVD References: https://github.com/redis/redis/security/advisories/GHSA-8ghh-qpmp-7826
CVE-2026-25588 - RedisTimeSeries RESTORE invalid memory access may allow remote code execution
Product: RedisTimeSeries
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25588
ISC Podcast: https://isc.sans.edu/podcastdetail/9924
NVD References: https://github.com/RedisTimeSeries/RedisTimeSeries/security/advisories/GHSA-7jwr-g5qv-w3gw
CVE-2026-43869 - Apache Thrift: TSSLTransportFactory.java hostname verification
Product: Apache Thrift
CVSS Score: 7.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-43869
NVD References: https://lists.apache.org/thread/3hsgl1b69wzq3ry39scqbv2dhyl3j52r
CVE-2026-43870 - Apache Thrift: Node.js web_server.js multi-vulnerability
Product: Apache Thrift
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-43870
NVD References: https://lists.apache.org/thread/pgtfq44ltc9t63kxcbqmwqzt45pnhqdy
CVE-2026-42778 - Apache MINA AbstractIoBuffer.getObject() is vulnerable to incomplete fix for CVE-2024-52046 in versions 2.1.0 to 2.1.11 and 2.2.0 to 2.2.6, with the issue resolved in versions 2.1.12 and 2.2.7 by applying the classname allowlist earlier.
Product: Apache MINA
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42778
NVD References: https://lists.apache.org/thread/fhlx5k91hrkgyzh7yk1nghrn3k27gxy0
CVE-2026-42779 - Apache MINA's AbstractIoBuffer.resolveClass() vulnerability allows arbitrary code execution in versions 2.1.X and 2.2.X branches due to a missing fix for CVE-2026-41635.
Product: Apache MINA
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42779
NVD References: https://lists.apache.org/thread/fhlx5k91hrkgyzh7yk1nghrn3k27gxy0
CVE-2026-40682 - Apache OpenNLP DictionaryEntryPersistor allows for XXE via Unsanitized Dictionary Parsing, affecting versions before 2.5.9 and before 3.0.0-M3.
Product: Apache OpenNLP
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40682
NVD References: https://lists.apache.org/thread/r6jpt0qr9nj67gqhppqg7jxf8vsbo0w6
CVE-2026-42027 - Apache OpenNLP ExtensionLoader allows arbitrary class instantiation via model manifest, potentially leading to unauthorized static initializer execution and side effects.
Product: Apache OpenNLP
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42027
NVD References: https://lists.apache.org/thread/ltlo4powjfc0w2w2yyl1o5tc7q1gcb2y
CVE-2026-42809 - Apache Polaris can issue temporary storage credentials during staged table creation before validating the effective table location, allowing attackers to choose a reachable target location.
Product: Apache Polaris
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42809
NVD References: https://lists.apache.org/thread/8tfsr8y7pgq6rdcvjx95hkcr47td671r
CVE-2026-42810 - Apache Polaris accepts literal `*` characters in namespace and table names, causing vulnerabilities in S3 IAM resource patterns and `s3:prefix` conditions.
Product: Apache Polaris
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42810
NVD References: https://lists.apache.org/thread/gg3qq9sqg4hdjmprqy46p40xmln61dm9
CVE-2026-42811 - Apache Polaris is vulnerable to credential-broadening behavior due to a crafted namespace or table name in GCS credentials.
Product: Apache Polaris
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42811
NVD References: https://lists.apache.org/thread/hovn5hmkj9wj7v9cd8sn67svg03klgvg
CVE-2026-42812 - Apache Iceberg is vulnerable to an issue where changing the `write.metadata.path` property can allow attackers to write table metadata to an attacker-chosen location without proper validation.
Product: Apache Iceberg
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42812
NVD References: https://lists.apache.org/thread/wxd2wj3p0smvrk84msv317wg5tp3jtw9
CVE-2026-23918, CVE-2026-24072, CVE-2026-28780, CVE-2026-29168, CVE-2026-29169, CVE-2026-34059 - Multiple vulnerabilities in Apache HTTP Server.
Product: Apache HTTP Server
CVSS Scores: 7.3 - 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-23918 (double free)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24072 (improper privilege management)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-28780 (heap-based buffer overflow)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-29168 (allocation of resources without limits or throttling)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-29169 (NULL pointer dereference)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34059 (buffer over-read)
NVD References: https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2026-40010 - Apache Wicket is vulnerable to session fixation attacks if the servlet HTTP request's changeSessionId method is not invoked after session binding, impacting versions 8.0.0 through 8.17.0, 9.0.0, and 10.0.0 through 10.8.0, with the issue resolved in version 10.9.0.
Product: Apache Wicket
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40010
CVE-2026-5081 - Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure due to the use of the UNIQUE_ID environment variable, making session ids easily guessable.
Product: Apache::Session::Generate::ModUniqueId
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-5081
CVE-2025-14543 - Connext Professional (Core Libraries) allows Serialized Data External Linking through Improper Restriction of XML External Entity Reference vulnerability.
Product: RTI Connext Professional
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-14543
NVD References: https://www.rti.com/vulnerabilities/#cve-2025-14543
CVE-2025-71284 - Synway SMG Gateway Management Software is vulnerable to OS command injection in the RADIUS configuration endpoint, allowing unauthenticated remote attackers to achieve remote code execution.
Product: Synway SMG Gateway Management Software
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-71284
NVD References: https://www.vulncheck.com/advisories/synway-smg-gateway-management-software-os-command-injection-via-radius-address
CVE-2026-33446, CVE-2026-33447 - Secure Access buffer overflow vulnerabilities.
Product: Secure Access
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33446
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33447
NVD References:
- https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33446
- https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33447
CVE-2026-35051, CVE-2026-39858 - Traefik authentication bypass vulnerabilities
Product: Traefik
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-35051
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-39858
NVD References:
- https://github.com/traefik/traefik/security/advisories/GHSA-6384-m2mw-rf54
- https://github.com/traefik/traefik/security/advisories/GHSA-5m6w-wvh7-57vm
CVE-2026-42994 - Bitwarden CLI 2026.4.0 from 2026-04-22T21:57Z to 2026-04-22T23:30Z, sourced from npm, contained embedded malicious code due to a Checkmarx supply chain incident.
Product: Bitwarden CLI
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42994
NVD References: https://community.bitwarden.com/t/bitwarden-statement-on-checkmarx-supply-chain-incident/96127
CVE-2026-42482, CVE-2026-42483, CVE-2026-42484 - Buffer overflow vulnerabilities in Hashcat v7.1.2.
Product: Hashcat 7.1.2
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42482
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42483
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42484
NVD References: https://gist.github.com/sgInnora/107f2eb20367e47d58c911e38d56a91f
CVE-2026-37531 - AGL app-framework-main up to version 17.1.12 is vulnerable to a Zip Slip path traversal and TOCTOU race condition during widget installation, allowing for potential file writing anywhere on the filesystem regardless of verification failure.
Product: AGL app-framework-main
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-37531
CVE-2026-37534 - Open-SAE-J1939 allows attackers to write to arbitrary memory via a crafted sequence number in a CAN frame.
Product: Open-SAE
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-37534
CVE-2026-37541 - Open Vehicle Monitoring System 3 (OVMS3) 3.3.005 is vulnerable to a buffer overflow in canformat_gvret.cpp, allowing remote attackers to trigger a denial of service or potentially execute arbitrary code.
Product: Open Vehicle Monitoring System OVMS3
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-37541
NVD References: https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381
CVE-2026-42364, CVE-2026-42368 - Vulnerabilities in GeoVision LPC2011/LPC2211 1.10.
Product: GeoVision LPC2011/LPC2211
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42364 (OS command injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42368 (incorrect privilege assignment)
NVD References:
- https://talosintelligence.com/vulnerability_reports/
- https://www.geovision.com.tw/cyber_security.php
CVE-2026-42369, CVE-2026-42370, CVE-2026-7372 - Out of bounds write vulnerabilities in GV-VMS V20.
Product: GeoVision GV-VMS V20
CVSS Scores: 9.0 - 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42369
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42370
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-7372
NVD References:
- https://talosintelligence.com/vulnerability_reports/
- https://www.geovision.com.tw/cyber_security.php
CVE-2026-7161 - GeoVision GV-IP Device Utility 9.0.5 allows credential leakage through insufficient encryption in the Device Authentication functionality.
Product: Geovision GV-IP Device Utility
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-7161
NVD References:
- https://talosintelligence.com/vulnerability_reports/
- https://www.geovision.com.tw/cyber_security.php
CVE-2026-7482 - Ollama before 0.17.1 has a heap out-of-bounds read vulnerability in the GGUF model loader, allowing attackers to leak sensitive data by supplying a malicious GGUF file to the /api/create endpoint and uploading the resulting artifact through the /api/push endpoint.
Product: Ollama
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-7482
CVE-2026-25293 - Buffer overflow due to incorrect authorization in PLC FW
Product: Qualcomm QCA7005
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25293
NVD References: https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html
CVE-2026-42090 - Notesnook had a stored XSS vulnerability in the note export flow that could be escalated to remote code execution in the desktop app prior to versions 3.3.15 for Web/Desktop and 3.3.20 for iOS/Android.
Product: Notesnook
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42090
NVD References: https://github.com/streetwriters/notesnook/security/advisories/GHSA-fjm8-jg78-89h4
CVE-2026-42373 through CVE-2026-42376 - D-Link hardware has hardcoded telnet backdoors that grant root access to unauthenticated attackers on the local network.
Product: D-Link
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42373 (DIR-605L)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42374 (DIR-600L)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42375 (DIR-600L)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42376 (DIR-456U)
NVD References:
- https://www.securin.io/zero-day/cve-2026-42373-hardcoded-telnet-backdoor-in-d-link-dir-605l-b2-end-of-life-
- https://www.securin.io/zero-day/cve-2026-42374-hardcoded-telnet-backdoor-in-d-link-dir-600l-b1-end-of-life-
- https://www.securin.io/zero-day/cve-2026-42375-hardcoded-telnet-backdoor-in-d-link-dir-600l-a1-end-of-life-
- https://www.securin.io/zero-day/cve-2026-42376-hardcoded-telnet-backdoor-in-d-link-dir-456u-a1-end-of-life-
CVE-2026-7853, CVE-2026-7854 - D-Link DI-8100 16.07.26A1 is vulnerable to remote buffer overflow attacks
Product: D-Link DI-8100
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-7853
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-7854
CVE-2026-0073 - The adbd_tls_verify_cert vulnerability in auth.cpp of wireless ADB allows a bypass of mutual authentication, potentially leading to remote code execution as the shell user without additional privileges.
Product: Google Android
CVSS Score: 8.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-0073
ISC Podcast: https://isc.sans.edu/podcastdetail/9922
NVD References: https://source.android.com/docs/security/bulletin/2026/2026-05-01
CVE-2026-42233, CVE-2026-42235, CVE-2026-42238 - n8n open source workflow automation platform vulnerabilities
Product: N8N
CVSS Scores: 9.6 - 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42233 (SQL injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42235 (OAuth)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42238 (code injection)
NVD References:
- https://github.com/n8n-io/n8n/security/advisories/GHSA-r6jc-mpqw-m755
- https://github.com/n8n-io/n8n/security/advisories/GHSA-537j-gqpc-p7fq
- https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-4pvg-prr3-9cxr
CVE-2026-42087, CVE-2026-42088 - OpenC3 COSMOS vulnerabilities
Product: OpenC3 COSMOS
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42087 (SQL injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42088 (execution with unnecessary privileges)
NVD References:
- https://github.com/OpenC3/cosmos/security/advisories/GHSA-v529-vhwc-wfc5
- https://github.com/OpenC3/cosmos/security/advisories/GHSA-2wvh-87g2-89hr
CVE-2026-42796 - Arelle before version 2.39.10 allows unauthenticated remote attackers to execute malicious Python code through the plugins query parameter in the /rest/configure endpoint.
Product: Arelle
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42796
NVD References: https://www.vulncheck.com/advisories/arelle-unauthenticated-rce-via-rest-configure
CVE-2026-24118, CVE-2026-24120, CVE-2026-24781, CVE-2026-26332, CVE-2026-26956 - VM2 is vulnerable to sandbox breakout/escape issues
Product: VM2
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24118
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24120
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24781
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26332
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26956
NVD References:
- https://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p
- https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p
- https://github.com/patriksimek/vm2/security/advisories/GHSA-v37h-5mfm-c47c
- https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95
- https://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66
CVE-2026-36356 - The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint.
Product: GoAhead web server
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-36356
CVE-2026-7411 - Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10 are vulnerable to a path traversal attack that can lead to Remote Code Execution (RCE) and system compromise.
Product: Eclipse BaSyx Java Server SDK
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-7411
NVD References: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423
CVE-2026-38431 - ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI), allowing attackers with permission to create or edit email templates to execute code on the server.
Product: ERPNext v15.103.1
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-38431
CVE-2026-27960 - OpenCTI is vulnerable to privilege escalation in versions 6.6.0 through 6.9.12, allowing unauthenticated attackers to query the API as any existing user, but has been patched in version 6.9.13.
Product: OpenCTI
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27960
NVD References: https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-6vvv-vmfr-xhrx
CVE-2026-38428 - Kestra v1.3.3 and before is vulnerable to SQL Injection due to lack of proper input sanitization, allowing attackers to inject SQL expressions into the database query.
Product: Kestra v1.3.3
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-38428
NVD References: https://github.com/kestra-io/kestra/security/advisories/GHSA-365w-2m69-mp9x
CVE-2026-40281 - Gotenberg allows an unauthenticated attacker to manipulate PDF files and create symlinks or hard links at arbitrary paths by exploiting a vulnerability in versions 8.30.1 and earlier.
Product: Gotenberg
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40281
NVD References: https://github.com/gotenberg/gotenberg/security/advisories/GHSA-q7r4-hc83-hf2q
CVE-2026-40982 - Spring Cloud Config allows directory traversal attacks through specially crafted URLs, affecting versions 3.1.0 through 4.3.2.
Product: Spring Cloud Config
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40982
NVD References: https://spring.io/security/cve-2026-40982
CVE-2026-33587 - Open Notebook v1.8.3 is vulnerable to Server-Side Template Injection (SSTI) due to a lack of user input sanitisation, allowing execution of Python code and OS commands in the Docker container.
Product: Open-Notebook
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33587
NVD References: https://github.com/lfnovo/open-notebook/security/advisories/GHSA-f35w-wx37-26q7
CVE-2026-41589 - Wish SSH server, versions 2.0.0 to before 2.0.1, is vulnerable to path traversal attacks in the SCP middleware allowing malicious clients to read/write arbitrary files and directories.
Product: Wish SSH server
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-41589
NVD References: https://github.com/charmbracelet/wish/security/advisories/GHSA-xjvp-7243-rg9h
CVE-2026-37709 - Grokability Snipe-IT v.8.4.0 and before allows remote attackers to execute arbitrary code via insecure permissions in UploadedFilesController.php.
Product: Grokability Snipe-IT
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-37709
NVD References: https://github.com/grokability/snipe-it/security/advisories/GHSA-xg82-2hrv-hf64
CVE-2026-42880 - Argo CD versions 3.2.0 to 3.2.11 and 3.3.0 to 3.3.9 have a missing authorization flaw that allows attackers with read-only access to extract plaintext Kubernetes Secret data from etcd.
Product: Argo CD
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42880
NVD References: https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3
CVE-2026-43534 - OpenClaw before 2026.4.10 has an input validation flaw allowing malicious hook names to be used for escalating untrusted input into a higher-trust agent context.
Product: OpenClaw
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-43534
NVD References: https://github.com/openclaw/openclaw/security/advisories/GHSA-7g8c-cfr3-vqqr
CVE-2026-43566 - OpenClaw versions 2026.4.7 before 2026.4.14 have a privilege escalation vulnerability that allows attackers to maintain an owner-like execution context by sending untrusted webhook wake events.
Product: OpenClaw
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-43566
NVD References: https://github.com/openclaw/openclaw/security/advisories/GHSA-g2hm-779g-vm32
CVE-2026-43575 - OpenClaw versions 2026.2.21 before 2026.4.10 have an authentication bypass vulnerability in the noVNC helper route, exposing browser session credentials to unauthorized access.
Product: OpenClaw
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-43575
NVD References: https://github.com/openclaw/openclaw/security/advisories/GHSA-92jp-89mq-4374
CVE-2026-43578 - OpenClaw versions 2026.3.31 before 2026.4.10 are vulnerable to privilege escalation through untrusted completion content, allowing attackers to run commands with higher privileges.
Product: OpenClaw
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-43578
NVD References: https://github.com/openclaw/openclaw/security/advisories/GHSA-g375-h3v6-4873
CVE-2026-43581 - OpenClaw before 2026.4.10 has an improper network binding vulnerability in the sandbox browser CDP relay, allowing attackers to access the Chrome DevTools Protocol on 0.0.0.0 outside of intended local sandbox boundaries.
Product: OpenClaw
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-43581
NVD References: https://github.com/openclaw/openclaw/security/advisories/GHSA-525j-hqq2-66r4
CVE-2026-44109 - OpenClaw before 2026.4.15 is vulnerable to an authentication bypass flaw in Feishu webhook and card-action validation, allowing unauthenticated requests to bypass signature verification and execute arbitrary commands.
Product: OpenClaw
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-44109
NVD References: https://github.com/openclaw/openclaw/security/advisories/GHSA-xh72-v6v9-mwhc
CVE-2026-31705 - ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment
Product: Linux Kernel
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31705
CVE-2026-31718 - ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger
Product: Linux Kernel
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-31718
CVE-2026-43011 - The Linux kernel had a vulnerability in net/x25 that could result in a double free of skb.
Product: Linux Kernel
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-43011
CVE-2026-43038 - The Linux kernel vulnerability in ip6_err_gen_icmpv6_unreach() has been resolved by clearing the skb2->cb[].
Product: Linux Kernel
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-43038
CVE-2026-43039 - The Linux kernel is vulnerable to leaking kernel heap contents to userspace due to uninitialized heap memory in the net: ti: icssg-prueth driver, which is resolved by copying the received packet data and removing the skb_mark_for_recycle call.
Product: Linux Kernel
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-43039
CVE-2026-43500 - Linux Kernel RxRPC Page-Cache Write
Product: Linux Kernel
CVSS Score: 7.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-43500
*** NO CUSTOMER ACTION REQUIRED ***
CVE-2026-33109 - Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability
Product: Azure Managed Instance for Apache Cassandra
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33109
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33109
CVE-2026-33823 - Microsoft Team Events Portal Information Disclosure Vulnerability
Product: Microsoft Teams
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33823
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33823
CVE-2026-33844 - Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability
Product: Microsoft Azure Managed Instance for Apache Cassandra
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33844
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33844
CVE-2026-35428 - Azure Cloud Shell Spoofing Vulnerability
Product: Azure Cloud Shell
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-35428
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35428
CVE-2026-42826 - Azure DevOps Information Disclosure Vulnerability
Product: Microsoft Azure DevOps
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42826
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42826
CVE-2026-40379 - Microsoft Enterprise Security Token Service (ESTS) Spoofing Vulnerability
Product: Microsoft Enterprise Security Token Service (ESTS)
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40379
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40379
CVE-2026-26129 - M365 Copilot Information Disclosure Vulnerability
Product: Microsoft M365 Copilot
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26129
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26129
CVE-2026-26164 - M365 Copilot Information Disclosure Vulnerability
Product: Microsoft M365 Copilot
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26164
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26164
CVE-2026-33111 - Copilot Chat (Microsoft Edge) Information Disclosure Vulnerability
Product: Microsoft Copilot Chat
CVSS Score: 7.5
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33111
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33111
CVE-2026-34327 - Microsoft Partner Center Spoofing Vulnerability
Product: Microsoft Partner Center
CVSS Score: 8.2
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34327
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34327
CVE-2026-35435 - Azure AI Foundry Elevation of Privilege Vulnerability
Product: Microsoft Azure AI Foundry M365 published agents
CVSS Score: 8.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-35435
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35435
CVE-2026-41105 - Azure Monitor Action Group Notification System Elevation of Privilege Vulnerability
Product: Azure Notification Service
CVSS Score: 8.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-41105
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41105