PatchDay Alert

Archive

Every issue of the daily digest.

Newest first. Latest issue: Jun 12, 2026.



June 2026

10 issues
  1. Nº037 JUN 12

    MariaDB Galera hits CVSS 10.0: unauthenticated RCE through a clustering feature

    A shell injection in wsrep_notify_cmd gives attackers full code execution on MariaDB Galera clusters with no auth required. Also: a Chrome macOS use-after-free (8.8), a 389 Directory Server heap smash reachable by any domain user (7.6), and a MongoDB server-side JS memory leak (8.8).

    5 CVEs · 1 Crit · 0 KEV · 4 min
  2. Nº036 JUN 11

    Splunk's 9.8 file-write bug steals the show, plus SQL injection via spreadsheet

    Unauthenticated arbitrary file creation in Splunk's PostgreSQL sidecar (CVE-2026-20253, CVSS 9.8), a CVSS 9.6 SQL injection through RVTools .xlsx imports in migration-planner, and an Apache mod_ldap use-after-free at CVSS 8.6. Dulwich on Windows and SQLite FTS5 round out the set.

    5 CVEs · 2 Crit · 0 KEV · 4 min
  3. Nº035 JUN 10
    Patch Tuesday · Exploited

    Patch Tuesday June 2026: Ivanti Sentry scores a perfect 10, Chrome V8 already under attack

    Three bugs exploited in the wild (Chrome V8, Cisco SD-WAN Manager, Arista EOS), plus a CVSS 10.0 unauthenticated RCE in Ivanti Sentry, a 9.3 Windows kernel privesc, and a 9.8 deserialization RCE in Nuance PowerScribe.

    6 CVEs · 3 Crit · 3 KEV · 5 min
  4. Nº034 JUN 9

    Chrome sandbox escape at 9.6, a VPN auth bypass at 9.3, and Apache httpd going down easy

    Google Chrome has a click-to-own sandbox escape (CVE-2026-11697, CVSS 9.6), a VPN auth bypass lets unauthenticated attackers tunnel in via deprecated IKEv1 (CVE-2026-50751, CVSS 9.3), and Apache mod_http2 has a no-auth DoS that can knock your web server offline (CVE-2026-49975, CVSS 7.5). Perl DBI and the Cereal C++ library round out the list.

    5 CVEs · 2 Crit · 0 KEV · 4 min
  5. Nº033 JUN 8
    Exploited

    SolarWinds Serv-U DoS exploited in the wild, plus a one-packet Comodo BSOD

    CVE-2026-28318 lets unauthenticated attackers crash Serv-U with a single POST request, and attackers are already doing it. Also: a crafted IPv6 packet blue-screens any Windows host running Comodo Internet Security, a Go MIME parsing CPU bomb, and FRRouting BGP crash bugs.

    5 CVEs · 0 Crit · 1 KEV · 4 min
  6. Nº032 JUN 5

    A perfect 10 in Azure HorizonDB and a Copilot RCE you shouldn't ignore

    CVE-2026-48567 is a CVSS 10.0 unauthenticated auth bypass in Azure HorizonDB. Also today: authenticated RCE in Microsoft Copilot (7.7), a Chrome sandbox escape via ImageCapture (7.5), a WordPress site-takeover in Hybrid Composer (9.8), and a DLL-loading trick in SQLite's sqldiff on Windows (9.8).

    5 CVEs · 3 Crit · 0 KEV · 4 min
  7. Nº031 JUN 4

    OpenShift ClusterRole blows wide open, Cisco UCM goes from SSRF to root

    A CVSS 9.6 privilege escalation in OpenShift Pipelines hands any authenticated user write access to Kueue and cert-manager secrets. Plus a Cisco Unified Communications Manager SSRF-to-root chain (CVSS 8.6) and an overprivileged AWS IAM issue in OpenShift Cloud Credential Operator.

    5 CVEs · 1 Crit · 0 KEV · 4 min
  8. Nº030 JUN 3

    A 9.8 WordPress site takeover, a healthcare RCE, and two NI driver bugs

    ARMember Premium lets unauthenticated attackers reset any admin password (CVSS 9.8). Spacelabs Sentinel has a file-write-to-webshell path on port 8989 (CVSS 9.8). NI-PAL driver flaws give local users a privesc and a blue-screen. LibreChat lets any logged-in user hijack another user's API keys.

    5 CVEs · 2 Crit · 0 KEV · 4 min
  9. Nº029 JUN 2

    SharePoint deser RCE, OpenShift HAProxy injection, and a WordPress SQLi from 2018

    CVE-2026-47294 lets any authenticated SharePoint user run code on your server (CVSS 8.0). CVE-2026-1784 turns OpenShift Route objects into HAProxy config injection (CVSS 8.8). Plus an ancient unauthenticated SQLi in WP AutoSuggest finally gets a CVE.

    5 CVEs · 0 Crit · 0 KEV · 4 min
  10. Nº028 JUN 1
    Exploited

    PAN-OS auth bypass exploited in the wild, plus a 9.8 in Redshift and a Chrome sandbox escape

    Attackers are tunneling through Palo Alto firewalls without credentials right now. Also: Amazon's Redshift Python driver has a CVSS 9.8 RCE via eval(), Chrome's WebGPU layer has a 9.6 sandbox escape, and GitHub CLI is leaking auth tokens to external hosts.

    5 CVEs · 2 Crit · 1 KEV · 4 min

May 2026

19 issues
  1. Nº027 MAY 29

    Go SSH silently trusts revoked host keys, NGINX rewrite bypass, and an Oracle DB takeover path

    CVE-2026-42508 (CVSS 9.1) means your Go SSH tooling ignores @revoked markers in known_hosts. Also: an NGINX rewrite module access-control bypass at CVSS 8.1, a Perl Archive::Tar symlink path traversal at 9.1, and an unauthenticated Oracle Database Net listener takeover at 9.0. None exploited in the wild yet.

    5 CVEs · 4 Crit · 0 KEV · 4 min
  2. Nº026 MAY 28
    Exploited

    Two supply chain poisonings, a cPanel root escalation, and a 9.3 XWiki RCE

    Nx Console and TanStack were both hijacked briefly on public registries. Any cPanel user can escalate to root via the LiteSpeed plugin. XWiki's REST API lets unauthenticated attackers import executable packages (CVSS 9.3). Four of today's five are exploited in the wild.

    5 CVEs · 2 Crit · 4 KEV · 4 min
  3. Nº025 MAY 27

    Go SSH host key bypass scores 9.1, NGINX rewrite bug close behind at 8.1

    A Go knownhosts library flaw lets revoked SSH keys pass verification unchecked. Also: NGINX rewrite module exploit (8.1), Linux kernel privesc via skbuff corruption (7.8), dnsmasq DNS poisoning risk (7.5), and curl cookie leaks hitting Azure Linux packages.

    5 CVEs · 1 Crit · 0 KEV · 4 min
  4. Nº024 MAY 26
    Exploited

    Drupal SQLi exploited in the wild, plus a perfect-10 DNS poisoning bug in Unbound

    CVE-2026-9082 is an unauth SQLi in Drupal Core already being exploited. CVE-2026-42960 scores CVSS 10.0 for DNS cache poisoning in Unbound on Azure Linux. Also: rsync memory leak (8.1), Memcached SASL timing side channel (8.1), and a Windows DWM privesc (7.8).

    5 CVEs · 1 Crit · 1 KEV · 4 min
  5. Nº023 MAY 22

    UniFi OS scores a perfect 10.0 RCE, ConnectWise Automate agents can't verify their own updates

    Unauthenticated command injection on UniFi OS devices, a supply-chain plugin verification bypass in ConnectWise Automate (CVSS 8.8), a privilege escalation in LiteLLM, and RCE in three ManageEngine products.

    5 CVEs · 1 Crit · 0 KEV · 4 min
  6. Nº022 MAY 21

    Cisco Secure Workload scores a perfect 10.0: unauth cross-tenant takeover

    Also: a use-after-free in Chrome's DOM engine (CVSS 8.8), a no-click heap overflow in Microsoft Defender's scan engine (CVSS 8.1), an Azure privesc via symlink, and a Splunk session cookie leak.

    5 CVEs · 1 Crit · 0 KEV · 4 min
  7. Nº021 MAY 20

    Keycloak session fixation, a DoS-in-a-packet for 389 DS, and a chroot that does nothing

    Five fixes today: Keycloak SSO hijack (CVE-2026-7507, CVSS 7.5), 389 Directory Server DoS via oversized LDAP controls (CVE-2026-9064, CVSS 7.5), Firefox/Thunderbird privesc (CVE-2026-8970, CVSS 7.3), and two local privilege bugs in PluginScript and haveged where security checks exist but are never enforced. None exploited in the wild yet.

    5 CVEs · 0 Crit · 0 KEV · 4 min
  8. Nº020 MAY 19

    Apache Thrift 9.4 RCE headlines a quiet five-patch day

    A critical unauthenticated bug in Thrift's Node.js server, a Linux kernel USB gadget privesc, curl SMB connection reuse, a Go panic-crash on Windows, and an FRRouting BGP daemon crasher. Nothing exploited in the wild yet.

    5 CVEs · 1 Crit · 0 KEV · 4 min
  9. Nº019 MAY 18

    PostgreSQL buffer overflow, NGINX rewrite bypass, and a ksmbd file handle hijack

    Three 8.0+ CVSS bugs across PostgreSQL's refint module, NGINX's rewrite engine, and Linux's in-kernel SMB server. None exploited in the wild yet, but the PostgreSQL and ksmbd bugs let authenticated attackers run arbitrary SQL or steal other users' files. GnuTLS DTLS crash and an APM symlink leak round out the set.

    5 CVEs · 0 Crit · 0 KEV · 4 min
  10. Nº018 MAY 15

    Cisco SD-WAN scores a perfect 10.0, plus dnsmasq and Go HTTP/2 DoS bugs

    CVE-2026-20182 lets unauthenticated attackers hijack your entire SD-WAN fabric through vSmart/vManage. Also on the list: a CVSS 8.4 dnsmasq bug with sparse details, a Go net/http2 infinite loop, a GnuTLS auth bypass, and a Twisted DNS crash.

    5 CVEs · 1 Crit · 0 KEV · 4 min
  11. Nº017 MAY 14

    OpenTelemetry's Azure auth extension doesn't actually check your tokens

    A CVSS 8.1 bypass in azureauthextension lets any valid Azure token past your OTel collector. Also: two SOGo SQL injection bugs (PostgreSQL, MariaDB), a busted IPv6 allow-list in Auth Proxy, and a Zoom Rooms installer DLL hijack on Windows.

    5 CVEs · 0 Crit · 0 KEV · 4 min
  12. Nº016 MAY 13
    Patch Tuesday

    Patch Tuesday May 2026: DNS and Netlogon RCEs hit 9.8, Hyper-V guest escape, plus 2 Dynamics 9.9s

    Two unauthenticated Windows server bugs (DNS heap overflow, Netlogon stack overflow) top the list at CVSS 9.8. A Hyper-V use-after-free scores 9.3 and likely enables guest-to-host escape. Dynamics 365 on-prem has a pair of critical RCEs (9.9 and 9.1), Azure Entra ID leaks tokens at 9.3, and FortiSandbox takes unauthenticated code execution at 9.8. Nothing exploited in the wild yet, but the DNS and Netlogon bugs won't stay quiet long.

    20 CVEs · 11 Crit · 0 KEV · 16 min
  13. Nº015 MAY 12

    A 9.9 SSRF-to-cred-theft in FireFighter's Jira bot, plus PgBouncer pre-auth overflow

    FireFighter's unauthenticated Jira bot endpoint hands attackers your AWS IAM creds on IMDSv1 clusters (CVE-2026-42864, CVSS 9.9). Also: a pre-auth buffer overflow in PgBouncer SCRAM handling (CVE-2026-6665, CVSS 8.1), a Go checksum bypass that poisons builds (CVE-2026-42501, CVSS 7.5), and a Linux kernel rxrpc privesc (CVE-2026-43500, CVSS 7.8).

    5 CVEs · 1 Crit · 0 KEV · 4 min
  14. Nº014 MAY 8

    Linux ksmbd RCE at 9.8, Azure Cloud Shell injection at 9.6, and a Thrift TLS bypass

    Two critical, no-auth bugs top the list: a use-after-free in Linux's in-kernel SMB server (CVE-2026-31718, CVSS 9.8) and command injection in Azure Cloud Shell (CVE-2026-35428, CVSS 9.6). Also covers a hostname verification skip in Apache Thrift's Java TLS transport and an info leak in Edge Copilot Chat.

    5 CVEs · 2 Crit · 0 KEV · 4 min
  15. Nº013 MAY 7

    Gotenberg SSRF scores 9.4, Apache httpd double-free enables RCE

    A deny-list bypass in Gotenberg lets unauthenticated attackers hit your internal APIs (CVE-2026-42596, CVSS 9.4). Apache HTTP Server's mod_http2 has a double-free that could mean remote code execution on any internet-facing instance (CVE-2026-23918, CVSS 8.8). Bandit WebSocket OOM, Kiota credential leaks, and a Linux vidtv kernel bug round it out.

    5 CVEs · 1 Crit · 0 KEV · 4 min
  16. Nº012 MAY 6

    CVSS 10 in Eclipse BaSyx, unauthenticated admin in OpenCTI, and a no-auth RCE in MeiG IoT

    Five CVEs today, none exploited yet but three are unauthenticated and critical. Eclipse BaSyx Java Server SDK scores a perfect 10 via path traversal to RCE, OpenCTI 6.6-6.9.12 hands out admin API access with no credentials, and MeiG FORGE_SLT711 devices allow OS command injection over HTTP. Also: a libssh2 integer overflow (CVSS 7.3) and a Realtek Wi-Fi kernel driver that ships debug ioctls with zero access control (CVSS 7.7).

    5 CVEs · 3 Crit · 0 KEV · 4 min
  17. Nº011 MAY 5

    A 9.8 kernel-level RCE in Linux ksmbd and 4 more you should know about

    Unauthenticated remote code execution in the Linux in-kernel SMB server (CVE-2026-31705, CVSS 9.8), plus an Axios DoS, a Norton Secure VPN privesc, an Amazon WorkSpaces local-to-SYSTEM bug, and an FRR routing daemon flaw on Azure Linux.

    5 CVEs · 1 Crit · 0 KEV · 4 min
  18. Nº010 MAY 4

    GoBGP double-tap: two 7.3 parser bugs that can kill your BGP sessions

    Two unauthenticated crashes in GoBGP's MRT and AIGP parsers, plus unpatched auth bypasses in MindsDB and yudao-cloud with public exploits already circulating. Prefect's WebSocket endpoint is wide open too.

    5 CVEs · 0 Crit · 0 KEV · 4 min
  19. Nº009 MAY 1

    WordPress auth bypass in one GET request, plus RCE in Krayin CRM

    CVE-2026-7567 (CVSS 9.8) lets anyone log into WordPress as a temporary user with a single crafted request. Krayin CRM's compose email function has RCE (CVSS 8.1), and the Pallets Click library has a command injection bug worth checking your Python tooling for.

    5 CVEs · 1 Crit · 0 KEV · 4 min

April 2026

8 issues
  1. Nº008 APR 30

    ksmbd RCE, a Wazuh cluster takeover, and an OpenSSL use-after-free

    Linux's in-kernel SMB server has a CVSS 9.8 buffer bug that looks like unauthenticated RCE. Wazuh cluster sync has a 9.0 path traversal to code execution. OpenSSL's DANE verification has a use-after-free (CVSS 8.1, EPSS near zero) worth watching but not panicking over.

    5 CVEs · 4 Crit · 0 KEV · 4 min
  2. Nº007 APR 29
    Chrome · Microsoft · Apache Pony Mail

    Chrome sandbox escape chain, a WattBox sticker-to-root bug, and a dead Apache project

    Two Chrome use-after-free bugs (CVE-2026-7343 + CVE-2026-7341, both CVSS 9.8) chain renderer compromise to full sandbox escape on Windows. Snap One WattBox 800/820 PDUs authenticate diagnostics endpoints with the MAC address printed on the label. Apache Pony Mail (Lua) has a 9.8 account takeover with no fix coming because the project is retired.

    5 CVEs · 5 Crit · 0 KEV · 4 min
  3. Nº006 APR 28
    Router · VPN · Network Appliance

    Five 9.8s on SOHO routers: Totolink and D-Link firmware is Swiss cheese

    Four public command injection exploits hit the Totolink A8000RU and one buffer overflow nails the D-Link DI-8100. All CVSS 9.8, all pre-auth, all with public exploit code. If either device is in your stack, pull it off the internet now.

    5 CVEs · 5 Crit · 0 KEV · 4 min
  4. Nº005 APR 27
    Router · WordPress · Apache MINA

    5 bugs at CVSS 9.8: Apache MINA's filter bypassed twice, WordPress plugin to admin in one click

    Two deserialization bypasses in Apache MINA let attackers slip past the allowlist for RCE, a WordPress privilege escalation hands out admin roles, and a pair of Totolink router command injections have public exploits. All 9.8, none exploited in the wild yet.

    5 CVEs · 5 Crit · 0 KEV · 4 min
  5. Nº004 APR 24
    Microsoft · Windows

    Two perfect 10s: Entra ID SSRF and Bing RCE, both unauth, both wide open

    Microsoft Entra ID Entitlement Management has a CVSS 10.0 SSRF that needs no login, and Bing has a CVSS 10.0 deserialization RCE in the same boat. Hackage-server adds two 9.9 stored XSS bugs, plus a 9.8 crasher in Delta Electronics NAS gear.

    5 CVEs · 5 Crit · 0 KEV · 4 min
  6. Nº003 APR 23
    WordPress · CMS

    Paperclip CVSS 10.0 unauth RCE, plus a 9.9 in FunnelFormsPro and Froxlor

    Six API calls and no credentials give attackers full control of default Paperclip installs. FunnelFormsPro (WordPress) and Froxlor both carry 9.9 code execution bugs, and Borg SPM 2007 has two 9.8s that will never be patched.

    5 CVEs · 5 Crit · 0 KEV · 4 min
  7. Nº002 APR 22
    WordPress · CMS

    AVideo CVSS 10: one WebSocket message owns every viewer, no click needed

    A perfect-score stored XSS in AVideo's YPTSocket hits all connected browsers instantly. Also: Flowise command injection (9.9), ElectricSQL SQL injection that gives full PostgreSQL read/write (9.9), an unauth WordPress SMTP hijack via Sendmachine (9.8), and a Firefox DOM security bypass (9.8).

    5 CVEs · 5 Crit · 0 KEV · 4 min
  8. Nº001 APR 21
    Exchange · Spinnaker · Microsoft

    Four perfect 10s and a 9.9 sandbox escape: Spinnaker, Perl, and OpenClaw all need attention

    Two Spinnaker RCEs (CVE-2026-32613, CVE-2026-32604) let attackers run code through pipeline expressions and gitrepo artifact injection. A 9.9 OpenClaw sandbox escape (CVE-2026-41329) bypasses privilege boundaries. Perl's Storable and Net::Dropbear round out the list with legacy crypto and deserialization bugs, both CVSS 10.0. None are exploited in the wild yet.

    5 CVEs · 5 Crit · 0 KEV · 4 min