16 May 2026
A vulnerability in the MS Windows DNS Client, designated CVE-2026-41096, carries a severe CVSS score of 9.8 out of 10.
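The Fragnesia vulnerability is tracked as CVE-2026-46300, has a CVSS severity score of 7.8, and resides in the Linux kernel's XFRM ESP-in-TCP subsystem. Security vendor Wiz says it can modify the contents of read-only files in the kernel page cache.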
The Xint Code team also uncovered a missing validation bug in PostgreSQL, hidden for 20 years, allowing attackers to write arbitrary code.
Tracked as CVE-2026-0300, the vulnerability has been described as a buffer overflow affecting the User-ID Authentication Portal (Captive Portal) service of PAN-OS software.
CVE-2026-23918 (CVSS score: 8.8) has been described as a case of “double free and possible RCE” in the HTTP/2 protocol handling. This issue has been addressed in version 2.4.67.
Proof-of-concept exploit code for a critical remote code execution flaw in protobuf.js, a JavaScript implementation of Google’s Protocol Buffers and a popular tool in the Node Package Manager (npm) registry.
A remote access trojan called STX RAT emerged as a serious cybersecurity threat in 2026.
Veeam has patched multiple flaws, including the critical remote code execution (RCE) vulnerabilities CVE-2026-21666, CVE-2026-21667, CVE-2026-21669, and CVE-2026-21708.
Fortinet disclosed 7 vulnerabilities across its core enterprise products, including FortiManager, FortiAnalyzer, FortiSwitchAXFixed, and FortiSandbox.
CVE-2026-20841 reveals that malicious actors may be able to trick Windows 11 users into clicking a malicious link inside a Markdown (.md) file opened in Notepad.
The AgreeTo add-in for Outlook has been hijacked and turned into a phishing kit that stole more than 4,000 Microsoft account credentials.
iOS, iPadOS, macOS Tahoe, tvOS, watchOS, and visionOS updates address a zero-day flaw. CVE-2026-20700 (CVSS score: N/A) has been described as a memory corruption issue in dyld, Apple’s Dynamic
CVE-2026-20841 – malicious actors may be able to trick Windows 11 users into clicking a malicious link inside a Markdown (.md) file opened in Notepad.
The Patch Tuesday release also addresses five “Critical” vulnerabilities, 3 of which are elevation-of-privilege flaws and 2 of which are information disclosure flaws.
F5 security exposures affecting BIG-IP, NGINX, and container services stem from denial-of-service (DoS) risks and configuration weaknesses, potentially disrupting WAF and Kubernetes ingress.
PowerShell-based malware named TAMECAT targets login credentials stored in the Microsoft Edge and Chrome browsers.
CVE-2026-24858 (CVSS score: 9.4) affects FortiManager and FortiAnalyzer; affected products may also include FortiWeb and FortiSwitch Manager.
A web shell named “EncystPHP” enhances remote command execution, persistence mechanisms, and web shell deployment to resolve FreePBX vulnerability CVE-2025-64328.
Unpatched IIS servers are injected with malicious web shells; attackers execute PowerShell scripts and deploy the BadIIS malware, including hardcoded regional configurations tailored to specific countries.
WorldLeaks claims to have stolen 1.4TB of Nike design and manufacturing data; WorldLeaks (successor to Hunters International) relies on file theft rather than encryption.