23 May 2026
CVE-2026-9082 “highly critical” SQL injection vulnerability on sites using PostgreSQL; discovered by Google/Mandiant; affects Drupal’s database abstraction API.
Windows flaws YellowKey and GreenPlasma: a PoC has been released for a Windows privilege escalation zero-day flaw that grants attackers SYSTEM privileges on fully patched Windows systems.
Tracked as CVE-2026-0300, the flaw affects the User-ID Authentication Portal (Captive Portal) and has already seen limited real-world exploitation.
The vulnerability, tracked as CVE-2026-42945 (CVSS score: 9.2), is a heap buffer overflow in ngx_http_rewrite_module affecting NGINX versions 0.6.27 through 1.30.0, according to VulnCheck.
The most critical of these flaws, dubbed “YellowKey,” enables a total bypass of BitLocker encryption, granting attackers completely unrestricted access to locked system drives.
Following Dirty Frag, Fragnesia, and other Linux kernel vulnerabilities making themselves known in recent days, the latest now is ssh-keysign-pwn.
An MS Windows DNS Client flaw, designated CVE-2026-41096, carries a severe CVSS score of 9.8 out of 10.
The Fragnesia vulnerability, tracked as CVE-2026-46300 with a CVSS severity score of 7.8, exists in the Linux kernel's XFRM ESP-in-TCP subsystem. Security vendor Wiz says it allows modifying the contents of read-only files in the kernel page cache.
The Xint Code team also uncovered a missing validation bug in PostgreSQL, hidden for 20 years, allowing attackers to write arbitrary code.
Tracked as CVE-2026-0300, the vulnerability has been described as a buffer overflow affecting the User-ID Authentication Portal (Captive Portal) service of PAN-OS software.
CVE-2026-23918 (CVSS score: 8.8) has been described as a case of “double free and possible RCE” in the HTTP/2 protocol handling. This issue has been addressed in version 2.4.67.
Proof-of-concept exploit code for a critical remote code execution flaw in protobuf.js, the JavaScript implementation of Google’s Protocol Buffers and a popular tool in the Node Package Manager (npm) registry.
Remote access trojan called STX RAT emerged as a serious cybersecurity threat in 2026.
Veeam has patched multiple flaws including critical remote code execution (RCE) vulnerabilities CVE-2026-21666, CVE-2026-21667, CVE-2026-21669, CVE-2026-21708.
Fortinet disclosed 7 vulnerabilities across its core enterprise products, including FortiManager, FortiAnalyzer, FortiSwitchAXFixed, and FortiSandbox.
CVE-2026-20841 reveals that malicious actors may be able to trick Windows 11 users into clicking a malicious link inside a Markdown (.md) file opened in Notepad.
The AgreeTo add-in for Outlook has been hijacked and turned into a phishing kit that stole more than 4,000 Microsoft account credentials.
iOS, iPadOS, macOS Tahoe, tvOS, watchOS, and visionOS updates address a zero-day flaw. CVE-2026-20700 (CVSS score: N/A) has been described as a memory corruption issue in dyld, Apple’s Dynamic
CVE-2026-20841 – malicious actors may be able to trick Windows 11 users into clicking a malicious link inside a Markdown (.md) file opened in Notepad.
The Patch Tuesday also addresses five “Critical” vulnerabilities, 3 of which are elevation of privilege flaws and 2 information disclosure flaws.