11 June 2026
CVE-2026-45447, a heap use-after-free bug in PKCS#7 (Public-Key Cryptography Standard #7) verification; the release patches 18 vulnerabilities including a high-severity issue that could allow remote code execution.
CVE-2026-44963 allows remote code execution (RCE) on the Backup Server by an authenticated domain user. It impacts Veeam Backup & Replication 12.3.2.4465 and all earlier 12.x builds.
CVE-2026-4480 allows unauthenticated attackers to achieve remote code execution (RCE) on affected systems; it carries a CVSS v3.1 score of 10.0, highlighting its severe impact and ease of exploitation.
The vulnerability, dubbed “PinTheft,” was publicly disclosed on May 19, 2026. It was fixed in the mainline Linux kernel tree. A proof-of-concept exploit was published along with the public disclosure.
Tracked as CVE-2026-9256 and publicly nicknamed nginx-poolslip, the vulnerability affects both NGINX Plus and NGINX Open Source, and can be triggered by a remote, unauthenticated attacker over plain HTTP.
CVE-2026-41091 is an MS Defender local privilege escalation (LPE) flaw known as RedSun, and CVE-2026-45498 is a security flaw known as UnDefend, according to a security researcher known as “Nightmare Eclipse”.
CVE-2026-9082, a “highly critical” SQL injection vulnerability on sites using PostgreSQL; discovered by Google/Mandiant; affects Drupal’s database abstraction API.
Following the Windows flaws YellowKey and GreenPlasma, a PoC has been released for a Windows privilege escalation zero-day flaw that grants attackers SYSTEM privileges on fully patched Windows systems.
Tracked as CVE-2026-0300, the flaw affects the User-ID Authentication Portal (Captive Portal) and has already seen limited real-world exploitation.
The vulnerability, tracked as CVE-2026-42945 (CVSS score: 9.2), is a heap buffer overflow in ngx_http_rewrite_module affecting NGINX versions 0.6.27 through 1.30.0, according to VulnCheck.
The most critical of these flaws, dubbed “YellowKey,” enables a total bypass of BitLocker encryption, granting attackers completely unrestricted access to locked system drives.
Following Dirty Frag, Fragnesia, and other Linux kernel vulnerabilities making themselves known in recent days, the latest now is ssh-keysign-pwn.
A flaw in the MS Windows DNS Client, designated CVE-2026-41096, carries a severe CVSS score of 9.8 out of 10.
The Fragnesia vulnerability is tracked as CVE-2026-46300, has a CVSS severity score of 7.8, and exists in the Linux kernel's XFRM ESP-in-TCP subsystem. Security vendor Wiz says it can modify the contents of read-only files in the kernel page cache.
The Xint Code team also uncovered a missing validation bug in PostgreSQL, hidden for 20 years, allowing attackers to write arbitrary code.
Tracked as CVE-2026-0300, the vulnerability has been described as a buffer overflow affecting the User-ID Authentication Portal (Captive Portal) service of PAN-OS software.
CVE-2026-23918 (CVSS score: 8.8) has been described as a case of “double free and possible RCE” in the HTTP/2 protocol handling. This issue has been addressed in version 2.4.67.
Proof-of-concept exploit code for a critical remote code execution flaw in protobuf.js, a JavaScript implementation of Google’s Protocol Buffers and a popular package in the Node Package Manager (npm) registry.
Remote access trojan called STX RAT emerged as a serious cybersecurity threat in 2026.
Veeam has patched multiple flaws including critical remote code execution (RCE) vulnerabilities CVE-2026-21666, CVE-2026-21667, CVE-2026-21669, CVE-2026-21708.