News CVE-2026-42897: Exchange Server XSS exploited against Outlook on the web — mitigation via EEMS May 15, 2026 / May 15, 2026 by Alex Mira | Leave a Comment CVE-2026-42897 is an actively exploited XSS spoofing flaw in Microsoft Exchange Server targeting Outlook on the web. No patch yet—enable Exchange Emergency Mitigation Service (EEMS) and monitor Microsoft’s advisories. Read more » CVE-2026-42897 EEMS Microsoft Exchange OWA Security advisory XSS
News CVE-2026-43500: Linux rxrpc shared‑fragment bug tied to “Dirty Frag” page‑cache writes May 14, 2026 / May 14, 2026 by Alex Mira | Leave a Comment CVE-2026-43500 fixes a Linux rxrpc flaw in how shared packet fragments are handled. It’s linked to the “Dirty Frag” chain enabling page‑cache writes and local root. Update kernels promptly. Read more » CVE-2026-43500 Dirty Frag Linux kernel Privilege escalation rxrpc Security updates vulnerability
News SAP patches critical Commerce Cloud RCE and S/4HANA SQL injection (CVE-2026-34263, CVE-2026-34260) May 14, 2026 / May 14, 2026 by Alex Mira | Leave a Comment SAP’s May 2026 updates fix two critical issues: unauthenticated RCE in Commerce Cloud (CVE-2026-34263) and authenticated SQL injection in S/4HANA Enterprise Search (CVE-2026-34260). Read more » CVE-2026-34260 CVE-2026-34263 S/4HANA SAP SAP Commerce Cloud Security updates Vulnerabilities
News CVE-2026-42945: NGINX rewrite-module bug tied to PCRE captures and “?” in replacements May 13, 2026 / May 13, 2026 by Alex Mira | Leave a Comment CVE-2026-42945 affects NGINX’s rewrite module under specific PCRE capture and replacement patterns, causing a heap overflow and worker restarts; code execution may be possible if ASLR is disabled. Version and patch details are not yet clear. Read more » CVE-2026-42945 NGINX PCRE Reverse Proxy Security advisory vulnerability Web Security
News Claude Code CVE-2026-39861: symlink-assisted sandbox escape fixed May 13, 2026 / May 13, 2026 by Alex Mira | Leave a Comment A GitHub advisory for CVE-2026-39861 details a symlink-based sandbox escape in Claude Code, now fixed. A separate CVE in jotty.page (CVE-2026-42564) addresses an unauthenticated path traversal fixed in 1.22.0. Read more » Claude Code cve Path Traversal Sandbox Security advisory Symlink
News CVE-2026-43284: Linux fixes an ESP decryption flaw tied to “Dirty Frag” reports May 11, 2026 / May 11, 2026 by Alex Mira | Leave a Comment Linux has patched CVE-2026-43284 in the xfrm/ESP input path to avoid unsafe in-place decryption on shared fragments. Media link it to the “Dirty Frag” LPE chain, but only parts are confirmed. Here’s what’s known and what to do next. Read more » CVE-2026-43284 ESP IPsec kernel linux security vulnerability
News Ivanti EPMM updates address multiple flaws (CVE-2026-5786/5787/5788/6973/7821) May 10, 2026 / May 10, 2026 by Alex Mira | Leave a Comment Ivanti’s May 2026 advisory fixes five EPMM flaws spanning access control, certificate validation, and admin-level RCE prerequisites. Here’s what’s confirmed and what to do now. Read more » Access control Certificate validation CVE-2026-5786 EPMM Ivanti Security advisory Vulnerabilities
News CVE-2026-43284: Fix for in‑place decryption on shared skb fragments in Linux’s ESP path May 10, 2026 / May 10, 2026 by Alex Mira | Leave a Comment CVE-2026-43284 fixes a Linux kernel ESP receive-path flaw where in-place decryption could occur on shared skb fragments. Here’s what’s confirmed and how to proceed. Read more » CVE-2026-43284 ESP IPsec Kernel update Linux kernel Networking security vulnerability
News CVE-2026-26956: vm2 sandbox escape in 3.10.4 enables host code execution, patch available May 7, 2026 / May 7, 2026 by Alex Mira | Leave a Comment CVE-2026-26956 allows a vm2 sandbox escape in version 3.10.4, enabling host code execution under specific Node.js 25 settings. NVD says it’s patched in 3.10.5. Read more » cve JavaScript security Node.js Sandbox vm2 vulnerability WebAssembly
News Security Critical cPanel Vulnerability CVE-2026-41940 Actively Exploited: What Website Owners and Hosting Providers Need to Know May 4, 2026 / May 4, 2026 by Corentin C | Leave a Comment CVE-2026-41940 is a critical cPanel and WHM authentication bypass vulnerability actively exploited in the wild. Learn who is affected, what attackers can do, and how to patch. Read more » cpanel cve cve-2026-41940 security vulnerability web hosting
