News: Pwn2Own Berlin 2026 day two: Exchange, Windows 11, and AI tooling fall to fresh zero-days
May 17, 2026, by Alex Mira
Pwn2Own Berlin 2026 day two delivered 15 new zero-days spanning Microsoft Exchange, Windows 11, Red Hat Enterprise Linux Workstation, NVIDIA Container Toolkit, and AI coding agents, triggering $385,750 in awards and setting up a busy patch cycle.
Tags: AI security, Microsoft Exchange, NVIDIA Container Toolkit, Pwn2Own, Red Hat Enterprise Linux, Windows 11, Zero-day
News: CVE-2026-42897: Exchange Server XSS exploited against Outlook on the web; mitigation via EEMS
May 15, 2026, by Alex Mira
CVE-2026-42897 is an actively exploited XSS spoofing flaw in Microsoft Exchange Server targeting Outlook on the web. There is no patch yet: enable the Exchange Emergency Mitigation Service (EEMS) and monitor Microsoft's advisories.
Tags: CVE-2026-42897, EEMS, Microsoft Exchange, OWA, Security advisory, XSS
News: CVE-2026-43500: Linux rxrpc shared-fragment bug tied to "Dirty Frag" page-cache writes
May 14, 2026, by Alex Mira
CVE-2026-43500 fixes a Linux rxrpc flaw in how shared packet fragments are handled. It is linked to the "Dirty Frag" chain enabling page-cache writes and local root. Update kernels promptly.
Tags: CVE-2026-43500, Dirty Frag, Linux kernel, Privilege escalation, rxrpc, Security updates, vulnerability
News: SAP patches critical Commerce Cloud RCE and S/4HANA SQL injection (CVE-2026-34263, CVE-2026-34260)
May 14, 2026, by Alex Mira
SAP's May 2026 updates fix two critical issues: unauthenticated RCE in Commerce Cloud (CVE-2026-34263) and authenticated SQL injection in S/4HANA Enterprise Search (CVE-2026-34260).
Tags: CVE-2026-34260, CVE-2026-34263, S/4HANA, SAP, SAP Commerce Cloud, Security updates, Vulnerabilities
News: CVE-2026-42945: NGINX rewrite-module bug tied to PCRE captures and "?" in replacements
May 13, 2026, by Alex Mira
CVE-2026-42945 affects NGINX's rewrite module under specific PCRE capture and replacement patterns, causing a heap overflow and worker restarts; code execution may be possible if ASLR is disabled. Affected versions and patch details are not yet clear.
Tags: CVE-2026-42945, NGINX, PCRE, Reverse Proxy, Security advisory, vulnerability, Web Security
News: Claude Code CVE-2026-39861: symlink-assisted sandbox escape fixed
May 13, 2026, by Alex Mira
A GitHub advisory for CVE-2026-39861 details a symlink-based sandbox escape in Claude Code, now fixed. A separate CVE in jotty.page (CVE-2026-42564) addresses an unauthenticated path traversal, fixed in 1.22.0.
Tags: Claude Code, CVE, Path Traversal, Sandbox, Security advisory, Symlink
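The symlink-assisted sandbox escape and the path traversal in the two advisories above are the same class of bug: a containment check that compares path strings without resolving what the filesystem will actually open. The following added example (written for this page, not code from Claude Code, jotty.page, or either advisory, and not a reproduction of the specific flaws) builds a constructed fixture with a symlink pointing out of a sandbox directory and shows why a lexical prefix check passes the escape while a realpath-based check rejects it. Directory names and file contents are made up for the demonstration.

```python
import os
import tempfile


def naive_contains(root: str, candidate: str) -> bool:
    """Lexical check: normalises '..' segments but never resolves symlinks.

    This is the pattern that a symlink inside the sandbox defeats, because
    the string still starts with the sandbox prefix.
    """
    root_abs = os.path.abspath(root)
    cand_abs = os.path.abspath(os.path.join(root, candidate))
    return cand_abs == root_abs or cand_abs.startswith(root_abs + os.sep)


def resolved_contains(root: str, candidate: str) -> bool:
    """Resolve symlinks on both sides, then compare the real locations.

    realpath follows every symlink component that exists; components that
    do not exist yet are kept as-is, so a not-yet-created file under the
    sandbox still resolves to a path beneath the real sandbox root.
    """
    root_real = os.path.realpath(root)
    cand_real = os.path.realpath(os.path.join(root, candidate))
    return cand_real == root_real or cand_real.startswith(root_real + os.sep)


def build_fixture() -> str:
    """Constructed test layout (not from any real product):

        <tmp>/sandbox/          the directory the tool is confined to
        <tmp>/sandbox/escape -> <tmp>/outside   symlink planted in the sandbox
        <tmp>/outside/secret.txt                data that must stay unreachable
    """
    base = tempfile.mkdtemp(prefix="sandbox-demo-")
    sandbox = os.path.join(base, "sandbox")
    outside = os.path.join(base, "outside")
    os.makedirs(sandbox)
    os.makedirs(outside)
    with open(os.path.join(outside, "secret.txt"), "w") as fh:
        fh.write("must not be readable from the sandbox\n")
    os.symlink(outside, os.path.join(sandbox, "escape"))
    return sandbox


def evaluate_cases() -> dict:
    """Run both checks over three relative paths a sandboxed tool might be asked to open.

    Returns {relative_path: (naive_result, resolved_result)}.
    """
    sandbox = build_fixture()
    cases = [
        "escape/secret.txt",        # symlink escape: lexically inside, physically outside
        "../outside/secret.txt",    # classic dot-dot traversal
        "notes/readme.md",          # benign, not yet existing file inside the sandbox
    ]
    return {c: (naive_contains(sandbox, c), resolved_contains(sandbox, c)) for c in cases}


if __name__ == "__main__":
    for path, (naive, resolved) in evaluate_cases().items():
        print(f"{path:28} naive={naive!s:5} resolved={resolved}")
```

Only the symlink case separates the two checks: the dot-dot traversal is caught by both, because `abspath` already collapses `..`, which is why a fix for one bug class leaves the other open. Note also that a realpath check followed by a separate `open()` is still a time-of-check/time-of-use window if an attacker can replace a component with a symlink in between; on Linux the durable fix is to open with `O_NOFOLLOW` (and `openat`/`RESOLVE_BENEATH` where available) rather than trust a prior string comparison.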
News: CVE-2026-43284: Linux fixes an ESP decryption flaw tied to "Dirty Frag" reports
May 11, 2026, by Alex Mira
Linux has patched CVE-2026-43284 in the xfrm/ESP input path to avoid unsafe in-place decryption on shared fragments. Media reports link it to the "Dirty Frag" LPE chain, but only parts of that are confirmed. Here is what is known and what to do next.
Tags: CVE-2026-43284, ESP, IPsec, kernel, linux, security, vulnerability
News: Ivanti EPMM updates address multiple flaws (CVE-2026-5786/5787/5788/6973/7821)
May 10, 2026, by Alex Mira
Ivanti's May 2026 advisory fixes five EPMM flaws spanning access control, certificate validation, and remote code execution with admin-level prerequisites. Here is what is confirmed and what to do now.
Tags: Access control, Certificate validation, CVE-2026-5786, EPMM, Ivanti, Security advisory, Vulnerabilities
News: CVE-2026-43284: Fix for in-place decryption on shared skb fragments in Linux's ESP path
May 10, 2026, by Alex Mira
CVE-2026-43284 fixes a Linux kernel ESP receive-path flaw where in-place decryption could occur on shared skb fragments. Here is what is confirmed and how to proceed.
Tags: CVE-2026-43284, ESP, IPsec, Kernel update, Linux kernel, Networking, security, vulnerability
News: CVE-2026-26956: vm2 sandbox escape in 3.10.4 enables host code execution, patch available
May 7, 2026, by Alex Mira
CVE-2026-26956 allows a vm2 sandbox escape in version 3.10.4, enabling host code execution under specific Node.js 25 settings. NVD says it is patched in 3.10.5.
Tags: CVE, JavaScript, security, Node.js, Sandbox, vm2, vulnerability, WebAssembly