BRIEF: CVE-2026-23111 is a Linux nf_tables privilege escalation, CVSS 7.8. A full working exploit dropped June 8. Patches have been available since February; if you haven't applied them yet, now is the deadline.
BRIEF: CVE-2026-46243 (CIFSwitch) is a Linux kernel LPE in the CIFS client, CVSS 7.8. Public PoC available since 27 May 2026. Patches are out: patch and reboot.
BRIEF: Kubernetes 1.33 reaches end-of-life on 28 June 2026. No more security patches. If you run on-prem or K3s without extended support, that is a hard deadline: three upgrade hops await.
BRIEF: Traefik v3.7.4 (5 June 2026) fixes six bugs: axios security bump, Redis write-timeout, BackendTLSPolicy for Kubernetes Gateway API, and a TLS SNI keepalive bug.
BRIEF: Grafana 13.0.2 shipped June 2 with seven security-only fixes. The path traversal bugs in Loki and Tempo are the most critical; upgrade if you run 13.0.0 or 13.0.1.
BRIEF: CVE-2026-28318: an unauthenticated POST crashes SolarWinds Serv-U. CVSS 7.5, CISA KEV listed June 5, deadline June 19. Apply Serv-U 15.5.4 Hotfix 1.
BRIEF: Vault 2.0.2 removes cap_ipc_lock from the binary at build time, reversing a change made in 2.0.1. Without action, containerized Vault workloads that rely on mlock can no longer pin secrets in memory; check your securityContext and Helm values before upgrading.
BRIEF: CVE-2026-45247 is a Mirasvit Magento RCE via PHP deserialization in the Cache Warmer extension. CVSS 9.8. Active exploitation confirmed. Patch to 1.11.12.
BRIEF: CVE-2026-20230 affects Cisco Unified CM WebDialer. SSRF leads to arbitrary file write and root privilege escalation. Advisory published June 3, PoC confirmed.
BRIEF: CVE-2022-0492 is a logic bug in Linux cgroups v1 that lets a local attacker escape a container and get root on the host. CISA added it to KEV on June 2, 2026. Active exploitation is confirmed.
BRIEF: Docker Engine 29.5.3 patches CVE-2026-46680 via containerd 2.2.4: a flaw where containers with oversized USER IDs silently run as root despite runAsNonRoot: true.
BRIEF: CVE-2026-9256 (Poolslip) is a heap buffer overflow in NGINX's rewrite module affecting versions 0.1.17 through 1.31.0. Patching for Rift in May left you exposed. You need 1.30.2 or 1.31.1.
BRIEF: Google's June 2026 Android Security Bulletin includes CVE-2025-48595, an integer overflow in Framework that enables local privilege escalation. Google confirms active targeted exploitation. CISA added it to KEV on June 2 with a federal remediation deadline of June 5.
BRIEF: Seven kernel branches shipped June 1. Three security fixes land in 7.0.11: a TCP ISN leak, a tap stack leak, and a keyring race. Dirty Frag is now half-patched: CVE-2026-43500 fixed, CVE-2026-43284 still open upstream.
BRIEF: OpenTofu 1.12.1 patches multiple SSH vulnerabilities in the underlying golang.org/x/crypto library, including hangs, panics, and a cert revocation bypass. All v1.12.0 users should upgrade.
BRIEF: Prometheus 3.12.0 (released May 28) patches two security issues: STACKIT service discovery exposed credentials in plaintext via the config endpoint, and remote write receivers had no limit on snappy decompression size.
BRIEF: CVE-2026-34040 lets attackers bypass Docker AuthZ plugins with a padded API request; upgrade to Moby 29.3.1 or later.
BRIEF: PAN-OS GlobalProtect has an authentication bypass via forged override cookies. Exploitation confirmed since May 17. Patch or disable the feature now.
BRIEF: The 23 May batch release patched a UDP/IPsec corruption bug, a ptrace vulnerability, and the Copy Fail LPE across all active LTS branches.
BRIEF: OpenSSH 10.3 patches five CVEs, including a privilege escalation via legacy scp. Juniper confirmed Junos OS and Junos Evolved are affected.
BRIEF: Docker Engine 29.5.1 patches three vulnerabilities in docker cp, including one that let a malicious container execute arbitrary code as root on the host by hijacking the decompression binary lookup.
BRIEF: CVE-2026-9082 is an unauthenticated SQL injection in Drupal core affecting all PostgreSQL-backed installations from 8.9 through 11.3.9. CISA added it to the KEV catalog on May 22; active exploitation confirmed.
BRIEF: CVE-2026-20182: CVSS 10.0 auth bypass in Cisco SD-WAN, exploited by UAT-8616. No credentials needed. Patch now and audit SSH authorized_keys for backdoors.
BRIEF: Day 2 of Pwn2Own Berlin 2026 yielded 15 zero-days and $385,750 in prizes. Exchange fell to a three-bug RCE chain. Cursor AI and OpenAI Codex were exploited too.
BRIEF: CVE-2026-42945 is a critical heap buffer overflow in NGINX's rewrite module, present since 2008. Unauthenticated remote attackers can crash worker processes or achieve RCE. Patch now.
BRIEF: CVE-2026-45585 (YellowKey) gives an attacker shell access to a BitLocker volume using physical access and a USB drive. PoC is public, no patch exists. Enable TPM+PIN to block it.
BRIEF: Wimer Hazenberg migrated his full production stack from US to European cloud services. Here is what moved, what stayed, and the friction at each step.
BRIEF: Needle is a 26M parameter model built for function calling. It beats 270M+ rivals on benchmarks and runs on CPU without a GPU. Route tool dispatch locally and skip the API call.
BRIEF: Forgejo is a self-hosted Git forge with a GitHub-compatible API. Here is what the migration actually involves and why self-hosted git is a real choice again.
BRIEF: CloakBrowser patches 49–57 Chromium fingerprinting vectors at the C++ level, not via JS. Bot detectors that assume JS-layer stealth are looking in the wrong place.
BRIEF: Debian 14 is the first distro to hard-gate on reproducible builds. 414 packages are currently blocked from testing. What this means for maintainers and downstream users.
BRIEF: 12 CVEs in vm2 disclosed May 7, 2026: CVSS 9.1-10.0, all sandbox escapes. Patched in 3.11.2. If you run untrusted code under vm2, update today.
BRIEF: CVE-2026-41940 is a critical cPanel/WHM auth bypass via CRLF injection. CVSS 9.8. Shadowserver counted 44,000 compromised IPs by April 30. Patch now.
BRIEF: Microsoft's 2011 Secure Boot certificates expire in June 2026. The May 12 Patch Tuesday ships the 2023 replacements. Deferring to June leaves no margin.
BRIEF: OpenClaw connects your AI model to 50+ messaging channels. The core gateway works. The plugin ecosystem has a 20% malicious skill rate and two active CVEs.
BRIEF: Linux 7.0 is out. SHA-1 module signing removed, NFSv4.0 becomes kconfig-optional, lazy preemption replaces the old default. Audit your config before upgrading.
BRIEF: CVE-2026-31431 (Copy Fail) is a Linux kernel LPE, CVSS 7.8. A working PoC is public. CISA KEV listed. Patches out for Ubuntu, Debian, AlmaLinux, and RHEL.
BRIEF: Vault 2.0 is IBM rebranding 1.21, not a ground-up rebuild. Three breaking changes to check before upgrading: Azure auth precedence flipped; sys/rekey and two other endpoints now require a token; unauthenticated rekey scripts fail silently.
BRIEF: Trivy 0.70.0 is the first release after the March supply chain incident. New features landed, but the rotated GPG key for deb/rpm will silently break CI.
BRIEF: Traefik 3.6.14 patches five CVEs. The critical one, CVE-2026-40912, bypasses ForwardAuth, BasicAuth, and DigestAuth via percent-encoded paths. Upgrade now.
BRIEF: Wazuh 4.14.5 hid five security advisories in routine release notes. One is a pre-auth stack overflow on port 1514. Upgrade today; a PoC lands in late July.
BRIEF: Wazuh 5.0 beta rewrites agent state handling and replaces Filebeat with a native indexer connector. 4.x agents need upgrading before they reconnect. What changes, what breaks, and when stable lands.