Docker AuthZ bypass via oversized request body
CVE-2026-34040 lets attackers bypass Docker AuthZ plugins with a padded API request — upgrade to Moby 29.3.1 or later.
PAN-OS GlobalProtect has an authentication bypass via forged override cookies. Exploitation confirmed since May 17. Patch or disable the feature now.
PromptArmor achieved 5/5 file exfiltration from M365 tenants via Copilot Cowork with no CVE assigned — because the flaw is in the architecture, not the code.
CVE-2025-34291 in Langflow is a CVSS 9.4 chain that hands an attacker your entire SaaS stack — API keys, OAuth tokens, database credentials — from a single page visit. CISA added it to KEV on May 21 with a June 4 federal deadline.
Docker Engine 29.5.1 patches three vulnerabilities in docker cp, including one that let a malicious container execute arbitrary code as root on the host by hijacking the decompression binary lookup.
CVE-2026-9082 is an unauthenticated SQL injection in Drupal core affecting all PostgreSQL-backed installations from 8.9 through 11.3.9. CISA added it to the KEV catalog on May 22 — active exploitation confirmed.
CVE-2026-9256: buffer overflow in the nginx rewrite module affects all versions up to 1.31.0. Fixed in 1.30.2 stable and 1.31.1 mainline. Apply now.
shell-quote 1.8.4 fixes CVE-2026-9277 (CVSS 8.1): a newline in a .op token bypasses escaping because JavaScript's /(.)/g does not match line terminators.
CVE-2026-33555: HAProxy HTTP/3 parser skips body size validation on stream close. One zero-byte QUIC DATA frame enables request smuggling. Patch via DSA-6291.
HPLIP 3.26.4 patches CVE-2026-8631 (CVSS 9.3): unauthenticated remote command injection via the HP printer driver daemon. No interaction required — update now.
OpenVPN 2.6.14 patches two unauthenticated CVEs: a DoS via malformed packet and a handshake data leak. Debian DSA-6289-1 covers Bookworm and Trixie.
CVE-2026-45434 (CVSS 9.8) in Apache OFBiz chains auth bypass to Groovy RCE. Default password 'ofbiz' ships on 10+ demo accounts. Fixed in 24.09.06.
CVE-2026-46633 in Twig lets a single quote in a template name inject arbitrary PHP into the cache file. Twig sandbox does not block it. Fixed in Twig 3.26.0.
BIND 9 patches six CVEs on May 20. CVE-2026-5950 lets unauthenticated remote attackers exhaust resolver memory. Update to 9.18.49, 9.20.23, or 9.21.22.
rsync 3.4.3 fixes six CVEs released May 20. CVE-2026-43618 (CVSS 8.1) leaks client memory from any pull against a malicious server; no daemon config required.
Evince and Atril have an argument injection bug in ev_spawn(). Opening a crafted PDF on GNOME or MATE runs arbitrary code. No patch — avoid untrusted PDFs.
CVE-2026-46680 patched across all four active containerd branches on May 20. Pick up 2.3.1, 2.2.4, 2.0.9, or 1.7.32 depending on which branch you run.
CVE-2026-46333 lets unprivileged users steal SSH host keys and shadow passwords. Here is how to patch, mitigate, rotate keys, and audit for breach.
How to lock down your Wazuh cluster in 2026 after CVE-2026-25769 and CVE-2026-30893 — five concrete hardening steps for production deployments.