Oliver Buchannon
Colten A

Colten runs PatchDayAlert, a daily CVE brief for IT admins and MSPs. Built out of frustration with triaging NVD at 7am. Reads every reply.

A perfect 10 in Azure HorizonDB and a Copilot RCE you shouldn't ignore

Jun 5, 2026 • 5 min read

CVE-2026-48567 is a CVSS 10.0 unauthenticated auth bypass in Azure HorizonDB. Also today: authenticated RCE in Microsoft Copilot (7.7), a Chrome sandbox escape via ImageCapture (7.5), a WordPress site-takeover in Hybrid Composer (9.8), and a DLL-loading trick in SQLite's sqldiff on Windows (9.8).

Colten A
OpenShift ClusterRole blows wide open, Cisco UCM goes from SSRF to root

Jun 4, 2026 • 5 min read

OpenShift ClusterRole CVSS 9.6 privilege escalation grants authenticated users secret access. Plus Cisco UCM SSRF-to-root (8.6) and AWS IAM flaws. Critical patches urgent.

Colten A
A 9.8 WordPress site takeover, a healthcare RCE, and two NI driver bugs

Jun 3, 2026 • 5 min read

ARMember Premium lets unauthenticated attackers reset any admin password (CVSS 9.8). Spacelabs Sentinel has a file-write-to-webshell path on port 8989 (CVSS 9.8). NI-PAL driver flaws give local users a privesc and a blue-screen. LibreChat lets any logged-in user hijack another user's API keys.

Colten A
SharePoint deser RCE, OpenShift HAProxy injection, and a WordPress SQLi from 2018

Jun 2, 2026 • 5 min read

CVE-2026-47294 lets any authenticated SharePoint user run code on your server (CVSS 8.0). CVE-2026-1784 turns OpenShift Route objects into HAProxy config injection (CVSS 8.8). Plus an ancient unauthenticated SQLi in WP AutoSuggest finally gets a CVE.

Colten A
PAN-OS auth bypass exploited in the wild, plus a 9.8 in Redshift and a Chrome sandbox escape

Jun 1, 2026 • 5 min read

Attackers are tunneling into Palo Alto firewalls without credentials (CVE-2026-0257). Also: a CVSS 9.8 RCE in Amazon's Redshift Python driver via eval(), a CVSS 9.6 Chrome WebGPU sandbox escape, and a GitHub CLI token leak.

Colten A
UniFi OS scores a perfect 10.0 RCE, ConnectWise Automate agents can't verify their own updates

May 22, 2026 • 3 min read

Unauthenticated command injection on UniFi OS devices, a supply-chain plugin verification bypass in ConnectWise Automate (CVSS 8.8), a privilege escalation in LiteLLM, and RCE in three ManageEngine products.

Colten A
Cisco Secure Workload scores a perfect 10.0: unauth cross-tenant takeover

May 21, 2026 • 3 min read

Also: a use-after-free in Chrome's DOM engine (CVSS 8.8), a no-click heap overflow in Microsoft Defender's scan engine (CVSS 8.1), an Azure privesc via symlink, and a Splunk session cookie leak.

Colten A
Keycloak session fixation, a DoS-in-a-packet for 389 DS, and a chroot that does nothing

May 20, 2026 • 3 min read

Five fixes today: Keycloak SSO hijack (CVE-2026-7507, CVSS 7.5), 389 Directory Server DoS via oversized LDAP controls (CVE-2026-9064, CVSS 7.5), Firefox/Thunderbird privesc (CVE-2026-8970, CVSS 7.3), and two local privilege bugs in PluginScript and haveged where the security checks exist but are never enforced. None exploited in the wild yet.

Colten A
Apache Thrift 9.4 RCE headlines a quiet five-patch day

May 19, 2026 • 3 min read

A critical unauthenticated bug in Thrift's Node.js server, a Linux kernel USB gadget privesc, curl SMB connection reuse, a Go panic-crash on Windows, and an FRRouting BGP daemon crasher. Nothing exploited in the wild yet.

Colten A
PostgreSQL buffer overflow, NGINX rewrite bypass, and a Linux SMB handle hijack

May 18, 2026 • 4 min read

Three 8.1+ CVSS bugs hit core infrastructure: PostgreSQL's refint module (CVE-2026-6637, 8.8), NGINX's rewrite module (CVE-2026-42945, 8.1), and Linux ksmbd's durable handle reconnect (CVE-2026-31717, 8.8). None exploited in the wild yet, but all are network-reachable.

Colten A
Cisco SD-WAN scores a perfect 10.0, plus dnsmasq and Go HTTP/2 DoS bugs

May 15, 2026 • 3 min read

CVE-2026-20182 lets unauthenticated attackers hijack your entire SD-WAN fabric through vSmart/vManage. Also on the list: a CVSS 8.4 dnsmasq bug with sparse details, a Go net/http2 infinite loop, a GnuTLS auth bypass, and a Twisted DNS crash.

Colten A
OpenTelemetry's Azure auth extension doesn't actually check your tokens

May 14, 2026 • 3 min read

A CVSS 8.1 bypass in azureauthextension lets any valid Azure token past your OTel collector. Also: two SOGo SQL injection bugs (PostgreSQL, MariaDB), a busted IPv6 allow-list in Auth Proxy, and a Zoom Rooms installer DLL hijack on Windows.

Colten A
Patch Tuesday May 2026: DNS and Netlogon RCEs hit 9.8, Hyper-V guest escape, plus 2 Dynamics 9.9s

May 13, 2026 • 6 min read

Two unauthenticated Windows server bugs (DNS heap overflow, Netlogon stack overflow) top the list at CVSS 9.8. A Hyper-V use-after-free scores 9.3 and likely enables guest-to-host escape. Dynamics 365 on-prem has a pair of critical RCEs (9.9 and 9.1), Azure Entra ID leaks tokens at 9.3, and FortiSandbox takes unauthenticated code execution at 9.8. Nothing exploited in the wild yet, but the DNS and Netlogon bugs won't stay quiet long.

Colten A
A 9.9 SSRF-to-cred-theft in FireFighter's Jira bot, plus PgBouncer pre-auth overflow

May 12, 2026 • 10 min read

FireFighter's unauthenticated Jira bot endpoint hands attackers your AWS IAM creds on IMDSv1 clusters (CVE-2026-42864, CVSS 9.9). Also: a pre-auth buffer overflow in PgBouncer SCRAM handling (CVE-2026-6665, CVSS 8.1), a Go checksum bypass that poisons builds (CVE-2026-42501, CVSS 7.5), and a Linux kernel rxrpc privesc (CVE-2026-43500, CVSS 7.8).

Colten A
Linux ksmbd RCE at 9.8, Azure Cloud Shell injection at 9.6, and a Thrift TLS bypass

May 8, 2026 • 11 min read

Two critical, no-auth bugs top the list: a use-after-free in Linux's in-kernel SMB server (CVE-2026-31718, CVSS 9.8) and command injection in Azure Cloud Shell (CVE-2026-35428, CVSS 9.6). Also covers a hostname verification skip in Apache Thrift's Java TLS transport and an info leak in Edge Copilot Chat.

Colten A
Gotenberg SSRF scores 9.4, Apache httpd double-free enables RCE

May 7, 2026 • 11 min read

A deny-list bypass in Gotenberg lets unauthenticated attackers hit your internal APIs (CVE-2026-42596, CVSS 9.4). Apache HTTP Server's mod_http2 has a double-free that could mean remote code execution on any internet-facing instance (CVE-2026-23918, CVSS 8.8). Bandit WebSocket OOM, Kiota credential leaks, and a Linux vidtv kernel bug round it out.

Colten A
CVSS 10 in Eclipse BaSyx, unauthenticated admin in OpenCTI, and a no-auth RCE in MeiG IoT

May 6, 2026 • 11 min read

Five CVEs today, none exploited yet but three are unauthenticated and critical. Eclipse BaSyx Java Server SDK scores a perfect 10 via path traversal to RCE, OpenCTI 6.6-6.9.12 hands out admin API access with no credentials, and MeiG FORGE_SLT711 devices allow OS command injection over HTTP. Also: a libssh2 integer overflow (CVSS 7.3) and a Realtek Wi-Fi kernel driver that ships debug ioctls with zero access control (CVSS 7.7).

Colten A
A 9.8 kernel-level RCE in Linux ksmbd and 4 more you should know about

May 5, 2026 • 11 min read

Unauthenticated remote code execution in the Linux in-kernel SMB server (CVE-2026-31705, CVSS 9.8), plus an Axios DoS, a Norton Secure VPN privesc, an Amazon WorkSpaces local-to-SYSTEM bug, and a FRR routing daemon flaw on Azure Linux.

Colten A
GoBGP double-tap: two 7.3 parser bugs that can kill your BGP sessions

May 4, 2026 • 11 min read

Two unauthenticated crashes in GoBGP's MRT and AIGP parsers, plus unpatched auth bypasses in MindsDB and yudao-cloud with public exploits already circulating. Prefect's WebSocket endpoint is wide open too.

Colten A
WordPress auth bypass in one GET request, plus RCE in Krayin CRM

May 1, 2026 • 9 min read

CVE-2026-7567 (CVSS 9.8) lets anyone log into WordPress as a temporary user with a single crafted request. Krayin CRM's compose email function has RCE (CVSS 8.1), and the Pallets Click library has a command injection bug worth checking your Python tooling for.

Colten A
ksmbd RCE, a Wazuh cluster takeover, and an OpenSSL use-after-free

Apr 30, 2026 • 9 min read

Linux's in-kernel SMB server has a CVSS 9.8 buffer bug that looks like unauthenticated RCE. Wazuh cluster sync has a 9.0 path traversal to code execution. OpenSSL's DANE verification has a use-after-free (CVSS 8.1, EPSS near zero) worth watching but not panicking over.

Colten A
Chrome sandbox escape chain, a WattBox sticker-to-root bug, and a dead Apache project

Apr 29, 2026 • 7 min read

Two Chrome use-after-free bugs (CVE-2026-7343 + CVE-2026-7341, both CVSS 9.8) chain renderer compromise to full sandbox escape on Windows. Snap One WattBox 800/820 PDUs authenticate diagnostics endpoints with the MAC address printed on the label. Apache Pony Mail (Lua) has a 9.8 account takeover with no fix coming because the project is retired.

Colten A
Five 9.8s on SOHO routers: Totolink and D-Link firmware is Swiss cheese

Apr 28, 2026 • 6 min read

Four public command injection exploits hit the Totolink A8000RU and one buffer overflow nails the D-Link DI-8100. All CVSS 9.8, all pre-auth, all with public exploit code. If either device is in your stack, pull it off the internet now.

Colten A
5 bugs at CVSS 9.8: Apache MINA's filter bypassed twice, WordPress plugin to admin in one click

Apr 27, 2026 • 6 min read

Two deserialization bypasses in Apache MINA let attackers slip past the allowlist for RCE, a WordPress privilege escalation hands out admin roles, and a pair of Totolink router command injections have public exploits. All 9.8, none exploited in the wild yet.

Colten A
Two perfect 10 vulns: Entra ID SSRF and Bing RCE, both unauth, both wide open

Apr 24, 2026 • 6 min read

Microsoft Entra ID Entitlement Management has a CVSS 10.0 SSRF that needs no login, and Bing has a CVSS 10.0 deserialization RCE in the same boat. Hackage-server adds two 9.9 stored XSS bugs, plus a 9.8 crasher in Delta Electronics NAS gear.

Colten A

PatchDay Alert

The 5-minute patch brief for the person who actually has to patch stuff.

© 2026 PatchDay Alert.
Powered by beehiiv