PatchDay Alert: 2026-06-03
TODAY'S CALL
Two 9.8s on the board today, but neither is being exploited in the wild yet. The scarier one: ARMember Premium for WordPress stores password reset keys in plaintext, and paired with the plugin's existing SQL injection bugs (CVE-2026-5073, CVE-2026-5074) that adds up to unauthenticated admin takeover. If you manage WordPress sites running ARMember, stop reading and go patch. The rest of the list is lower severity, or needs a non-default configuration before it matters, but is worth a look.

DO FIRST
• Upgrade LibreChat to 0.8.3-rc1 or later, which fixes the IDOR in the API keys endpoint (CVE-2026-31942)
• Update NI-PAL to a version later than 26.3.0 through NI Package Manager or your Linux package manager (CVE-2026-8036, CVE-2026-8035)
• Update the ARMember Premium plugin to a version newer than 7.3.1 immediately (CVE-2026-5076)
• Upgrade Sentinel to version 11.6.0 or later (CVE-2026-0611)

Clear the most in the fewest moves
2 updates close multiple CVEs at once. Each row is one maintenance decision; the urgency is driven by the most serious CVE the update closes.

ACTION | CVES | URGENCY | IMPACT
Update the ARMember Premium plugin to a version newer than 7.3.1 immediately | 6 (1 critical) | Patch immediately, internet-facing only | —
Update NI-PAL to a version later than 26.3.0 through NI Package Manager or your Linux package manager | 4 | Patch this week, local access required | Endpoint reboot

TOP THREAT TODAY

CVE-2026-31942
Any authenticated LibreChat user can overwrite another user's API key configuration (OpenAI, Anthropic, Azure, etc.) by injecting a userId parameter into the PUT /api/keys request. An attacker could swap a victim's keys for attacker-controlled ones, silently routing their conversations through a malicious proxy, or just break things by stuffing in invalid keys. The root cause is a classic JavaScript object-spread ordering bug: the handler sets userId from the session first and then spreads the client-supplied parameters over it, so a userId sent by the client wins. Exploitation is trivial for anyone with a valid login.
Who's affected: Anyone self-hosting LibreChat 0.7.6 or earlier
Patch this week. Upgrade LibreChat to 0.8.3-rc1 or later, which fixes the IDOR in the API keys endpoint.
Exposure: Network-reachable systems
Refs: NVD · Ref 1
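
The spread-ordering bug class behind the LibreChat IDOR, as an added example written for this digest (it is not LibreChat's code). The handler shape, the field names (name, value, userId), the in-memory store and the attacker request are all assumptions chosen so the vulnerable handler and the fixed one run side by side offline under plain Node.js:

```javascript
// Added illustration of the object-spread IDOR class described above. Not
// LibreChat's code: the handler shape, the field names (name, value, userId)
// and the in-memory store are assumptions made so the bug and the fix can
// run offline with plain Node.js.

// Constructed stand-in for the per-user keys collection: userId -> { name -> value }
const keysStore = new Map();

function getKey(userId, name) {
  const entry = keysStore.get(userId);
  return entry ? entry[name] : undefined;
}

// VULNERABLE: the authenticated userId is set first and the client body is
// spread over it afterwards, so a "userId" field in the body silently replaces
// the server-side value and the write lands on another user's row.
function updateKeyVulnerable(req) {
  const doc = { userId: req.user.id, ...req.body };
  const entry = keysStore.get(doc.userId) || {};
  entry[doc.name] = doc.value;
  keysStore.set(doc.userId, entry);
  return doc.userId; // which user's row was written
}

// FIXED: pick exactly the fields the endpoint accepts, validate them, and bind
// the document to the session identity last so nothing in the body can move it.
function updateKeyFixed(req) {
  const { name, value } = req.body;
  if (typeof name !== 'string' || typeof value !== 'string') {
    throw new TypeError('name and value must be strings');
  }
  const doc = { name, value, userId: req.user.id };
  const entry = keysStore.get(doc.userId) || {};
  entry[doc.name] = doc.value;
  keysStore.set(doc.userId, entry);
  return doc.userId;
}

// Replays one constructed attacker request against both handlers and reports
// whose row each one wrote and what the victim's key looks like afterwards.
function demo() {
  keysStore.clear();
  keysStore.set('victim', { openAI: 'sk-victim' });
  // Constructed request: a valid login as "attacker"; the body smuggles userId.
  const attackerReq = {
    user: { id: 'attacker' },
    body: { userId: 'victim', name: 'openAI', value: 'sk-attacker' },
  };

  const vulnWroteTo = updateKeyVulnerable(attackerReq);
  const victimKeyAfterVuln = getKey('victim', 'openAI');

  keysStore.set('victim', { openAI: 'sk-victim' }); // reset the victim row
  const fixedWroteTo = updateKeyFixed(attackerReq);
  const victimKeyAfterFix = getKey('victim', 'openAI');

  return { vulnWroteTo, victimKeyAfterVuln, fixedWroteTo, victimKeyAfterFix };
}

console.log(demo());
// { vulnWroteTo: 'victim', victimKeyAfterVuln: 'sk-attacker',
//   fixedWroteTo: 'attacker', victimKeyAfterFix: 'sk-victim' }
```

Reversing the spread order (`{ ...req.body, userId: req.user.id }`) also closes this particular hole, but an explicit field pick is the habit to adopt: it stops every other unexpected body field at the same time, not just userId.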

CVE-2026-8036 · CVSS 7.1 · HIGH
A local authenticated user can exploit an input validation bug in the NI-PAL driver to read arbitrary system memory, which can lead to privilege escalation. You need a local account to pull this off, so it's not remotely exploitable, but an arbitrary memory read is a standard building block for going from normal user to SYSTEM/root on any box running NI hardware drivers.
Affects: Engineers and sysadmins running National Instruments hardware with NI-PAL 26.3.0 or earlier on Windows or Linux
Patch this week. Update NI-PAL to a version later than 26.3.0 through NI Package Manager or your Linux package manager.
Exposure: Local / adjacent access only · Op impact: Endpoint reboot
Refs: NVD · Ref 1

CVE-2026-8035 · CVSS 7.1 · HIGH
A local authenticated user can crash the NI-PAL kernel driver by triggering a NULL pointer dereference, causing a system-level denial of service. Exploitation requires local access, so it's not remotely triggerable, but it can blue-screen or panic the host. On shared lab or test systems, that's disruptive.
Affects: Engineers and sysadmins running National Instruments hardware with NI-PAL 26.3.0 or earlier on Windows or Linux
Monitor and patch (the same update also closes CVE-2026-8036, which is the one that sets the schedule). Update NI-PAL to a version later than 26.3.0 through NI Package Manager or your Linux package manager.
Exposure: Local / adjacent access only · Op impact: Endpoint reboot
ONE UPDATE · 4 CVEs
Refs: NVD · Ref 1

CVE-2026-5076 · CVSS 9.8 · CRITICAL
ARMember Premium for WordPress stores password reset keys in plaintext in user meta. Combined with the SQL injection bugs tracked as CVE-2026-5073 or CVE-2026-5074, an unauthenticated attacker can read those keys straight out of the database and reset any user's password, including admin accounts. That's full site takeover with zero authentication required. Patching stops the plaintext storage going forward; treat any reset key that was already sitting in user meta as readable and check admin accounts for password changes you didn't make.
Affects: WordPress site owners and hosts running ARMember Premium plugin version 7.3.1 or earlier
Patch immediately for internet-facing systems. Update the ARMember Premium plugin to a version newer than 7.3.1 immediately. If no fix is available yet, deactivate the plugin until one ships.
Exposure: Internet-facing systems
ONE UPDATE · 6 CVEs · 1 CRITICAL
Refs: NVD · Ref 1 · Ref 2

CVE-2026-0611 · CVSS 9.8 · CRITICAL
Spacelabs Healthcare Sentinel exposes a deprecated .NET Remoting HTTP channel on port 8989 that lets an unauthenticated attacker read and write arbitrary files. An attacker can drop an ASPX webshell into the IIS wwwroot directory for full remote code execution. The saving grace: port 8989 is not exposed in a default install. You're only vulnerable if someone explicitly opened that port to the network through config or firewall changes, so verify rather than assume: check what is listening on 8989 on each Sentinel host and whether any firewall rule allows it in, and review wwwroot for .aspx files you did not deploy.
Affects: Healthcare IT teams running Spacelabs Healthcare Sentinel versions 10.5.x through 11.x.x before 11.6.0, especially if port 8989 has been exposed
Patch within 24 hours for internet-facing systems. Upgrade Sentinel to version 11.6.0 or later. As an immediate mitigation, block inbound traffic to port 8989 at the firewall if you cannot patch right away.
Exposure: Internet-facing systems · Op impact: Service restart
Refs: NVD · Ref 1 · Ref 2

Community Signal Check

PAN-OS GlobalProtect authentication bypass CVE-2026-0257 exploited for weeks
Attackers are forging authentication override cookies to bypass GlobalProtect VPN login on PAN-OS firewalls. Exploitation started around May 17, and CISA added CVE-2026-0257 to KEV with a June 1 federal deadline. Upgrade PAN-OS now, or disable authentication override cookies as a stopgap.
Source: Palo Alto PSIRT • active_exploitation

Windows Netlogon RCE CVE-2026-41089 exploited in the wild, patch domain controllers now
CVE-2026-41089 is a stack-based buffer overflow in Windows Netlogon that gives attackers unauthenticated remote code execution on domain controllers. Exploitation started almost immediately after disclosure. Every supported Windows Server version is affected, so patch your DCs first and watch for unusual Netlogon RPC traffic.
Source: BleepingComputer • active_exploitation

Two Microsoft Defender zero-days (CVE-2026-41091, CVE-2026-45498) exploited in real intrusions
CVE-2026-41091 (CVSS 7.8, privilege escalation) and CVE-2026-45498 (CVSS 4.0, denial of service) in Microsoft Defender were dropped as zero-days and are confirmed exploited in the wild. Huntress has seen both used in real intrusions. CISA's KEV deadline is June 3.
Source: The Hacker News • active_exploitation

KB5089549 Windows 11 update fails with 0x800f0922 on small EFI partitions
The May 2026 Windows 11 security update KB5089549 rolls back with error 0x800f0922 on machines whose EFI System Partition has 10 MB or less free. Microsoft released KB5089573 on May 26 to fix it. If you're seeing failed installs, apply Known Issue Rollback or push KB5089573.
Source: BleepingComputer • broken_patch

SECURE BOOT · 21 days until Microsoft Secure Boot certificates begin expiring (June 24, 2026).

Also patched this window
Lower-priority items that cleared the enterprise filter. Scan for anything in your estate.
• 8.8 · CVE-2025-15656 · Incorrect Privilege Assignment vulnerability in Mojoomla School Management allows Privilege Escalation.
• 8.1 · CVE-2026-39555 · Deserialization of Untrusted Data vulnerability in Elated-Themes Askka allows Object Injection.
• 7.6 · CVE-2025-15655 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mojoomla School Management allows SQL Injection.
• 7.5 · CVE-2026-45685 · OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard.
• 7.5 · CVE-2026-40780 · Authentication Bypass Using an Alternate Path or Channel vulnerability in Liquid Web / StellarWP BookIt allows Password Recovery Exploitation.
• 7.1 · CVE-2026-42654 · Authentication Bypass Using an Alternate Path or Channel vulnerability in WP Swings Wallet System for WooCommerce…
• 8.8 · CVE-2026-49143 · BrowserStack Runner through 0.9.5 contains a remote code execution vulnerability in the /_log HTTP handler that allows…
• 8.2 · CVE-2026-28299 · SolarWinds Web Help Desk is found to be affected by a denial-of-service vulnerability, which when exploited, could…
• 8.0 · CVE-2026-35482 · Prior to version 2.0-M5-2606, a sandbox escape vulnerability in the alf.io extension script engine allows…
• 7.5 · CVE-2026-45678 · OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard.
Plus 8 more this window. See NVD for the full list.

Recent from the blog
• One CERT says it's exploited, Microsoft says it isn't, and you patch anyway
  A pre-auth SYSTEM RCE on every domain controller doesn't need an exploitation rumor to earn the top of your patch queue. The interesting pa…
• Enforcing and proving BitLocker TPM+PIN across an Intune fleet
  Requiring a startup PIN is one toggle. Landing it on already-encrypted devices and proving it took across the whole fleet is the actual wor…
• Gogs has a critical RCE and no one is coming to fix it
  Rapid7 found a push-button remote code execution flaw in Gogs, shipped a Metasploit module with it, and ran 72 days from report to publicat…

That's your patch day digest.
patchdayalert.com