
PatchDay Alert: 2026-05-12

DAILY BRIEF · MAY 12, 2026

Nothing is on fire in the wild today, but one of these is ugly on paper. FireFighter's Jira bot has a wide-open, unauthenticated SSRF (CVE-2026-42864, CVSS 9.9) that lets anyone with network access steal AWS IAM creds from unprotected EC2/EKS metadata endpoints. If you run FireFighter anywhere near a cloud workload, patch before lunch.

TOP THREAT TODAY

CVE-2026-6665 CVSS 8.1 EPSS 0.02% HIGH

A buffer overflow in PgBouncer's SCRAM authentication handling could let an attacker crash the connection pooler or potentially run code on the host. Exploitation requires the attacker to reach PgBouncer's listening port and initiate a SCRAM auth exchange, but no valid credentials are needed to trigger the overflow.

Who's affected: Anyone running PgBouncer 1.25.1-1 on Azure Linux 3.0, especially if PgBouncer is exposed beyond localhost


Patch this week. Update the pgbouncer package on Azure Linux 3.0 to the patched version available in the azl3 repository.

NVD MSRC

CVE-2026-42864 CVSS 9.9 CRITICAL

FireFighter's Jira bot endpoint is wide open: no authentication despite what the docstring claims. An unauthenticated attacker who can reach the ingress can make the pod fetch any URL they choose, then read the response back as a Jira attachment. On EC2/EKS clusters that haven't enforced IMDSv2, this is a straight path to stealing the pod's AWS IAM credentials.

Affects: Teams running FireFighter (incident management app) versions before 0.0.54, particularly on AWS EKS or EC2


Patch immediately. Upgrade FireFighter to 0.0.54 or later. If you can't upgrade immediately, block unauthenticated access to POST /api/v2/firefighter/raid/jira_bot at your ingress layer and enforce IMDSv2 on all EC2/EKS nodes.
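A defender-side check for the IMDSv2 mitigation above, added here as an example that is not from the advisory or the FireFighter project: it audits the `MetadataOptions` block that `aws ec2 describe-instances` returns (a constructed sample is embedded) and prints the `aws ec2 modify-instance-metadata-options` call for each node that still permits IMDSv1 or a PUT hop limit above 1. The instance IDs and settings are made up.

```python
"""Audit EC2 metadata options for the IMDSv2 enforcement recommended above.

Added example, not from the advisory or the FireFighter project. It parses the
JSON that `aws ec2 describe-instances --output json` returns (constructed sample
below) and flags nodes where a pod-level SSRF could still reach credentials.
"""
import json

# Constructed sample of describe-instances output; instance IDs are made up.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa000000000001", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0aaa000000000002", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0aaa000000000003", "MetadataOptions": {
        "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0aaa000000000004", "MetadataOptions": {
        "HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
]}]})


def find_imds_weak_nodes(describe_output: str) -> dict:
    """Return {instance_id: [reasons]} for instances whose IMDS settings are weak."""
    findings = {}
    for reservation in json.loads(describe_output)["Reservations"]:
        for inst in reservation["Instances"]:
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # IMDS is off entirely; nothing for an SSRF to fetch
            reasons = []
            if opts.get("HttpTokens") != "required":
                reasons.append("IMDSv1 still allowed (HttpTokens != required)")
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                reasons.append("hop limit > 1: pods off host network can mint IMDSv2 tokens")
            if reasons:
                findings[inst["InstanceId"]] = reasons
    return findings


def remediation_command(instance_id: str, hop_limit: int = 1) -> str:
    """The aws CLI call that enforces IMDSv2 and pins the hop limit on one instance."""
    return (f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
            f"--http-tokens required --http-endpoint enabled "
            f"--http-put-response-hop-limit {hop_limit}")


if __name__ == "__main__":
    for iid, reasons in find_imds_weak_nodes(SAMPLE_DESCRIBE_INSTANCES).items():
        print(f"{iid}: {'; '.join(reasons)}")
        print("  fix:", remediation_command(iid))
```

A hop limit of 1 keeps IMDSv2 tokens from reaching pods in their own network namespace; pods running with host networking still reach IMDS, so pair this with the ingress block.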

NVD Ref 1

CVE-2026-43500 CVSS 7.8 EPSS 0.01% HIGH

A bug in the Linux kernel's rxrpc subsystem fails to properly unshare DATA and RESPONSE packets when paged fragments are present. A local attacker could exploit this to escalate privileges. You need local access to trigger it, which lowers the real-world risk for most environments.

Affects: Anyone running Azure Linux 3.0 with kernel 6.6.138.1-1


Patch this week. Update the kernel package on Azure Linux 3.0 via `tdnf update kernel` and reboot.

NVD MSRC

CVE-2026-42501 CVSS 7.5 EPSS 0.01% HIGH

A malicious Go module proxy can serve modules that bypass the checksum database verification in `cmd/go`. This means a compromised or rogue proxy could slip tampered code into your Go builds without the checksum mismatch being caught. If you build Go code in CI/CD pipelines or on dev machines that pull from untrusted proxies, you're at risk of supply chain compromise.

Affects: Anyone building Go projects on Azure Linux 3.0 using Go 1.25.x (before the fix) or Go 1.26.2-1


Patch this week. Update the golang package on Azure Linux 3.0 via `tdnf update golang` to the patched version.

NVD MSRC

CVE-2026-38568 CVSS 8.1 HIGH

HireFlow v1.2 has no object-level authorization on candidate and interview endpoints. Any authenticated user can read every other user's candidate profiles and interview notes just by incrementing the integer ID in the URL. This is a full horizontal privilege escalation: one valid account gives access to the entire dataset.

Affects: Anyone running HireFlow v1.2 (self-hosted or otherwise accessible to multiple users)


Patch within 24 hours. Upgrade HireFlow past v1.2 to a version with proper object-level authorization. If no patch is available yet, restrict access to the application at the network layer and audit access logs for enumeration patterns on /candidate/ and /interview/ endpoints.
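To make the log audit above concrete, an added example (not from the advisory or from HireFlow) that flags clients walking consecutive IDs on `/candidate/` and `/interview/` in constructed access-log lines; the log format, client addresses, thresholds and IDs are assumptions.

```python
"""Spot ID enumeration on HireFlow's /candidate/ and /interview/ endpoints in
access logs, the audit the advisory above recommends.

Added example, not from the advisory or from HireFlow. Log format, addresses and
IDs are constructed; adapt LOG_RE to your proxy. A client is flagged when it asks
for many distinct object IDs that are mostly consecutive, i.e. ID incrementing.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
OBJECT_RE = re.compile(r"^/(?P<kind>candidate|interview)/(?P<id>\d+)/?(?:\?.*)?$")

# Constructed sample: one ordinary user plus one account walking candidate IDs.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/May/2026:09:01:10 +0000] "GET /candidate/4821 HTTP/1.1" 200 912
10.0.0.5 - alice [12/May/2026:09:03:42 +0000] "GET /interview/77 HTTP/1.1" 200 402
10.0.0.5 - alice [12/May/2026:09:10:05 +0000] "GET /candidate/4830 HTTP/1.1" 200 877
198.51.100.23 - bob [12/May/2026:09:15:00 +0000] "GET /candidate/100 HTTP/1.1" 200 901
198.51.100.23 - bob [12/May/2026:09:15:01 +0000] "GET /candidate/101 HTTP/1.1" 200 899
198.51.100.23 - bob [12/May/2026:09:15:01 +0000] "GET /candidate/102 HTTP/1.1" 200 905
198.51.100.23 - bob [12/May/2026:09:15:02 +0000] "GET /candidate/103 HTTP/1.1" 404 120
198.51.100.23 - bob [12/May/2026:09:15:02 +0000] "GET /candidate/104 HTTP/1.1" 200 910
198.51.100.23 - bob [12/May/2026:09:15:03 +0000] "GET /interview/12 HTTP/1.1" 200 388
"""


def find_enumerators(log_text: str, min_ids: int = 5, min_seq_ratio: float = 0.8) -> dict:
    """Return {(ip, kind): sorted ids} for clients that look like they are walking IDs."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        obj = OBJECT_RE.match(m["path"])
        if obj:  # keep 404s too: probing gaps in the ID space is part of the pattern
            seen[(m["ip"], obj["kind"])].add(int(obj["id"]))
    flagged = {}
    for key, ids in seen.items():
        ordered = sorted(ids)
        if len(ordered) < min_ids:
            continue
        steps = [b - a for a, b in zip(ordered, ordered[1:])]
        if sum(s == 1 for s in steps) / len(steps) >= min_seq_ratio:
            flagged[key] = ordered
    return flagged


if __name__ == "__main__":
    for (ip, kind), ids in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip} walked {len(ids)} {kind} IDs from {ids[0]} to {ids[-1]}")
```

Group by authenticated user instead of source IP if your proxy logs the account name, since one valid account is all this bug requires.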

NVD Ref 1 Ref 2

Community Signal Check

PAN-OS Captive Portal RCE exploited in the wild, patch or restrict access now (CVE-2026-0300)

Attackers are exploiting CVE-2026-0300, a buffer overflow in PAN-OS's Captive Portal service that gives unauthenticated remote code execution as root on PA-Series and VM-Series firewalls. Patches roll out between May 13 and May 28 depending on your PAN-OS branch. Until then, lock down Authentication Portal access to trusted internal IPs or disable it entirely if you don't need it.

Palo Alto Networks • active_exploitation

Cisco Crosswork Network Controller and NSO vulnerable to unauthenticated DoS (CVE-2026-20188)

CVE-2026-20188 (CVSS 7.5) lets unauthenticated remote attackers crash Cisco Crosswork Network Controller 7.1 and earlier, plus NSO 6.4 and earlier. CNC 7.2 and NSO 6.4.1.3 are patched. If you run either product, upgrade now.

Cisco PSIRT • vendor_advisory

CISA adds Ivanti EPMM zero-day to KEV catalog (CVE-2026-6973)

CISA confirmed zero-day exploitation of CVE-2026-6973, an input validation bug in Ivanti Endpoint Manager Mobile that lets authenticated admin users get remote code execution. Federal deadline is May 10, 2026. If you run EPMM, treat this as urgent regardless of whether you're under a BOD.

BleepingComputer • active_exploitation

That's your patch day digest.

patchdayalert.com

Voice dictation that doesn't mangle your syntax.

Most dictation tools choke on technical language. Wispr Flow doesn't. It understands code syntax, framework names, and developer jargon — so you can dictate directly into your IDE and send without fixing.

Use it everywhere: Cursor, VS Code, Warp, Slack, Linear, Notion, your browser. Flow sits at the system level, so there's nothing to install per app. Tap and talk.

Developers use Flow to write documentation 4x faster, give coding agents richer context, and respond to Slack without breaking focus. 89% of messages go out with zero edits. Free on Mac, Windows, and iPhone.
