
PatchDay Alert: 2026-05-26

DAILY BRIEF · MAY 26, 2026

Drop what you're doing if you run Drupal. CVE-2026-9082 is a SQL injection in Drupal Core's database abstraction layer, no auth required, and attackers are already exploiting it in the wild. Behind that, a CVSS 10.0 DNS cache poisoning bug in Unbound on Azure Linux and an rsync memory leak round out a busy Memorial Day queue.

Clear the most in the fewest moves

3 updates close multiple CVEs at once. Start here.

11 CVEs (2 critical) · Update the Unbound package on Azure Linux 3.0 to the patched version via `tdnf update unbound` and restart the service.
6 CVEs · Update rsync to 3.4.3 or later via `tdnf update rsync` on Azure Linux 3.0, or your distro's package manager elsewhere.
2 CVEs · Update memcached to 1.6.42 or later via `tdnf update memcached` on Azure Linux 3.0, then restart the service.

SECURE BOOT CERTIFICATE DEADLINE

29 days until Microsoft Secure Boot certificates begin expiring (June 24, 2026). How to remediate →

TOP THREAT TODAY

CVE-2026-9082 · EXPLOITED

SQL injection in Drupal Core's database abstraction API lets an attacker send crafted requests to escalate privileges and run arbitrary code on the server. No authentication is required, and attackers are already exploiting this in the wild. EPSS is 0.17 (95th percentile), which confirms real-world interest despite the lack of a published CVSS score.

Who's affected: Anyone running a Drupal site, especially internet-facing instances on any hosting platform.


Patch immediately. Apply the latest Drupal Core security release from drupal.org, then audit access logs for unusual POST activity against database-facing endpoints.

NVD KEV

CVE-2026-42960 CVSS 10.0 EPSS 0.03% CRITICAL

Unbound on Azure Linux 3.0 is vulnerable to DNS cache poisoning through promiscuous authority-section records. An attacker can inject forged DNS answers into the resolver cache, redirecting traffic for arbitrary domains. CVSS 10.0, though EPSS is very low (0.0003) and there's no known exploitation yet.

Affects: Azure Linux 3.0 operators running Unbound 1.19.1-5 as a DNS resolver.


Patch within 24 hours. Update the Unbound package on Azure Linux 3.0 to the patched version via `tdnf update unbound` and restart the service.

ONE UPDATE · 11 CVEs · 2 CRITICAL

NVD MSRC Ref 1
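The classic defence against the poisoning pattern described above is a bailiwick check: a resolver only caches authority-section records whose owner name lies inside the zone it actually queried. The following C is an added illustrative example, not Unbound's code and not the specific fix for this CVE; the record struct and the sample reply are constructed, and names are assumed normalised without a trailing dot.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Minimal view of a resource record, constructed for this example (not Unbound's types).
 * Owner names are assumed normalised without a trailing dot. */
struct rr { const char *owner; const char *type; const char *rdata; };

/* True if name equals zone or is a subdomain of it. Case-insensitive, and the
 * match must sit on a label boundary, so "evilexample.com" is NOT under "example.com". */
bool in_bailiwick(const char *name, const char *zone)
{
    size_t ln = strlen(name), lz = strlen(zone);
    if (lz == 0) return true;                    /* root zone covers every name */
    if (ln < lz) return false;
    const char *tail = name + (ln - lz);
    for (size_t i = 0; i < lz; i++)
        if (tolower((unsigned char)tail[i]) != tolower((unsigned char)zone[i]))
            return false;
    return ln == lz || tail[-1] == '.';
}

/* Scrub the authority section of a reply: keep only RRs whose owner lies inside
 * the zone the upstream server was asked about. Records outside it are exactly
 * the "promiscuous" data a poisoned reply smuggles in; they must never be cached. */
size_t scrub_authority(const struct rr *in, size_t n, const char *zone,
                       struct rr *out, size_t cap)
{
    size_t kept = 0;
    for (size_t i = 0; i < n && kept < cap; i++)
        if (in_bailiwick(in[i].owner, zone))
            out[kept++] = in[i];
    return kept;
}

/* Constructed reply for a query to the example.com servers: the second NS record
 * claims authority for an unrelated zone and must be dropped. Returns how many survive. */
size_t demo_kept_count(void)
{
    const struct rr authority[] = {
        { "example.com",     "NS", "ns1.example.com" },
        { "bank.example",    "NS", "ns.attacker.example" },  /* out of bailiwick */
        { "sub.example.com", "NS", "ns.sub.example.com" },
    };
    struct rr kept[3];
    return scrub_authority(authority, 3, "example.com", kept, 3);
}
```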

CVE-2026-43618 CVSS 8.1 EPSS 0.06% HIGH

An integer overflow in rsync before 3.4.3 can leak sensitive data during file transfers. An attacker who controls or compromises an rsync endpoint could trigger the overflow to read memory contents they shouldn't have access to. CVSS 8.1, no known exploitation yet.

Affects: Azure Linux 3.0 operators running rsync 3.4.1-2, and anyone using rsync below 3.4.3 for backup or file sync jobs.


Patch this week. Update rsync to 3.4.3 or later via `tdnf update rsync` on Azure Linux 3.0, or your distro's package manager elsewhere.

ONE UPDATE · 6 CVEs

NVD MSRC Ref 1

CVE-2026-47783 CVSS 8.1 EPSS 0.08% HIGH

Memcached before 1.6.42 has a timing side channel in SASL authentication. The server exits its username-check loop early when it finds a valid user, which lets an attacker figure out valid usernames by measuring response times. This is a prerequisite for credential-stuffing or brute-force attacks, not direct code execution.

Affects: Azure Linux 3.0 operators running memcached 1.6.27-4 with SASL authentication enabled.


Patch this week. Update memcached to 1.6.42 or later via `tdnf update memcached` on Azure Linux 3.0, then restart the service.

ONE UPDATE · 2 CVEs

NVD MSRC Ref 1
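The early-exit lookup the advisory describes, beside a constant-time version that visits every entry and selects the result without branching, as an added illustrative example in C (not memcached's code; the user table and names are constructed):

```c
#include <stddef.h>
#include <string.h>
/* Constructed SASL user table, illustrative only (not memcached's data structures). */
static const char *const USERS[] = { "alice", "bob", "carol" };
#define NUSERS (sizeof(USERS) / sizeof(USERS[0]))
#define MAXNAME 64   /* real names are assumed shorter than this */

/* The pattern the advisory describes: return as soon as a match is found, so the
 * work done (and the response time) reveals whether and where the name exists. */
int find_user_early_exit(const char *name)
{
    for (size_t i = 0; i < NUSERS; i++)
        if (strcmp(USERS[i], name) == 0)
            return (int)i;              /* early exit leaks the position */
    return -1;
}

/* Length bounded by MAXNAME so the comparison never reads past either buffer. */
static size_t bounded_len(const char *s)
{
    size_t n = 0;
    while (n < MAXNAME && s[n] != '\0') n++;
    return n;
}
/* Constant-time equality over fixed-width buffers: no early return and no
 * data-dependent branch, so timing does not depend on how many bytes matched.
 * Over-long input gets length MAXNAME, which never equals a real name's length. */
static int ct_equal(const char *a, const char *b)
{
    unsigned char pa[MAXNAME] = {0}, pb[MAXNAME] = {0};
    size_t la = bounded_len(a), lb = bounded_len(b);
    memcpy(pa, a, la); memcpy(pb, b, lb);
    unsigned char diff = (unsigned char)(la ^ lb);
    for (size_t i = 0; i < MAXNAME; i++)
        diff |= (unsigned char)(pa[i] ^ pb[i]);
    return diff == 0;
}

/* Hardened lookup: every entry is visited and the result is selected with a
 * mask instead of a branch, so valid and unknown names take the same path. */
int find_user_fixed_time(const char *name)
{
    int found = -1;
    for (size_t i = 0; i < NUSERS; i++) {
        int mask = -ct_equal(USERS[i], name);   /* 0 or all-ones */
        found = (found & ~mask) | ((int)i & mask);
    }
    return found;
}
```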

CVE-2026-34336 CVSS 7.8 EPSS 0.05% HIGH

A buffer over-read in the Windows DWM (Desktop Window Manager) Core Library lets a logged-in attacker escalate privileges locally. This requires an attacker to already have code execution on the box, so it's a post-compromise escalation path, not a remote entry point. CVSS 7.8, no exploitation reported yet.

Affects: Windows sysadmins running Windows 10 versions 1607, 1809, or 21H2 on 32-bit or x64 systems.


Patch this week. Apply the latest cumulative update for your Windows 10 build via Windows Update or WSUS.

NVD MSRC Ref 1 Ref 2

Also patched this window

Lower-priority items that cleared the enterprise filter. Scan for anything in your estate.

7.5  CVE-2026-5947 · azl3 bind 9.20.21-1 on azure linux 3.0
SIG(0) validation during query flood may lead to undefined behavior
8.1  CVE-2026-8711 · azl3 nginx 1.28.3-1 on azure linux 3.0
NGINX JavaScript vulnerability
8.1  CVE-2026-31771 · platform:linux-kernel
Bluetooth: hci_event: move wake reason storage into validated event handlers
10.0  CVE-2026-41104 · deserialization of untrusted data in microsoft planetary computer pro
Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose…
10.0  CVE-2026-23652
Improper neutralization of special elements used in a command ('command injection') in Microsoft Power Pages allows an…
9.8  CVE-2025-71210 · trendmicro:apex_one
A vulnerability in the Trend Micro Apex One management console could allow a remote attacker to upload malicious code…
9.3  CVE-2026-41090
Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an…
9.1  CVE-2026-33843 · authentication bypass using an alternate path or channel in microsoft azure active directory b2c
Authentication bypass using an alternate path or channel in Microsoft Azure Active Directory B2C allows an unauthorized…
8.8  CVE-2026-45659 · microsoft:sharepoint
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a…
8.8  CVE-2026-8992 · appliance:ivanti
An improper certificate validation vulnerability in Ivanti Secure Access Client before 22.8R6 allows a remote…
10.0  CVE-2026-47280 · improper authentication in azure resource manager (arm)
Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a…
10.0  CVE-2026-42901 · origin validation error in microsoft entra id
Origin validation error in Microsoft Entra ID allows an unauthorized attacker to elevate privileges over a network.
10.0  CVE-2026-40412 · unrestricted upload of file with dangerous type in azure orbital spatio
Unrestricted upload of file with dangerous type in Azure Orbital Spatio allows an unauthorized attacker to execute code…
9.9  CVE-2026-40411 · improper input validation in azure virtual network gateway
Improper input validation in Azure Virtual Network Gateway allows an authorized attacker to execute code over a network.
8.2  CVE-2018-25372 · meddream pacs server premium
MedDream PACS Server Premium 6.7.1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to…
9.6  CVE-2026-8670 · insufficient session expiration vulnerability in syslink software ag avantra on linux, windows
Insufficient session expiration vulnerability in syslink software AG Avantra on Linux, Windows allows Reusing Session…
8.8  CVE-2026-35430 · authorization bypass through user-controlled key in azure privileged identity management (pim)
Authorization bypass through user-controlled key in Azure Privileged Identity Management (PIM) allows an authorized…
7.1  CVE-2018-25352 · cms:wordpress
WordPress Ultimate Form Builder Lite plugin version 1.3.7 and below contains an SQL injection vulnerability that allows…
7.5  CVE-2026-48829 · in gnu sasl before 2.2.3, digest-md5
In GNU SASL before 2.2.3, DIGEST-MD5 has a NULL pointer dereference affecting both clients and servers, via a known…
7.5  CVE-2026-8671
Insertion of sensitive information into log file vulnerability in syslink software AG Avantra on Linux, Windows allows…
7.1  CVE-2026-7325 · devolutions:devolutions_server
Improper authorization in the Active Directory browsing feature in Devolutions Server allows a low-privileged…
10.0  CVE-2026-33712
Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the preview chat endpoint (POST…

Plus 26 more this window. See NVD for the full list.

Community Signal Check

Microsoft Exchange CVE-2026-42897 XSS zero-day exploited in the wild

Attackers are exploiting CVE-2026-42897, a CVSS 8.1 cross-site scripting bug in Exchange Server that enables spoofing attacks against internet-facing deployments. Microsoft confirmed the zero-day two days after May 2026 Patch Tuesday and published temporary mitigations while a full fix is still in progress. If you run on-prem Exchange, apply those mitigations now.

SecurityAffairs • active_exploitation

KnowledgeDeliver LMS zero-day CVE-2026-5426 exploited to drop BLUEBEAM web shell

Mandiant caught attackers exploiting CVE-2026-5426, an unauth RCE in KnowledgeDeliver LMS caused by reused ASP.NET machine keys across customer installs. The chain goes from insecure ViewState deserialization to an in-memory web shell (BLUEBEAM) to Cobalt Strike. If you run KnowledgeDeliver with default ASP.NET configs, rotate your machine keys immediately and check for web shell artifacts.

Cybersecurity News / Mandiant • active_exploitation

NGINX CVE-2026-42945 heap buffer overflow under active exploitation

CVE-2026-42945 is a CVSS 9.2 heap buffer overflow in NGINX's rewrite module, affecting versions 0.6.27 through 1.30.0, and attackers are already using it to crash workers or get RCE with crafted HTTP requests. VulnCheck also flagged parallel exploitation of two openDCIM bugs (CVE-2026-28515, CVE-2026-28517) dropping PHP web shells. Patch NGINX past 1.30.0 and audit any openDCIM installs you're running.

The Hacker News / VulnCheck • active_exploitation

Recent from the blog

Microsoft patched a SYSTEM bug in 2020. It still works in 2026.
A pseudonymous researcher published MiniPlasma, a working PoC for CVE-2020-17103, and the only thing standing between you and a SYSTEM shel…

SonicWall patched CVE-2024-12802 and left the bug in place on Gen6
The firmware update closes the code path but does not rewrite the LDAP config the exploit actually uses. On Gen6, that distinction is the w…

The patch window went negative. Now what?
Mandiant's mean time-to-exploit is negative seven days. NVD gave up on enriching most of the catalog. Here's what the next 24 months of pat…

That's your patch day digest.

patchdayalert.com
