DAILY BRIEF · MAY 8, 2026
Two criticals landed this morning, neither exploited in the wild yet, but both ugly enough to move on now. CVE-2026-31718 is a use-after-free in ksmbd, the in-kernel Linux SMB server, with a CVSS 9.8 and no auth required. Right behind it, CVE-2026-35428 is a command injection bug in Azure Cloud Shell at CVSS 9.6. Three more round out the list, all 7.x, all worth a look before the weekend.
TOP THREAT TODAY
An attacker can remotely inject SQL through the user-save endpoint in SourceCodester Pharmacy Sales and Inventory System 1.0. No authentication appears to be required, and a public exploit already exists. If you're running this app, anyone on the network can read or modify your database.
Who's affected: Anyone running SourceCodester Pharmacy Sales and Inventory System 1.0
Patch immediately.
Take the application offline or block access to /ajax.php?action=save_user immediately, then apply a vendor patch when one ships or replace the software. There is no known official fix at this time, so restricting network access is your best short-term move.
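The brief's short-term mitigation is to cut off /ajax.php?action=save_user; the following added example (not from the brief or the vendor) scans combined-format web access logs for requests that already reached that endpoint and flags request lines carrying SQL-injection markers. The log lines it runs on are constructed, and the /pharmacy/ path prefix is an assumption.

```python
"""Find access-log hits on the vulnerable user-save endpoint."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined log format: ip - - [ts] "METHOD target HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Common SQL-injection markers, checked against the URL-decoded request target.
SQLI_RE = re.compile(r"""('|"|--|/\*|\bunion\b|\bselect\b|\bsleep\s*\(|\bor\s+\d+=\d+)""", re.I)


def is_vulnerable_endpoint(target: str) -> bool:
    """True when the request targets ajax.php with action=save_user (any path prefix)."""
    parts = urlsplit(target)
    return parts.path.endswith("/ajax.php") and "save_user" in parse_qs(parts.query).get("action", [])


def scan(lines):
    """Return one finding per hit on the endpoint: (ip, method, status, sqli_marker_seen)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_vulnerable_endpoint(m["target"]):
            continue
        decoded = unquote_plus(m["target"])
        findings.append((m["ip"], m["method"], int(m["status"]), bool(SQLI_RE.search(decoded))))
    return findings


# Constructed sample lines (not real traffic); the /pharmacy/ prefix is assumed.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/May/2026:09:12:01 +0000] "POST /pharmacy/ajax.php?action=save_user HTTP/1.1" 200 18 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [08/May/2026:09:12:07 +0000] "GET /pharmacy/ajax.php?action=save_user&id=1%27%20OR%201=1-- HTTP/1.1" 200 511 "-" "python-requests/2.31"',
    '10.0.0.7 - - [08/May/2026:09:13:44 +0000] "GET /pharmacy/ajax.php?action=login HTTP/1.1" 200 27 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [08/May/2026:09:14:02 +0000] "GET /pharmacy/index.php?page=home HTTP/1.1" 200 4412 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, method, status, sqli in scan(SAMPLE_LOG):
        print(f"{ip} {method} save_user status={status} sqli_marker={sqli}")
```

Standard access logs do not record POST bodies, so every hit on the endpoint is reported, not only the ones with markers in the URL.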

CVE-2026-31718 · CVSS 9.8 · EPSS 0.06% · CRITICAL
A use-after-free bug in ksmbd (the in-kernel SMB server on Linux) lets a remote attacker potentially execute code or crash the system by triggering a race condition through durable file handle scavenging. CVSS 9.8 makes this critical. If you expose ksmbd to the network, an attacker may not need credentials to trigger it.
Affects: Linux sysadmins running ksmbd, especially Azure Linux 3.0 with kernel 6.6.137.1-2
Patch within 24 hours.
Update to the patched Azure Linux 3.0 kernel package. If you can't patch right away, disable ksmbd and fall back to Samba's userspace smbd.

CVE-2026-35428 · CVSS 9.6 · CRITICAL
A command injection bug in Azure Cloud Shell lets an unauthenticated attacker spoof actions over the network. CVSS 9.6 puts this near the top of the severity scale. Microsoft hasn't published deep technical details yet, but the combination of command injection and no auth requirement makes this one to act on fast.
Affects: Teams using Azure Cloud Shell in their Azure tenants
Patch immediately.
Check the Microsoft Security Response Center for an updated advisory and apply any available mitigation or service-side fix. Review Azure Cloud Shell activity logs for anomalous commands.

CVE-2026-43869 · CVSS 7.3 · EPSS 0.03% · HIGH
Apache Thrift's TSSLTransportFactory in Java doesn't properly verify hostnames during TLS connections. An attacker in a network position to intercept traffic (think man-in-the-middle) could impersonate a Thrift service endpoint without triggering a certificate error. This only matters if your Java services use Thrift's built-in TLS transport.
Affects: Java developers and sysadmins running services that use Apache Thrift's TLS transport, especially Azure Linux 3.0 with thrift 0.15.0-5
Patch this week.
Update the Apache Thrift package to a version with the hostname verification fix. On Azure Linux 3.0, update via your package manager.

CVE-2026-33111 · CVSS 7.5 · HIGH
A command injection flaw in Copilot Chat within Microsoft Edge lets an unauthenticated attacker leak information over the network. The CVSS 7.5 score reflects an information disclosure impact. If your users rely on Edge's Copilot Chat, an attacker could potentially extract sensitive data from chat sessions or the browser context.
Affects: Anyone managing Microsoft Edge deployments with Copilot Chat enabled
Patch this week.
Update Microsoft Edge to the latest version through Windows Update, WSUS, or your browser management tool. If you can't update quickly, consider disabling Copilot Chat via Edge group policy.

Community Signal Check

PAN-OS User-ID Authentication Portal RCE exploited in the wild, no patch yet
CVE-2026-0300 (CVSS 9.3) is an unauthenticated buffer overflow in PAN-OS's User-ID Authentication Portal that gives attackers root. Attackers are already exploiting it in limited attacks, and Palo Alto doesn't expect a patch until May 13. If your Authentication Portal is internet-facing, restrict it to trusted zones or disable it now.
Palo Alto Networks / Wiz · active exploitation

Ivanti EPMM zero-day CVE-2026-6973 exploited in limited attacks
Ivanti confirmed limited exploitation of CVE-2026-6973 (CVSS 7.2), an input validation bug in on-prem EPMM that lets an authenticated admin get RCE. Update to EPMM 12.6.1.1, 12.7.0.1, or 12.8.0.1. Cloud-hosted Ivanti Neurons for MDM is not affected.
Cyberscoop / Ivanti · active exploitation

Linux kernel 'Copy Fail' bug CVE-2026-31431 exploited for root escalation
CVE-2026-31431 (CVSS 7.8) is a logic flaw in the Linux kernel's crypto subsystem that lets a local attacker escalate to root. Public exploit code works across most major distros shipped since 2017, and attackers are using it for container breakout in multi-tenant cloud setups. Patch your kernels and audit for unexpected privilege changes on shared infrastructure.
Unit 42 · active exploitation

April 2026 Windows Server patches cause LSASS crashes and reboot loops on DCs
KB5082063 is bricking domain controllers. LSASS crashes after install, sending Server 2025 DCs into reboot loops. Microsoft shipped out-of-band fixes, so grab those before you roll the April cumulative to any DC.
BleepingComputer · broken patch

That's your patch day digest.
patchdayalert.com