TODAY'S CALL
Rough day for supply chains. A poisoned Nx Console extension hit the VS Code marketplace, malicious TanStack packages landed on npm, and a cPanel/LiteSpeed privilege escalation is giving shared hosting admins nightmares. All three are exploited in the wild. If your team auto-updates VS Code extensions or pulls from npm without lockfiles, stop reading and start checking.
SECURE BOOT CERTIFICATE DEADLINE
27 days until Microsoft Secure Boot certificates begin expiring (June 24, 2026).
How to remediate →
TOP THREAT TODAY
CVE-2026-48027 · CRITICAL · EXPLOITED
A compromised version of the Nx Console VS Code extension (18.95.0) was pushed to both the Visual Studio Marketplace and OpenVSX on May 19. It was live for roughly 18 to 36 minutes depending on the registry. If your team auto-updates extensions or anyone installed it during that window, you may be running malicious code in your editor right now.
Who's affected: Any developer or CI runner using the Nx Console extension for VS Code, especially if extensions auto-update
Patch immediately given active exploitation.
Check your installed Nx Console version immediately. If you're on 18.95.0, uninstall it, upgrade to 18.100.0, rotate any credentials or tokens accessible from your dev environment, and audit recent git commits for unexpected changes.
Exposure: Active exploitation (KEV) · Restart: Per vendor advisory
NVD · KEV · Ref 1 · Ref 2
CVE-2026-48172 · EPSS 7.96% · EXPLOITED
Any cPanel user account on a server running the LiteSpeed cPanel Plugin can escalate to root by abusing the user-facing plugin interface to run arbitrary scripts. This is not a theoretical bug: it's exploited in the wild. If you host multiple customers on a shared cPanel/LiteSpeed box, every account on that server is a potential root compromise.
Affects: Hosting providers and sysadmins running LiteSpeed web server with the LiteSpeed cPanel Plugin on shared or reseller hosting environments
Patch immediately given active exploitation.
Update the LiteSpeed cPanel Plugin to the latest patched version through WHM's plugin manager immediately. If no patch is available yet, disable or restrict the user-facing LiteSpeed plugin until one ships, and audit your servers for signs of unauthorized root-level activity.
Exposure: Active exploitation (KEV) · Restart: Per vendor advisory
NVD · KEV
CVE-2026-45321 · EPSS 0.03% · EXPLOITED
Attackers published malicious versions of TanStack packages to npm that contained credential-stealing malware, using a trusted package identity. If your projects pulled in a compromised TanStack release, your build servers and developer machines may have leaked secrets. This is a supply-chain attack, not a code-level bug you can reason about from a changelog.
Affects: Frontend and full-stack developers using TanStack libraries (TanStack Query, TanStack Router, TanStack Table, etc.) via npm, plus any CI/CD pipelines that install these packages
Patch immediately given active exploitation.
Audit your lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) for any TanStack package versions flagged in the advisory. Pin to a known-good version, rotate any secrets or tokens on machines that installed a compromised version, and review npm audit output for related warnings.
Exposure: Active exploitation (KEV) · Restart: Per vendor advisory
NVD · KEV
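The lockfile audit described above, as an added example that is not part of the digest or of TanStack's own tooling: it inventories every @tanstack/* version pinned in a package-lock.json (lockfileVersion 2/3) or classic yarn.lock and flags any that appear on a compromised-version list. The COMPROMISED map and the sample lockfiles are constructed placeholders, since the advisory's version list is not on this page.

```python
"""Inventory @tanstack/* packages pinned in npm lockfiles and flag versions
on an advisory's compromised list. Added example, not from patchdayalert.com
or the TanStack project. Supports package-lock.json (lockfileVersion 2/3
"packages" map) and classic yarn.lock; pnpm-lock.yaml needs a YAML parser."""
import json
import re

# Constructed placeholder: replace with the versions named in the advisory.
COMPROMISED = {"@tanstack/react-query": {"0.0.0-compromised"}}

def inventory_package_lock(text):
    """Map each @tanstack package name to the set of versions it is locked at."""
    found = {}
    for path, meta in json.loads(text).get("packages", {}).items():
        # Keys are install paths, possibly nested: .../node_modules/@tanstack/x
        name = path.rsplit("node_modules/", 1)[-1]
        if name.startswith("@tanstack/") and "version" in meta:
            found.setdefault(name, set()).add(meta["version"])
    return found

# Header '"@tanstack/x@^5.0.0", ...:' followed by an indented 'version "..."' line.
YARN_ENTRY = re.compile(
    r'^"?(@tanstack/[^@\s"]+)@[^\n]*:\n(?:  .*\n)*?  version "([^"]+)"', re.M)

def inventory_yarn_lock(text):
    """Same inventory for a classic (v1) yarn.lock."""
    found = {}
    for name, version in YARN_ENTRY.findall(text):
        found.setdefault(name, set()).add(version)
    return found

def flagged(inventory, compromised=COMPROMISED):
    """Return sorted (name, version) pairs that are on the compromised list."""
    return sorted((n, v) for n, vs in inventory.items()
                  for v in vs if v in compromised.get(n, set()))

if __name__ == "__main__":
    # Constructed sample lockfiles standing in for a real project's files.
    pkg_lock = json.dumps({"lockfileVersion": 3, "packages": {
        "": {"name": "app"},
        "node_modules/@tanstack/react-query": {"version": "0.0.0-compromised"},
        "node_modules/@tanstack/react-table": {"version": "8.0.0"}}})
    yarn_lock = ('"@tanstack/react-query@^5.0.0":\n  version "5.1.0"\n'
                 '  resolved "https://registry.example/x.tgz"\n\n'
                 'lodash@^4.0.0:\n  version "4.17.21"\n')
    for label, inv in (("package-lock.json", inventory_package_lock(pkg_lock)),
                       ("yarn.lock", inventory_yarn_lock(yarn_lock))):
        print(label, "tanstack:", inv, "flagged:", flagged(inv))
```

Run it against each lockfile in the repository and treat any non-empty flagged list as a trigger for the secret rotation the digest recommends.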
CVE-2026-8398 · EPSS 0.04% · EXPLOITED
Daemon Tools Lite has an unspecified vulnerability with high impact on confidentiality, integrity, and availability. It's confirmed exploited in the wild, but details are sparse. If you have Daemon Tools Lite installed on endpoints in your environment, treat this as a local privilege escalation or code execution vector until more information surfaces.
Affects: Windows sysadmins and endpoint managers with Daemon Tools Lite deployed on workstations or servers
Patch within 24 hours given active exploitation.
Update Daemon Tools Lite to the latest version from the vendor. If your environment doesn't need it, uninstall it entirely. If you can't patch immediately, restrict execution of Daemon Tools binaries via application control policies until you can.
Exposure: Active exploitation (KEV) · Restart: Per vendor advisory
NVD · KEV
CVE-2026-33137 · CVSS 9.3 · EPSS 0.02% · CRITICAL
An unauthenticated attacker can import a malicious XAR package into XWiki through the REST API endpoint `/wikis/{wikiName}`, with no login required. That's a straight path to remote code execution on any internet-facing XWiki instance, since XAR packages can contain executable wiki content. CVSS 9.3, though not yet exploited in the wild.
Affects: Anyone running XWiki Platform with the REST server component, especially internet-facing instances
Patch within 24 hours for internet-facing systems.
Upgrade the xwiki-platform-rest-server component to the patched version listed in the XWiki security advisory. If you can't patch immediately, block unauthenticated access to the `/rest/wikis/` endpoint at your reverse proxy or WAF.
Exposure: Internet-facing systems · Restart: Per vendor advisory
NVD · Ref 1 · Ref 2
Community Signal Check
NGINX heap overflow CVE-2026-42945 exploited in the wild within hours of disclosure
CVE-2026-42945 is a heap buffer overflow in NGINX's ngx_http_rewrite_module, affecting versions 0.6.27 through 1.30.0. Unauthenticated attackers can crash worker processes or get remote code execution with crafted HTTP requests. This bug has been hiding in the codebase since 2008, and exploitation is happening fast, so patch or upgrade today.
The Hacker News • active_exploitation
Cisco SD-WAN CVE-2026-20182 auth bypass exploited as a zero-day, CVSS 10.0
Attackers are exploiting a broken peering authentication mechanism in Cisco Catalyst SD-WAN Controller/Manager to register rogue devices inside your fabric and move laterally. CVSS 10.0, no auth required. CISA set a May 17 patch deadline, so if you run SD-WAN, this one's already overdue.
BleepingComputer • active_exploitation
Microsoft confirms active exploitation of Exchange Server XSS (CVE-2026-42897), no full patch yet
Microsoft confirmed attackers are exploiting CVE-2026-42897, an XSS bug in on-prem Exchange Server (CVSS 8.1). There's no permanent fix yet. Microsoft released temporary mitigations on May 20, so apply those now and watch for the full patch.
Security Affairs • active_exploitation
Microsoft Defender privilege escalation CVE-2026-41091 exploited in the wild
CVE-2026-41091 is a privilege escalation bug in Microsoft Defender (CVSS 7.8) that lets attackers jump to SYSTEM via improper link resolution. Huntress observed it exploited in the wild, sometimes chained with CVE-2026-45498, a Defender DoS flaw. Check that your Defender definitions and platform updates are current.
The Hacker News • active_exploitation
Also patched this window
Lower-priority items that cleared the enterprise filter. Scan for anything in your estate.
9.3 · CVE-2026-23734 · XWiki Platform has path traversal via resources parameter in ssx and jsx endpoints when using leading slash
7.3 · CVE-2025-70103 · Heap buffer overflow vulnerability in libjxl 0.12.0 via crafted PBM images to the jxl::extras::DecodeImagePNM function in file lib/extras/dec/pnm.cc.
9.1 · CVE-2026-42508 · Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts
7.5 · CVE-2026-4890
7.5 · CVE-2026-6276 · stale custom cookie host causes cookie leak
8.1 · CVE-2026-9256 · NGINX ngx_http_rewrite_module vulnerability
7.8 · CVE-2026-46300 · platform:linux-kernel · net: skbuff: preserve shared-frag marker during coalescing
9.0 · CVE-2026-45721 · Algernon is a small self-contained pure-Go web server.
8.5 · CVE-2026-4480 · A flaw was found in the Samba printing subsystem.
8.1 · CVE-2026-8994 · microsoft:exchange · The Login with NEAR plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 0.3.3.
Plus 91 more this window. See NVD for the full list.
Recent from the blog
Hotpatch was supposed to be the smoother path
KB5087424 broke 32-bit printing on Windows Server 2022, and the no-reboot delivery model that was supposed to reduce friction has no fix pa…
Microsoft patched a SYSTEM bug in 2020. It still works in 2026.
A pseudonymous researcher published MiniPlasma, a working PoC for CVE-2020-17103, and the only thing standing between you and a SYSTEM shel…
SonicWall patched CVE-2024-12802 and left the bug in place on Gen6
The firmware update closes the code path but does not rewrite the LDAP config the exploit actually uses. On Gen6, that distinction is the w…
That's your patch day digest.
patchdayalert.com