Threat Intel · Updated Hourly
Live cybersecurity intel, straight from the sources crews trust.
Actively exploited vulnerabilities (CISA KEV), recently disclosed CVEs (NVD), and the cybersecurity newsroom — all in one place. We refresh on the hour so what you see is what's hitting the wire.
Updated 32 min ago
CISA Known Exploited Vulnerabilities
What's being actively exploited right now — Endpoint
These aren't theoretical. Every CVE below is on CISA's KEV catalog — meaning U.S. federal civilian agencies are required to patch them, because attackers are actively using them in the wild.
CVE-2026-34926
Actively exploited
Trend Micro Apex One (On-Premise) Directory Traversal Vulnerability
Trend Micro Apex One (on-premise) contains a directory traversal vulnerability that could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations.
Read advisory at NVD →
CVE-2026-41091
Actively exploited
Microsoft Defender Link Following Vulnerability
Microsoft Defender contains a link following vulnerability that allows an authorized attacker to elevate privileges locally.
Read advisory at NVD →
CVE-2026-45498
Actively exploited
Microsoft Defender Denial of Service Vulnerability
Microsoft Defender contains an unspecified vulnerability that allows for denial of service.
Read advisory at NVD →
CVE-2026-33825
Actively exploited
Microsoft Defender Insufficient Granularity of Access Control Vulnerability
Microsoft Defender contains an insufficient granularity of access control vulnerability that could allow an authorized attacker to escalate privileges locally.
Read advisory at NVD →
CVE-2025-68645
Actively exploited
Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability
Synacor Zimbra Collaboration Suite (ZCS) contains a PHP remote file inclusion vulnerability that could allow for remote attackers to craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.
Read advisory at NVD →
CVE-2025-54948
Actively exploited
Trend Micro Apex One OS Command Injection Vulnerability
Trend Micro Apex One Management Console (on-premise) contains an OS command injection vulnerability that could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations.
Read advisory at NVD →
See the full Endpoint catalog (6 entries) →
Filtered to Endpoint. Search, sort, and paginate the rest on the full catalog page.
Want crew who know what to do when one of these lands in their inbox? Start the free hour-long course →
NVD · Recent Disclosures
Recently disclosed CVEs (last 7 days)
Newly published vulnerabilities from the National Vulnerability Database, ranked by CVSS score. Critical-first so you see the worst at the top.
| CVE | CVSS | Severity | Published | Description |
|---|---|---|---|---|
| CVE-2026-44523 | 10 | CRITICAL | May 14, 2026 | Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4. |
| CVE-2026-20182 | 10 | CRITICAL | May 14, 2026 | May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show Control Connections guidance to help with system checks. A vulnera… |
| CVE-2026-26191 | 9.8 | CRITICAL | May 14, 2026 | Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet's software installer pipeline could allow a crafted software package to execute arbitrary commands as root (macOS/Linux) or SYSTEM (Windows) on managed endpoints when an uninstall is triggered. When a software package (.pkg, .deb, .rpm, .exe, or .msi) is uploa… |
| CVE-2026-41315 | 9.8 | CRITICAL | May 14, 2026 | mdserver-web is a simple Linux panel. From 0.18.0 to 0.18.4, mdserver-web has a front-end unauthorized remote command execution vulnerability. Due to the lack of authentication on the /modify_crond and /start_task interfaces, it is possible to modify the default built-in scheduled tasks and start them, achieving RCE. |
| CVE-2026-42589 | 9.8 | CRITICAL | May 14, 2026 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes its keys directly to ExifTool via the go-exiftool library. No validation is performed on key characters. A \n embedded in a JSON key splits the ExifTool stdin stream into a new argum… |
| CVE-2026-44484 | 9.8 | CRITICAL | May 14, 2026 | PyTorch Lightning is a deep learning framework to pretrain and finetune AI models. Versions 2.6.2 and 2.6.2 have introduced functionality consistent with a credential harvesting mechanism. |
| CVE-2026-8511 | 9.6 | CRITICAL | May 14, 2026 | Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) |
| CVE-2026-41615 | 9.6 | CRITICAL | May 14, 2026 | Exposure of sensitive information to an unauthorized actor in Microsoft Authenticator allows an unauthorized attacker to disclose information over a network. |
| CVE-2026-44482 | 9.6 | CRITICAL | May 14, 2026 | soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed locally in the Electron app. This means attacker-controlled SoundCloud track metadata can lead to local command execution on the user's machine. The application exposes a preload API (win… |
| CVE-2026-44592 | 9.4 | CRITICAL | May 14, 2026 | Gradient is a nix-based continuous integration system. In 1.1.0, when GRADIENT_DISCOVERABLE=true (the default, and the NixOS module default), anyone who can reach /proto can register as a worker without any credentials by sending a fresh, never-registered worker UUID. The resulting session has PeerAuth::Open, i.e. it sees jobs from every organisation, and c… |
| CVE-2026-42596 | 9.4 | CRITICAL | May 14, 2026 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, the default deny-lists used by Gotenberg's downloadFrom feature and webhook feature are bypassable. Because the filter is regex-based and case-sensitive, an unauthenticated attacker can supply URLs such as http://[::ffff:127.0.0.1]:... and reach loopback or private HTTP services tha… |
| CVE-2026-44542 | 9.1 | CRITICAL | May 14, 2026 | FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences (e.g., ../) to escape the intended shared directory. As a result, an unauthenticated attacker possessing a valid public share hash with… |
| CVE-2026-42555 | 9.1 | CRITICAL | May 14, 2026 | Valtimo is an open-source business process automation platform. com.ritense.valtimo:document from 12.0.0 to before 12.32.0, com.ritense.valtimo:case from 13.0.0 to before 13.23.0, and com.ritense.valtimo:contract from 13.4.0 to before 13.23.0 evaluate Spring Expression Language (SpEL) expressions from user-supplied input using StandardEvaluationContext, whi… |
| CVE-2026-45375 | 9 | CRITICAL | May 14, 2026 | SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar (community marketplace) renders the name and version fields of a package's plugin.json (and the equivalent theme.json / template.json / widget.json / icon.json) into the Settings → Marketplace UI without HTML escaping. The kernel-side helper sanitizePackageDisplay… |
| CVE-2026-42457 | 9 | CRITICAL | May 14, 2026 | vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, there is a Stored XSS attack vulnerability via the name field of a templateRef. This can lead to the execution of arbitrary external scripts within the platform's browser context. In the worst ca… |
| CVE-2026-8577 | 8.8 | HIGH | May 14, 2026 | Integer overflow in Fonts in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2026-8558 | 8.8 | HIGH | May 14, 2026 | Out of bounds write in Fonts in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8555 | 8.8 | HIGH | May 14, 2026 | Use after free in GTK in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8551 | 8.8 | HIGH | May 14, 2026 | Use after free in Downloads in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8549 | 8.8 | HIGH | May 14, 2026 | Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8544 | 8.8 | HIGH | May 14, 2026 | Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8540 | 8.8 | HIGH | May 14, 2026 | Type Confusion in V8 in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8532 | 8.8 | HIGH | May 14, 2026 | Integer overflow in XML in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8531 | 8.8 | HIGH | May 14, 2026 | Heap buffer overflow in WebML in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8529 | 8.8 | HIGH | May 14, 2026 | Heap buffer overflow in Codecs in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted video file. (Chromium security severity: High) |
Phishing emails carry these payloads. Train crew to spot the trigger →
From the Cybersecurity Newsroom
What's making cyber headlines
Hand-picked feeds from Krebs on Security, The Hacker News, BleepingComputer, and SANS ISC. Headlines link to the original source — full credit, no scraping.
BleepingComputer
Chinese hackers hijack auth flow, spy on isolated network for a decade
Chinese hackers took control of a target organization's authentication stack and maintained persistence for 10 years, with full visibility into the administrative activity. [...]
Jun 13, 2026
Read at source →
The Hacker News
Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication
Splunk has released security updates to address a critical security flaw in Splunk Enterprise that could be exploited to conduct unauthenticated file operations and even remote code execution. The vulnerability, tracked as CVE-2026-20253, is rated 9.8 on the CVSS scoring system.…
Jun 13, 2026
Read at source →
BleepingComputer
US Gov asks Anthropic to ban 'foreign national' access to Fable, Mythos
The US government has ordered Anthropic to block all foreign nationals from accessing Fable 5 and Mythos 5, forcing the company to suspend both models worldwide. Anthropic is complying but disputes the basis, calling the cited jailbreak narrow and the capability widely available…
Jun 13, 2026
Read at source →
The Hacker News
U.S. Orders Anthropic to Suspend Fable 5 and Mythos 5 Access for Foreign Nationals
Anthropic said on Friday it will "abruptly disable" its most advanced artificial intelligence (AI) models, Claude Fable 5 and Mythos 5, for all users after the U.S. government ordered it to suspend access to the models for foreign nationals, whether inside or outside the U.S., c…
Jun 13, 2026
Read at source →
BleepingComputer
Maine disables data breach notification portal after fake disclosures
Maine has taken its public data breach reporting portal offline after fraudulent breach disclosures were published on the state's website, prompting a review of procedures to prevent abuse in the future. [...]
Jun 12, 2026
Read at source →
The Hacker News
Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit
Attackers took over more than 400 packages in the Arch User Repository (AUR) this week and rewrote their build scripts to install a credential stealer on any machine that built them. The malware is a Rust binary built to harvest developer secrets. When it lands with root, it can…
Jun 12, 2026
Read at source →
The Hacker News
Google Sues Chinese Smishing Network Accused of Using Gemini AI in Phishing
Google on Friday said it's pursuing legal action against a Chinese cybercrime network, accusing it of using its Gemini artificial intelligence (AI) agent to send phishing text messages targeting Americans. The network is said to be behind the development and management of a phis…
Jun 12, 2026
Read at source →
BleepingComputer
phpBB forum fixes auth bypass bug lurking for a decade
A 10-year-old authentication bypass vulnerability discovered in the phpBB forum software allows an attacker to log in as any user, including administrators. [...]
Jun 12, 2026
Read at source →
The Hacker News
China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade
Instead of hiding on the laptops and servers defenders watch most closely, a China-nexus group spent close to a decade hidden inside the Linux login system itself. Sygnia, which tracks the group as Velvet Ant, says it backdoored the PAM and OpenSSH components that decide who is…
Jun 12, 2026
Read at source →
BleepingComputer
Ukrainian national pleads guilty to role in Conti ransomware operation
A Ukrainian national extradited from Ireland to the United States last year has pleaded guilty to conspiracy charges tied to the Conti ransomware operation. [...]
Jun 12, 2026
Read at source →
SANS Internet Storm Center
ISC Stormcast For Friday, June 12th, 2026 https://isc.sans.edu/podcastdetail/9970, (Fri, Jun 12th)
Jun 12, 2026
Read at source →
SANS Internet Storm Center
ISC Stormcast For Thursday, June 11th, 2026 https://isc.sans.edu/podcastdetail/9968, (Thu, Jun 11th)
Jun 11, 2026
Read at source →
Headlines and snippets © their respective publishers; links go directly to the original sources.
IoT · The overlooked threat surface
IoT on yachts: what most owners miss
Yachts pack more network-connected gadgets than a small office — cameras, AV controllers, smart locks, sensors, infotainment. Most of it ships with weak defaults and never gets patched. Here are the three archetypes we keep seeing in incident reports.
01
Cameras · DVRs
The camera you forgot to patch
IP cameras (Hikvision, Dahua, Axis), smart doorbells, and baby monitors aboard frequently ship with hardcoded creds, open telnet, or unpatched RTSP stacks. One compromised camera = a foothold on the yacht LAN, often with privileged network access for "remote viewing."
Train crew on device hygiene →
02
AV · Control
Crestron, Lutron, Control4, Savant
AV/lighting/climate controllers expose web admin panels and REST APIs that historically ship with weak auth. They share the same LAN as crew laptops and bridge systems, so a compromise gets full lateral access. Patch cadence is usually "never" without a dedicated integrator.
Train crew on segmentation →
03
Guest gear
The "smart" bits guests bring aboard
Chromecasts, Sonos, AirPlay receivers, Bluetooth speakers, smart TVs. Every one is an unmanaged endpoint that broadcasts on the network and can bridge guest devices into the yacht's primary VLAN if segmentation is loose. They're also notorious for shipping with mDNS/UPnP scanning enabled.
Train crew on guest policy →
Why this matters at sea
Most of these attacks start with a person, not a firewall
Phishing, hostile marina Wi-Fi, guest data slip-ups — the techniques behind the headlines are the same ones that target crew inboxes every day. We turn the latest threats into 60 minutes of role-aware training crew actually finish.