Threat Intel · Updated Hourly
Live cybersecurity intel, straight from the sources crews trust.
Actively exploited vulnerabilities (CISA KEV), recently disclosed CVEs (NVD), and the cybersecurity newsroom — all in one place. We refresh on the hour so what you see is what's hitting the wire.
Updated 44 min ago
CISA Known Exploited Vulnerabilities
What's being actively exploited right now — IoT
These aren't theoretical. Every CVE below is on CISA's KEV catalog — meaning U.S. federal civilian agencies are required to patch them, because attackers are actively using them in the wild.
CVE-2017-7921
Actively exploited
Hikvision Multiple Products Improper Authentication Vulnerability
Multiple Hikvision products contain an improper authentication vulnerability that could allow a malicious user to escalate privileges on the system and gain access to sensitive information.
Read advisory at NVD →
CVE-2025-1316
Actively exploited
Edimax IC-7100 IP Camera OS Command Injection Vulnerability
Edimax IC-7100 IP camera contains an OS command injection vulnerability due to improper input sanitization that allows an attacker to achieve remote code execution via specially crafted requests. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Read advisory at NVD →
CVE-2021-40407
Actively exploited
Reolink RLC-410W IP Camera OS Command Injection Vulnerability
Reolink RLC-410W IP cameras contain an authenticated OS command injection vulnerability in the device network settings functionality.
Read advisory at NVD →
CVE-2019-11001
Actively exploited
Reolink Multiple IP Cameras OS Command Injection Vulnerability
Reolink RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W IP cameras contain an authenticated OS command injection vulnerability. This vulnerability allows an authenticated admin to use the "TestEmail" functionality to inject and run OS commands as root.
Read advisory at NVD →
CVE-2021-33045
Actively exploited
Dahua IP Camera Authentication Bypass Vulnerability
Dahua IP cameras and related products contain an authentication bypass vulnerability when the loopback device is specified by the client during authentication.
Read advisory at NVD →
CVE-2021-33044
Actively exploited
Dahua IP Camera Authentication Bypass Vulnerability
Dahua IP cameras and related products contain an authentication bypass vulnerability when the NetKeyboard type argument is specified by the client during authentication.
Read advisory at NVD →
See the full IoT catalog (6 entries) →
Filtered to IoT. Search, sort, and paginate the rest on the full catalog page.
Want crew who know what to do when one of these lands in their inbox? Start the free hour-long course →
NVD · Recent Disclosures
Recently disclosed CVEs (last 7 days)
Newly published vulnerabilities from the National Vulnerability Database, ranked by CVSS score. Critical-first so you see the worst at the top.
| CVE | CVSS | Severity | Published | Description |
|---|---|---|---|---|
| CVE-2026-44523 | 10 | CRITICAL | May 14, 2026 | Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4. |
| CVE-2026-20182 | 10 | CRITICAL | May 14, 2026 | May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show Control Connections guidance to help with system checks. A vulnera… |
| CVE-2026-26191 | 9.8 | CRITICAL | May 14, 2026 | Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet's software installer pipeline could allow a crafted software package to execute arbitrary commands as root (macOS/Linux) or SYSTEM (Windows) on managed endpoints when an uninstall is triggered. When a software package (.pkg, .deb, .rpm, .exe, or .msi) is uploa… |
| CVE-2026-41315 | 9.8 | CRITICAL | May 14, 2026 | mdserver-web is a simple Linux panel. From 0.18.0 to 0.18.4, mdserver-web has a front-end unauthorized remote command execution vulnerability. Due to the lack of authentication on the /modify_crond and /start_task interfaces, it is possible to modify the default built-in scheduled tasks and start them, achieving RCE. |
| CVE-2026-42589 | 9.8 | CRITICAL | May 14, 2026 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes its keys directly to ExifTool via the go-exiftool library. No validation is performed on key characters. A \n embedded in a JSON key splits the ExifTool stdin stream into a new argum… |
| CVE-2026-44484 | 9.8 | CRITICAL | May 14, 2026 | PyTorch Lightning is a deep learning framework to pretrain and finetune AI models. Versions 2.6.2 and 2.6.2 have introduced functionality consistent with a credential harvesting mechanism. |
| CVE-2026-8511 | 9.6 | CRITICAL | May 14, 2026 | Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) |
| CVE-2026-41615 | 9.6 | CRITICAL | May 14, 2026 | Exposure of sensitive information to an unauthorized actor in Microsoft Authenticator allows an unauthorized attacker to disclose information over a network. |
| CVE-2026-44482 | 9.6 | CRITICAL | May 14, 2026 | soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed locally in the Electron app. This means attacker-controlled SoundCloud track metadata can lead to local command execution on the user's machine. The application exposes a preload API (win… |
| CVE-2026-44592 | 9.4 | CRITICAL | May 14, 2026 | Gradient is a nix-based continuous integration system. In 1.1.0, when GRADIENT_DISCOVERABLE=true (the default, and the NixOS module default), anyone who can reach /proto can register as a worker without any credentials by sending a fresh, never-registered worker UUID. The resulting session has PeerAuth::Open, i.e. it sees jobs from every organisation, and c… |
| CVE-2026-42596 | 9.4 | CRITICAL | May 14, 2026 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, the default deny-lists used by Gotenberg's downloadFrom feature and webhook feature are bypassable. Because the filter is regex-based and case-sensitive, an unauthenticated attacker can supply URLs such as http://[::ffff:127.0.0.1]:... and reach loopback or private HTTP services tha… |
| CVE-2026-44542 | 9.1 | CRITICAL | May 14, 2026 | FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences (e.g., ../) to escape the intended shared directory. As a result, an unauthenticated attacker possessing a valid public share hash with… |
| CVE-2026-42555 | 9.1 | CRITICAL | May 14, 2026 | Valtimo is an open-source business process automation platform. com.ritense.valtimo:document from 12.0.0 to before 12.32.0, com.ritense.valtimo:case from 13.0.0 to before 13.23.0, and com.ritense.valtimo:contract from 13.4.0 to before 13.23.0 evaluate Spring Expression Language (SpEL) expressions from user-supplied input using StandardEvaluationContext, whi… |
| CVE-2026-45375 | 9 | CRITICAL | May 14, 2026 | SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar (community marketplace) renders the name and version fields of a package's plugin.json (and the equivalent theme.json / template.json / widget.json / icon.json) into the Settings → Marketplace UI without HTML escaping. The kernel-side helper sanitizePackageDisplay… |
| CVE-2026-42457 | 9 | CRITICAL | May 14, 2026 | vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, there is a Stored XSS attack vulnerability via the name field of a templateRef. This can lead to the execution of arbitrary external scripts within the platform's browser context. In the worst ca… |
| CVE-2026-8577 | 8.8 | HIGH | May 14, 2026 | Integer overflow in Fonts in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2026-8558 | 8.8 | HIGH | May 14, 2026 | Out of bounds write in Fonts in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8555 | 8.8 | HIGH | May 14, 2026 | Use after free in GTK in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8551 | 8.8 | HIGH | May 14, 2026 | Use after free in Downloads in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8549 | 8.8 | HIGH | May 14, 2026 | Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8544 | 8.8 | HIGH | May 14, 2026 | Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8540 | 8.8 | HIGH | May 14, 2026 | Type Confusion in V8 in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8532 | 8.8 | HIGH | May 14, 2026 | Integer overflow in XML in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8531 | 8.8 | HIGH | May 14, 2026 | Heap buffer overflow in WebML in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8529 | 8.8 | HIGH | May 14, 2026 | Heap buffer overflow in Codecs in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted video file. (Chromium security severity: High) |
Phishing emails carry these payloads. Train crew to spot the trigger →
From the Cybersecurity Newsroom
What's making cyber headlines
Hand-picked feeds from Krebs on Security, The Hacker News, BleepingComputer, and SANS ISC. Headlines link to the original source — full credit, no scraping.
BleepingComputer
Chinese hackers hijack auth flow, spy on isolated network for a decade
Chinese hackers took control of a target organization's authentication stack and maintained persistence for 10 years, with full visibility into the administrative activity. [...]
Jun 13, 2026
Read at source →
The Hacker News
Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication
Splunk has released security updates to address a critical security flaw in Splunk Enterprise that could be exploited to conduct unauthenticated file operations and even remote code execution. The vulnerability, tracked as CVE-2026-20253, is rated 9.8 on the CVSS scoring system.…
Jun 13, 2026
Read at source →
BleepingComputer
US Gov asks Anthropic to ban 'foreign national' access to Fable, Mythos
The US government has ordered Anthropic to block all foreign nationals from accessing Fable 5 and Mythos 5, forcing the company to suspend both models worldwide. Anthropic is complying but disputes the basis, calling the cited jailbreak narrow and the capability widely available…
Jun 13, 2026
Read at source →
The Hacker News
U.S. Orders Anthropic to Suspend Fable 5 and Mythos 5 Access for Foreign Nationals
Anthropic said on Friday it will "abruptly disable" its most advanced artificial intelligence (AI) models, Claude Fable 5 and Mythos 5, for all users after the U.S. government ordered it to suspend access to the models for foreign nationals, whether inside or outside the U.S., c…
Jun 13, 2026
Read at source →
BleepingComputer
Maine disables data breach notification portal after fake disclosures
Maine has taken its public data breach reporting portal offline after fraudulent breach disclosures were published on the state's website, prompting a review of procedures to prevent abuse in the future. [...]
Jun 12, 2026
Read at source →
The Hacker News
Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit
Attackers took over more than 400 packages in the Arch User Repository (AUR) this week and rewrote their build scripts to install a credential stealer on any machine that built them. The malware is a Rust binary built to harvest developer secrets. When it lands with root, it can…
Jun 12, 2026
Read at source →
The Hacker News
Google Sues Chinese Smishing Network Accused of Using Gemini AI in Phishing
Google on Friday said it's pursuing legal action against a Chinese cybercrime network, accusing it of using its Gemini artificial intelligence (AI) agent to send phishing text messages targeting Americans. The network is said to be behind the development and management of a phis…
Jun 12, 2026
Read at source →
BleepingComputer
phpBB forum fixes auth bypass bug lurking for a decade
A 10-year-old authentication bypass vulnerability discovered in the phpBB forum software allows an attacker to log in as any user, including administrators. [...]
Jun 12, 2026
Read at source →
The Hacker News
China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade
Instead of hiding on the laptops and servers defenders watch most closely, a China-nexus group spent close to a decade hidden inside the Linux login system itself. Sygnia, which tracks the group as Velvet Ant, says it backdoored the PAM and OpenSSH components that decide who is…
Jun 12, 2026
Read at source →
BleepingComputer
Ukrainian national pleads guilty to role in Conti ransomware operation
A Ukrainian national extradited from Ireland to the United States last year has pleaded guilty to conspiracy charges tied to the Conti ransomware operation. [...]
Jun 12, 2026
Read at source →
SANS Internet Storm Center
ISC Stormcast For Friday, June 12th, 2026 https://isc.sans.edu/podcastdetail/9970, (Fri, Jun 12th)
Jun 12, 2026
Read at source →
SANS Internet Storm Center
ISC Stormcast For Thursday, June 11th, 2026 https://isc.sans.edu/podcastdetail/9968, (Thu, Jun 11th)
Jun 11, 2026
Read at source →
Headlines and snippets © their respective publishers; links go directly to the original sources.
IoT · The overlooked threat surface
IoT on yachts: what most owners miss
Yachts pack more network-connected gadgets than a small office — cameras, AV controllers, smart locks, sensors, infotainment. Most of it ships with weak defaults and never gets patched. Here are the three archetypes we keep seeing in incident reports.
01
Cameras · DVRs
The camera you forgot to patch
IP cameras (Hikvision, Dahua, Axis), smart doorbells, and baby monitors aboard frequently ship with hardcoded creds, open telnet, or unpatched RTSP stacks. One compromised camera = a foothold on the yacht LAN, often with privileged network access for "remote viewing."
Train crew on device hygiene →
02
AV · Control
Crestron, Lutron, Control4, Savant
AV/lighting/climate controllers expose web admin panels and REST APIs that historically ship with weak auth. They share the same LAN as crew laptops and bridge systems, so a compromise gets full lateral access. Patch cadence is usually "never" without a dedicated integrator.
Train crew on segmentation →
03
Guest gear
The "smart" bits guests bring aboard
Chromecasts, Sonos, AirPlay receivers, Bluetooth speakers, smart TVs. Every one is an unmanaged endpoint that broadcasts on the network and can bridge guest devices into the yacht's primary VLAN if segmentation is loose. They're also notorious for shipping with mDNS/UPnP scanning enabled.
Train crew on guest policy →
Why this matters at sea
Most of these attacks start with a person, not a firewall
Phishing, hostile marina Wi-Fi, guest data slip-ups — the techniques behind the headlines are the same ones that target crew inboxes every day. We turn the latest threats into 60 minutes of role-aware training crew actually finish.