Threat Intel · Updated Hourly

Live cybersecurity intel, straight from the sources crews trust.

Actively exploited vulnerabilities (CISA KEV), recently disclosed CVEs (NVD), and the cybersecurity newsroom — all in one place. We refresh on the hour so what you see is what's hitting the wire.

CISA Known Exploited Vulnerabilities

What's being actively exploited right now — Network gear

These aren't theoretical. Every CVE below is on CISA's KEV catalog — meaning U.S. federal civilian agencies are required to patch them, because attackers are actively using them in the wild.

CVE-2026-20245 Actively exploited
Cisco Catalyst SD-WAN Manager Improper Encoding or Escaping of Output Vulnerability
Cisco Catalyst SD-WAN Manager formerly SD-WAN vManage contains an improper encoding or escaping of output vulnerability. This vulnerability could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system.
Cisco · Catalyst SD-WAN Manager · Added Jun 9, 2026 · CISA due Jun 23, 2026
Read advisory at NVD →
CVE-2026-0257 Actively exploited
Palo Alto Networks PAN-OS Authentication Bypass Vulnerability
Palo Alto Networks PAN-OS contains an authentication bypass vulnerability that allows attackers to bypass security restrictions and establish an unauthorized VPN connection.
Palo Alto Networks · PAN-OS · Added May 29, 2026 · CISA due Jun 1, 2026
Read advisory at NVD →
CVE-2026-20182 Actively exploited
Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
Cisco Catalyst SD-WAN Controller & Manager contain an authentication bypass vulnerability that allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.
Cisco · Catalyst SD-WAN · Added May 14, 2026 · CISA due May 17, 2026
Read advisory at NVD →
CVE-2026-0300 Actively exploited
Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability
Palo Alto Networks PAN-OS contains an out-of-bounds write vulnerability in the User-ID Authentication Portal (aka Captive Portal) service that can allow an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.
Palo Alto Networks · PAN-OS · Added May 6, 2026 · CISA due May 9, 2026
Read advisory at NVD →
CVE-2025-29635 Actively exploited
D-Link DIR-823X Command Injection Vulnerability
D-Link DIR-823X contains a command injection vulnerability that allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via the corresponding function. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
D-Link · DIR-823X · Added Apr 24, 2026 · CISA due May 8, 2026
Read advisory at NVD →
CVE-2026-20122 Actively exploited
Cisco Catalyst SD-WAN Manager Incorrect Use of Privileged APIs Vulnerability
Cisco Catalyst SD-WAN Manager contains an incorrect use of privileged APIs vulnerability due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected syst…
Cisco · Catalyst SD-WAN Manager · Added Apr 20, 2026 · CISA due Apr 23, 2026
Read advisory at NVD →
CVE-2026-20133 Actively exploited
Cisco Catalyst SD-WAN Manager Exposure of Sensitive Information to an Unauthorized Actor Vulnerability
Cisco Catalyst SD-WAN Manager contains an exposure of sensitive information to an unauthorized actor vulnerability that could allow remote attackers to view sensitive information on affected systems.
Cisco · Catalyst SD-WAN Manager · Added Apr 20, 2026 · CISA due Apr 23, 2026
Read advisory at NVD →
CVE-2026-20128 Actively exploited
Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format Vulnerability
Cisco Catalyst SD-WAN Manager contains a storing passwords in a recoverable format vulnerability that allows an authenticated, local attacker to gain DCA user privileges by accessing a credential file for the DCA user on the filesystem as a low-privileged user.
Cisco · Catalyst SD-WAN Manager · Added Apr 20, 2026 · CISA due Apr 23, 2026
Read advisory at NVD →
CVE-2026-21643 Actively exploited
Fortinet FortiClient EMS SQL Injection Vulnerability
Fortinet FortiClient EMS contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
Fortinet · FortiClient EMS · Added Apr 13, 2026 · CISA due Apr 16, 2026
Read advisory at NVD →
CVE-2026-35616 Actively exploited
Fortinet FortiClient EMS Improper Access Control Vulnerability
Fortinet FortiClient EMS contains an improper access control vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
Fortinet · FortiClient EMS · Added Apr 6, 2026 · CISA due Apr 9, 2026
Read advisory at NVD →
CVE-2025-53521 Actively exploited
F5 BIG-IP Stack-Based Buffer Overflow Vulnerability
F5 BIG-IP APM contains a stack-based buffer overflow vulnerability that could allow a threat actor to achieve remote code execution.
F5 · BIG-IP · Added Mar 27, 2026 · CISA due Mar 30, 2026
Read advisory at NVD →
CVE-2026-20131 Actively exploited
Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management Deserialization of Untrusted Data Vulnerabili…
Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management contain a deserialization of untrusted data vulnerability in the web-based management interface that could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device.
Cisco · Secure Firewall Management Center (FMC) · Added Mar 19, 2026 · CISA due Mar 22, 2026 · Ransomware
Read advisory at NVD →
See the full Network gear catalog (69 entries) →

Filtered to Network gear. Search, sort, and paginate the rest on the full catalog page.

Want crew who know what to do when one of these lands in their inbox? Start the free hour-long course →

NVD · Recent Disclosures

Recently disclosed CVEs (last 7 days)

Newly published vulnerabilities from the National Vulnerability Database, ranked by CVSS score. Critical-first so you see the worst at the top.

CVE · CVSS · Severity · Published · Description
CVE-2026-44523 · 10 · CRITICAL · May 14, 2026 · Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4.
CVE-2026-20182 · 10 · CRITICAL · May 14, 2026 · May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show Control Connections guidance to help with system checks. A vulnera…
CVE-2026-26191 · 9.8 · CRITICAL · May 14, 2026 · Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet's software installer pipeline could allow a crafted software package to execute arbitrary commands as root (macOS/Linux) or SYSTEM (Windows) on managed endpoints when an uninstall is triggered. When a software package (.pkg, .deb, .rpm, .exe, or .msi) is uploa…
CVE-2026-41315 · 9.8 · CRITICAL · May 14, 2026 · mdserver-web is a simple Linux panel. From 0.18.0 to 0.18.4, mdserver-web has a front-end unauthorized remote command execution vulnerability. Due to the lack of authentication on the /modify_crond and /start_task interfaces, it is possible to modify the default built-in scheduled tasks and start them, achieving RCE.
CVE-2026-42589 · 9.8 · CRITICAL · May 14, 2026 · Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes its keys directly to ExifTool via the go-exiftool library. No validation is performed on key characters. A \n embedded in a JSON key splits the ExifTool stdin stream into a new argum…
CVE-2026-44484 · 9.8 · CRITICAL · May 14, 2026 · PyTorch Lightning is a deep learning framework to pretrain and finetune AI models. Versions 2.6.2 and 2.6.2 have introduced functionality consistent with a credential harvesting mechanism.
CVE-2026-8511 · 9.6 · CRITICAL · May 14, 2026 · Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
CVE-2026-41615 · 9.6 · CRITICAL · May 14, 2026 · Exposure of sensitive information to an unauthorized actor in Microsoft Authenticator allows an unauthorized attacker to disclose information over a network.
CVE-2026-44482 · 9.6 · CRITICAL · May 14, 2026 · soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed locally in the Electron app. This means attacker-controlled SoundCloud track metadata can lead to local command execution on the user's machine. The application exposes a preload API (win…
CVE-2026-44592 · 9.4 · CRITICAL · May 14, 2026 · Gradient is a nix-based continuous integration system. In 1.1.0, when GRADIENT_DISCOVERABLE=true (the default, and the NixOS module default), anyone who can reach /proto can register as a worker without any credentials by sending a fresh, never-registered worker UUID. The resulting session has PeerAuth::Open, i.e. it sees jobs from every organisation, and c…
CVE-2026-42596 · 9.4 · CRITICAL · May 14, 2026 · Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, the default deny-lists used by Gotenberg's downloadFrom feature and webhook feature are bypassable. Because the filter is regex-based and case-sensitive, an unauthenticated attacker can supply URLs such as http://[::ffff:127.0.0.1]:... and reach loopback or private HTTP services tha…
CVE-2026-44542 · 9.1 · CRITICAL · May 14, 2026 · FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences (e.g., ../) to escape the intended shared directory. As a result, an unauthenticated attacker possessing a valid public share hash with…
CVE-2026-42555 · 9.1 · CRITICAL · May 14, 2026 · Valtimo is an open-source business process automation platform. com.ritense.valtimo:document from 12.0.0 to before 12.32.0, com.ritense.valtimo:case from 13.0.0 to before 13.23.0, and com.ritense.valtimo:contract from 13.4.0 to before 13.23.0 evaluate Spring Expression Language (SpEL) expressions from user-supplied input using StandardEvaluationContext, whi…
CVE-2026-45375 · 9 · CRITICAL · May 14, 2026 · SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar (community marketplace) renders the name and version fields of a package's plugin.json (and the equivalent theme.json / template.json / widget.json / icon.json) into the Settings → Marketplace UI without HTML escaping. The kernel-side helper sanitizePackageDisplay…
CVE-2026-42457 · 9 · CRITICAL · May 14, 2026 · vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, there is a Stored XSS attack vulnerability via the name field of a templateRef. This can lead to the execution of arbitrary external scripts within the platform's browser context. In the worst ca…
CVE-2026-8577 · 8.8 · HIGH · May 14, 2026 · Integer overflow in Fonts in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
CVE-2026-8558 · 8.8 · HIGH · May 14, 2026 · Out of bounds write in Fonts in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CVE-2026-8555 · 8.8 · HIGH · May 14, 2026 · Use after free in GTK in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
CVE-2026-8551 · 8.8 · HIGH · May 14, 2026 · Use after free in Downloads in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
CVE-2026-8549 · 8.8 · HIGH · May 14, 2026 · Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CVE-2026-8544 · 8.8 · HIGH · May 14, 2026 · Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CVE-2026-8540 · 8.8 · HIGH · May 14, 2026 · Type Confusion in V8 in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CVE-2026-8532 · 8.8 · HIGH · May 14, 2026 · Integer overflow in XML in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CVE-2026-8531 · 8.8 · HIGH · May 14, 2026 · Heap buffer overflow in WebML in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2026-8529 · 8.8 · HIGH · May 14, 2026 · Heap buffer overflow in Codecs in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted video file. (Chromium security severity: High)

Phishing emails carry these payloads. Train crew to spot the trigger →

From the Cybersecurity Newsroom

What's making cyber headlines

Hand-picked feeds from Krebs on Security, The Hacker News, BleepingComputer, and SANS ISC. Headlines link to the original source — full credit, no scraping.

BleepingComputer
Chinese hackers hijack auth flow, spy on isolated network for a decade
Chinese hackers took control of a target organization's authentication stack and maintained persistence for 10 years, with full visibility into the administrative activity. [...]
Jun 13, 2026
Read at source →
The Hacker News
Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication
Splunk has released security updates to address a critical security flaw in Splunk Enterprise that could be exploited to conduct unauthenticated file operations and even remote code execution. The vulnerability, tracked as CVE-2026-20253, is rated 9.8 on the CVSS scoring system.…
Jun 13, 2026
Read at source →
BleepingComputer
US Gov asks Anthropic to ban 'foreign national' access to Fable, Mythos
The US government has ordered Anthropic to block all foreign nationals from accessing Fable 5 and Mythos 5, forcing the company to suspend both models worldwide. Anthropic is complying but disputes the basis, calling the cited jailbreak narrow and the capability widely available…
Jun 13, 2026
Read at source →
The Hacker News
U.S. Orders Anthropic to Suspend Fable 5 and Mythos 5 Access for Foreign Nationals
Anthropic said on Friday it will "abruptly disable" its most advanced artificial intelligence (AI) models, Claude Fable 5 and Mythos 5, for all users after the U.S. government ordered it to suspend access to the models for foreign nationals, whether inside or outside the U.S., c…
Jun 13, 2026
Read at source →
BleepingComputer
Maine disables data breach notification portal after fake disclosures
Maine has taken its public data breach reporting portal offline after fraudulent breach disclosures were published on the state's website, prompting a review of procedures to prevent abuse in the future. [...]
Jun 12, 2026
Read at source →
The Hacker News
Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit
Attackers took over more than 400 packages in the Arch User Repository (AUR) this week and rewrote their build scripts to install a credential stealer on any machine that built them. The malware is a Rust binary built to harvest developer secrets. When it lands with root, it can…
Jun 12, 2026
Read at source →
The Hacker News
Google Sues Chinese Smishing Network Accused of Using Gemini AI in Phishing
Google on Friday said it's pursuing legal action against a Chinese cybercrime network, accusing it of using its Gemini artificial intelligence (AI) agent to send phishing text messages targeting Americans. The network is said to be behind the development and management of a phis…
Jun 12, 2026
Read at source →
BleepingComputer
phpBB forum fixes auth bypass bug lurking for a decade
A 10-year-old authentication bypass vulnerability discovered in the phpBB forum software allows an attacker to log in as any user, including administrators. [...]
Jun 12, 2026
Read at source →
The Hacker News
China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade
Instead of hiding on the laptops and servers defenders watch most closely, a China-nexus group spent close to a decade hidden inside the Linux login system itself. Sygnia, which tracks the group as Velvet Ant, says it backdoored the PAM and OpenSSH components that decide who is…
Jun 12, 2026
Read at source →
BleepingComputer
Ukrainian national pleads guilty to role in Conti ransomware operation
A Ukrainian national extradited from Ireland to the United States last year has pleaded guilty to conspiracy charges tied to the Conti ransomware operation. [...]
Jun 12, 2026
Read at source →
SANS Internet Storm Center
ISC Stormcast For Friday, June 12th, 2026 https://isc.sans.edu/podcastdetail/9970, (Fri, Jun 12th)
Jun 12, 2026
Read at source →
SANS Internet Storm Center
ISC Stormcast For Thursday, June 11th, 2026 https://isc.sans.edu/podcastdetail/9968, (Thu, Jun 11th)
Jun 11, 2026
Read at source →

Headlines and snippets © their respective publishers; links go directly to the original sources.

IoT · The overlooked threat surface

IoT on yachts: what most owners miss

Yachts pack more network-connected gadgets than a small office — cameras, AV controllers, smart locks, sensors, infotainment. Most of it ships with weak defaults and never gets patched. Here are the three archetypes we keep seeing in incident reports.

01 Cameras · DVRs
The camera you forgot to patch
IP cameras (Hikvision, Dahua, Axis), smart doorbells, and baby monitors aboard frequently ship with hardcoded credentials, open telnet, or unpatched RTSP stacks. One compromised camera is a foothold on the yacht LAN, often with privileged network access that was granted for "remote viewing."
Watch for: default passwords, firmware >2 yr old, port 23 open on the guest VLAN
Train crew on device hygiene →
02 AV · Control
Crestron, Lutron, Control4, Savant
AV/lighting/climate controllers expose web admin panels and REST APIs that historically ship with weak auth. They share the same LAN as crew laptops and bridge systems, so a compromise gets full lateral access. Patch cadence is usually "never" without a dedicated integrator.
Watch for: control panels reachable from the guest network, no MFA on admin UIs, vendor remote-access tunnels left enabled
Train crew on segmentation →
03 Guest gear
The "smart" bits guests bring aboard
Chromecasts, Sonos, AirPlay receivers, Bluetooth speakers, smart TVs. Every one is an unmanaged endpoint that broadcasts on the network and can bridge guest devices into the yacht's primary VLAN if segmentation is loose. They're also notorious for shipping with mDNS/UPnP discovery and advertisement enabled.
Watch for: charter guests plugging anything into wired ports, "easier" flat networks, no MAC allowlist on the crew VLAN
Train crew on guest policy →

Why this matters at sea

Most of these attacks start with a person, not a firewall

Phishing, hostile marina Wi-Fi, guest data slip-ups — the techniques behind the headlines are the same ones that target crew inboxes every day. We turn the latest threats into 60 minutes of role-aware training crew actually finish.

Enroll your yacht

Ready to harden your crew's cyber posture?

Contact us +1.754.600.8735