Threat Intel · Updated Hourly
Live cybersecurity intel, straight from the sources crews trust.
Actively exploited vulnerabilities (CISA KEV), recently disclosed CVEs (NVD), and the cybersecurity newsroom — all in one place. We refresh on the hour so what you see is what's hitting the wire.
Updated 50 min ago
CISA Known Exploited Vulnerabilities
What's being actively exploited right now — Ransomware-linked
These aren't theoretical. Every CVE below is on CISA's KEV catalog — meaning U.S. federal civilian agencies are required to patch them, because attackers are actively using them in the wild.
CVE-2026-35273
Actively exploited
Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability
Oracle PeopleSoft Enterprise PeopleTools contains a missing authentication for critical function vulnerability which could allow an unauthenticated attacker to obtain takeover of PeopleSoft Enterprise PeopleTools.
Read advisory at NVD →
CVE-2026-50751
Actively exploited
Check Point Security Gateway Improper Authentication Vulnerability
Check Point Security Gateway contains an improper authentication vulnerability in IKEv1 key exchange that could allow an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password.
Read advisory at NVD →
CVE-2026-48027
Actively exploited
Nx Console Embedded Malicious Code Vulnerability
Nx Console contains an embedded malicious code vulnerability that allowed a malicious version of Nx Console to be published. The compromised extension fetched an obfuscated payload that could harvested credentials from multiple sources on disk and in memory.
Read advisory at NVD →
CVE-2026-45321
Actively exploited
TanStack Unspecified Vulnerability
TanStack contains an unspecified vulnerability that allowed malicious versions of the product to be published to the npm registry to publish credential-stealing malware under a trusted identity.
Read advisory at NVD →
CVE-2026-41940
Actively exploited
WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability
WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Read advisory at NVD →
CVE-2024-1708
Actively exploited
ConnectWise ScreenConnect Path Traversal Vulnerability
ConnectWise ScreenConnect contains a path traversal vulnerability which could allow an attacker to execute remote code or directly impact confidential data and critical systems.
Read advisory at NVD →
CVE-2024-57728
Actively exploited
SimpleHelp Path Traversal Vulnerability
SimpleHelp contains a path traversal vulnerability that allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e. zip slip). This can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user.
Read advisory at NVD →
CVE-2024-57726
Actively exploited
SimpleHelp Missing Authorization Vulnerability
SimpleHelp contains a missing authorization vulnerability that could allow low-privileged technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges to the server admin role.
Read advisory at NVD →
CVE-2023-27351
Actively exploited
PaperCut NG/MF Improper Authentication Vulnerability
PaperCut NG/MF contains an improper authentication vulnerability that could allow remote attackers to bypass authentication on affected installations via the SecurityRequestFilter class.
Read advisory at NVD →
CVE-2024-27199
Actively exploited
JetBrains TeamCity Relative Path Traversal Vulnerability
JetBrains TeamCity contains a relative path traversal vulnerability that could allow limited admin actions to be performed.
Read advisory at NVD →
CVE-2023-21529
Actively exploited
Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability
Microsoft Exchange Server contains a deserialization of untrusted data that allows an authenticated attacker to achieve remote code execution.
Read advisory at NVD →
CVE-2026-20131
Actively exploited
Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management Deserialization of Untrusted Data Vulnerabili…
Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management contain a deserialization of untrusted data vulnerability in the web-based management interface that could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device.
Read advisory at NVD →
See the full Ransomware-linked catalog (62 entries) →
Filtered to Ransomware-linked. Search, sort, and paginate the rest on the full catalog page.
Want crew who know what to do when one of these lands in their inbox? Start the free hour-long course →
NVD · Recent Disclosures
Recently disclosed CVEs (last 7 days)
Newly published vulnerabilities from the National Vulnerability Database, ranked by CVSS score. Critical-first so you see the worst at the top.
| CVE | CVSS | Severity | Published | Description |
|---|---|---|---|---|
| CVE-2026-44523 | 10 | CRITICAL | May 14, 2026 | Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability is fixed in 0.19.4. |
| CVE-2026-20182 | 10 | CRITICAL | May 14, 2026 | May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show Control Connections guidance to help with system checks. A vulnera… |
| CVE-2026-26191 | 9.8 | CRITICAL | May 14, 2026 | Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet's software installer pipeline could allow a crafted software package to execute arbitrary commands as root (macOS/Linux) or SYSTEM (Windows) on managed endpoints when an uninstall is triggered. When a software package (.pkg, .deb, .rpm, .exe, or .msi) is uploa… |
| CVE-2026-41315 | 9.8 | CRITICAL | May 14, 2026 | mdserver-web is a simple Linux panel. From 0.18.0 to 0.18.4, mdserver-web has a front-end unauthorized remote command execution vulnerability. Due to the lack of authentication on the /modify_crond and /start_task interfaces, it is possible to modify the default built-in scheduled tasks and start them, achieving RCE. |
| CVE-2026-42589 | 9.8 | CRITICAL | May 14, 2026 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes its keys directly to ExifTool via the go-exiftool library. No validation is performed on key characters. A \n embedded in a JSON key splits the ExifTool stdin stream into a new argum… |
| CVE-2026-44484 | 9.8 | CRITICAL | May 14, 2026 | PyTorch Lightning is a deep learning framework to pretrain and finetune AI models. Versions 2.6.2 and 2.6.2 have introduced functionality consistent with a credential harvesting mechanism. |
| CVE-2026-8511 | 9.6 | CRITICAL | May 14, 2026 | Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) |
| CVE-2026-41615 | 9.6 | CRITICAL | May 14, 2026 | Exposure of sensitive information to an unauthorized actor in Microsoft Authenticator allows an unauthorized attacker to disclose information over a network. |
| CVE-2026-44482 | 9.6 | CRITICAL | May 14, 2026 | soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload executed locally in the Electron app. This means attacker-controlled SoundCloud track metadata can lead to local command execution on the user's machine. The application exposes a preload API (win… |
| CVE-2026-44592 | 9.4 | CRITICAL | May 14, 2026 | Gradient is a nix-based continuous integration system. In 1.1.0, when GRADIENT_DISCOVERABLE=true (the default, and the NixOS module default), anyone who can reach /proto can register as a worker without any credentials by sending a fresh, never-registered worker UUID. The resulting session has PeerAuth::Open, i.e. it sees jobs from every organisation, and c… |
| CVE-2026-42596 | 9.4 | CRITICAL | May 14, 2026 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, the default deny-lists used by Gotenberg's downloadFrom feature and webhook feature are bypassable. Because the filter is regex-based and case-sensitive, an unauthenticated attacker can supply URLs such as http://[::ffff:127.0.0.1]:... and reach loopback or private HTTP services tha… |
| CVE-2026-44542 | 9.1 | CRITICAL | May 14, 2026 | FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences (e.g., ../) to escape the intended shared directory. As a result, an unauthenticated attacker possessing a valid public share hash with… |
| CVE-2026-42555 | 9.1 | CRITICAL | May 14, 2026 | Valtimo is an open-source business process automation platform. com.ritense.valtimo:document from 12.0.0 to before 12.32.0, com.ritense.valtimo:case from 13.0.0 to before 13.23.0, and com.ritense.valtimo:contract from 13.4.0 to before 13.23.0 evaluate Spring Expression Language (SpEL) expressions from user-supplied input using StandardEvaluationContext, whi… |
| CVE-2026-45375 | 9 | CRITICAL | May 14, 2026 | SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar (community marketplace) renders the name and version fields of a package's plugin.json (and the equivalent theme.json / template.json / widget.json / icon.json) into the Settings → Marketplace UI without HTML escaping. The kernel-side helper sanitizePackageDisplay… |
| CVE-2026-42457 | 9 | CRITICAL | May 14, 2026 | vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, there is a Stored XSS attack vulnerability via the name field of a templateRef. This can lead to the execution of arbitrary external scripts within the platform's browser context. In the worst ca… |
| CVE-2026-8577 | 8.8 | HIGH | May 14, 2026 | Integer overflow in Fonts in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2026-8558 | 8.8 | HIGH | May 14, 2026 | Out of bounds write in Fonts in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8555 | 8.8 | HIGH | May 14, 2026 | Use after free in GTK in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8551 | 8.8 | HIGH | May 14, 2026 | Use after free in Downloads in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8549 | 8.8 | HIGH | May 14, 2026 | Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8544 | 8.8 | HIGH | May 14, 2026 | Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8540 | 8.8 | HIGH | May 14, 2026 | Type Confusion in V8 in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8532 | 8.8 | HIGH | May 14, 2026 | Integer overflow in XML in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8531 | 8.8 | HIGH | May 14, 2026 | Heap buffer overflow in WebML in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-8529 | 8.8 | HIGH | May 14, 2026 | Heap buffer overflow in Codecs in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted video file. (Chromium security severity: High) |
Phishing emails carry these payloads. Train crew to spot the trigger →
From the Cybersecurity Newsroom
What's making cyber headlines
Hand-picked feeds from Krebs on Security, The Hacker News, BleepingComputer, and SANS ISC. Headlines link to the original source — full credit, no scraping.
BleepingComputer
Chinese hackers hijack auth flow, spy on isolated network for a decade
Chinese hackers took control of a target organization's authentication stack and maintained persistence for 10 years, with full visibility into the administrative activity. [...]
Jun 13, 2026
Read at source →
The Hacker News
Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication
Splunk has released security updates to address a critical security flaw in Splunk Enterprise that could be exploited to conduct unauthenticated file operations and even remote code execution. The vulnerability, tracked as CVE-2026-20253, is rated 9.8 on the CVSS scoring system.…
Jun 13, 2026
Read at source →
BleepingComputer
US Gov asks Anthropic to ban 'foreign national' access to Fable, Mythos
The US government has ordered Anthropic to block all foreign nationals from accessing Fable 5 and Mythos 5, forcing the company to suspend both models worldwide. Anthropic is complying but disputes the basis, calling the cited jailbreak narrow and the capability widely available…
Jun 13, 2026
Read at source →
The Hacker News
U.S. Orders Anthropic to Suspend Fable 5 and Mythos 5 Access for Foreign Nationals
Anthropic said on Friday it will "abruptly disable" its most advanced artificial intelligence (AI) models, Claude Fable 5 and Mythos 5, for all users after the U.S. government ordered it to suspend access to the models for foreign nationals, whether inside or outside the U.S., c…
Jun 13, 2026
Read at source →
BleepingComputer
Maine disables data breach notification portal after fake disclosures
Maine has taken its public data breach reporting portal offline after fraudulent breach disclosures were published on the state's website, prompting a review of procedures to prevent abuse in the future. [...]
Jun 12, 2026
Read at source →
The Hacker News
Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit
Attackers took over more than 400 packages in the Arch User Repository (AUR) this week and rewrote their build scripts to install a credential stealer on any machine that built them. The malware is a Rust binary built to harvest developer secrets. When it lands with root, it can…
Jun 12, 2026
Read at source →
The Hacker News
Google Sues Chinese Smishing Network Accused of Using Gemini AI in Phishing
Google on Friday said it's pursuing legal action against a Chinese cybercrime network, accusing it of using its Gemini artificial intelligence (AI) agent to send phishing text messages targeting Americans. The network is said to be behind the development and management of a phis…
Jun 12, 2026
Read at source →
BleepingComputer
phpBB forum fixes auth bypass bug lurking for a decade
A 10-year-old authentication bypass vulnerability discovered in the phpBB forum software allows an attacker to log in as any user, including administrators. [...]
Jun 12, 2026
Read at source →
The Hacker News
China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade
Instead of hiding on the laptops and servers defenders watch most closely, a China-nexus group spent close to a decade hidden inside the Linux login system itself. Sygnia, which tracks the group as Velvet Ant, says it backdoored the PAM and OpenSSH components that decide who is…
Jun 12, 2026
Read at source →
BleepingComputer
Ukrainian national pleads guilty to role in Conti ransomware operation
A Ukrainian national extradited from Ireland to the United States last year has pleaded guilty to conspiracy charges tied to the Conti ransomware operation. [...]
Jun 12, 2026
Read at source →
SANS Internet Storm Center
ISC Stormcast For Friday, June 12th, 2026 https://isc.sans.edu/podcastdetail/9970, (Fri, Jun 12th)
Jun 12, 2026
Read at source →
SANS Internet Storm Center
ISC Stormcast For Thursday, June 11th, 2026 https://isc.sans.edu/podcastdetail/9968, (Thu, Jun 11th)
Jun 11, 2026
Read at source →
Headlines and snippets © their respective publishers; links go directly to the original sources.
IoT · The overlooked threat surface
IoT on yachts: what most owners miss
Yachts pack more network-connected gadgets than a small office — cameras, AV controllers, smart locks, sensors, infotainment. Most of it ships with weak defaults and never gets patched. Here are the three archetypes we keep seeing in incident reports.
01
Cameras · DVRs
The camera you forgot to patch
IP cameras (Hikvision, Dahua, Axis), smart doorbells, and baby monitors aboard frequently ship with hardcoded creds, open telnet, or unpatched RTSP stacks. One compromised camera = a foothold on the yacht LAN, often with privileged network access for "remote viewing."
Train crew on device hygiene →
02
AV · Control
Crestron, Lutron, Control4, Savant
AV/lighting/climate controllers expose web admin panels and REST APIs that historically ship with weak auth. They share the same LAN as crew laptops and bridge systems, so a compromise gets full lateral access. Patch cadence is usually "never" without a dedicated integrator.
Train crew on segmentation →
03
Guest gear
The "smart" bits guests bring aboard
Chromecasts, Sonos, AirPlay receivers, Bluetooth speakers, smart TVs. Every one is an unmanaged endpoint that broadcasts on the network and can bridge guest devices into the yacht's primary VLAN if segmentation is loose. They're also notorious for shipping with mDNS/UPnP scanning enabled.
Train crew on guest policy →
Why this matters at sea
Most of these attacks start with a person, not a firewall
Phishing, hostile marina Wi-Fi, guest data slip-ups — the techniques behind the headlines are the same ones that target crew inboxes every day. We turn the latest threats into 60 minutes of role-aware training crew actually finish.