Ghost 3.24.0–6.19.0 Content API SQLi leaked Admin API keys and injected ClickFix loaders into posts. Patch to 6.19.1+, rotate keys, and grep post bodies.
Actively exploited unauth RCE (CVSS 10.0) in Joomla JCE ≤2.9.99.4 via profile import, now in CISA KEV. Patch to 2.9.99.7, then hunt rogue profiles and webshells.
Vitest's UI/api WebSocket skips Origin checks (CSWSH), so a malicious page can call saveTestFile and rerun to run code on your dev machine. Fixed in 1.6.1 / 2.1.9 / 3.0.5.
Android 14–16/16-qpr2 patch CVE-2025-48595, a Framework integer-overflow EoP Google flags as under limited, targeted exploitation. In CISA KEV with a 2026-06-05 deadline. Includes the 06-01 vs 06-05 patch-level split.
RedSun (CVE-2026-41091) and UnDefend (CVE-2026-45498) are confirmed exploited and in CISA KEV. A patched Windows isn't enough: how to check your Defender engine 1.1.26040.8 / platform 4.18.26040.7.
CVE-2026-5426 zero-day: KnowledgeDeliver's shared ASP.NET machineKey → ViewState RCE → Godzilla in memory → Cobalt Strike via JS tampering. Hunting starts at Event ID 1316.
After Rift, two more nginx CVEs landed in late May 2026: njs js_fetch_proxy heap overflow CVE-2026-8711 and a second rewrite-module heap overflow CVE-2026-9256. Both pre-auth, CVSS v4.0 9.2, config-specific. Concrete grep checks and patch paths.
Walking through Dirty Pipe (CVE-2022-0847) from a 2026 angle: one uninitialized pipe_buffer.flags bit kept PIPE_BUF_FLAG_CAN_MERGE alive into splice'd pages, plus patched-kernel checks for distros and containers.
Microsoft assigned CVE-2026-45585 to YellowKey: strip autofstx.exe from WinRE BootExecute and move TPM-only BitLocker to TPM+PIN. No patch ETA; Chaotic Eclipse claims a TPM+PIN bypass PoC.