#CVE

Composer CVE-2026-45793: GITHUB_TOKEN leaks to CI logs via regex miss

Composer 2.9.8/2.2.28 fix CVE-2026-45793: GitHub's new GITHUB_TOKEN includes hyphens that Composer's old regex rejects, leaking the token into CI logs as plaintext.

Fragnesia (CVE-2026-46300): Linux page cache LPE survives Dirty Frag mitigations

Fragnesia (CVE-2026-46300) overwrites the Linux page cache via XFRM ESP-in-TCP. The Dirty Frag workaround still applies, but IPsec hosts need to check side effects first.

Microsoft May 2026 Patch Tuesday: Netlogon, DNS Client RCE vs ZeroLogon/SIGRed

137 CVEs, no zero-days. Netlogon and DNS Client RCEs (both CVSS 9.8) lead — compared against ZeroLogon/SIGRed, with patch priority tiers and detection notes for SOC teams.

nginx CVE-2026-42945: rewrite heap overflow in 0.6.27–1.30.0, RCE without ASLR

CVE-2026-42945 hits nginx 0.6.27–1.30.0 rewrite module with heap overflow. CVSS 9.2 but only fires on specific rewrite+capture+set patterns. How to check with nginx -T and what to patch.

NIST NVD goes risk-based: which SCA tools still miss Deferred CVEs

NVD API queries: kernel CVEs return Analyzed but SuperAGI CVE-2026-6584 stays Deferred with no CPE. Maps Snyk, Trivy, Grype, Dependabot, OSV-Scanner reliance on NVD vs GHSA/OSV.

Ollama CVE-2026-7482: crafted GGUF leaks heap memory from exposed API servers

Out-of-bounds read in Ollama's GGUF loader before 0.17.1. If your Ollama API is network-accessible, a crafted model file can exfiltrate env vars, API keys, system prompts, and conversation fragments from process memory.

PCPJack credential stealer chains 5 CVEs to worm through Docker, Kubernetes, Redis, and RayML

SentinelOne's PCPJack report broken down: initial access via Next.js and WordPress CVEs, lateral movement through Docker sockets, Kubernetes Secrets, Redis cron rewrite, and RayML job injection. IOCs and hardening steps included.

PAN-OS CVE-2026-0300 root RCE via Captive Portal already exploited with AD enumeration and SOCKS tunneling

PA-Series and VM-Series with User-ID Authentication Portal exposed to untrusted traffic. CL-STA-1132 achieved root RCE, wiped crash logs, enumerated AD, and deployed EarthWorm and ReverseSocks5. Patches start May 13; interim mitigations and forensic indicators for exposed portals.

Linux Dirty Frag (CVE-2026-43284) Gets Root Through ESP and RxRPC Page Cache Writes

Dirty Frag is a local privilege escalation that writes to the Linux page cache via ESP-in-UDP and RxRPC receive paths. The algif_aead workaround from Copy Fail doesn't help, and the two attack paths complement each other to bypass Ubuntu's AppArmor restrictions on user namespaces.

CVE-2026-0073: EVP_PKEY_cmp misuse in Wireless ADB gives adjacent attackers shell RCE on Android 14–16

Android's May 2026 bulletin patches CVE-2026-0073, a Wireless ADB auth bypass from mishandled EVP_PKEY_cmp return values. Adjacent network attackers bypass mutual TLS and get shell-level RCE on Android 14 through 16-qpr2. AOSP diff and impact breakdown included.

CVE-2026-26268: Git Hooks as a Sandbox Escape in Cursor

CVE-2026-26268, fixed in Cursor 2.5, allowed AI agents to rewrite insufficiently protected .git config and Git hooks, leading to out-of-sandbox RCE on the next Git operation.

Linux Kernel Copy Fail (CVE-2026-31431) Rewrites the Page Cache to Get Root

CVE-2026-31431 Copy Fail is a Linux kernel local privilege escalation bug that lets an unprivileged user write 4 controlled bytes into the page cache via AF_ALG + algif_aead. On containers and CI runners it turns into host compromise.