Actively exploited unauth RCE (CVSS 10.0) in Joomla JCE ≤2.9.99.4 via profile import, now in CISA KEV. Patch to 2.9.99.7, then hunt rogue profiles and webshells.
google-cloud-aiplatform 1.139.0/1.140.0 had a predictable Model.upload staging bucket: pre-create that GCS bucket and you get model-swap RCE with no victim creds. Fixed in 1.148.0.
CVE-2026-5426 zero-day: KnowledgeDeliver's shared ASP.NET machineKey → ViewState RCE → Godzilla in memory → Cobalt Strike via JS tampering. Hunting starts at Event ID 1316.
After Rift, two more nginx CVEs landed in late May 2026: njs js_fetch_proxy heap overflow CVE-2026-8711 and a second rewrite-module heap overflow CVE-2026-9256. Both pre-auth, CVSS v4.0 9.2, config-specific. Concrete grep checks and patch paths.
137 CVEs, no zero-days. Netlogon and DNS Client RCEs (both CVSS 9.8) lead — compared against ZeroLogon/SIGRed, with patch priority tiers and detection notes for SOC teams.
CVE-2026-42945 hits nginx 0.6.27–1.30.0 rewrite module with heap overflow. CVSS 9.2 but only fires on specific rewrite+capture+set patterns. How to check with nginx -T and what to patch.
PA-Series and VM-Series with User-ID Authentication Portal exposed to untrusted traffic. CL-STA-1132 achieved root RCE, wiped crash logs, enumerated AD, and deployed EarthWorm and ReverseSocks5. Patches start May 13; interim mitigations and forensic indicators for exposed portals.
Android's May 2026 bulletin patches CVE-2026-0073, a Wireless ADB auth bypass from mishandled EVP_PKEY_cmp return values. Adjacent network attackers bypass mutual TLS and get shell-level RCE on Android 14 through 16-qpr2. AOSP diff and impact breakdown included.
CVE-2026-34197 (CVSS 8.8), an RCE in Apache ActiveMQ Classic that lurked for 13 years, was added to the CISA KEV catalog. Authenticated attackers can achieve remote code execution via the Jolokia API. Affects versions below 5.19.4 and 6.0.0–6.2.2.
A CVSS 9.4 file upload vulnerability in ShowDoc, disclosed in 2020, was first observed being exploited in the wild by VulnCheck Canaries in April 2026. Over 2,000 exposed instances remain, primarily in China.
Adobe released a patch on April 11, 2026 for a Prototype Pollution RCE in Acrobat Reader that had been exploited since December 2025. CVSS 8.6, Priority 1. Apply within 72 hours.