Ghost 3.24.0–6.19.0 Content API SQLi leaked Admin API keys and injected ClickFix loaders into posts. Patch to 6.19.1+, rotate keys, and grep post bodies.
Actively exploited unauth RCE (CVSS 10.0) in Joomla JCE ≤2.9.99.4 via profile import, now in CISA KEV. Patch to 2.9.99.7, then hunt rogue profiles and webshells.
Vitest's UI/api WebSocket skips Origin checks (CSWSH), so a malicious page can call saveTestFile and rerun to run code on your dev machine. Fixed in 1.6.1 / 2.1.9 / 3.0.5.
Android 14–16/16-qpr2 patch CVE-2025-48595, a Framework integer-overflow EoP that Google flags as under limited, targeted exploitation. In CISA KEV with a 2026-06-05 deadline. Includes the 06-01 vs 06-05 patch-level split.
Two CRLF-adjacent bugs, two different checks. Smuggling is a proxy↔Tomcat HTTP/1.1 framing mismatch (tomcat-embed-core version, CVE-2026-24880); splitting is CRLF in sendRedirect/setHeader/RestTemplate. With a grep checklist.
RedSun (CVE-2026-41091) and UnDefend (CVE-2026-45498) are confirmed exploited and in CISA KEV. A patched Windows isn't enough: how to check your Defender engine 1.1.26040.8 / platform 4.18.26040.7.
CVE-2026-5426 zero-day: KnowledgeDeliver's shared ASP.NET machineKey → ViewState RCE → Godzilla in memory → Cobalt Strike via JS tampering. Hunting starts at Event ID 1316.
After Rift, two more nginx CVEs landed in late May 2026: njs js_fetch_proxy heap overflow CVE-2026-8711 and a second rewrite-module heap overflow CVE-2026-9256. Both pre-auth, CVSS v4.0 9.2, config-specific. Concrete grep checks and patch paths.
Microsoft assigned CVE-2026-45585 to YellowKey: strip autofstx.exe from WinRE BootExecute and move TPM-only BitLocker to TPM+PIN. No patch ETA; Chaotic Eclipse claims a TPM+PIN bypass PoC.
Chaotic Eclipse's MiniPlasma takes SYSTEM on fully patched Windows 11 May 2026 by re-triggering CVE-2020-17103 in cldflt.sys, the same bug James Forshaw reported in 2020 and Microsoft supposedly fixed that December. Will Dormann confirmed the PoC works; the latest Insider Canary blocks it. No new CVE assigned yet, and the regression sits next to the actively exploited CVE-2025-62221 in the same driver.