Security & Risk
50 analyses
Vulnerability in the SetIntegrationRequest policy of Apigee received a 9.2 on the CVSS and allows for the exfiltration of service account tokens, but relies on an insecure prior configuration in the API proxy.
A crafted request allows remote code execution without authentication in WebSphere 8.5 and 9.0 Web Server Plug-ins. On the same day, IBM published another 9.8 vulnerability in Engineering Lifecycle Management.
Vulnerability in KubeVirt's virt-handler allows a user with edit permissions in a single namespace to hijack the CRI-O socket and compromise the entire node. Red Hat has published errata for affected lines starting from 4.12.
An unauthenticated vulnerability in GitHub Enterprise Server has received a CVSS score of 9.2 and allows redirection of internal calls to leak credentials. Fixes are available in builds 3.16.20, 3.17.17, 3.18.11, and 3.19.8.
In the early hours of 22 May, an agent with organisational access to GitHub rewrote 502 historical tags of four PHP packages, injecting a backdoor that exfiltrates cloud credentials, CI/CD tokens, and Kubernetes secrets without visible alerts.
The extortion group CoinbaseCartel claimed access to the domain panasonic.aero on 22 May 2026. Panasonic Avionics serves more than 200 airlines and covers approximately 70% of the global fleet of aircraft equipped with IFE systems.
GitHub's CISO attributed the breach of 3,800 internal repositories to a malicious version of the Nx Console extension for VS Code, linked to a supply chain attack against TanStack's npm packages on 11 May.
The TeamPCP group compromised a GitHub employee's device with a tampered VS Code extension to exfiltrate approximately 3,800 internal repositories. The company confirms that customer data was not affected.
Without requiring authentication, CVE-2026-9082 has been scored 20/25 in Drupal's risk system and may lead to remote code execution in installations using PostgreSQL. Patch available this Thursday.
The Nitrogen group claims to have exfiltrated 8 TB across 11 million files from Foxconn, including technical drawings of Apple projects, Google, and Nvidia. AppleInsider confirmed today the presence of Apple server schematics in the leaked material.
Critical vulnerability CVE-2026-42945, present in NGINX since 2008, was actively exploited three days after proof of concept publication. It affects all versions between 0.6.27 and 1.30.0, responsible for 32.8% of global web servers.
SAP S/4HANA receives a fix for SQL injection with CVSS 9.6 in the same month that over half of global customers complete their migration to the version. FortiAuthenticator and FortiSandbox are updated against access control vulnerabilities, and n8n accumulates five CVEs with 9.4.