Security & Risk
50 analyses
CVE-2026-20182 Allows Authentication Bypass on Catalyst SD-WAN Controller and Escalation to Root. Group Identified as UAT-8616 Was Already Modifying NETCONF Settings on Compromised Systems. CISA Demanded Fix Within Three Days.
CVE-2026-42897 allows execution of JavaScript via opened email in Outlook Web Access. CISA mandated remediation by 29 May. The flaw affects Exchange Server 2016, 2019, and Subscription Edition, but does not impact Exchange Online.
A supply chain attack on the TanStack project release pipeline compromised 84 artefacts in 42 npm packages, impacting OpenAI, which confirmed the compromise of application signing keys for Windows, macOS, iOS, and Android, and initiated the re-release of all apps with new certificates.
Grafana Labs confirmed on 17 May that a third party obtained an access token for the company's corporate GitHub and downloaded part of the source code. The company refused the ransom demand from the CoinbaseCartel group, citing guidance from the FBI to justify its stance.
A buffer overflow in the NGINX rewrite module, present in the code since 2008, led F5 to issue an emergency patch after VulnCheck recorded exploitation attempts against honeypots. The vulnerability has a CVSS score of 9.2 and affects versions 0.6.27 to 1.30.0.
The annual report analysed 22,052 incidents and 12,195 confirmed breaches, doubling the weight attributed to suppliers and partners as vectors of compromise.
Launched on 12 May, the platform uses GPT-5.5 to identify vulnerabilities, validate fixes, and accelerate the patch cycle in corporate environments. Cisco, CrowdStrike, and Palo Alto are already integrating the product.
The first quarter of 2026 recorded 2,122 organisations as victims of ransomware, the second largest Q1 in history. The significant change: the ten largest groups concentrated 71% of the attacks, signalling a consolidation of the criminal ecosystem and more sophisticated attacks.
Incidents of software supply chain attacks more than doubled globally in 2025, exposing critical gaps in enterprise preparedness. The attack on tj-actions in March 2025 compromised CI/CD pipelines in thousands of repositories. The XZ Utils case from 2024, where an attacker spent two years building trust before inserting a backdoor, set the standard for the modern threat.
The Trump administration has authorised the sale of Nvidia H200 chips to China, a reversal of the bipartisan restriction policy established since 2022. Congress reacts with bills to reverse the decision. For technology executives, this scenario reshapes the geopolitical risk landscape of the AI supply chain.
63% of organisations worldwide have implemented Zero Trust at least partially. However, 35% of initiatives reported failures that harmed the organisation. Gartner projects that 75% of US federal agencies will struggle to implement Zero Trust policies by the end of 2026. Organisations with mature programmes report 50% fewer breaches and reduce the average cost of a breach by 43%.
Cyber insurance premiums have fallen by 22% from the peak in 2022 and fell an additional 6% in 2025. In 2024, global policies recorded a decrease in total premium for the first time. For 2026, insurers are forecasting a turnaround with a rise of 15% to 20%, driven by the acceleration of attacks on critical infrastructure and the increasing sophistication of AI-enabled fraud.