Exchange Server XSS CVE-2026-42897 Exploited via Crafted Email
May 19, 2026
Microsoft confirmed active exploitation of CVE-2026-42897, an XSS flaw in on-premises Exchange Server triggered when victims open malicious emails in
CVE Vulnerability Alerts
Exchange Server XSS CVE-2026-42897 Exploited via Crafted Email
Microsoft confirmed active exploitation of CVE-2026-42897, an XSS flaw in on-premises Exchange Server triggered when victims open malicious emails in OWA.
PraisonAI CVE-2026-44338 Exploited 3h44m After Public Disclosure
Attackers began exploiting a missing-authentication flaw in PraisonAI's Flask API server 3 hours and 44 minutes after the CVE-2026-44338 advisory was published on May 11.
Burst Statistics CVE-2026-8181 Draws 7,400 Attacks in 24 Hours
Wordfence blocked over 7,400 attacks against CVE-2026-8181 in the Burst Statistics WordPress plugin within 24 hours of disclosure, with 115,000 sites still unpatched.
NGINX CVE-2026-42945 Under Active Exploitation After F5 Patch Drop
VulnCheck confirmed in-the-wild exploitation of NGINX CVE-2026-42945, a critical heap overflow, within days of F5's patch; 5.7 million servers are exposed.
18-Year NGINX Flaw CVE-2026-42945 Enables Unauthenticated RCE
Security researcher depthfirst disclosed CVE-2026-42945, an 18-year heap overflow in NGINX's rewrite module enabling unauthenticated RCE. CVSS 9.2 critical.
Linux Kernel Fragnesia CVE-2026-46300 Grants Root via Page Cache
CVE-2026-46300 Fragnesia is a third Linux kernel LPE enabling root access via page cache corruption with no race condition required. Patches available.
Microsoft May 2026 Patch Tuesday: SharePoint RCE, NTLM Zero-Day
Microsoft's May 2026 Patch Tuesday fixes two actively exploited flaws including a zero-day NTLM hash leak requiring no user interaction to trigger.
SAP S/4HANA SQL Injection CVE-2026-34260 Rated CVSS 9.6
SAP's May 2026 Security Patch Day fixes CVE-2026-34260, a CVSS 9.6 SQL injection in S/4HANA Enterprise Search that lets authenticated attackers read or delete ERP ...
Public PoC Drops for CVSS 9.8 Android Zero-Click CVE-2026-0073
Security group BARGHEST released a public PoC for CVE-2026-0073, a CVSS 9.8 zero-click RCE in Android's debug bridge daemon affecting Android 14, 15, and 16.
Dell DSA-2026-047: CVSS 9.8 Hard-Coded Credentials in ECS Storage
Dell advisory DSA-2026-047 patches a CVSS 9.8 hard-coded credentials flaw in Dell ECS and ObjectScale that grants unauthenticated filesystem access to enterprise storage.
PraisonAI CVE-2026-44338 Exploited 3h44m After Public Disclosure
May 19, 2026
Attackers began exploiting a missing-authentication flaw in PraisonAI’s Flask API server 3 hours and 44 minutes after the CVE-2026-44338 advisory
Burst Statistics CVE-2026-8181 Draws 7,400 Attacks in 24 Hours
May 19, 2026
Wordfence blocked over 7,400 attacks against CVE-2026-8181 in the Burst Statistics WordPress plugin within 24 hours of disclosure, with 115,000
NGINX CVE-2026-42945 Under Active Exploitation After F5 Patch Drop
May 19, 2026
VulnCheck confirmed in-the-wild exploitation of NGINX CVE-2026-42945, a critical heap overflow, within days of F5’s patch; 5.7 million servers are
18-Year NGINX Flaw CVE-2026-42945 Enables Unauthenticated RCE
May 14, 2026
Security researcher depthfirst disclosed CVE-2026-42945, an 18-year heap overflow in NGINX’s rewrite module enabling unauthenticated RCE. CVSS 9.2 critical.
Linux Kernel Fragnesia CVE-2026-46300 Grants Root via Page Cache
May 14, 2026
CVE-2026-46300 Fragnesia is a third Linux kernel LPE enabling root access via page cache corruption with no race condition required.
Microsoft May 2026 Patch Tuesday: SharePoint RCE, NTLM Zero-Day
May 13, 2026
Microsoft’s May 2026 Patch Tuesday fixes two actively exploited flaws including a zero-day NTLM hash leak requiring no user interaction
SAP S/4HANA SQL Injection CVE-2026-34260 Rated CVSS 9.6
May 13, 2026
SAP’s May 2026 Security Patch Day fixes CVE-2026-34260, a CVSS 9.6 SQL injection in S/4HANA Enterprise Search that lets authenticated
Public PoC Drops for CVSS 9.8 Android Zero-Click CVE-2026-0073
May 13, 2026
Security group BARGHEST released a public PoC for CVE-2026-0073, a CVSS 9.8 zero-click RCE in Android’s debug bridge daemon affecting
Dell DSA-2026-047: CVSS 9.8 Hard-Coded Credentials in ECS Storage
May 13, 2026
Dell advisory DSA-2026-047 patches a CVSS 9.8 hard-coded credentials flaw in Dell ECS and ObjectScale that grants unauthenticated filesystem access
Trending
Daily Briefing Newsletter
Subscribe to the Daily Security Review Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.