NYC Health + Hospitals Breach Exposes 1.8M Patients’ Fingerprints
May 21, 2026
Hackers spent 77 days inside NYC Health + Hospitals via a vendor breach, stealing fingerprints, medical records, and SSNs from
Security Spotlight
NYC Health + Hospitals Breach Exposes 1.8M Patients’ Fingerprints
Hackers spent 77 days inside NYC Health + Hospitals via a vendor breach, stealing fingerprints, medical records, and SSNs from 1.8 million patients.
Anthropic Silently Fixed Claude Code Null-Byte Sandbox Escape
A null-byte sandbox bypass in Claude Code allowed credential exfiltration via prompt injection, present from October 2025 until Anthropic's silent March patch.
CVE-2026-3102: ExifTool Image Injection Runs Shell Commands on macOS
CVE-2026-3102 in ExifTool's SetMacOSTags lets a crafted image execute shell commands on macOS; the flaw is patched in ExifTool 13.50 after Kaspersky disclosure.
SonicWall Gen6 MFA Bypass CVE-2024-12802 Left Open by Incomplete Patch
SonicWall's patch for CVE-2024-12802 needed a manual LDAP reconfiguration most admins skipped, leaving Gen6 VPN open to MFA bypass and ransomware access.
Drupal Issues Highly Critical Patch, Exploits Expected Within Hours
Drupal warned a highly critical vulnerability in versions 11.3.x through 10.5.x could be exploited within hours of its May 20, 2026 patch release date.
Tycoon2FA Adds Device-Code Attack to Bypass Microsoft 365 MFA
Tycoon2FA's latest update adds device-code phishing that hands attackers a valid Microsoft 365 OAuth token without requiring the victim's password or MFA code.
SAP S/4HANA SQL Injection CVE-2026-34260 Rated CVSS 9.6
SAP's May 2026 Security Patch Day fixes CVE-2026-34260, a CVSS 9.6 SQL injection in S/4HANA Enterprise Search that lets authenticated attackers read or delete ERP ...
Dell DSA-2026-047: CVSS 9.8 Hard-Coded Credentials in ECS Storage
Dell advisory DSA-2026-047 patches a CVSS 9.8 hard-coded credentials flaw in Dell ECS and ObjectScale that grants unauthenticated filesystem access to enterprise storage.
NVIDIA GeForce NOW Breach Exposes Armenian Users’ Data
NVIDIA confirmed a GeForce NOW data breach via Armenian partner GFN.am, exposing names, emails, and phone numbers of users registered before March 9, 2026.
Fake OpenAI Repo Trended on Hugging Face Before Malware Found
A fraudulent OpenAI repository reached Hugging Face's trending list while distributing infostealing malware targeting credentials and access tokens.
Anthropic Silently Fixed Claude Code Null-Byte Sandbox Escape
May 21, 2026
A null-byte sandbox bypass in Claude Code allowed credential exfiltration via prompt injection, present from October 2025 until Anthropic’s silent
CVE-2026-3102: ExifTool Image Injection Runs Shell Commands on macOS
May 21, 2026
CVE-2026-3102 in ExifTool’s SetMacOSTags lets a crafted image execute shell commands on macOS; the flaw is patched in ExifTool 13.50
SonicWall Gen6 MFA Bypass CVE-2024-12802 Left Open by Incomplete Patch
May 21, 2026
SonicWall’s patch for CVE-2024-12802 needed a manual LDAP reconfiguration most admins skipped, leaving Gen6 VPN open to MFA bypass and
Drupal Issues Highly Critical Patch, Exploits Expected Within Hours
May 20, 2026
Drupal warned a highly critical vulnerability in versions 11.3.x through 10.5.x could be exploited within hours of its May 20,
Tycoon2FA Adds Device-Code Attack to Bypass Microsoft 365 MFA
May 19, 2026
Tycoon2FA’s latest update adds device-code phishing that hands attackers a valid Microsoft 365 OAuth token without requiring the victim’s password
SAP S/4HANA SQL Injection CVE-2026-34260 Rated CVSS 9.6
May 13, 2026
SAP’s May 2026 Security Patch Day fixes CVE-2026-34260, a CVSS 9.6 SQL injection in S/4HANA Enterprise Search that lets authenticated
Dell DSA-2026-047: CVSS 9.8 Hard-Coded Credentials in ECS Storage
May 13, 2026
Dell advisory DSA-2026-047 patches a CVSS 9.8 hard-coded credentials flaw in Dell ECS and ObjectScale that grants unauthenticated filesystem access
NVIDIA GeForce NOW Breach Exposes Armenian Users’ Data
May 11, 2026
NVIDIA confirmed a GeForce NOW data breach via Armenian partner GFN.am, exposing names, emails, and phone numbers of users registered
Fake OpenAI Repo Trended on Hugging Face Before Malware Found
May 11, 2026
A fraudulent OpenAI repository reached Hugging Face’s trending list while distributing infostealing malware targeting credentials and access tokens.
Trending
Daily Briefing Newsletter
Subscribe to the Daily Security Review Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.