An AI-discovered bug hidden in NGINX since 2008 lets anyone on the internet crash NGINX worker processes or, with ASLR disabled, run code on the server using a single crafted HTTP request. The flaw, named NGINX Rift (CVE-2026-42945, CVSS 9.2), sits in the rewrite module that powers URL rewriting in almost every NGINX deployment. It triggers when a config uses a rewrite directive with unnamed regex captures and a question mark, followed by another rewrite, if, or set directive - a common pattern in API gateway setups. NGINX runs roughly a third of the websites on the public internet.
A researcher who calls themselves Chaotic Eclipse - and who has weaponized every prior Windows flaw they have leaked this year - dropped working proof-of-concept code for two unpatched zero-days on May 12. YellowKey lets anyone with physical access to a Windows 11 or Server 2022/2025 machine plug in a USB stick, hold CTRL during a reboot into the Windows Recovery Environment, and get a shell with full access to the BitLocker-protected drive. GreenPlasma is a privilege escalation against the CTFMON service that hands an unprivileged user a path to SYSTEM. Independent researchers including Will Dormann and Kevin Beaumont have confirmed that YellowKey works as advertised.
Six days after Dirty Frag was patched, researcher William Bowling and the V12 Security team disclosed Fragnesia - a separate Linux kernel bug in the same ESP-in-TCP networking code that lets any unprivileged local user become root in one command. The public proof-of-concept overwrites /usr/bin/su in memory using a logic flaw that loses track of shared socket-buffer fragments, then re-runs su to drop into a root shell. The on-disk binary is left untouched, which makes the change harder to spot. Tracked as CVE-2026-46300 (CVSS 7.8), it follows Copy Fail (April 29) and Dirty Frag (May 7) in the same family.
Bitdefender researchers documented a China-linked espionage group called FamousSparrow repeatedly compromising an Azerbaijani oil and gas company between late December 2025 and late February 2026. Each time the victim cleaned up, the attackers came back through the same unpatched Microsoft Exchange Server and dropped a new backdoor - first Deed RAT (a ShadowPad relative used by several Chinese groups), then TernDoor. The group overlaps with the Earth Estries cluster, which itself overlaps with Salt Typhoon. This is the first time FamousSparrow has been seen targeting South Caucasus energy infrastructure, a region whose role in supplying gas to Europe grew sharply after Russia's Ukraine transit deal expired.
Socket researchers found more than 150 RubyGems packages doing something the registry was never built to do: smuggling scraped data out of UK council websites. The malicious gems fetch pages from Lambeth, Wandsworth, and Southwark's public meeting portals, bundle the responses into a normal-looking .gem archive, and push it back to RubyGems using a hardcoded API key. The attacker then downloads the data as a public gem version. Whether GemStuffer is registry spam, a worm being tested, or a deliberate trial of package-registry abuse, the mechanics are intentional - and it landed the same week RubyGems froze new account signups over a separate flood of malicious packages.
Quest KACE has a year-old maximum-severity authentication bypass (CVE-2025-32975, CVSS 10.0). Hunt.io researchers now report that an attacker exploited an unpatched KACE appliance at a Boston-area managed services provider called HIQ - then left their entire toolkit on a publicly accessible server with directory listing turned on. The exfiltrated 512 MB MariaDB dump turned out to contain the full appliance-managed endpoint list for over 60 named client organizations spanning law enforcement, government, healthcare, education, and private companies. None of those 60-plus organizations had any KACE relationship of their own - they were just customers of the MSP that ran it unpatched.
The Gentlemen, the second most prolific public ransomware operation of 2026 with over 320 listed victims, has had its own internal database leaked. Check Point Research and others obtained the data after a breach of the group's hosting provider 4VPS exposed their Rocket backend. The leak unmasks roughly 9 named operators centered on an administrator known as zeta88 (aka hastalamuerte), who built the RaaS panel in three days using DeepSeek and Qwen AI coding assistants, runs payouts, and joins encryption events personally. Internal chats also confirm chain-victimization: in April the group hit a UK software consultancy and then weaponized stolen client credentials to compromise one of the consultancy's customers in Turkey.
BWH Hotels - the global hospitality group behind Best Western, WorldHotels, and Sure Hotels, with 4,000+ properties in over 100 countries and 53 million loyalty members - has disclosed that attackers were inside one of its guest reservation web applications for more than six months. The intrusion ran from October 14, 2025, to April 22, 2026, when BWH finally detected unauthorized activity. The hackers accessed names, email addresses, phone numbers, postal addresses, reservation numbers, stay dates, and any special requests for an undisclosed number of guests. Payment data sat with a third-party processor and was not affected. No threat actor has claimed the breach so far.
Skoda Auto, the Volkswagen Group's Czech-built carmaker with 34,000 employees and 27 billion euros in annual sales, disclosed that attackers exploited a flaw in its German online shop software to access customer data. The breach hit shop.skoda-auto.de, not Skoda's global systems or the Skoda Connect portal. Exposed information includes names, addresses, email addresses, phone numbers, order history, account data, and password hashes. Payment card details were not stored on the affected system. Skoda took the shop offline, patched the flaw, and engaged external forensics, but admitted its server logs cannot retrospectively confirm exactly what data was copied out during the intrusion window.
OpenLoop Health, an Iowa-based telehealth infrastructure company that supplies clinicians and prescription processing to dozens of consumer telehealth platforms, has confirmed via the HHS breach portal that a January 2026 incident affected 716,000 individuals. Attackers were inside its systems for only one day - January 7 to 8 - but exfiltrated names, addresses, email addresses, dates of birth, and medical information. Social Security numbers and electronic health records were not accessed. A threat actor called Stuckin2019 claimed responsibility and put samples on a hacking forum; OpenLoop reportedly paid them and the listing was taken down. Because OpenLoop is white-label, affected patients enrolled through many different consumer telehealth brands.