Researchers at Calif.io disclosed Squidbleed, a Heartbleed-style memory leak in the widely used Squid web proxy that exposes one user's cleartext HTTP traffic, including passwords, cookies, and session tokens, to anyone else allowed to use the same proxy. The flaw (CVE-2026-47729) is a heap over-read in Squid's decades-old FTP directory parser and is present in the default configuration of every Squid version. To exploit it, an attacker needs proxy access and must point the proxy at an FTP server they control. Only cleartext HTTP and TLS-intercepting setups are exposed; normal HTTPS tunnels are not. A proof-of-concept is public.
Attackers are mass-exploiting a flaw in Gravity SMTP, a WordPress email plugin installed on about 100,000 sites, to harvest credentials without any login. The bug (CVE-2026-4020) leaves a REST API endpoint with a permission check that always passes, so a single unauthenticated request returns a 365 KB system report containing API keys, secrets, and OAuth tokens for connected email services like Amazon SES, Mailjet, and Zoho, plus detailed software-stack information. Wordfence has blocked more than 17 million attempts, with activity spiking around June 6 and 7. A patch shipped in version 2.1.5, but updating does not revoke keys attackers may have already grabbed.
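The defect class described above, a WordPress REST route whose permission callback always succeeds, is easy to spot and to fix in code review. The following is an added, illustrative example and not Gravity SMTP's own code: the namespace, route name, option keys and function names are hypothetical. It contrasts a route registered with an always-true permission callback against one that requires an administrative capability and redacts secrets from the diagnostic payload, so that even an authorized caller does not receive raw API keys in a report.

```php
<?php
// Illustrative example, not Gravity SMTP's code. Namespace, route, option
// keys and function names below are hypothetical.

// Builds a diagnostic report from stored settings. In a real plugin this is
// where connected-service credentials leak into the response body.
function example_build_system_report(WP_REST_Request $request) {
    return [
        'php_version'   => PHP_VERSION,
        'wp_version'    => get_bloginfo('version'),
        'active_plugins'=> get_option('active_plugins', []),
        // Hypothetical option keys holding mail-service credentials.
        'ses_access_key'    => get_option('example_ses_access_key', ''),
        'ses_secret_key'    => get_option('example_ses_secret_key', ''),
        'mailjet_api_key'   => get_option('example_mailjet_api_key', ''),
        'zoho_oauth_token'  => get_option('example_zoho_oauth_token', ''),
    ];
}

// BEFORE: '__return_true' as the permission callback means the check always
// passes, so a single unauthenticated GET returns the whole report.
add_action('rest_api_init', function () {
    register_rest_route('example-plugin/v1', '/system-report', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_build_system_report',
        'permission_callback' => '__return_true',
    ]);
});

// Replaces every value whose key looks like a credential with a fixed marker,
// keeping only enough to tell an admin whether something is configured.
function example_redact_secrets(array $report) {
    $secret_pattern = '/(secret|key|token|password)/i';
    foreach ($report as $name => $value) {
        if (is_string($value) && preg_match($secret_pattern, $name)) {
            $report[$name] = $value === '' ? '(not set)' : '[REDACTED]';
        }
    }
    return $report;
}

function example_build_system_report_redacted(WP_REST_Request $request) {
    return example_redact_secrets(example_build_system_report($request));
}

// AFTER: the endpoint requires an administrator (WordPress returns 401/403
// with a rest_forbidden error otherwise), and the payload is redacted so a
// diagnostic report cannot double as a credential dump.
add_action('rest_api_init', function () {
    register_rest_route('example-plugin/v1', '/system-report', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_build_system_report_redacted',
        'permission_callback' => function () {
            return current_user_can('manage_options');
        },
    ]);
});
```

When auditing a plugin for this pattern, grep its `register_rest_route` calls for `'__return_true'` (or a closure that returns `true` unconditionally) and confirm that every sensitive route names a real capability. Because the fix in version 2.1.5 closes the endpoint but cannot undo a read that already happened, sites that were exposed should also rotate the Amazon SES, Mailjet, Zoho and any other connected-service credentials the report contained.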
Cisco has patched serious flaws in Identity Services Engine (ISE), the platform many organizations use to control who and what connects to their network. The most severe is a critical remote-code-execution bug that can give an attacker root-level control of the appliance. A second flaw, CVE-2026-20190, is an unauthenticated information-disclosure issue caused by weak authorization checks, letting a remote attacker pull sensitive data, including hashed credentials, that could fuel follow-on attacks and lateral movement. All versions of ISE and ISE-PIC are affected, though which flaws apply varies by release. Cisco has not reported active exploitation, but ISE sits at the heart of network access control.