RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: information-disclosure (2 articles)Clear
vulnerability
CVE-2026-7482CVE-2026-42248CVE-2026-42249
2026-05-11

Critical Ollama flaw lets unauthenticated attackers read server memory - 300,000 instances exposed (CVE-2026-7482)

Researchers at Cyera disclosed a critical bug in Ollama, the open-source tool that runs large language models locally on laptops and servers. The flaw, called Bleeding Llama (CVE-2026-7482), lets anyone with network access send a malformed model file and read raw process memory back - which typically contains API keys, environment variables, system prompts, and other users' chat history. Ollama ships without authentication by default, so an estimated 300,000 instances are exposed on the internet. Ollama 0.17.1 fixes it. Separately, Striga disclosed two unpatched Ollama Windows desktop flaws (CVE-2026-42248 and CVE-2026-42249) that chain into persistent code execution at login.

ollamallmai-toolinginformation-disclosurerce
Check
Inventory all Ollama instances across servers and developer laptops. Check whether any are reachable from outside their host or trusted network, and verify the running version.
Affected
Ollama versions before 0.17.1 on every platform (CVE-2026-7482, CVSS 9.1, unauthenticated heap out-of-bounds read in the GGUF model loader exploitable via /api/create and /api/push). Ollama Windows desktop client on all currently-released builds (CVE-2026-42248 and CVE-2026-42249, CVSS 7.7 each, unpatched). Internet-exposed and developer-laptop instances are at highest risk.
Fix
Upgrade all Ollama servers to 0.17.1 or later immediately to fix Bleeding Llama. Restrict the Ollama API to localhost or an internal network only - never expose port 11434 to the internet. Place an authenticating reverse proxy in front of any shared Ollama deployment. For Windows desktop clients, monitor for an update that addresses CVE-2026-42248 and CVE-2026-42249; consider blocking auto-update traffic until a patched build ships.
vulnerability
CVE-2026-20133CVE-2026-20128CVE-2026-20122
2026-04-21

Cisco Catalyst SD-WAN Manager flaw added to CISA KEV with 4-day federal patch deadline - actively exploited (CVE-2026-20133)

CISA added a Cisco Catalyst SD-WAN Manager information disclosure flaw to its Known Exploited Vulnerabilities catalog on Monday, ordering federal agencies to patch by Friday, April 24 - an unusually aggressive 4-day deadline that reflects confirmed active exploitation. CVE-2026-20133 is an unauthenticated remote flaw in the SD-WAN Manager (formerly vManage) API, caused by insufficient file system access restrictions. An attacker can access the API and read sensitive information from the underlying operating system - including credentials that enable follow-on attacks. Cisco patched it in late February alongside two other SD-WAN Manager flaws (CVE-2026-20128 and CVE-2026-20122, both also added to KEV this week and confirmed exploited in the wild). Catalyst SD-WAN Manager is used to centrally manage up to 6,000 SD-WAN devices from one dashboard, making it a high-value target. Oddly, Cisco's PSIRT still says they have no evidence of public exploitation - contradicting CISA. CISA is treating its own intelligence as authoritative and has issued Emergency Directive 26-03 plus a Hunt & Hardening Guide for Cisco SD-WAN. Over the past several years CISA has tagged 91 Cisco vulnerabilities as exploited in the wild, six used by ransomware operations.

ciscosd-wancatalystcisa-kevactively-exploitedinformation-disclosureemergency-directive
Check
If you run Cisco Catalyst SD-WAN Manager (or the old vManage), patch today. CISA's 4-day federal deadline is the clearest signal yet that exploitation is widespread.
Affected
Cisco Catalyst SD-WAN Manager (formerly vManage) running versions prior to the February 2026 security update. Three CVEs are in play: CVE-2026-20133 (unauthenticated information disclosure, just added to KEV), CVE-2026-20128 (recoverable password storage), and CVE-2026-20122 (incorrect privileged API use). All three are confirmed exploited in the wild.
Fix
Apply Cisco's February 2026 security update for Catalyst SD-WAN Manager which fixes all three CVEs. If patching is delayed beyond April 24, follow CISA's Hunt & Hardening Guidance for Cisco SD-WAN Devices - restrict API access to trusted admin IPs only and review API access logs for unusual file-system-related requests over the past 60 days. Rotate any credentials stored on the SD-WAN Manager, as CVE-2026-20128 exposes them in recoverable format.