RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: xss (2 articles)Clear
breach
2026-05-12

Instructure confirms ShinyHunters used Canvas XSS flaws to deface school login portals and pressure ransom

Instructure confirms that ShinyHunters exploited multiple cross-site scripting flaws in Canvas to deface school login portals on May 7, demanding the company and individual schools negotiate ransom by May 12. The flaws are in user-generated-content features of the free Free-for-Teacher Canvas environment and let the attacker grab authenticated admin sessions. This was a second hit following the original breach disclosed a week earlier that ShinyHunters claims netted 3.6 terabytes covering 8,809 educational organizations and 275 million student, teacher, and staff records. Instructure has taken Free-for-Teacher offline and applied additional safeguards; main Canvas has been restored since May 9.

shinyhuntersinstructurecanvasxssextortion
Check
If your school uses Canvas, check whether students or staff saw the defaced login page on May 7. Review browser logs for any extension that interacted with injected ransom content.
Affected
Canvas instances accessed through the Free-for-Teacher environment between May 7 and Instructure taking it offline. The exploited cross-site scripting flaws sit in user-generated-content features that allowed JavaScript injection. Schools and universities running the paid Canvas LMS are also exposed to the underlying data breach that ShinyHunters used for extortion leverage.
Fix
Wait for Instructure's official statement on which XSS vulnerabilities were exploited and when Free-for-Teacher returns. For paid Canvas tenants, assume usernames, email addresses, course names, enrollment information, and direct messages were part of the 3.6TB leak and treat affected accounts as phishing targets. Force-rotate any API tokens issued for Canvas integrations and audit external integrations that accepted user-generated content.
vulnerability
CVE-2025-48700
2026-04-24

Over 10,500 Zimbra servers still vulnerable to actively-exploited XSS as CISA gives federal agencies just three days to patch (CVE-2025-48700)

Shadowserver scan data published Friday shows over 10,500 Zimbra Collaboration Suite instances still unpatched against CVE-2025-48700, a Classic-UI XSS that Synacor fixed in June 2025 but CISA only added to KEV on April 20. Exposed servers split nearly evenly between Asia (3,794) and Europe (3,793). The flaw triggers when a victim simply views a crafted email - no clicks - and runs JavaScript inside their authenticated session for mailbox theft and MFA backup-code retrieval. Zimbra is a recurring APT target: Russia's Winter Vivern, APT29, and APT28 have all run Zimbra-XSS campaigns against NATO and Ukrainian targets.

zimbrasynacorxsscisa-kevactively-exploitedshadowserverapt28apt29
Check
If you run Zimbra anywhere - including subsidiaries, acquired companies, and overseas regional offices - confirm patch status against CVE-2025-48700 today.
Affected
Zimbra Collaboration Suite 8.8.15, 9.0, 10.0, and 10.1 without the June 2025 security patches. Exploitation requires a user to view a crafted email in the Classic UI; servers using only the Modern UI are not exposed via this specific flaw, but related issues are addressed by the same patch. CVSS 6.1.
Fix
Apply the June 2025 patches across all instances. Where immediate patching is impossible, switch users to the Modern UI as a stopgap and remove webmail from direct internet exposure. Audit the past 60 days of mailbox audit logs for unusual TGZ archive creation, MFA backup-code retrieval, application-password generation, and bulk address-book access. Rotate application passwords issued during the vulnerable window.