Last updated: July 5, 2026 at 9:01 AM UTC

Bad Epoll Linux kernel flaw lets any local user gain root, including on Android

A newly disclosed Linux kernel vulnerability called Bad Epoll lets an ordinary user with no special privileges take full control of a machine as root, and it affects Linux desktops, servers, and Android. Tracked as CVE-2026-46242, the flaw is a use-after-free in epoll, a core Linux feature for watching many files or connections at once, which programs and browsers depend on and cannot simply turn off. Two parts of the kernel try to free the same object at once, letting an attacker corrupt kernel memory and climb to root. It is a race-condition bug, harder to exploit than recent deterministic Linux flaws, but a working exploit exists and a fix is available.

Check
Identify Linux servers, workstations, and Android devices in your environment and check their kernel versions against the Bad Epoll fix, prioritizing multi-user systems and anything where untrusted users can run code.
Affected
Linux desktops, servers, and Android devices on kernels without the Bad Epoll fix (CVE-2026-46242); any local user, or code already running with low privileges, can exploit the flaw to gain root.
Fix
Apply the kernel updates that fix Bad Epoll as they reach your distributions and Android devices; there is no workaround, since epoll cannot be disabled, so patching is the only real mitigation.

Seven flaws in the FatFs library expose millions of embedded devices, mostly unpatched

Researchers at runZero disclosed seven vulnerabilities in FatFs, a tiny filesystem library that lets devices read FAT and exFAT media like USB drives and SD cards and that is bundled into the firmware of countless embedded and industrial products. The most serious, CVE-2026-6682, is an integer overflow when mounting a FAT32 volume that can lead to memory corruption and code execution, and several bugs are reachable through firmware update flows, not just physical media. The hard part is patching: FatFs is maintained by a single developer who did not respond to the researchers, so most of the memory-corruption flaws have no upstream fix and downstream vendors may never learn they are affected.

Check
Inventory devices and firmware that bundle the FatFs library, especially anything that mounts USB, SD-card, or externally supplied filesystem images or accepts firmware updates, and ask vendors whether their products include FatFs.
Affected
Embedded, industrial, and consumer devices that bundle FatFs to read FAT or exFAT media (CVE-2026-6682 and six others); malicious media or update images can crash devices or corrupt memory toward code execution.
Fix
Where possible, restrict which USB, SD-card, and update-image sources a device will mount, isolate affected devices, and press vendors for firmware updates, since most of these flaws have no upstream fix.

SharePoint remote code execution flaw added to CISA KEV after active exploitation

CISA has added a SharePoint remote code execution flaw to its Known Exploited Vulnerabilities catalog after confirming active exploitation, months after Microsoft rated it less likely to be attacked. The bug (CVE-2026-45659, CVSS 8.8) comes from unsafe deserialization of untrusted data and lets an authenticated attacker with only Site Member permissions run code on a SharePoint server over the network, with low complexity and no user interaction. Microsoft patched it in May for SharePoint Server Subscription Edition, 2019, and Enterprise 2016. On-premises SharePoint is a repeated target because it holds sensitive data and is often internet-facing, and it has a long history of weaponized code execution flaws.

Check
Confirm the May 2026 SharePoint updates are applied to all on-premises servers, restrict internet exposure, and hunt for web shells, unexpected scheduled tasks, and unauthorized file changes on internet-facing SharePoint.
Affected
On-premises SharePoint Server Subscription Edition, 2019, and Enterprise 2016 missing the May 2026 patch (CVE-2026-45659); any authenticated user with Site Member permissions can run code remotely on the server.
Fix
Apply Microsoft's May 2026 SharePoint updates now, limit SharePoint to trusted networks or a VPN, tighten privileged access, and run a compromise assessment on internet-facing servers given confirmed exploitation.

Adobe patches seven critical code execution flaws in ColdFusion and Campaign Classic

Adobe has released patches for seven critical-severity code execution vulnerabilities in its ColdFusion web application platform and Campaign Classic marketing tool. Six of the flaws affect ColdFusion 2025 and 2023 and stem from unrestricted file uploads, improper input validation, and path traversal, each allowing arbitrary code execution; the seventh, in Campaign Classic, is an authorization flaw with the same impact on on-premises installations. All can be exploited in low-complexity attacks without user interaction. Adobe says it is not aware of any active exploitation but assigned its highest deployment priority, urging admins to patch quickly, since ColdFusion has repeatedly been targeted by attackers and ransomware crews.

Check
Identify ColdFusion 2025 and 2023 servers and on-premises Campaign Classic instances, confirm their update levels, and prioritize any that are internet-facing for immediate patching.
Affected
ColdFusion 2025 before Update 10, ColdFusion 2023 before Update 21, and on-premises Adobe Campaign Classic before build 9397; unauthenticated or low-privilege attackers can achieve arbitrary code execution in low-complexity attacks.
Fix
Install ColdFusion 2025 Update 10, ColdFusion 2023 Update 21, and Campaign Classic build 9397 within days, as Adobe advises, and restrict these platforms from direct internet exposure where possible.

Unpatched Argo CD flaw lets attackers take over Kubernetes clusters

Researchers at Synacktiv disclosed an unpatched flaw in Argo CD, the popular GitOps tool for deploying to Kubernetes, that can lead to full cluster takeover. The problem is in repo-server, the component that turns Git repository files into Kubernetes manifests: its internal gRPC service requires no authentication, so anyone who can reach it on the cluster network can send a crafted request and run commands. Synacktiv reported it about eighteen months ago, but there is still no fix and no CVE, so it went public to warn users. With no patch, the practical defense is network isolation using Kubernetes network policies.

Check
Check whether Kubernetes network policies restrict access to Argo CD's repo-server and Redis, using kubectl get networkpolicy across namespaces; Helm installs leave these policies off by default, exposing the ports cluster-wide.
Affected
Argo CD deployments where the repo-server's unauthenticated internal service is reachable from the wider cluster network; any workload that can reach it can run commands and take over the cluster.
Fix
Enable Kubernetes network policies so only Argo CD components can reach the repo-server and Redis ports, isolate Argo CD on the cluster network, and watch for an official fix to apply.
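The network isolation described in the Fix above, as an added example that is not from Synacktiv's write-up or the Argo CD project: two NetworkPolicies that allow only the other Argo CD components to reach the repo-server and Redis. Assumed and to be verified against your install: namespace argocd, the upstream app.kubernetes.io/name labels, repo-server gRPC on TCP 8081, Redis on TCP 6379, and a CNI that enforces NetworkPolicy.

```yaml
# Added example (not from Synacktiv or the Argo CD project): NetworkPolicies that
# restrict ingress to the Argo CD repo-server and Redis to the Argo CD components
# that legitimately call them. Assumed and to be verified against your install:
# namespace "argocd", upstream app.kubernetes.io/name labels, repo-server gRPC on
# TCP 8081, Redis on TCP 6379. Requires a CNI that enforces NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-repo-server-network-policy
  namespace: argocd
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-repo-server
  policyTypes: [Ingress]   # any ingress not matched below is denied
  ingress:
    - from:   # pods in the argocd namespace carrying one of these labels
        - podSelector:
            matchLabels: {app.kubernetes.io/name: argocd-server}
        - podSelector:
            matchLabels: {app.kubernetes.io/name: argocd-application-controller}
        - podSelector:
            matchLabels: {app.kubernetes.io/name: argocd-applicationset-controller}
        - podSelector:
            matchLabels: {app.kubernetes.io/name: argocd-notifications-controller}
      ports:
        - {protocol: TCP, port: 8081}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-redis-network-policy
  namespace: argocd
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: argocd-redis
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector:
            matchLabels: {app.kubernetes.io/name: argocd-server}
        - podSelector:
            matchLabels: {app.kubernetes.io/name: argocd-repo-server}
        - podSelector:
            matchLabels: {app.kubernetes.io/name: argocd-application-controller}
      ports:
        - {protocol: TCP, port: 6379}
```

If a monitoring stack scrapes the repo-server metrics port, add a separate ingress rule for it from the monitoring namespace rather than widening the 8081 rule. After applying, confirm enforcement by checking that a pod outside the allow list can no longer open a connection to the repo-server port.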

Cursor flaws let a poisoned prompt escape the AI coding sandbox and run commands

Researchers at Cato AI Labs detailed two flaws, dubbed DuneSlide, in the AI code editor Cursor that let a prompt-injection attack break out of the sandbox Cursor uses to contain the commands its agent runs. The attacker never types anything: they plant instructions in content the agent reads on the user's behalf, such as a connected MCP service or a web page. One flaw abuses a working-directory setting to get an attacker path added to the allowed-write list, letting injected commands overwrite the sandbox helper itself and then run with no sandbox. Both are rated 9.8 and are fixed in Cursor 3.0; every earlier version is affected, so users should update.

Check
Confirm Cursor is updated to 3.0 or later on developer machines, and review whether your AI coding agents can be steered by content they read from MCP servers, web pages, or repositories.
Affected
Developers running Cursor versions before 3.0 (CVE-2026-50548 and CVE-2026-50549); a prompt injection hidden in content the agent reads can escape the command sandbox and run arbitrary commands on the machine.
Fix
Update Cursor to 3.0 or later, keep the agent's command sandbox enabled, and treat everything an AI coding agent reads, from MCP tools to web pages, as potentially hostile rather than trusted.

Critical Kemp LoadMaster flaw gives unauthenticated attackers root on edge appliances

A critical flaw in Progress Kemp LoadMaster lets an unauthenticated attacker run commands as root on the appliance by sending a crafted request to its API. Rated 9.8, the bug (CVE-2026-8037) sits in a function meant to sanitize input before it reaches a shell command, and LoadMaster's position as an edge load balancer and application delivery controller makes a pre-authentication flaw especially dangerous, since it can turn a protective choke point into a direct foothold. Progress patched it in early June, and researchers at watchTowr published a full technical write-up with a working proof-of-concept on June 29. No exploitation has been reported yet, but Progress also makes MOVEit, a past mass-exploitation target.

Check
Identify Progress Kemp LoadMaster appliances with the API enabled, confirm their versions, and determine whether the management API is reachable from untrusted networks or the internet, the exposure this flaw needs.
Affected
Kemp LoadMaster GA 7.2.63.1 and earlier and LTSF 7.2.54.17 and earlier with the API enabled (CVE-2026-8037); an unauthenticated attacker who can reach the API gains root on an edge device.
Fix
Update to LoadMaster GA 7.2.63.2 or LTSF 7.2.54.18, and question whether the management API needs to be reachable at all, restricting it to trusted management networks or disabling it where unused.

Windows Defender BlueHammer flaw now used by ransomware gangs for SYSTEM access

CISA has updated its Known Exploited Vulnerabilities catalog to warn that ransomware gangs are now exploiting BlueHammer, a Microsoft Defender privilege-escalation flaw. The bug (CVE-2026-33825) lets a local attacker who already has a foothold escalate to SYSTEM by abusing Defender's file-remediation logic, giving them access to password hashes and the control needed to disable defenses and prepare systems for encryption. It was leaked with proof-of-concept code by a researcher in early April as a protest over Microsoft's disclosure process, exploited as a zero-day, then patched on April 14. It cannot be used for remote compromise on its own, but it strengthens attackers after initial access.

Check
Confirm the April 2026 Microsoft Defender update is applied across all Windows systems, and review endpoint logs for local privilege escalation, suspicious local-account access, and attempts to dump or read password hashes.
Affected
Windows systems missing the April 2026 Defender patch (CVE-2026-33825); after gaining initial access, attackers use the flaw to reach SYSTEM privileges, dump password hashes, and disable defenses ahead of ransomware.
Fix
Ensure the Microsoft Defender update is installed everywhere, prioritize systems exposed to phishing or stolen-credential access, and monitor for privilege-escalation behavior, since this flaw is now part of active ransomware playbooks.

Citrix patches six NetScaler flaws, including a CitrixBleed-style memory leak

Citrix has released fixes for six vulnerabilities in NetScaler ADC and NetScaler Gateway, including a high-severity memory-disclosure flaw that researchers place in the same class as the 2023 CitrixBleed bug. That flaw (CVE-2026-8451, rated 8.8) leaks small amounts of memory through malformed SAML requests and shares a root cause with an earlier NetScaler bug that was exploited within days of disclosure. The bulletin also covers an unauthenticated arbitrary file read and several denial-of-service issues, with CVSS scores from 6.9 to 8.8. No exploitation has been reported yet, but NetScaler appliances have drawn more than 20 entries on CISA's exploited-vulnerabilities list in three years, several used in ransomware.

Check
Inventory NetScaler ADC and Gateway appliances and their configurations, checking whether they run as SAML identity providers, expose management IPs, or use HTTP/2, and confirm which builds they are on.
Affected
NetScaler ADC and Gateway appliances on affected builds (CVE-2026-8451 and five others); SAML identity-provider setups risk memory disclosure, and other configurations face arbitrary file read or denial of service.
Fix
Update to NetScaler ADC and Gateway 14.1-72.61 or later fixed builds, and for the HTTP/2 denial-of-service flaw, manually set the Http2SmallWndTimeout parameter, since patching alone does not fully close it.

Critical Oracle E-Business Suite flaw now exploited for unauthenticated takeover

Attackers have begun exploiting a critical flaw in Oracle E-Business Suite, the financial and operations platform used by large enterprises, threat intelligence firm Defused reports. The bug (CVE-2026-46817), rated 9.8, sits in the File Transmission component of Oracle Payments and lets an unauthenticated attacker with HTTP access take over the system through a low-complexity attack. Oracle patched it in its May 2026 update, but exploitation began over the weekend despite no public proof-of-concept existing, meaning attackers built their own. Observed payloads attempt to read sensitive system files. Shadowserver tracks more than 450 EBS instances exposed online, many in North America and Asia, with unknown numbers still unpatched.

Check
Identify internet-facing Oracle E-Business Suite instances, confirm whether the May 2026 Critical Patch Update is applied, and review logs for suspicious requests to the Payments component and unexpected system-file access.
Affected
Oracle E-Business Suite versions 12.2.3 through 12.2.15 with the Payments component reachable over HTTP (CVE-2026-46817); unauthenticated attackers can fully compromise the system, and a private exploit is already in use.
Fix
Apply Oracle's May 2026 Critical Patch Update immediately, restrict EBS access to trusted networks, and run a compromise assessment if patching was delayed, since exploitation is underway without public exploit code.