A wave of critical patches landed across enterprise vendors. Fortinet shipped fixes for two unauthenticated code-execution flaws (CVE-2026-44277 in FortiAuthenticator, CVE-2026-26083 in FortiSandbox / FortiSandbox Cloud / FortiSandbox PaaS, both CVSS 9.1). SAP patched a 9.6-rated SQL injection in S/4HANA and a missing-auth check in SAP Commerce that allows unauthenticated code execution. Ivanti Xtraction got a fix for arbitrary file read and write. Broadcom patched a VMware Fusion macOS local-privilege-escalation (CVE-2026-41702). And the n8n automation platform shipped five CVSS 9.4 issues, including XML-driven prototype pollution that authenticated workflow editors could turn into RCE.
A researcher who goes by Chaotic Eclipse has dropped working proof-of-concept code on GitHub for a Windows local privilege escalation that gives SYSTEM access on fully patched Windows 11 Pro and Windows Server 2025. The bug lives in the Cloud Filter driver cldflt.sys and is, the researcher says, the same flaw Google Project Zero reported to Microsoft as CVE-2020-17103 in 2020, which Microsoft said it fixed in December 2020. The original Google PoC works unmodified. May 2026 Patch Tuesday updates do not stop it. The same researcher has dropped several other Windows zero-days in recent weeks, all of which were quickly seen in real attacks.
The 18-year-old heap overflow in NGINX's rewrite module, CVE-2026-42945, disclosed last week as part of the 'Rift' bug cluster, is now seeing real exploitation attempts. AI-native security firm VulnCheck says its honeypot networks have caught attackers probing the flaw, though the goal of the campaigns is not yet clear. The vulnerability lets an unauthenticated attacker crash NGINX worker processes by sending crafted HTTP requests. Turning that crash into remote code execution requires the target host to have Address Space Layout Randomization (ASLR) disabled, which is uncommon by default, but the worker-crash denial-of-service is exploitable on its own and rated urgent.
Microsoft has flipped its position on Edge keeping saved passwords decrypted in memory the moment the browser launches. After originally telling the researcher who reported it that the behavior was 'by design' and not a security issue, Microsoft now says future Edge builds will stop loading the password store into memory at startup. The fix is already live in the Canary channel and will reach Stable, Beta, Dev, and Extended Stable in build 148. The original disclosure came with a working tool that lets an administrator on a shared Windows machine dump other users' Edge passwords by reading process memory.
Microsoft has refused to issue a CVE for what an outside researcher and the CERT Coordination Center both describe as a privilege escalation in Azure Backup for Azure Kubernetes Service. The flaw lets a user holding only the low-privileged 'Backup Contributor' Azure role gain cluster-admin on AKS clusters, which Microsoft dismissed by saying the attacker 'already held administrator access.' CERT/CC validated the bug and tracked it as VU#284781. The researcher says Microsoft also tried to get MITRE to reject the submission as 'AI-generated content,' then quietly added new permission checks, suggesting a silent patch even as Microsoft says 'no product changes were made.'
Just two days after a 138-fix Patch Tuesday that listed no zero-days, Microsoft disclosed CVE-2026-42897, an Exchange Server XSS-to-spoofing flaw it has tagged 'Exploitation Detected.' The bug is rated CVSS 8.1 and reported by an anonymous researcher. An unauthenticated attacker emails a crafted message; if the victim opens it in Outlook Web Access and meets certain interaction conditions, arbitrary JavaScript runs in the browser session context, enabling spoofing and session abuse. On-prem Exchange Server 2016, 2019, and Subscription Edition are affected; Exchange Online is not. No permanent patch exists yet, only mitigation through the Exchange Emergency Mitigation Service.
The second day of Pwn2Own Berlin 2026 added $385,750 across 15 unique zero-days, bringing the running total to $908,750 across 39 zero-days. The headline was Orange Tsai of DEVCORE chaining three bugs to gain SYSTEM-level remote code execution on Microsoft Exchange Server, taking the $200,000 top prize and pushing his event total past $375,000. Other day-two wins included a Windows 11 integer-overflow LPE, a Red Hat Enterprise Linux for Workstations root, a use-after-free in NVIDIA Container Toolkit, and AI-category exploits against LM Studio, Cursor, OpenAI Codex, and Anthropic Claude Desktop (the last as a collision with a previously known bug).
Three concurrent WordPress plugin issues are putting millions of sites at risk. Funnel Builder, used on 40,000+ WooCommerce sites, is being actively exploited: an unauthenticated attacker hits an unprotected checkout endpoint, modifies global plugin settings, and injects JavaScript skimmers into checkout pages. Avada Builder, with 1 million installs and bundled with the Avada theme, ships fixes in 3.15.3 for CVE-2026-4782 (CVSS 6.5 arbitrary file read by Subscriber-level users, exposes wp-config.php) and CVE-2026-4798 (CVSS 7.5 unauthenticated time-based blind SQL injection when WooCommerce was used then deactivated). Burst Statistics CVE-2026-8181 is an auth bypass already being exploited on 200,000 sites.
Cisco disclosed and patched a second perfect-score authentication bypass in its Catalyst SD-WAN Controller and Manager (formerly vSmart and vManage). The bug, CVE-2026-20182 (CVSS 10.0), was found by Rapid7 while investigating the earlier CVE-2026-20127 wave, and lives in the same vdaemon service over DTLS port 12346. An unauthenticated attacker can become a trusted peer of the controller, log in as a privileged internal account, hit the NETCONF interface, and rewrite the entire SD-WAN fabric. Cisco Talos already attributes limited in-the-wild exploitation to UAT-8616, an actor with operational-relay-box ties that has been targeting Cisco SD-WAN since 2023.
Exim, the open-source mail transfer agent that ships as default on Debian and powers a large slice of internet mail, has a critical use-after-free in how it parses message bodies sent with the BDAT chunking extension over TLS. The flaw, CVE-2026-45185 (CVSS 9.8) and nicknamed Dead.Letter by discoverer XBOW, triggers when a TLS connection closes via close_notify mid-BDAT and Exim then processes one more cleartext byte. That byte gets written into already-freed memory, corrupting the heap, and XBOW turned it into an unauthenticated RCE primitive. Only Exim builds compiled with USE_GNUTLS=yes are affected; OpenSSL builds are not.