Google has released the June 2026 Android security patches addressing 124 vulnerabilities, including CVE-2025-48595, a high-severity Android Framework flaw under limited, targeted exploitation. Local attackers can abuse it to gain code execution and escalate privileges on Android 14 or later. Google fixed 18 critical vulnerabilities this cycle across System, Framework, and Qualcomm closed-source components; the most severe is a critical Framework flaw enabling remote privilege escalation with no user interaction. Two patch levels shipped (2026-06-01 and 2026-06-05). CISA added CVE-2025-48595 to its KEV catalog the same day. Pixel devices get updates immediately; other vendors typically lag. Similar Android Framework flaws have historically been abused by commercial spyware.
Hackers are exploiting CVE-2026-8206, a critical privilege-escalation flaw in the Kirki - Freeform Page Builder WordPress plugin, to take over any account including administrators. Defiant's Wordfence blocked over 222 attempts against customers in 24 hours. The plugin is active on more than 500,000 sites; the bug was introduced in version 6.0.0 and affects up to 6.0.6 (nearly 40% of the userbase). It stems from a custom REST password-reset endpoint that accepts an arbitrary email: when a username is supplied, the plugin sends a valid reset link to the attacker-controlled address instead of the owner's. The vendor fixed it in 6.0.7 on May 18; admins should upgrade or disable immediately.
Rapid7 has disclosed CVE-2026-0826, a critical unauthenticated stack-based buffer overflow in HP Poly VoIP phones that gives a remote attacker root-level code execution. Discovered during zero-day research against a Poly VVX 450, the flaw sits in SDP parsing for ICE-enabled phones: the device copies a candidate attribute into a 256-byte stack buffer without a length check, so an oversized ICE candidate in a crafted SIP INVITE overflows the stack and can overwrite the program counter. NX is enabled but ASLR misbehaves, loading shared libraries at fixed addresses that make a ROP chain practical. An attacker needs no authentication. Patches are available for affected models.
CISA has added CVE-2022-0492 to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. The four-year-old Linux kernel flaw is an improper-authentication issue in the cgroups v1 release_agent feature that can be abused for container escape and privilege escalation to root on the host. It is well known among container-security researchers as a path to breaking out of misconfigured containers lacking AppArmor/SELinux or seccomp restrictions. Its appearance on KEV signals active in-the-wild abuse, likely in cloud and container environments. FCEB agencies must remediate by the BOD 22-01 deadline; all organizations running container workloads on older kernels should patch and verify hardening immediately.
The Centre for Cybersecurity Belgium (CCB) has warned that threat actors are now exploiting CVE-2026-41089, a critical Windows Netlogon vulnerability that Microsoft patched during the May 2026 Patch Tuesday. Netlogon is a core Windows Server RPC service that authenticates users and services on domain-based networks. The flaw is a stack-based buffer overflow that lets an unauthenticated attacker send a specially crafted network request to a domain controller and gain remote code execution without signing in or any prior access. It impacts all currently supported Windows Server versions, including the latest release. Because domain controllers are high-value targets, successful exploitation can lead to full domain compromise.
CISA has added CVE-2024-21182, an unspecified vulnerability in Oracle WebLogic Server, to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. WebLogic is a widely deployed Java EE application server that frequently sits on internet-facing infrastructure, making it a recurring target for initial access and cryptomining campaigns. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies must remediate KEV-listed flaws by the assigned deadline, and CISA urges all organizations to prioritize patching. Oracle addressed the flaw in a prior Critical Patch Update; organizations running unpatched WebLogic instances should apply the relevant CPU and audit for signs of exploitation immediately.
Hackers are actively exploiting CVE-2026-8732, a critical unauthenticated flaw in the WP Maps Pro WordPress plugin that lets attackers create rogue administrator accounts. The plugin, a premium interactive-map and store-locator tool with over 15,800 sales on Envato Market, is affected in versions 6.1.0 and older. The flaw stems from a 'temporary access' feature meant to let vendor support staff troubleshoot customer sites: the AJAX endpoint was reachable by unauthenticated users and relied only on a nonce exposed in frontend JavaScript. A crafted request creates a new administrator user, generates a passwordless login URL, and sends it to a remote system. Researcher David Brown reported it.
SpaceX security engineer Asim Manizada has disclosed CIFSwitch, a Linux kernel local privilege escalation in the CIFS subsystem that lets an unprivileged user forge cifs.spnego key descriptions and trick the kernel's key-request mechanism into running cifs.upcall as root. CIFS (Common Internet File System) mounts and accesses files across a network; when a share uses Kerberos, the kernel asks the user-space cifs-utils helper to authenticate. The CIFS subsystem fails to verify that cifs.spnego key requests originate from the kernel's CIFS client, so a local attacker can supply a forged key and gain root. It affects cifs-utils 6.14 and higher, plus some older variants, across multiple distributions.
Palo Alto Networks has confirmed that CVE-2026-0257 (CVSS 7.8), a GlobalProtect authentication-bypass flaw in PAN-OS and Prisma Access, is under active exploitation. The flaw lets attackers bypass authentication and establish an unauthorized VPN connection; it affects firewalls with a GlobalProtect portal or gateway when authentication-override cookies are enabled and a specific certificate configuration exists. Rapid7 identified successful exploitation across numerous customers dating back to May 17, with a second wave on May 21, attributed to the same threat actor; in two cases the attacker received a VPN IP and reached the internal network. CISA added the CVE to its KEV catalog on May 29.
Permiso Security has disclosed ChatGPhish, a vulnerability in OpenAI ChatGPT that abuses the assistant's implicit trust in Markdown links and images sourced from third-party pages it has just summarized. The chatgpt.com response renderer auto-fetches those images and surfaces the links as live clickable elements inside the trusted assistant UI. An attacker who appends a small payload to any web page a victim later asks ChatGPT to summarize can leak the victim's IP, User-Agent, and Referer via attacker-hosted images, render fake system-style security alerts, plant malicious clickable links, and serve a QR code from an S3 bucket to bypass desktop URL filters via the victim's phone.