CVE Index

A threat actor gained access via compromised FortiGate SSL VPN credentials and deployed three publicly available Nightmare-Eclipse privilege escalation tools just eight days after release. A previously undocumented Go-ba

A critical out-of-bounds read vulnerability (CVE-2026-7482, CVSS 9.1) in Ollama enables unauthenticated attackers to exfiltrate entire process memory from over 300,000 servers. Two additional unpatched Windows vulnerabil

Twelve critical vulnerabilities in the widely-used vm2 Node.js sandbox library allow attackers to escape isolation and execute arbitrary code on host systems. Three vulnerabilities scored perfect 10.0 CVSS ratings, affec

Twelve critical vulnerabilities in the widely-used vm2 Node.js sandbox library allow attackers to escape isolation and execute arbitrary code on host systems. Three vulnerabilities scored perfect 10.0 CVSS ratings, affec

Twelve critical vulnerabilities in the widely-used vm2 Node.js sandbox library allow attackers to escape isolation and execute arbitrary code on host systems. Three vulnerabilities scored perfect 10.0 CVSS ratings, affec

Twelve critical vulnerabilities in the widely-used vm2 Node.js sandbox library allow attackers to escape isolation and execute arbitrary code on host systems. Three vulnerabilities scored perfect 10.0 CVSS ratings, affec

Twelve critical vulnerabilities in the widely-used vm2 Node.js sandbox library allow attackers to escape isolation and execute arbitrary code on host systems. Three vulnerabilities scored perfect 10.0 CVSS ratings, affec

Twelve critical vulnerabilities in the widely-used vm2 Node.js sandbox library allow attackers to escape isolation and execute arbitrary code on host systems. Three vulnerabilities scored perfect 10.0 CVSS ratings, affec

Twelve critical vulnerabilities in the widely-used vm2 Node.js sandbox library allow attackers to escape isolation and execute arbitrary code on host systems. Three vulnerabilities scored perfect 10.0 CVSS ratings, affec

A critical out-of-bounds read vulnerability (CVE-2026-7482, CVSS 9.1) in Ollama enables unauthenticated attackers to exfiltrate entire process memory from over 300,000 servers. Two additional unpatched Windows vulnerabil

A critical out-of-bounds read vulnerability (CVE-2026-7482, CVSS 9.1) in Ollama enables unauthenticated attackers to exfiltrate entire process memory from over 300,000 servers. Two additional unpatched Windows vulnerabil

Twelve critical vulnerabilities in the widely-used vm2 Node.js sandbox library allow attackers to escape isolation and execute arbitrary code on host systems. Three vulnerabilities scored perfect 10.0 CVSS ratings, affec

Twelve critical vulnerabilities in the widely-used vm2 Node.js sandbox library allow attackers to escape isolation and execute arbitrary code on host systems. Three vulnerabilities scored perfect 10.0 CVSS ratings, affec

Twelve critical vulnerabilities in the widely-used vm2 Node.js sandbox library allow attackers to escape isolation and execute arbitrary code on host systems. Three vulnerabilities scored perfect 10.0 CVSS ratings, affec

Twelve critical vulnerabilities in the widely-used vm2 Node.js sandbox library allow attackers to escape isolation and execute arbitrary code on host systems. Three vulnerabilities scored perfect 10.0 CVSS ratings, affec

Twelve critical vulnerabilities in the widely-used vm2 Node.js sandbox library allow attackers to escape isolation and execute arbitrary code on host systems. Three vulnerabilities scored perfect 10.0 CVSS ratings, affec

Twelve critical vulnerabilities in the widely-used vm2 Node.js sandbox library allow attackers to escape isolation and execute arbitrary code on host systems. Three vulnerabilities scored perfect 10.0 CVSS ratings, affec

Twelve critical vulnerabilities in the widely-used vm2 Node.js sandbox library allow attackers to escape isolation and execute arbitrary code on host systems. Three vulnerabilities scored perfect 10.0 CVSS ratings, affec

New credential theft framework PCPJack exploits five CVEs to spread worm-like across cloud environments while deliberately removing TeamPCP artifacts. The campaign targets Docker, Kubernetes, and multiple cloud services

New credential theft framework PCPJack exploits five CVEs to spread worm-like across cloud environments while deliberately removing TeamPCP artifacts. The campaign targets Docker, Kubernetes, and multiple cloud services

New credential theft framework PCPJack exploits five CVEs to spread worm-like across cloud environments while deliberately removing TeamPCP artifacts. The campaign targets Docker, Kubernetes, and multiple cloud services

New credential theft framework PCPJack exploits five CVEs to spread worm-like across cloud environments while deliberately removing TeamPCP artifacts. The campaign targets Docker, Kubernetes, and multiple cloud services

New credential theft framework PCPJack exploits five CVEs to spread worm-like across cloud environments while deliberately removing TeamPCP artifacts. The campaign targets Docker, Kubernetes, and multiple cloud services

A use-after-free in Chrome

An auth bypass in cPanel/WHM was exploited as a zero-day from February 23 to April 28, compromising 44,000+ servers before a patch existed. 1.5 million servers remain at risk.

Microsoft

Microsoft

Microsoft

A 9-year-old Linux kernel bug in the AEAD crypto interface lets any local user overwrite any file

A command injection vulnerability in four end-of-life D-Link router models has been exploited by a Mirai variant since November 2025. D-Link confirmed no patch is coming. The only fix is hardware replacement.

GRU-affiliated APT28 exploited unpatched TP-Link routers to perform DNS hijacking against NATO members and Ukraine, capturing M365 credentials via adversary-in-the-middle infrastructure.

Anthropic

TeamPCP threat actors compromised 42 TanStack packages and infiltrated npm/PyPI repositories from Mistral AI, UiPath, OpenSearch, and Guardrails AI using GitHub Actions OIDC token hijacking. The worm produces validly att

CVE-2026-44338, a critical authentication bypass in PraisonAI

Critical heap buffer overflow in NGINX versions 0.6.27 through 1.30.0 is being actively exploited in the wild. The vulnerability, introduced in 2008, allows unauthenticated attackers to crash worker processes or achieve

Critical heap buffer overflow in NGINX versions 0.6.27 through 1.30.0 is being actively exploited in the wild. The vulnerability, introduced in 2008, allows unauthenticated attackers to crash worker processes or achieve

Critical heap buffer overflow in NGINX versions 0.6.27 through 1.30.0 is being actively exploited in the wild. The vulnerability, introduced in 2008, allows unauthenticated attackers to crash worker processes or achieve

Critical heap buffer overflow in NGINX versions 0.6.27 through 1.30.0 is being actively exploited in the wild. The vulnerability, introduced in 2008, allows unauthenticated attackers to crash worker processes or achieve

Anonymous researcher Chaotic Eclipse disclosed two critical Windows zero-days: YellowKey enables BitLocker bypass through Windows Recovery Environment in minutes, while GreenPlasma allows SYSTEM-level privilege escalatio

A newly disclosed Windows zero-day vulnerability dubbed MiniPlasma allows unprivileged users to escalate to SYSTEM-level access through a flaw in the Print Spooler service. Proof-of-concept code is now publicly available