Windows MiniPlasma - Zero-Day Exploit Gives SYSTEM Access
What changed vs yesterday
Confidence: High
Yesterday's bundle led with Cisco Catalyst SD-WAN and Funnel Builder because both were active-exploitation priorities. Today's delta is different. Windows MiniPlasma is the only NEW finding in the 18 May source set, and it carries the strongest operational signal in the current material: SYSTEM-level access, a released PoC, and confirmed active exploitation.
The practical shift is simple. Keep Cisco and Funnel Builder in urgent owner queues, but move Windows exposure review to the front of today's discussion. For Cisco, retain the explicit identifier CVE-2026-20182 and the CISA KEV context so remediation owners can map it cleanly. Do not attach a CVE or CVSS score to MiniPlasma unless a later source provides one. The current material does not include either.
Finding 1: Windows MiniPlasma is a new active-exploitation item
Confidence: High
BleepingComputer describes a new Windows zero-day exploit called MiniPlasma. The reported impact is SYSTEM-level access, with proof-of-concept code released and active exploitation confirmed in the current material. That combination makes it a live exposure question, not a routine patch note.
Security teams should start with asset and telemetry review rather than broad assumptions. Identify Windows systems with higher operational or administrative value, check endpoint detection coverage, review privilege-escalation alerts, and watch for vendor guidance or later identifiers. Until Microsoft or another primary source assigns a new CVE, track this by the MiniPlasma name and source URL. The public PoC references historical CVE-2020-17103 as related prior research; that should not be treated as a new MiniPlasma CVE assignment.
Update: Cisco SD-WAN remains an active-exploitation patch priority
Confidence: High
The Record source states that CISA has ordered federal agencies to patch an actively exploited bug in Cisco SD-WAN systems. The identifier to track is CVE-2026-20182, Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability, which CISA added to the Known Exploited Vulnerabilities catalog. This is not today's new lead because Cisco SD-WAN was already the centre of yesterday's bundle, but it still belongs in the urgent queue.
For owners, the action has not softened. Confirm whether Cisco Catalyst SD-WAN Controller or Manager components are exposed, verify patch or mitigation state for CVE-2026-20182, and keep the item visible to network and infrastructure owners. Use today's update as a check on completion, not a reason to rewrite the story from scratch.
Update: Funnel Builder for WooCommerce remains checkout-skimming risk
Confidence: High
The Hacker News source states that a critical Funnel Builder flaw continues to be actively exploited for WooCommerce checkout skimming. That points directly at ecommerce payment flows, where small delays can become customer-impacting incidents.
Teams running WooCommerce should confirm whether Funnel Builder is installed, check plugin version and mitigation status, and inspect checkout pages for injected scripts or unexpected form behaviour. Treat any revenue-generating store as a priority review.
Update: American Lending Center breach is a lower-confidence incident signal
Confidence: Low
SecurityWeek reports that American Lending Center disclosed a breach affecting 123,000 individuals. The current source set gives this item low confidence and does not frame it as a patchable software vulnerability.
The value for clients is sector awareness. Lending and financial-services teams can use it to review third-party data handling, notification readiness, and retention controls. It should not be treated as evidence of a new exploitable product flaw.
Update: Chrome 148 belongs in browser hygiene checks
Confidence: Low
SecurityWeek reports that Chrome 148 patches critical vulnerabilities. The current source set does not include CVE identifiers or active-exploitation evidence for this item.
That keeps the response measured. Confirm that managed-browser updates are landing, especially on privileged endpoints and shared workstations. Avoid calling this a known exploited browser emergency unless stronger source data appears.
Update: Grafana token breach shows developer-platform exposure
Confidence: Medium
The Hacker News source states that a Grafana GitHub token breach led to codebase download and an extortion attempt. Active exploitation is not confirmed, but the incident is still a useful reminder that developer-platform credentials can become incident paths.
Review token scope, rotation cadence, repository access, and monitoring for unusual clone or download activity. The strongest action is credential hygiene, not panic over the wider Grafana ecosystem.
Update: Azure no-CVE rejection creates a tracking gap
Confidence: Medium
BleepingComputer reports that Microsoft rejected a critical Azure vulnerability report and did not issue a CVE. The missing CVE is a material caveat because scanner, ticketing, and dashboard workflows often depend on formal identifiers.
Cloud teams should log this as a watchpoint, map whether the affected service area is relevant, and wait for stronger vendor or researcher detail before making estate-wide claims. The operational risk is the tracking gap as much as the reported vulnerability itself.
Update: NGINX public PoC raises watch pressure, not confirmed exploitation
Confidence: Medium
SecurityWeek reports that public proof-of-concept code exists for a critical NGINX vulnerability. The caveat matters: active exploitation has not been confirmed in the current sweep.
Owners should identify exposed NGINX Open Source and NGINX Plus deployments, verify applicability, and prepare patches or mitigations where exposure exists. This is a validation and readiness task, not a confirmed incident.
Update: TanStack remains a developer-device supply-chain follow-up
Confidence: Medium
The Hacker News source states that a TanStack npm supply-chain attack affected two OpenAI employee devices and forced macOS updates. The current source set does not say customer environments are actively exploited.
Developer and platform teams should check macOS update completion, package history, lockfiles, token rotation, and endpoint telemetry. Keep the claim narrow: this is a developer-device and supply-chain follow-up.
Why This Matters
Today's useful signal is the separation between a fresh active-exploitation lead and ongoing remediation work. Windows MiniPlasma needs immediate triage because the source set records SYSTEM access, PoC release, and active exploitation. Cisco SD-WAN and Funnel Builder still matter, but they are continuity items from yesterday's urgent queue; Cisco remains CVE-2026-20182 / CISA KEV remediation work, not an unnamed SD-WAN item.
Recommended Actions
- Open a same-day triage item for Windows MiniPlasma, tracked by name until a CVE or vendor identifier exists.
- Review high-value Windows endpoints for privilege-escalation telemetry and EDR coverage.
- Confirm Cisco SD-WAN CVE-2026-20182 patch or mitigation state with network owners.
- Check WooCommerce sites for Funnel Builder exposure and checkout-page tampering.
- Keep Azure no-CVE, NGINX PoC, Grafana token, TanStack, Chrome 148, and American Lending Center items in watch or hygiene queues according to owner relevance.
All findings grounded in a13e intelligence sweeps through 05:30 UTC 18 May 2026.
Cisco SD-WAN: KEV-Listed Auth Bypass Leads Today’s Queue
What changed vs yesterday
Confidence: High
Yesterday’s pack was dominated by Cisco SD-WAN remediation, TanStack/OpenAI supply-chain checks, Linux Kernel/Fragnesia, GitLab, and a broad BSI advisory queue. Today is narrower. The reviewed source set marks Cisco SD-WAN and Funnel Builder as active-exploitation items, so they take priority over the lower-confidence breach, browser, research, cloud, supply-chain, and NGINX watchpoints.
Finding 1: Cisco Catalyst SD-WAN CVE-2026-20182 is KEV-listed and needs immediate triage
Confidence: High
CISA has ordered United States federal agencies to address Cisco Catalyst SD-WAN CVE-2026-20182 by 17 May 2026. CISA’s Known Exploited Vulnerabilities catalogue describes it as a Cisco Catalyst SD-WAN Controller authentication bypass affecting Controller and Manager, allowing an unauthenticated remote attacker to bypass authentication and obtain administrative privileges. Cisco’s advisory records CVSS 10.0 severity.
Treat this as an immediate exposure, patch-verification, and hunting task. Identify Cisco Catalyst SD-WAN Controller and Manager deployments, confirm affected versions and fixed-state, review exposed administrative and control-plane paths, and follow CISA ED 26-03 plus Cisco guidance. Use CVE-2026-20182 as the tracking identifier; do not route this as an unnamed Cisco patch order.
Finding 2: Funnel Builder for WooCommerce is being abused for checkout skimming
Confidence: High
The Hacker News reporting in the source set says a critical Funnel Builder flaw is under active exploitation and is being used for WooCommerce checkout skimming. That makes this a direct ecommerce risk rather than a generic plugin advisory.
Teams running WooCommerce should check whether Funnel Builder is installed, verify plugin version and patch status, and look for checkout-page tampering or unexpected payment-form behaviour. If the plugin is present on revenue-generating stores, treat review and remediation as urgent.
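The checkout-page inspection recommended here (and in the earlier Funnel Builder update) as an added example, not code from the original brief or from the plugin itself: it diffs the script and form inventory of a checkout page against a known-good baseline and reports anything new. The hostnames, baseline and sample page are constructed for illustration.

```python
"""Baseline-diff check for WooCommerce checkout pages.

Added example (not from the original brief or the Funnel Builder project):
compares the script and form inventory of a checkout page against a
known-good baseline and reports anything outside it, which is the kind of
"injected script or unexpected form behaviour" the brief asks teams to look for.
The hostnames, baseline and sample HTML below are constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _Inventory(HTMLParser):
    """Collects external script URLs, inline script hashes and form targets."""

    def __init__(self):
        super().__init__()
        self.script_srcs = set()
        self.inline_hashes = set()
        self.form_actions = set()
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.script_srcs.add(a["src"])
            else:
                self._in_script = True
                self._buf = []
        elif tag == "form" and a.get("action"):
            self.form_actions.add(a["action"])

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf).strip()
            if body:
                self.inline_hashes.add(hashlib.sha256(body.encode()).hexdigest())
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def _host(url, page_host):
    """Host a URL points at; relative URLs resolve to the page's own host."""
    netloc = urlparse(url).netloc
    return netloc.lower() if netloc else page_host


def check_checkout_page(html, page_host, baseline):
    """Compare a checkout page against a baseline dict with set-valued keys
    'script_hosts', 'inline_hashes' and 'form_hosts'. Returns a list of
    findings; an empty list means nothing outside the baseline was seen."""
    inv = _Inventory()
    inv.feed(html)
    inv.close()
    findings = []
    for src in sorted(inv.script_srcs):
        h = _host(src, page_host)
        if h not in baseline["script_hosts"]:
            findings.append(f"unexpected external script host: {h} ({src})")
    for digest in sorted(inv.inline_hashes):
        if digest not in baseline["inline_hashes"]:
            findings.append(f"inline script not in baseline: sha256:{digest[:16]}...")
    for action in sorted(inv.form_actions):
        h = _host(action, page_host)
        if h not in baseline["form_hosts"]:
            findings.append(f"form posts to unexpected host: {h} ({action})")
    return findings


# Constructed sample: the store's one known inline snippet, plus a checkout
# page on which a foreign script and an off-site form target have appeared.
KNOWN_INLINE = "window.wcCheckout = {currency: 'GBP'};"
BASELINE = {
    "script_hosts": {"shop.example", "cdn.shop.example"},
    "inline_hashes": {hashlib.sha256(KNOWN_INLINE.encode()).hexdigest()},
    "form_hosts": {"shop.example"},
}
SAMPLE_PAGE = f"""<html><body>
<script src="https://cdn.shop.example/checkout.js"></script>
<script>{KNOWN_INLINE}</script>
<script src="//static.unknown-host.example/x.js"></script>
<script>document.addEventListener('submit', function(e){{ /* constructed, inert */ }});</script>
<form action="https://shop.example/checkout" method="post"></form>
<form action="https://collect.unknown-host.example/p" method="post"></form>
</body></html>"""


if __name__ == "__main__":
    for finding in check_checkout_page(SAMPLE_PAGE, "shop.example", BASELINE):
        print(finding)
```

Run it against a fetched copy of each store's checkout page; the baseline should be captured from a known-clean deployment and refreshed whenever the theme or plugins are legitimately updated.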
Finding 3: American Lending Center breach is an incident watchpoint
Confidence: Low
SecurityWeek reports that American Lending Center experienced a breach affecting 123,000 individuals. The source set includes it as a finding, but it is an incident report rather than a patchable vulnerability item.
The decision value is mainly sector awareness. Financial-services and lending organisations should compare the report against their own third-party, data-retention, and breach-notification controls, but should not treat it as evidence of a new exploitable software flaw.
Finding 4: Chrome 148 patching should stay in endpoint hygiene queues
Confidence: Low
SecurityWeek reports that Chrome 148 patches critical vulnerabilities. The source set does not include CVE identifiers or active-exploitation evidence for this item.
That keeps the action measured: confirm managed-browser update cadence and check that high-risk endpoints are not lagging behind. Without identifiers in the source set, avoid overstating this as a known exploited browser emergency.
Finding 5: LABScon Breach Alpha is useful context, not a vulnerability alert
Confidence: Low
SentinelOne’s LABScon25 replay, Breach Alpha: Trading on Cyber Fallout, is included as a research signal. The source describes it as insight into the financial implications of cyber breaches, not as a direct vulnerability.
Use it for executive context and tabletop thinking. Do not route it as a patch ticket or incident unless separate evidence links it to a live exposure.
Finding 6: Microsoft Azure no-CVE rejection creates a tracking gap
Confidence: Medium
BleepingComputer reports that Microsoft rejected a critical Azure vulnerability report and did not issue a CVE. The source flags the absence of a CVE as a caveat because it makes normal vulnerability tracking harder.
Cloud teams should log the issue as a watchpoint, review whether the reported service area is relevant to their Azure estate, and wait for stronger vendor or researcher detail before making broad claims. The risk is not only the technical report. It is also the operational gap created when a cloud issue has no CVE for scanners, tickets, and dashboards.
Finding 7: OpenAI/TanStack remains a developer-device supply-chain follow-up
Confidence: High
The Record, The Hacker News, and BleepingComputer reporting in the source set describe OpenAI asking macOS users to update after a TanStack npm supply-chain attack affected employee devices. This is high-confidence supply-chain reporting, but the source does not mark active exploitation in customer environments.
Developer teams should review macOS patch completion, npm package history, lockfiles, token rotation, and endpoint telemetry for affected developer devices. Keep the wording narrow: this is a TanStack/OpenAI supply-chain follow-up, not evidence that every npm environment is compromised.
Finding 8: NGINX PoC publication raises exploit-development risk
Confidence: Medium
SecurityWeek reports that proof-of-concept code has been published for a critical NGINX vulnerability. The source does not mark active exploitation for this item, but public PoC code changes the risk timeline.
NGINX owners should identify internet-facing NGINX Open Source and NGINX Plus deployments, verify whether the reported vulnerability applies, and prioritise patching or mitigations where public exposure exists. The right posture is fast validation, not panic.
Why This Matters
Today’s bundle separates urgent exploitation response from noisy security news. Cisco Catalyst SD-WAN CVE-2026-20182 and Funnel Builder deserve immediate owner action. The other findings matter too, but mostly as tracking, hygiene, or enrichment work until better identifiers, exploit evidence, or vendor detail appears.
Recommended Actions
- Patch or validate exposure for Cisco Catalyst SD-WAN Controller and Manager systems affected by CVE-2026-20182.
- Treat CVE-2026-20182 as CISA KEV-listed and follow CISA ED 26-03 plus Cisco advisory guidance.
- Identify WooCommerce sites using Funnel Builder and check for checkout skimming or page tampering.
- Confirm Chrome managed-update completion, especially on privileged endpoints.
- Track the Azure no-CVE report outside normal CVE-only queues.
- Review OpenAI/TanStack-related developer-device controls, including macOS updates, lockfiles, tokens, and endpoint telemetry.
- Inventory exposed NGINX deployments and watch for exploitation signals tied to the published PoC.
All findings grounded in a13e intelligence sweeps through 05:30 UTC 17 May 2026.
CVE-2026-20182, PAN-OS CVE-2026-0264 and Windows BitLocker Zero-Days Set the 15 May Response Queue
Finding: CISA KEV CVE-2026-20182 needs immediate triage
Confidence: High
CISA has added CVE-2026-20182 to the Known Exploited Vulnerabilities catalogue, and the curated source set marks active exploitation as yes. The brief does not include a CVSS score or detailed product context for this entry, so the immediate task is to identify the affected technology from authoritative CISA or vendor guidance and move it into the exploited-vulnerability queue.
For federal agencies, KEV inclusion creates a binding remediation requirement. For private-sector teams, it is still a strong signal: treat CVE-2026-20182 as exploited until proven out of scope, map exposure quickly and avoid waiting for a fuller daily narrative before assigning ownership.
Finding: Windows BitLocker and CTFMON zero-days widen the Microsoft watchpoint
Confidence: High
The source set cites The Hacker News reporting Windows zero-days that can bypass BitLocker and lead to privilege escalation through CTFMON. The curated record marks active exploitation as yes, but no CVE identifier is present in the curated finding.
That lack of CVE detail matters. This is not yet a clean patch-ticket story. It is a monitoring and readiness story: confirm where BitLocker is a critical control, review high-value Windows assets, watch Microsoft channels for identifiers or mitigations, and prepare endpoint teams to act once official guidance lands.
Finding: PAN-OS CVE-2026-0264 exposes critical unauthenticated RCE risk
Confidence: High
Palo Alto Networks is the source for CVE-2026-0264, a heap-based buffer overflow in PAN-OS DNS Proxy and DNS Server components. The curated record lists CVSS 9.8 and describes the possible impact as unauthenticated remote code execution. Active exploitation is marked no in the source data.
Even without exploitation reporting, this needs fast exposure work. Check internet-facing or high-trust PAN-OS appliances first, especially where DNS Proxy or DNS Server functions are enabled. Patch planning should sit with the network security owners, not only the generic vulnerability-management queue.
Finding: PAN-OS CVE-2026-0258 adds SSRF exposure in IKEv2 certificate URL fetching
Confidence: Medium
Palo Alto Networks also disclosed CVE-2026-0258, a server-side request forgery issue in PAN-OS IKEv2 certificate URL fetching. The curated record lists CVSS 6.5 and no active exploitation.
This is lower priority than CVE-2026-0264, but it belongs in the same PAN-OS review cycle. Teams should confirm affected versions, look at IKEv2 certificate handling and align remediation with the critical RCE update where possible.
Finding: PAN-OS CVE-2026-0256 is a web-interface stored XSS issue
Confidence: Medium
CVE-2026-0256 is a stored cross-site scripting vulnerability in the PAN-OS web interface. The curated record lists CVSS 6.1 and no active exploitation.
The practical control remains familiar: restrict management-plane access, patch affected versions and avoid exposing administrative interfaces to broad networks. It should not displace CVE-2026-0264, but it should be included in the same change window if the affected estate overlaps.
Finding: Siemens SIMATIC CVE-2024-47704 needs OT owner review
Confidence: Low
CISA published an ICS advisory for Siemens SIMATIC, including CVE-2024-47704. The curated record marks this finding low confidence because the curated brief contains limited detail on affected versions and impact.
That does not make the advisory unimportant. It means OT and engineering owners should validate applicability against deployed Siemens SIMATIC assets before security teams assign severity. Treat this as an exposure-discovery task, then escalate if affected production systems are found.
Finding: Siemens Simcenter Femap CVE-2025-12659 needs engineering-software validation
Confidence: Low
CISA also published an advisory for Siemens Simcenter Femap, including CVE-2025-12659. The source detail in the curated brief is limited, so confidence remains low.
Organisations using Simcenter Femap should check installed versions and vendor guidance. If the software is used in sensitive engineering workflows, confirm whether the issue affects file handling, project integrity or workstation exposure before setting remediation priority.
Update: OPNsense WID-SEC-2026-1344 remains in the firewall patch queue
Confidence: Medium
BSI CERT-Bund updated WID-SEC-2026-1344 for multiple OPNsense vulnerabilities, including CVE-2026-44193 and CVE-2026-44195. The curated record marks active exploitation as no.
Keep OPNsense in the network security patch queue, with priority for internet-facing gateways and environments where firewall downtime would affect incident response. The advisory is not today’s lead because there is no exploitation signal in the source data, but it is still relevant operational work.
Why This Matters
Today’s change is not one story. It is three parallel pressure points. CISA KEV means CVE-2026-20182 has exploitation evidence and needs immediate triage. The Windows item lacks CVEs, so it needs monitoring discipline rather than invented certainty. PAN-OS CVE-2026-0264 gives network teams a named, critical RCE to check now.
The useful split for clients is simple: exploited items first, critical exposed infrastructure second, and lower-confidence industrial advisories through owner validation.
Recommended Actions
- Triage CVE-2026-20182 against CISA and vendor guidance, then assign exploited-vulnerability ownership.
- Monitor Microsoft channels for identifiers and mitigations tied to the BitLocker and CTFMON zero-days.
- Check PAN-OS exposure to CVE-2026-0264, especially DNS Proxy and DNS Server usage on high-trust or internet-facing appliances.
- Bundle PAN-OS CVE-2026-0258 and CVE-2026-0256 into the same affected-version review where possible.
- Validate Siemens SIMATIC and Simcenter Femap applicability with OT and engineering owners before escalating severity.
- Keep OPNsense WID-SEC-2026-1344 in the network patch queue, prioritised by exposure.
All findings grounded in a13e intelligence sweeps through 05:30 UTC 15 May 2026.
Microsoft Bug Leaker and BitLocker Zero-Day Put Exploited Windows Issues Back on Watch
Finding: Mystery Microsoft bug leaker keeps the zero-days coming
Confidence: High
The 14 May source set cites The Register reporting that an anonymous source continues to disclose Microsoft zero-day vulnerabilities. The finding is marked high confidence and active exploitation is noted in the source data, but no CVE identifier is available in the brief.
That makes this a response-readiness issue rather than a normal patch-ticket item. Microsoft owners should watch for vendor identifiers, mitigation guidance and any product-specific detail that moves the issue from a broad zero-day warning into a concrete exposure check.
Finding: Windows BitLocker zero-day gives access to protected drives, PoC released
Confidence: High
The source set adds a BleepingComputer-sourced report on a Windows BitLocker zero-day with a public proof of concept. The source text says the issue can give access to protected drives and records active exploitation as yes. It does not include a CVE.
Treat BitLocker as a priority validation area today. Confirm where BitLocker is relied on as a compensating control, review configuration baselines and prepare to act quickly if Microsoft publishes formal mitigation or update guidance.
Finding: Prometheus Azure AD CVE-2026-42151 exposes OAuth client secrets through config API
Confidence: High
MSRC is the source for CVE-2026-42151, which the source material describes as a Prometheus Azure AD remote write issue that can expose OAuth client secrets through a configuration API. The source set records CVSS 7.5 and no active exploitation.
This is not the loudest story of the day, but it is the cleanest exposure check. Teams using Prometheus remote write with Azure AD integration should review affected deployments, protect stored secrets and apply available Microsoft guidance.
Update: Red Hat Advanced Cluster Management CVE-2026-29063 remains in the Kubernetes queue
Confidence: Medium
The source set lists BSI CERT-Bund WID-SEC-2026-1367 as an updated advisory for Red Hat Advanced Cluster Management and Multicluster engine for Kubernetes. The brief associates CVE-2026-29063 with possible code execution or denial of service and marks active exploitation as no.
Keep this in the Kubernetes platform maintenance queue. Prioritise internet-reachable or high-trust management planes, but do not let it displace today's actively exploited Microsoft zero-day watchpoints.
Finding: Oracle Java SE WID-SEC-2025-1569 is no longer active in the curated list
Confidence: Medium
The source set marks Oracle Java SE WID-SEC-2025-1569 as resolved because it is no longer active in the curated list or threat tracker. That is a publishing signal, not proof that every estate has completed remediation.
Leave any local Oracle Java patch obligations in normal asset and vulnerability-management workflows. For today's client brief, it drops out of the active threat narrative.
Finding: GlobalProtect App CVE-2026-0251 adds local privilege-escalation work
Confidence: Medium
Palo Alto Networks is the source for CVE-2026-0251, which the source material describes as local privilege-escalation vulnerabilities in the GlobalProtect App. The source set records CVSS 6.5 and no active exploitation.
Endpoint teams should include GlobalProtect App versions in their patch checks. The risk is local elevation, so prioritise shared workstations, administrator endpoints and systems where VPN client compromise would meaningfully increase access.
Finding: PAN-OS CVE-2026-0261 allows authenticated admin command injection
Confidence: Medium
The source set adds Palo Alto Networks CVE-2026-0261 for PAN-OS authenticated admin command injection. The finding is medium confidence, CVSS 6.5 and has no active exploitation reported in the brief.
This is still important because administrative access to PAN-OS is sensitive by design. Restrict management-plane access, review administrator account hygiene and schedule the vendor update for affected appliances.
Finding: PAN-OS CVE-2026-0262 creates denial-of-service risk in traffic parsing
Confidence: Medium
Palo Alto Networks CVE-2026-0262 covers denial-of-service vulnerabilities in PAN-OS network traffic parsing. The source set records CVSS 6.5 and no active exploitation.
Network teams should treat this as resilience work. Patch planning should start with devices that handle critical traffic paths or sit at chokepoints where downtime would affect incident response, remote access or production operations.
Finding: GlobalProtect and PAN-OS CVE-2026-0257 authentication bypass needs exposure checks
Confidence: Medium
The source set lists Palo Alto Networks CVE-2026-0257 for GlobalProtect and PAN-OS authentication bypass vulnerabilities. The source data marks it medium confidence, CVSS 6.5 and no active exploitation.
Even without exploitation reporting, authentication bypass belongs high in the Palo Alto review queue. Confirm affected versions, patch status and whether GlobalProtect portals or gateways are exposed to untrusted networks.
Update: Microsoft Edge CVE-2026-40416, CVE-2026-41107 and CVE-2026-42838 remain a browser patch item
Confidence: Medium
The source set records BSI CERT-Bund WID-SEC-2026-1425 as an updated Microsoft Edge advisory. The finding metadata names CVE-2026-40416, and the summary also references CVE-2026-41107 and CVE-2026-42838. No active exploitation is reported.
This should move through standard browser update channels. Give priority to managed environments where Edge is used for privileged portals, cloud administration or sensitive internal applications.
Why This Matters
The main change from yesterday is urgency. Yesterday's Microsoft story was a broad Patch Tuesday queue. Today's lead is a pair of active zero-day watchpoints, one tied to BitLocker and another tied to further anonymous Microsoft disclosures.
There is also a practical split in the work. The Microsoft zero-day items need monitoring and mitigation readiness because the source material does not provide CVEs. Prometheus CVE-2026-42151 and the Palo Alto Networks CVEs are more conventional exposure and patch checks.
Recommended Actions
- Monitor Microsoft channels for identifiers and guidance tied to the anonymous zero-day disclosures and the BitLocker proof of concept.
- Review BitLocker configurations and note systems where drive protection is a critical control.
- Check Prometheus Azure AD remote write deployments for CVE-2026-42151 exposure and protect OAuth client secrets.
- Keep Red Hat Advanced Cluster Management CVE-2026-29063 in the Kubernetes platform patch queue.
- Patch or schedule Palo Alto Networks PAN-OS and GlobalProtect items, especially CVE-2026-0257 and CVE-2026-0261.
- Continue standard Microsoft Edge update coverage for CVE-2026-40416, CVE-2026-41107 and CVE-2026-42838.
All findings grounded in a13e intelligence sweeps through 05:30 UTC 14 May 2026.
Ivanti Active Exploitation Leads 11 May Security Brief
Finding: CISA mandates patching for actively exploited Ivanti flaw
Confidence: High
CISA has directed federal agencies to patch an Ivanti vulnerability that the available source set describes as actively exploited as a zero-day. The available source is BleepingComputer reporting on the CISA directive, and today’s brief does not provide a specific CVE for this item.
That missing CVE matters. Security teams should not invent one or assume the issue maps to a known bulletin without checking their Ivanti estate. The right move is to identify deployed Ivanti products, compare them with CISA and vendor guidance, and prioritise any affected internet-facing systems.
Finding: Go runtime and tooling advisories add development-platform risk
Confidence: Medium
Today’s source set adds a cluster of Go-related vulnerabilities from MSRC: CVE-2026-39836, CVE-2026-33811, CVE-2026-42499, CVE-2026-39820, CVE-2026-41889 and CVE-2026-42501. The reported issues span panic or crash conditions, quadratic string concatenation in net/mail, SQL injection in pgx and a malicious module proxy bypass.
This is not a single perimeter patch. It is an engineering exposure question. Organisations should identify Go services, CI images, module dependencies and developer workstations, then decide where patched toolchains or dependency updates are needed first.
Update: Microsoft Azure DevOps CVE-2026-42826 remains in triage
Confidence: High
Previously covered 2026-05-10; today's delta: the independent review matched this advisory to prior publication, so it is an UPDATED DevOps-platform exposure item rather than a new finding.
BSI CERT-Bund WID-SEC-2026-1414 tracks CVE-2026-42826 as an information disclosure vulnerability in Microsoft Azure DevOps. The available source data does not provide an explicit CVSS score. Azure DevOps owners should review the advisory, confirm whether their environment is affected, and check whether project data, pipeline metadata or build-related information could be exposed.
Finding: Vim CVE-2026-44656 needs baseline review
Confidence: Medium
MSRC lists CVE-2026-44656 as an OS command injection vulnerability in Vim via path completion. Today’s brief treats this as a new finding and does not include active-exploitation evidence.
The practical response is inventory-led. Vim is often present on servers, developer systems and administrative workstations, including places where it is rarely thought of as a front-line application. Platform teams should confirm where Vim is installed and apply vendor or distribution fixes as they become available.
Update: Node.js WID-SEC-2026-0843 remains a multi-CVE patch item
Confidence: High
Today’s source set marks Node.js WID-SEC-2026-0843 as UPDATED. It includes CVE-2024-36137, CVE-2026-21637 and other vulnerabilities, but the available source data does not provide specific CVSS scores for each CVE.
That makes version control more useful than severity language. Application owners should inventory Node.js runtimes across production, CI and build systems, then update supported branches in line with the advisory.
Why This Matters
The important change today is prioritisation. Ivanti has active-exploitation urgency. Go and Vim add new engineering work. Azure DevOps and Node.js remain important, but they should be handled as updates with the limits of the source data made clear.
This separation helps teams avoid two bad outcomes: missing an actively exploited product family, or treating every advisory in the same emergency lane.
Recommended Actions
- Identify Ivanti deployments immediately and compare them with current CISA and vendor guidance.
- Assess Go applications, build images and module dependencies for the six CVEs named in today’s brief.
- Review Vim exposure for CVE-2026-44656 and patch through vendor or distribution channels.
- Keep Azure DevOps CVE-2026-42826 in triage as an updated information disclosure advisory.
- Update Node.js runtimes covered by WID-SEC-2026-0843, prioritising exposed services and CI systems.
- Do not assign CVSS scores or CVE IDs where the available source data did not provide them.
All findings grounded in a13e intelligence sweeps through 05:30 UTC 11 May 2026.
MetInfo CMS CVE-2026-29014 Exploitation Report Leads Today’s Risk Queue
Finding: MetInfo CMS CVE-2026-29014 has reported active exploitation
Confidence: High
The Hacker News, citing VulnCheck findings, reports active exploitation of MetInfo CMS CVE-2026-29014, a remote code execution vulnerability listed with CVSS 9.8 in the daily packet. That source-qualified exploitation report changes the operational priority, even though the source set classifies the finding as unchanged.
This is not a broad “everything is on fire” signal. It is a focused web-application remediation item. Teams that run MetInfo CMS should verify version exposure, apply the relevant fix path, and check whether internet-facing instances have signs of suspicious activity.
Stable / watching: cPanel/WHM CVE-2026-29201 remains a high-severity hosting patch item
Confidence: High
The available material keeps cPanel/WHM in the watchlist with fixes released for three vulnerabilities, including CVE-2026-29201, rated CVSS 9.0. The source data does not state active exploitation, so this should not be handled the same way as MetInfo CMS.
For hosting providers and organisations that manage shared web estates, the practical step is simple: confirm whether cPanel or WHM is deployed, identify the maintenance window, and verify that fixed versions have been applied.
Stable / watching: Firewalld CVE-2026-4948 needs local privilege review
Confidence: Medium
CVE-2026-4948 remains in the unchanged set as a Firewalld issue where a local unprivileged user can modify firewall state due to D-Bus setter mis-authorisation. That makes it a host hardening and privilege-boundary concern rather than an internet-scale exploitation headline in the available evidence.
Linux platform teams should map Firewalld usage, confirm distribution-level updates, and treat exposed multi-user systems as higher priority than tightly controlled single-purpose hosts.
Stable / watching: GnuTLS CVE-2026-3832 affects certificate trust decisions
Confidence: Medium
The source set continues to track CVE-2026-3832 as a GnuTLS security bypass where a crafted OCSP response may allow revoked server certificates to be accepted. The available material does not add exploitation evidence, but the security impact is still important for systems that rely on GnuTLS for TLS validation.
This belongs with platform and application owners who manage Linux libraries, package baselines and certificate-validation paths. Update planning should prioritise systems where revoked-certificate handling is security-critical.
Stable / watching: KDE KCoreAddons CVE-2026-41526 remains on the remediation watchlist
Confidence: Medium
NVD identifies CVE-2026-41526 as a KDE KCoreAddons issue involving KShell::quoteArgs handling of shell metacharacters. The available material does not provide active-exploitation evidence or named victims.
Linux desktop and application owners should check whether KDE KCoreAddons is present in supported baselines, follow distribution or upstream KDE guidance, and avoid inflating severity beyond the evidence.
Finding: Microsoft Azure DevOps CVE-2026-42826 is today’s new advisory
Confidence: High
The only NEW finding in the 10 May source set is Microsoft Azure DevOps CVE-2026-42826, described by BSI CERT-Bund WID-SEC-2026-1414 as an information disclosure vulnerability. The available source data does not provide an explicit CVSS score.
Azure DevOps often sits close to code, pipelines, artefacts and deployment credentials. Owners should confirm whether the advisory applies to their environment, review Microsoft guidance, and check whether sensitive project data or build metadata could be exposed under the affected conditions.
Finding: Node.js WID-SEC-2026-0843 updates a multi-CVE advisory
Confidence: High
The source set marks Node.js WID-SEC-2026-0843 as UPDATED. The advisory covers CVE-2024-36137, CVE-2026-21637, CVE-2026-21710, CVE-2026-21711, CVE-2026-21712, CVE-2026-21713, CVE-2026-21714, CVE-2026-21715, CVE-2026-21716 and CVE-2026-21717.
The source data does not include specific CVSS scores for each Node.js CVE, so the right response is version-led rather than rhetoric-led. Application owners should inventory Node.js runtimes, identify exposed services and CI/CD dependencies, then update to supported patched releases.
Why This Matters
Today’s useful change is priority. Yesterday’s story was a broad patch queue. Today’s story separates a source-qualified MetInfo CMS exploitation report from a new Azure DevOps disclosure advisory, an updated Node.js package of CVEs, and several unchanged watchlist items.
That separation prevents two mistakes: treating every advisory like an emergency, or missing the one item with a credible exploitation report.
Recommended Actions
- Patch or remove exposed MetInfo CMS instances affected by CVE-2026-29014, then check for suspicious activity.
- Review Microsoft Azure DevOps exposure for CVE-2026-42826 and follow Microsoft or BSI guidance.
- Inventory Node.js runtimes and update affected branches covered by WID-SEC-2026-0843.
- Keep cPanel/WHM CVE-2026-29201, Firewalld CVE-2026-4948, GnuTLS CVE-2026-3832 and KDE KCoreAddons CVE-2026-41526 on the remediation board.
- Do not assign emergency severity to items where the available source material lacks exploitation evidence.
All findings grounded in a13e intelligence sweeps through 05:30 UTC 10 May 2026.
Palo Alto Networks PAN-OS CVE-2026-0300 — Exposed Captive Portals Face Critical RCE Risk
Finding: CVE-2026-0300 exposes PAN-OS User-ID Authentication Portals to unauthenticated RCE
Confidence: High
Palo Alto Networks’ advisory for CVE-2026-0300 describes a buffer overflow in the PAN-OS User-ID™ Authentication Portal, also known as Captive Portal. The vendor states that a remote unauthenticated attacker can execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted packets.
NHS England alert CC-4777 independently summarises the issue as unauthenticated remote code execution with root privileges on exposed Palo Alto PAN-OS firewalls. Palo Alto assigns CVSS v4.0 9.3 Critical severity and marks exploit maturity as attacked. This moves the item beyond a thin advisory queue and into immediate exposure triage.
Exploitation is limited, but exposed portals are the urgent risk boundary
Confidence: High
Palo Alto reports limited exploitation targeting User-ID Authentication Portals exposed to untrusted IP addresses or the public internet. NHS England states that Palo Alto is aware of limited in-the-wild exploitation and that NHS England National CSOC assesses further exploitation as highly likely.
The operational distinction matters. This is not a generic “all PAN-OS devices are equally exposed” story. The highest-risk condition is a PA-Series or VM-Series firewall configured to use User-ID Authentication Portal with response pages enabled on an interface reachable from untrusted or internet traffic.
Affected branches are PAN-OS 12.1, 11.2, 11.1, and 10.2 under specific portal exposure conditions
Confidence: High
Palo Alto lists affected PAN-OS release lines across 12.1, 11.2, 11.1, and 10.2, with fixed releases pending across multiple maintenance branches. The advisory states that Prisma Access, Cloud NGFW, and Panorama appliances are not impacted.
Affected organisations should verify both software branch and configuration. The exposure condition requires User-ID Authentication Portal to be enabled and an interface management profile with response pages enabled on an external or internet-accessible interface. Version checks alone are not enough if the portal remains reachable from untrusted networks.
Mitigation is available before patches land
Confidence: High
Palo Alto says fixes are planned in upcoming PAN-OS releases, with fixed-version ETAs listed for 13 May and 28 May 2026 depending on branch and maintenance line. NHS England similarly says patches are expected on 13 May and 28 May and strongly encourages affected organisations to apply them when released.
Until those patches are available, the control is configuration. Disable User-ID Authentication Portal if it is not required. If it is required, restrict access to trusted zones or trusted internal IP addresses and disable response pages on external Layer 3 interfaces where untrusted or internet traffic can ingress. Palo Alto also notes that customers with Threat Prevention can block attacks by enabling Threat ID 510019 from Applications and Threats content version 9097-10022, with PAN-OS 11.1 or later required for that Threat ID support.
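The exposure conditions above compose into a simple per-device triage. The following is an added example, not Palo Alto Networks or NHS England code: it encodes the affected branches, the not-impacted platforms, the portal/response-page exposure condition and the PAN-OS 11.1 floor for Threat ID 510019 from the advisory summary, over constructed device records whose field names are this example's own rather than PAN-OS API names.

```python
"""Exposure triage for PAN-OS CVE-2026-0300 from the advisory conditions.

Added example, not vendor code. Device records below are constructed, and the
field names (platform, portal_enabled, untrusted_ingress, ...) are assumptions
of this example, not PAN-OS configuration or API names.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

AFFECTED_BRANCHES = {"12.1", "11.2", "11.1", "10.2"}
NOT_IMPACTED_PLATFORMS = {"prisma-access", "cloud-ngfw", "panorama"}
THREAT_ID = "510019"
THREAT_ID_MIN_BRANCH = (11, 1)  # advisory: Threat ID support needs PAN-OS 11.1 or later


@dataclass
class Interface:
    name: str
    untrusted_ingress: bool   # Layer 3 interface reachable from untrusted/internet traffic
    response_pages: bool      # interface management profile has response pages enabled


@dataclass
class Device:
    name: str
    platform: str             # constructed labels: "pa-series", "vm-series", "panorama", ...
    version: str              # e.g. "11.1.4"
    portal_enabled: bool      # User-ID Authentication Portal (Captive Portal) configured
    interfaces: List[Interface] = field(default_factory=list)


def branch_tuple(version: str) -> Tuple[int, int]:
    """'11.1.4' -> (11, 1); only the release line matters for this advisory."""
    major, minor = version.split(".")[:2]
    return int(major), int(minor)


def threat_id_available(version: str) -> bool:
    """Threat Prevention signature 510019 is only usable on PAN-OS 11.1 or later."""
    return branch_tuple(version) >= THREAT_ID_MIN_BRANCH


def exposed_interfaces(dev: Device) -> List[str]:
    """Interfaces meeting the exposure condition: response pages on untrusted ingress."""
    return [i.name for i in dev.interfaces if i.untrusted_ingress and i.response_pages]


def classify(dev: Device) -> str:
    """One tier per device. Fixed releases were still pending in the source,
    so every listed branch is treated as unpatched here."""
    if dev.platform in NOT_IMPACTED_PLATFORMS:
        return "not-impacted-platform"
    if "%d.%d" % branch_tuple(dev.version) not in AFFECTED_BRANCHES:
        return "branch-not-listed"          # confirm against the vendor advisory
    if not dev.portal_enabled:
        return "affected-branch-portal-disabled"
    if exposed_interfaces(dev):
        return "exposed-portal"             # the condition tied to reported exploitation
    return "affected-branch-portal-internal"


def recommend(dev: Device) -> List[str]:
    """Interim controls from the advisory, ordered for the device's tier."""
    tier = classify(dev)
    if tier in ("not-impacted-platform", "branch-not-listed"):
        return [f"{dev.name}: no interim action from this advisory ({tier})"]
    branch = "%d.%d" % branch_tuple(dev.version)
    steps = [f"{dev.name}: schedule the fixed release for branch {branch} when published"]
    if tier == "exposed-portal":
        for iface in exposed_interfaces(dev):
            steps.append(f"{dev.name}: disable response pages on {iface} "
                         "or restrict the portal to trusted zones/addresses")
        steps.append(f"{dev.name}: disable User-ID Authentication Portal if not required")
    if tier != "affected-branch-portal-disabled":
        if threat_id_available(dev.version):
            steps.append(f"{dev.name}: enable Threat ID {THREAT_ID} in Threat Prevention")
        else:
            steps.append(f"{dev.name}: Threat ID {THREAT_ID} unsupported below 11.1; "
                         "rely on configuration controls")
    return steps


# Constructed sample estate; names, versions and topology are illustrative only.
SAMPLE_DEVICES = [
    Device("fw-edge-01", "pa-series", "11.1.4", True,
           [Interface("ethernet1/1", True, True), Interface("ethernet1/2", False, True)]),
    Device("fw-dc-01", "vm-series", "10.2.9", True, [Interface("ethernet1/1", False, True)]),
    Device("fw-branch-01", "pa-series", "11.2.3", False),
    Device("pan-mgmt-01", "panorama", "11.1.4", False),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(dev.name, classify(dev))
        for step in recommend(dev):
            print("  -", step)
```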
Queue hygiene note: the 04:33 a13e review changes the low-confidence queue
Confidence: High
The earlier 03:25 daily brief predated the 2026-05-07 04:33 a13e review. That later review records that the previous BSI WID set, including WID-SEC-2026-1366, 1383, 1379, 1363, 1381, 1377, 1380, and 1370, was already excluded or ledgered. Those items should not be presented as the freshest queue without that caveat.
The 04:33 a13e review instead promotes six newer low-confidence inventory items: Keycloak WID-SEC-2026-1330, Asterisk/pjproject WID-SEC-2026-1378, Dell BIOS WID-SEC-2026-1382, Django WID-SEC-2026-1373, MinIO WID-SEC-2026-1376, and Kernel WID-SEC-2026-1385. The 04:33 review rates all six as LOW confidence / UNVERIFIED single-source BSI advisories with no confirmed active exploitation, IOCs, or named victims in the available corpus.
Why This Matters
CVE-2026-0300 combines three traits that should trigger fast action: exposed edge infrastructure, unauthenticated remote code execution, and root-level impact. The existence of limited exploitation means teams should not wait for patch availability before reducing exposure.
The rest of the day’s queue is different. Keycloak, Asterisk/pjproject, Dell BIOS, Django, MinIO, and Kernel entries are useful inventory prompts, not emergency findings. Treating those low-confidence BSI items with the same urgency as CVE-2026-0300 would blur the response priority.
Recommended Actions
- Identify PA-Series and VM-Series firewalls running PAN-OS 12.1, 11.2, 11.1, or 10.2.
- Check whether User-ID Authentication Portal/Captive Portal is enabled.
- Confirm whether response pages are enabled on any external or internet-accessible Layer 3 interface.
- Disable User-ID Authentication Portal where it is not required.
- Where the portal is required, restrict access to trusted zones or trusted internal IP addresses and remove response-page exposure from untrusted ingress paths.
- Track Palo Alto fixed releases expected on 13 May and 28 May 2026 and schedule branch-appropriate patching when available.
All findings grounded in a13e intelligence sweeps through 04:33 UTC 07 May 2026.
MOVEit Automation CVE-2026-4670, Critical Authentication Bypass Leads a Fresh Patch Queue
Finding: MOVEit Automation authentication bypass, CVE-2026-4670
Confidence: Medium
Progress MOVEit Automation versions before 2025.1.5, 2025.0.9, and 2024.1.8 are affected by a critical authentication bypass tracked as CVE-2026-4670 and WID-SEC-2026-1336. BSI CERT-Bund lists the advisory, and BleepingComputer reports the fixed version branches, giving this item enough corroboration to lead today’s public content.
The risk is straightforward: managed file transfer automation often sits close to sensitive data flows, partner connectivity, and scheduled operational jobs. Internet-facing MOVEit Automation nodes should be treated as the first inventory target, followed by internal systems with privileged automation workflows.
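Because the fix lands on three separate release branches, a naive "is the version at least 2024.1.8" check would wrongly mark 2025.0.8 as fixed. The following added example (not Progress or BSI CERT-Bund code) compares within the matching branch and orders a constructed host inventory the way the finding recommends, internet-facing vulnerable nodes first.

```python
"""Branch-aware fixed-version check for the MOVEit Automation advisory above.

Added example, not Progress or BSI CERT-Bund code. The fixed versions
(2025.1.5, 2025.0.9, 2024.1.8) come from the brief; the host list is constructed.
"""
from typing import Dict, List, Tuple

# Fixed versions named in the advisory, keyed by release branch (year.minor).
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (2025, 1): (2025, 1, 5),
    (2025, 0): (2025, 0, 9),
    (2024, 1): (2024, 1, 8),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'YYYY.minor.patch' into a 3-tuple; a missing patch field counts as 0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable MOVEit Automation version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown-branch' for one installed version."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    if fixed is None:
        # A branch the advisory does not name (e.g. 2023.x) is not known-fixed;
        # confirm support status with the vendor rather than assuming safety.
        return "unknown-branch"
    return "fixed" if v >= fixed else "vulnerable"


# Ordering used by triage(): lower number is handled first.
_PRIORITY = {
    ("vulnerable", True): 0,       # vulnerable and internet-facing
    ("vulnerable", False): 1,      # vulnerable, internal only
    ("unknown-branch", True): 2,
    ("unknown-branch", False): 3,
    ("fixed", True): 4,
    ("fixed", False): 5,
}


def triage(inventory: List[Tuple[str, str, bool]]) -> List[Tuple[str, str, str]]:
    """Take (host, version, internet_facing) records and return (host, version, status)
    ordered as the finding recommends: internet-facing vulnerable nodes first."""
    rows = []
    for host, version, internet_facing in inventory:
        status = assess(version)
        rows.append((_PRIORITY[(status, internet_facing)], host, version, status))
    rows.sort()
    return [(host, version, status) for _, host, version, status in rows]


# Constructed inventory for demonstration; these are not real hosts.
SAMPLE_INVENTORY = [
    ("mft-internal-01", "2025.1.5", False),
    ("mft-edge-01", "2025.0.8", True),
    ("mft-internal-02", "2024.1.7", False),
    ("mft-edge-02", "2024.1.10", True),
    ("mft-legacy-01", "2023.0.4", False),
]

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:16} {version:10} {status}")
```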
Update: Linux Copy Fail active exploitation confirmed, CVE-2026-31431
Confidence: High
CISA has added Linux Copy Fail, CVE-2026-31431, to the Known Exploited Vulnerabilities Catalog with a remediation due date of 2026-05-15. BleepingComputer also reports exploitation activity, which changes the posture from local privilege-escalation exposure to active exploitation pressure.
This is an update rather than a new finding, but it is the most urgent operational item in today’s evidence. Linux estate owners should identify affected kernels, prioritise internet-facing and high-value systems, and align remediation to the CISA KEV deadline.
Finding: Ubuntu Exim CVE-2026-40685 and curl CVE-2026-4873 fixes
Confidence: Medium
Ubuntu USN-8228-1 fixes Exim issues including CVE-2026-40685, described in the source material as malformed JSON header parsing that could lead to arbitrary code execution and information disclosure. Mail relays and exposed Exim hosts deserve early attention because mail infrastructure often has broad reach and uneven maintenance windows.
Ubuntu USN-8227-1 fixes curl connection-reuse issues including CVE-2026-4873, CVE-2026-5545, and CVE-2026-5773. The main concern is sensitive-information exposure in workloads that use curl or libcurl for authenticated service-to-service requests.
Finding: BSI advisories widen the watch list
Confidence: Low
BSI CERT-Bund lists new advisories for Rancher, D-LINK M60, OPNsense, IBM Langflow, Qt, Langflow, Keycloak, FreeBSD, GnuTLS, Wireshark, vm2, and Bitwarden CLI. These are useful watch signals, but many currently have limited readable detail and should not be overstated without vendor confirmation, CVE mapping, or affected-version detail.
The practical move is not panic patching. Build an owner-mapped inventory for Rancher, OPNsense, D-LINK M60, Keycloak, Langflow, and Qt-bearing applications, then enrich each advisory against vendor pages before raising customer-specific severity.
Why This Matters
Today’s change is quality, not volume. The MOVEit Automation item gives security teams a specific new critical application to check, and the Linux Copy Fail KEV listing gives patch teams a dated exploitation-driven deadline.
The broader BSI set matters because it touches control-plane software, perimeter devices, identity, developer tools, and application runtimes. Most of those items still need enrichment, but they are good triggers for asset discovery now.
Recommended Actions
- Upgrade MOVEit Automation to 2025.1.5, 2025.0.9, or 2024.1.8 or later, starting with internet-facing automation nodes.
- Inventory Linux kernels for CVE-2026-31431 exposure and schedule remediation before the 2026-05-15 CISA KEV due date.
- Patch Ubuntu Exim and curl packages where deployed, especially mail relays and systems using authenticated curl/libcurl requests.
- Inventory Rancher, OPNsense, D-LINK M60, Keycloak, Langflow, and Qt-bearing applications, then restrict exposed admin surfaces.
- Enrich low-confidence BSI WID advisories with vendor references, affected versions, and CVE mappings before escalating severity.
All findings grounded in a13e intelligence sweeps through 03:25 UTC 05 May 2026.
Cisco Catalyst SD-WAN — 32 New Source Findings
What changed vs yesterday
Confidence: High
Yesterday led on CISA KEV CVE-2026-20182, Windows BitLocker/CTFMON monitoring and PAN-OS CVE-2026-0264. Today’s collection is different: it contains 32 NEW findings and no active-exploitation claim. The practical task is to verify exposure, assign owners, and enrich BSI-only advisories before stronger customer language is used.
Finding 1: Cisco Catalyst SD-WAN Controller and Manager need first attention
Confidence: Medium
The highest-priority item is the Cisco Catalyst SD-WAN Controller/Manager pair. BSI marks the Controller issue as critical, with CVSS 9.0, and NCSC-NL corroborates remediation for the SD-WAN platform family.
The action is concrete: verify fixed versions, check exposed administrative paths, and pair Controller and Manager remediation rather than treating them as separate queues.
Finding 2: TanStack/OpenAI supply-chain reporting needs developer-side checks
Confidence: High
The Register, BleepingComputer and The Hacker News report OpenAI as a named victim in a TanStack npm supply-chain compromise. The public reporting does not frame this as current active exploitation in customer environments, but it is still a high-confidence developer-supply-chain watchpoint.
Review lockfiles, developer-device telemetry, token rotation, npm cache history, and macOS patch completion. Keep the language narrow: the finding is about reported supply-chain compromise and exposure validation, not a broader claim about all npm users.
Finding 3: Linux Kernel and GitLab items widen the remediation queue
Confidence: Medium
The Linux Kernel Fragnesia item has BSI coverage and The Register corroboration of root-level impact reporting. Separate Linux Kernel BSI records mean kernel triage should not stop at one named issue.
GitLab also enters the queue through a BSI advisory affecting source-code and CI/CD paths. The immediate task is to verify self-managed GitLab exposure and patch level, then route remediation to platform owners.
Finding 4: BSI advisory backlog is broad, but most items remain unverified
Confidence: Unverified
The collection includes identity, edge, collaboration, mail, CI/CD, database, endpoint-management, and web-platform items: Microsoft Authenticator, Exchange, NGINX, Mattermost, GitHub Copilot, TeamViewer DEX, aria2, OpenShift, Flowise, HCL BigFix, PostgreSQL, Strapi, MISP, FortiOS, Fleet, Exim, Tomcat, Aruba, BigBlueButton, FortiAuthenticator, Nextcloud, Adobe Connect, Magento, Safari, and MongoDB.
Most are single-source BSI/CERT-Bund records with CVSS values withheld or unknown. That matters. These should drive discovery and enrichment, not inflated “known exploited” messaging.
Complete finding queue
1. UPDATE: Cisco Catalyst SD-WAN Controller critical admin-rights issue
Confidence: Medium
BSI marks the Controller issue critical and NCSC-NL states Cisco Catalyst SD-WAN Controller and Manager vulnerabilities are remediated. Verify fixed versions and exposed admin paths. Reference: WID-SEC-2026-1534. Active exploitation: no. CVSS: 9.0.
2. UPDATE: Cisco Catalyst SD-WAN Manager multiple vulnerabilities
Confidence: Medium
BSI lists SD-WAN Manager and NCSC-NL corroborates remediation for the platform family. Pair Manager checks with Controller remediation. Reference: WID-SEC-2026-1540. Active exploitation: no.
3. OpenAI named in TanStack npm supply-chain compromise
Confidence: High
The Register, BleepingComputer, and The Hacker News report OpenAI as a named victim in a TanStack npm supply-chain compromise. Review lockfiles, developer-device telemetry, token rotation, and macOS patch completion. Reference: TANSTACK-OPENAI-2026-05. Active exploitation: no.
4. Linux Kernel Fragnesia privilege escalation
Confidence: Medium
BSI lists a Fragnesia Linux Kernel administrator-rights issue; The Register corroborates root-level impact reporting. Route to Linux fleet owners for distro and kernel patch mapping. Reference: WID-SEC-2026-1530. Active exploitation: no.
5. GitLab multiple vulnerabilities
Confidence: Low
BSI added GitLab vulnerabilities affecting source-code and CI/CD paths. Verify self-managed GitLab exposure and patch level. Reference: WID-SEC-2026-1523. Active exploitation: no.
6. Linux Kernel multiple vulnerabilities
Confidence: Low
Separate BSI Linux Kernel batch means kernel triage should not be limited to Fragnesia. Enrich affected kernel branches and distro errata. Reference: WID-SEC-2026-1531. Active exploitation: no.
7. Microsoft Authenticator information disclosure
Confidence: Low
BSI added a Microsoft Authenticator information-disclosure advisory. Route to identity and mobile-fleet owners for impact enrichment. Reference: WID-SEC-2026-1537. Active exploitation: no.
8. Microsoft Exchange Server XSS and spoofing
Confidence: Low
BSI added an Exchange Server XSS/spoofing advisory. Check internet-facing Exchange assets and patch state. Reference: WID-SEC-2026-1536. Active exploitation: no.
9. NGINX Open Source and NGINX Plus multiple vulnerabilities
Confidence: Low
BSI added NGINX Open Source and NGINX Plus vulnerabilities. Prioritize public web-edge and reverse-proxy inventory. Reference: WID-SEC-2026-1527. Active exploitation: no.
10. Mattermost Server multiple vulnerabilities
Confidence: Low
BSI added Mattermost Server vulnerabilities. Collaboration platforms may hold credentials, files, and incident-response discussions. Reference: WID-SEC-2026-1529. Active exploitation: no.
11. Microsoft GitHub Copilot code execution
Confidence: Low
BSI added a GitHub Copilot code-execution advisory. Validate developer tenant, extension, and endpoint exposure. Reference: WID-SEC-2026-1521. Active exploitation: no.
12. TeamViewer DEX code execution
Confidence: Low
BSI added a TeamViewer DEX code-execution advisory. Remote support tooling should be assigned an owner because of the high trust it carries. Reference: WID-SEC-2026-1522. Active exploitation: no.
13. aria2 security-bypass issue
Confidence: Low
BSI added an aria2 security-bypass advisory and the sweep notes it as unpatched. Check automation and build-pipeline use. Reference: WID-SEC-2026-1524. Active exploitation: no.
14. Red Hat OpenShift code execution and information disclosure
Confidence: Low
BSI added a distinct OpenShift advisory for code execution and information disclosure. Map affected versions and hosted workloads. Reference: WID-SEC-2026-1550. Active exploitation: no.
15. Flowise multiple vulnerabilities enable code execution
Confidence: Low
BSI added Flowise multiple vulnerabilities with code-execution impact. Check exposed Flowise or internal AI-workflow deployments and restrict admin access pending patch confirmation. Reference: WID-SEC-2026-1554. Active exploitation: no.
16. HCL BigFix data manipulation and XSS
Confidence: Low
BSI added an HCL BigFix advisory covering data manipulation and XSS. Endpoint-management consoles carry high blast radius. Reference: WID-SEC-2026-1549. Active exploitation: no.
17. PostgreSQL multiple vulnerabilities
Confidence: Low
BSI added PostgreSQL multiple vulnerabilities. Prioritize multi-tenant, internet-facing, or regulated-service databases. Reference: WID-SEC-2026-1544. Active exploitation: no.
18. Strapi multiple vulnerabilities
Confidence: Low
BSI added Strapi multiple vulnerabilities. Inventory public Strapi admin panels and API backends. Reference: WID-SEC-2026-1552. Active exploitation: no.
19. MISP and MISP Modules multiple vulnerabilities
Confidence: Low
BSI added a MISP and MISP Modules advisory. Check threat-intelligence platforms, SOC tooling, and CTI lab instances for MISP exposure. Reference: WID-SEC-2026-1547. Active exploitation: no.
20. Linux Kernel denial-of-service advisory
Confidence: Low
BSI added a Linux Kernel denial-of-service advisory distinct from earlier Fragnesia and broad kernel records. Queue kernel-owner enrichment. Reference: WID-SEC-2026-1555. Active exploitation: no.
21. Fortinet FortiOS privilege-escalation advisory
Confidence: Low
BSI added a Fortinet FortiOS privilege-escalation advisory. Route to edge and network owners for inventory and fixed-version lookup. Reference: WID-SEC-2026-1492. Active exploitation: no.
22. Fleet multiple-vulnerability advisory
Confidence: Low
BSI added a Fleet advisory. Check endpoint-management and device-fleet management inventories. Reference: WID-SEC-2026-1553. Active exploitation: no.
23. Exim code-execution advisory
Confidence: Low
BSI added an Exim code-execution advisory. Identify internet-facing mail transfer agents and enrich upstream fixed versions. Reference: WID-SEC-2026-1505. Active exploitation: no.
24. Apache Tomcat multiple vulnerabilities
Confidence: Low
BSI added Apache Tomcat multiple vulnerabilities. Map Tomcat versions in application hosting and middleware estates. Reference: WID-SEC-2026-1514. Active exploitation: no.
25. Aruba AOS-8 Instant AP and AOS-10 AP multiple vulnerabilities
Confidence: Low
BSI added an Aruba AOS AP advisory. Identify managed Aruba AP estates, their owning team, firmware branch, and maintenance window. Reference: WID-SEC-2026-1515. Active exploitation: no.
26. BigBlueButton cross-site scripting
Confidence: Low
BSI added a BigBlueButton XSS advisory. Check education, webinar, and internal meeting deployments for public exposure and custom theme/plugin risk. Reference: WID-SEC-2026-1501. Active exploitation: no.
27. FortiAuthenticator code execution
Confidence: Low
BSI added a FortiAuthenticator code-execution advisory. Map instances and administrative exposure; notify identity owners after vendor fixed-version enrichment. Reference: WID-SEC-2026-1509. Active exploitation: no.
28. Nextcloud multiple vulnerabilities
Confidence: Low
BSI added a Nextcloud multiple-vulnerability advisory. Inventory externally reachable Nextcloud and managed file-sharing deployments. Reference: WID-SEC-2026-1517. Active exploitation: no.
29. Adobe Connect multiple vulnerabilities
Confidence: Low
BSI added an Adobe Connect advisory. Identify training and webinar environments, then enrich fixed versions. Reference: WID-SEC-2026-1496. Active exploitation: no.
30. Adobe Magento multiple vulnerabilities
Confidence: Low
BSI added an Adobe Magento advisory. Map ecommerce estates using Magento or Adobe Commerce and collect update status. Reference: WID-SEC-2026-1497. Active exploitation: no.
31. Apple Safari multiple vulnerabilities
Confidence: Low
BSI added an Apple Safari advisory. Confirm macOS and iOS browser patch cadence, especially for privileged endpoints. Reference: WID-SEC-2026-1543. Active exploitation: no.
32. MongoDB multiple vulnerabilities
Confidence: Low
BSI added a MongoDB advisory. Map MongoDB exposure and managed-service ownership before customer escalation. Reference: WID-SEC-2026-1516. Active exploitation: no.
Why This Matters
The value today is not a single dramatic exploit story. It is a clean list of assets and product families that need ownership, version mapping, and remediation evidence. That keeps customer communication honest whilst still giving operations teams a practical queue.
Recommended Actions
- Start with Cisco Catalyst SD-WAN Controller/Manager fixed-version verification and exposed-admin-path review.
- Route Linux Kernel, GitLab, TanStack/OpenAI, MISP, Fleet, FortiOS, Exim, Tomcat, FortiAuthenticator, Aruba, Nextcloud, Magento and MongoDB checks to the right owners.
- Treat LOW / UNVERIFIED BSI-only items as enrichment tasks until vendor, NVD, KEV or exploitation evidence appears.
- Keep prior unchanged stories out of today’s customer narrative unless new corroboration changes their status.
All findings grounded in a13e intelligence sweeps through 05:49 UTC 16 May 2026.
Microsoft Patch Tuesday, SharePoint and Word RCEs Set the 13 May Patch Queue
Finding: Microsoft May 2026 Patch Tuesday gives teams a broad patch window
Confidence: Medium
The 13 May source material includes BleepingComputer reporting that Microsoft’s May 2026 Patch Tuesday fixes 120 flaws and says active exploitation is confirmed somewhere in the release. The same source line does not identify the exploited CVEs, so the right client-facing position is urgent patch management without claiming exploitation of the specific SharePoint, Word or Azure items listed below.
Put Microsoft patch review at the front of today’s queue. Security teams should confirm update coverage across servers, endpoints and cloud-connected Microsoft services, then watch for any follow-up vendor or community reporting that names exploited CVEs from the release.
Finding: Microsoft SharePoint Server CVE-2026-40365 and CVE-2026-33110 require priority checks
Confidence: High
MSRC entries in the 13 May intake list two SharePoint Server remote-code-execution vulnerabilities, CVE-2026-40365 and CVE-2026-33110. The intake records CVE-2026-40365 with CVSS 8.8 and marks active exploitation as no for the SharePoint finding.
SharePoint usually sits close to collaboration data and identity-backed workflows, so exposure matters. Organisations running SharePoint Server should identify affected instances, check whether the relevant updates are already installed, and prioritise externally reachable or high-trust deployments first.
Finding: Azure Logic Apps CVE-2026-42823 adds cloud privilege risk
Confidence: High
Microsoft source material lists CVE-2026-42823 as an Azure Logic Apps elevation-of-privilege vulnerability with CVSS 7.8 and no active exploitation indicated for that specific CVE. Put it near the top of the Azure review queue, especially where Logic Apps connects workflows, identities and service integrations.
Teams should confirm which subscriptions and workflows could be affected, then apply the relevant Microsoft guidance. If Logic Apps has privileged connectors or sensitive automation paths, treat those environments as higher priority.
Finding: Microsoft Word CVE-2026-40366 keeps endpoint patching in scope
Confidence: High
MSRC lists CVE-2026-40366 as a Microsoft Word remote-code-execution vulnerability. The intake records CVSS 7.8 and marks active exploitation as no for this item.
The operational risk is user-facing rather than server-side. Endpoint and productivity teams should confirm Office update deployment, prioritise users who regularly handle external documents, and keep mail and document-handling controls aligned with the patch rollout.
Finding: Microsoft spoofing items sit behind the RCE and privilege work
Confidence: Low
The intake lists three lower-confidence Microsoft spoofing vulnerabilities: Azure Machine Learning Notebook CVE-2026-33833, M365 Copilot for Desktop CVE-2026-41614 and Microsoft 365 Copilot for Android CVE-2026-41100. Each is marked CVSS 6.5, with no active exploitation indicated in the source material.
These should not displace the SharePoint, Word or Azure Logic Apps work. Still, give them an owner where Copilot or Azure Machine Learning is deployed to users handling sensitive data or privileged workflows.
Update: Red Hat Enterprise Linux libsoup advisories remain in the maintenance queue
Confidence: Medium
BSI CERT-Bund updated WID-SEC-2026-0305 for Red Hat Enterprise Linux libsoup vulnerabilities including CVE-2026-0719 and CVE-2026-1761. The intake also lists WID-SEC-2025-2830 for libsoup CVE-2025-12105 denial of service. The source material notes that BSI CVSS values are not explicitly provided, so severity language should stay measured.
RHEL owners should check affected packages and schedule updates according to exposure and service criticality. These advisories matter, but today’s highest urgency remains the Microsoft patch queue.
Why This Matters
Today’s change is a shift from watchpoints to patch execution. The Microsoft release is broad, includes multiple high-impact items, and has some active exploitation reported somewhere in the wider set. That combination is enough to justify fast review, even though the source material does not tie exploitation to the named SharePoint, Word or Azure Logic Apps CVEs.
The wording matters. Overstating exploitation gives teams the wrong risk picture. Underplaying the patch window would be a mistake too.
Recommended Actions
- Review Microsoft May 2026 Patch Tuesday coverage across servers, endpoints and cloud-connected services.
- Prioritise SharePoint Server CVE-2026-40365 and CVE-2026-33110 for affected on-premise deployments.
- Confirm Azure Logic Apps exposure to CVE-2026-42823, especially where workflows use privileged connectors.
- Push Microsoft Word CVE-2026-40366 updates through endpoint patching for users handling external documents.
- Assign owners for Azure Machine Learning Notebook CVE-2026-33833, M365 Copilot for Desktop CVE-2026-41614 and Microsoft 365 Copilot for Android CVE-2026-41100.
- Queue Red Hat Enterprise Linux libsoup updates for CVE-2026-0719, CVE-2026-1761 and CVE-2025-12105 after the most exposed Microsoft systems are covered.
All findings grounded in a13e intelligence sweeps through 05:30 UTC 13 May 2026.
AI-Assisted Exploit Reports Add a Watchpoint Alongside Azure, WireGuard and PHP-FPM Advisories
Finding: AI-assisted exploit-development reports require focused monitoring
Confidence: Unverified
Reporting in the source set says attackers used AI during exploit development for a web administration tool and in a 2FA bypass context, citing BleepingComputer and The Hacker News. The source set marks this item as active exploitation, but it does not provide enough evidence to support claims about broad scale or generalised campaign reach.
The safe interpretation is narrower and still useful. Security teams should review externally exposed web administration tools, authentication bypass indicators, 2FA exception handling, unusual login flows and administrative access anomalies. The priority is to validate exposure and monitoring coverage, not to assume a wider pattern than the evidence supports.
Finding: Azure Linux kernel, WireGuard and PHP-FPM advisories add review work
Confidence: Medium
The source set lists Ubuntu USN-8255-2 for Linux kernel packages in Azure environments, with CVE-2023-2640 named in the brief. It also lists MSRC entries for WireGuard CVE-2026-31579 and PHP-FPM CVE-2026-6735.
These are practical inventory questions. Azure Linux kernel owners should check the Ubuntu notice. WireGuard and PHP-FPM owners should confirm whether the affected components are deployed and whether internet-facing paths, status endpoints or administrative surfaces change the priority.
Finding: Node.js and Mozilla remain updated patch-planning items
Confidence: High
BSI CERT-Bund WID-SEC-2026-0843 remains in the current source set for Node.js, including CVE-2024-36137 and CVE-2026-21637. The upstream materials also list BSI advisories WID-SEC-2026-1296 and WID-SEC-2026-1228 for Mozilla Firefox, Firefox ESR and Thunderbird.
The available source data does not provide explicit CVSS scores for the bundled CVEs. That limits severity language. Application and endpoint teams should still plan updates, especially where Node.js runtimes, browsers or mail clients are exposed to untrusted content.
Finding: Lower-confidence Red Hat denial-of-service updates should stay in the queue
Confidence: Low
The source set includes updated BSI CERT-Bund advisories for Red Hat Enterprise Linux libtpms CVE-2025-49133 and Red Hat OpenShift logrus CVE-2025-65637. Both are denial-of-service items without active exploitation indicated in the source set.
These should not displace the higher-exposure work above. They do belong in the maintenance queue for Red Hat and OpenShift owners, with priority guided by affected asset exposure and operational criticality.
Why This Matters
Today's useful signal is not that AI creates an immediate broad-exploitation emergency. The useful signal is that exploit-development assistance is moving into real attacker workflows, and exposed administrative and authentication surfaces are still the places where small weaknesses can turn into outsized access.
At the same time, the most concrete work remains familiar: map affected software, confirm exposure, and patch or mitigate where vendor advisories apply. The risk queue is elevated because there are several moving parts, not because every item has the same evidential weight.
Recommended Actions
- Review exposed web administration tools and 2FA flows for unusual behaviour, failed bypass attempts and administrative access anomalies.
- Check Azure Linux kernel exposure against Ubuntu USN-8255-2 and CVE-2023-2640.
- Check WireGuard CVE-2026-31579 applicability through MSRC guidance.
- Review PHP-FPM CVE-2026-6735, especially where status endpoints are reachable or exposed through web paths.
- Continue Node.js WID-SEC-2026-0843 and Mozilla WID-SEC-2026-1296 / WID-SEC-2026-1228 patch planning.
- Queue Red Hat Enterprise Linux libtpms CVE-2025-49133 and OpenShift logrus CVE-2025-65637 after higher-exposure systems are addressed.
All findings grounded in a13e intelligence materials through 05:30 UTC 12 May 2026.
New BSI Advisories and Ivanti EPMM Active Watchpoint
Finding: Ivanti EPMM CVE-2026-6973 remains the active-exploitation watchpoint
Confidence: Medium
CISA continues to list Ivanti EPMM CVE-2026-6973 in the Known Exploited Vulnerabilities catalogue. There is no new technical detail in the current source set, so this is not a fresh vulnerability story. It is still the item most likely to matter first for teams that operate mobile-device management or edge-facing EPMM infrastructure.
The practical message is simple: do not let the broader patch queue distract from a known exploited entry. Asset owners should confirm whether Ivanti EPMM is present, verify patch or mitigation status, and keep remediation evidence visible until the risk is closed.
Finding: Cisco Unity Connection WID-SEC-2026-1388 needs collaboration-owner triage
Confidence: Low
BSI CERT-Bund lists WID-SEC-2026-1388 as a high-severity advisory for Cisco Unity Connection. The available source set does not include CVE identifiers, affected versions, fixed releases, exploitation reporting or named victims.
That keeps confidence low, but the asset class is important. Unity Connection can sit close to collaboration and voice infrastructure. Teams should confirm whether the product is deployed, identify the owning team, and watch Cisco channels for version-specific patch guidance.
Finding: Microsoft Azure WID-SEC-2026-1419 is an exposure-mapping prompt
Confidence: Low
BSI CERT-Bund lists WID-SEC-2026-1419 as a high-severity Microsoft Azure advisory. No CVE list, exploit detail or tenant-specific mitigation detail was present in the available material.
Cloud teams should treat this as an ownership and exposure question, not as proof of active compromise. The useful first step is to route the WID item to tenant owners, then check whether Microsoft publishes affected-service or configuration detail that changes the priority.
Finding: Microsoft Teams WID-SEC-2026-1413 raises information-disclosure review
Confidence: Low
BSI CERT-Bund lists WID-SEC-2026-1413 as a high-severity Microsoft Teams information-disclosure advisory. The source set does not provide a CVE, a Microsoft advisory reference, affected client versions, or exploit evidence.
Teams is widely deployed, so even thin signals deserve routing. Security and tenant administrators should check for official Microsoft follow-up and be ready to assess data-exposure implications if affected versions or service conditions become clearer.
Finding: Red Hat OpenShift Tempo WID-SEC-2026-1415 reaches observability and middleware dependencies
Confidence: Low
BSI CERT-Bund lists WID-SEC-2026-1415 as a high-severity advisory for Red Hat OpenShift Tempo and Apache Thrift. The available evidence does not include affected component versions, fixed builds, CVE identifiers or exploit status.
This belongs with platform and observability owners. Confirm whether OpenShift Tempo is in use, identify Apache Thrift exposure through SBOM or package inventory, and wait for vendor-specific detail before assigning emergency severity.
Finding: Golang Go WID-SEC-2026-1437 affects runtime and build-environment tracking
Confidence: Low
BSI CERT-Bund lists WID-SEC-2026-1437 as a medium-severity advisory for Golang Go. The current source set lacks CVE detail, fixed Go versions and exploitation evidence.
Go advisories can matter beyond servers because the runtime and toolchain may be embedded in build processes. Package owners should record which Go versions are used for builds and deployed services, then prepare update planning once official fixed-version detail is available.
Finding: IBM MQ WID-SEC-2026-1431 adds a messaging-middleware disclosure item
Confidence: Low
BSI CERT-Bund lists WID-SEC-2026-1431 as a medium-severity IBM MQ information-disclosure advisory. No affected-version table, vendor fix reference, CVE identifier or exploitation signal was present in the available material.
IBM MQ often supports sensitive application flows. Owners should map deployed versions, identify external or cross-zone broker exposure, and follow IBM channels for precise update guidance.
Finding: MISP WID-SEC-2026-1424 touches threat-intelligence platform hygiene
Confidence: Low
BSI CERT-Bund lists WID-SEC-2026-1424 as a medium-severity cross-site scripting advisory for MISP. The current source set does not provide a CVE, affected-version range, proof of exploitation or vendor patch note.
MISP instances may hold sensitive indicators, community feeds and internal enrichment data. Administrators should confirm version ownership, review user and sharing boundaries, and prepare an update path once the vendor detail is available.
Finding: Microsoft 365 Copilot Business Chat WID-SEC-2026-1411 needs tenant-owner review
Confidence: Low
BSI CERT-Bund lists WID-SEC-2026-1411 as a medium-severity information-disclosure advisory for Microsoft 365 Copilot Business Chat. The available evidence does not include affected tenant configurations, a CVE identifier or confirmed exploitation.
Because Copilot Business Chat can sit near enterprise content, the review should go to the people who own Microsoft 365 data boundaries. Confirm enablement status, sensitivity labels and administrator ownership, then watch for Microsoft detail that clarifies actual exposure.
Finding: Mozilla Firefox and Firefox ESR WID-SEC-2026-1427 moves into endpoint update planning
Confidence: Low
BSI CERT-Bund lists WID-SEC-2026-1427 as a medium-severity advisory for Mozilla Firefox and Firefox ESR. The current source set does not include the underlying CVE set, fixed releases or exploitation evidence.
Browser updates are familiar work, but they still need discipline. Endpoint owners should check managed Firefox and ESR channels, confirm update cadence, and prioritise high-exposure user groups if Mozilla publishes corroborating detail.
Finding: etcd WID-SEC-2026-1400 is a cluster dependency to locate quickly
Confidence: Low
BSI CERT-Bund lists WID-SEC-2026-1400 as a medium-severity etcd security-bypass advisory. The source material does not include affected versions, exploit conditions, CVE identifiers or fixed builds.
etcd can be critical to Kubernetes and distributed systems. Platform teams should confirm where etcd is present, check cluster ownership, and be ready to patch once fixed-version guidance appears.
Why This Matters
Today’s change is not a single confirmed emergency. It is a split workload: one known exploited Ivanti EPMM item that should stay on the remediation board, plus ten new BSI CERT-Bund advisories that need owner routing and vendor follow-up.
The new WID items are broad enough to create coordination friction. They touch collaboration tools, cloud services, observability, middleware, development runtimes, threat-intelligence platforms, browsers and cluster dependencies. Thin evidence makes the work less dramatic, not less necessary.
Recommended Actions
- Keep Ivanti EPMM CVE-2026-6973 visible until patch or mitigation evidence is confirmed.
- Assign owners for Cisco Unity Connection, Azure, Teams, OpenShift Tempo, Go, IBM MQ, MISP, Microsoft 365 Copilot Business Chat, Firefox ESR and etcd.
- Treat the ten new BSI CERT-Bund WID entries as low-confidence until vendor advisories, CVEs, affected versions or fixed releases appear.
- Prioritise exposure checks for externally reachable collaboration, messaging, tenant and cluster-control assets.
- Track vendor channels for affected-version detail before escalating the new WID items beyond the available evidence.
- Because cross-publication dedup verification could not be completed, run a manual overlap check before publication.
All findings grounded in a13e intelligence sweeps through 05:30 UTC 09 May 2026.
Bitwarden CLI npm WID-SEC-2026-1348, Compromised Package Risk Hits Security Tooling
Finding: Bitwarden CLI npm compromised package, WID-SEC-2026-1348
Confidence: Low
BSI CERT-Bund reports a compromised Bitwarden CLI npm package, tracked as WID-SEC-2026-1348, with potential credential theft and information exfiltration impact. The source set does not provide a CVE, affected package version range, fixed version, or exploitation timeline, so treat this as a high-priority enrichment item, not a complete incident profile.
This leads today’s coverage for one reason: password-manager tooling sits close to secrets. If a compromised CLI package reached developer laptops, CI images, automation hosts, or jump boxes, the response may need package removal, execution-history checks, token review, and credential rotation. Start with systems where npm-installed security tools handle production, customer, cloud, or source-control credentials.
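To make the workstation, CI-runner and container-image check concrete, here is an added inventory scanner (example code, not a13e or Bitwarden code). It walks the JSON that `npm ls -g --json --all` emits and the `packages` map of a `package-lock.json` v2/v3, and flags the real npm package name `@bitwarden/cli` wherever it appears; because the source gives no affected version range, every hit is reported for enrichment rather than judged. Both sample inputs are constructed.

```python
"""Flag npm-installed Bitwarden CLI packages for WID-SEC-2026-1348 triage.

Added example, not a13e or Bitwarden code. Scans two inventory formats:
the JSON from `npm ls -g --json --all` (nested "dependencies" tree) and a
package-lock.json v2/v3 ("packages" keyed by node_modules path). The source
gives no affected version range, so every hit is reported for enrichment.
"""
import json

# "@bitwarden/cli" is the real npm package name; the watchlist itself is a
# constructed example and can be extended with other security tooling.
WATCHLIST = {"@bitwarden/cli"}


def scan_npm_ls(npm_ls_json: dict, host: str = "unknown-host") -> list[dict]:
    """Walk the nested dependency tree that `npm ls --json --all` emits."""
    hits = []

    def walk(node: dict, path: list[str]) -> None:
        for name, info in (node.get("dependencies") or {}).items():
            here = path + [name]
            if name in WATCHLIST:
                hits.append({
                    "host": host,
                    "package": name,
                    "version": info.get("version", "unknown"),
                    "path": " > ".join(here),  # records who pulled it in
                })
            walk(info, here)  # transitive dependencies count too

    walk(npm_ls_json, [])
    return hits


def scan_package_lock(lock: dict, host: str = "unknown-host") -> list[dict]:
    """Scan lockfileVersion 2/3 'packages' entries (key is node_modules path)."""
    hits = []
    for key, info in (lock.get("packages") or {}).items():
        if not key:  # "" is the root project entry, not a dependency
            continue
        # Nested installs look like node_modules/a/node_modules/@scope/pkg;
        # the last node_modules/ segment is the package name.
        name = info.get("name") or key.split("node_modules/")[-1]
        if name in WATCHLIST:
            hits.append({
                "host": host,
                "package": name,
                "version": info.get("version", "unknown"),
                "path": key,
            })
    return hits


# Constructed sample inputs (not real inventory output).
SAMPLE_NPM_LS = {
    "name": "global",
    "dependencies": {
        "npm": {"version": "10.8.2"},
        "@bitwarden/cli": {"version": "2025.1.0"},
        "some-wrapper": {
            "version": "1.0.0",
            "dependencies": {"@bitwarden/cli": {"version": "2024.12.0"}},
        },
    },
}

SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "ci-tools", "version": "0.1.0"},
        "node_modules/@bitwarden/cli": {"version": "2025.1.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
}

if __name__ == "__main__":
    hits = scan_npm_ls(SAMPLE_NPM_LS, "ci-runner-01")
    hits += scan_package_lock(SAMPLE_LOCK, "repo:ci-tools")
    for hit in hits:
        print(json.dumps(hit))
```

On a real host, feed it the parsed output of `npm ls -g --json --all` (or each repository's lockfile) and collect the hits centrally so the credential-rotation decision can be made per system once Bitwarden publishes the affected range.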
Finding: BusyBox code execution or denial-of-service advisory, WID-SEC-2026-1356
Confidence: Low
BSI CERT-Bund lists a high-severity BusyBox advisory under WID-SEC-2026-1356, described in the reviewed material as code execution or denial of service. BusyBox matters because it is often present inside routers, appliances, containers, embedded Linux systems, and operational technology-adjacent devices where software ownership can be unclear.
There is not enough detail in the source set to name affected versions or fixed packages. The practical action is inventory first: identify exposed appliances and container base images that include BusyBox, then wait for vendor or distribution confirmation before raising customer-specific severity.
Finding: OpenCTI administrator-rights issues, WID-SEC-2026-1357 and WID-SEC-2026-1362
Confidence: Low
BSI CERT-Bund lists two OpenCTI advisories involving administrator-rights acquisition, tracked as WID-SEC-2026-1357 and WID-SEC-2026-1362. The reviewed material does not include exploit detail, affected versions, or a CVE mapping.
OpenCTI deserves attention because many teams use it as a system of record for threat intelligence, enrichment, and investigation workflows. Administrator compromise can mean more than platform control. It can also create bad intelligence, altered indicators, or misleading internal trust decisions. Treat OpenCTI as privileged infrastructure: restrict administrative access, review recent role changes, and confirm patch status as soon as vendor detail is available.
Finding: Google Android, WhatsApp, and WDR201A widen the mobile and edge watch list
Confidence: Low
BSI CERT-Bund lists a Google Android administrator-code execution advisory under WID-SEC-2026-1360 and multiple Meta WhatsApp vulnerabilities under WID-SEC-2026-1361. Tenable also lists CVE-2026-41923 for WDR201A WiFi Extender hardware V2.1 running firmware LFMZX28040922V1.02.
None of these items has enough detail in the source set to justify alarmist treatment. They do point to familiar weak spots: managed mobile patch lag, executive messaging exposure, and small-office or remote-worker network devices that sit outside clean asset ownership. MDM owners and network teams should confirm whether these products exist in managed environments.
Update: Weaver E-cology exploitation reported after March update, CVE-2026-22679
Confidence: Low
BleepingComputer reports exploitation of an unauthenticated remote code execution issue in Weaver E-cology 10.0 builds before 2026-03-12, tracked as CVE-2026-22679. The reported path involves an exposed debug API or RPC route that can lead to command execution.
This is an update rather than today’s lead new item. It still needs quick handling where Weaver E-cology is exposed: verify build dates, move to 2026-03-12 or later, restrict debug and API paths, and review Java-process outbound activity for callback behaviour.
Why This Matters
Today’s coverage is about trust boundaries. Bitwarden CLI touches secrets-handling tooling. BusyBox touches embedded systems and containers. OpenCTI touches intelligence workflow integrity. Android, WhatsApp, and WDR201A touch mobile and edge exposure.
Most of the new advisories are low-confidence because the available source detail is thin. That should shape the response. Do the exposure checks now, enrich with vendor sources, and reserve stronger severity language for findings with confirmed affected versions, patches, or exploitation.
Recommended Actions
- Check developer workstations, CI runners, container images, and automation hosts for npm-installed Bitwarden CLI exposure linked to WID-SEC-2026-1348.
- Prepare credential-rotation guidance if suspect Bitwarden CLI package execution is confirmed.
- Inventory BusyBox in exposed appliances, containers, routers, and managed edge devices, then map findings to vendor or distribution advisories.
- Treat OpenCTI as privileged infrastructure: review administrator-role changes, restrict admin access, and confirm update status.
- Confirm Android and WhatsApp patch posture with MDM owners, especially for executives and high-risk roles.
- Identify any WDR201A WiFi Extender use in offices, labs, temporary networks, or remote-worker kits.
- For Weaver E-cology, verify builds are 2026-03-12 or later and restrict exposed debug/API paths.
All findings grounded in a13e intelligence sweeps through 03:25 UTC 06 May 2026.
Argo CD, Android, NetBox, Ollama, Redis, RabbitMQ and Velociraptor - New BSI Patch Queue
Finding: Argo CD WID-SEC-2026-1383 puts GitOps exposure on the review list
Confidence: Unverified
BSI CERT-Bund lists WID-SEC-2026-1383 as a high-severity information disclosure advisory for Argo CD. The available source set does not include a CVE, affected-version table, vendor advisory, exploitation report, indicators of compromise, or named victim.
That keeps confidence low, but it does not make the item irrelevant. Argo CD often sits close to deployment metadata, repository references and operational context. Security teams should identify externally reachable Argo CD instances, confirm ownership, and route the advisory to the platform team for version and patch review.
Finding: Android WID-SEC-2026-1360 needs fleet-owner mapping before severity escalation
Confidence: Unverified
BSI CERT-Bund lists WID-SEC-2026-1360 for Google Android with administrator-level code execution wording. No CVE or vendor bulletin was present in the available source set, so this should not be treated as a fully corroborated Android emergency.
The practical step is fleet mapping. Mobile and endpoint teams should check whether supported enterprise builds, OEM update channels and managed-device baselines map to the BSI item. If vendor detail appears, this can move from watch item to scheduled update action.
Finding: IBM App Connect Enterprise Certified Container WID-SEC-2026-1407 reaches integration middleware
Confidence: Unverified
BSI CERT-Bund lists WID-SEC-2026-1407 as multiple vulnerabilities in IBM App Connect Enterprise Certified Container. The source set does not provide affected images, fixed tags, exploit status or CVE identifiers.
Integration middleware can carry sensitive data paths between systems, so ownership matters even where evidence is thin. Teams running IBM App Connect in containers should identify image versions, deployment owners and update windows, then wait for vendor-specific detail before assigning emergency severity.
Finding: NetBox WID-SEC-2026-1355 flags code-execution risk in infrastructure source-of-truth tooling
Confidence: Unverified
BSI CERT-Bund lists WID-SEC-2026-1355 for NetBox with code-execution wording. The available corpus does not corroborate the item with vendor detail, a CVE record or exploitation evidence.
NetBox commonly holds infrastructure inventory, IP address management and configuration context. That makes exposure review sensible. Confirm whether NetBox is internet-facing, whether authentication and plugin boundaries are controlled, and whether current versions align with any vendor follow-up.
Finding: Ollama WID-SEC-2026-1379 is an AI-platform exposure prompt
Confidence: Unverified
BSI CERT-Bund lists WID-SEC-2026-1379 as an Ollama information disclosure advisory. No active exploitation, CVE or vendor advisory was present in the available source material.
The useful action is not panic but exposure hygiene. Ollama deployments should be checked for host binding, reverse-proxy configuration, authentication assumptions and reachable model endpoints. Teams experimenting with local AI services should make sure those services have not drifted into production-like exposure without the same controls.
Finding: Red Hat ACM/MCE WID-SEC-2026-1367 affects Kubernetes management review
Confidence: Unverified
BSI CERT-Bund lists WID-SEC-2026-1367 for Red Hat Advanced Cluster Management and Multicluster Engine for Kubernetes, with remote execution and availability-risk wording. The source set does not include CVE identifiers, fixed package versions or exploit details.
Kubernetes management planes deserve careful routing. Identify whether Red Hat ACM or MCE is deployed, confirm cluster-management ownership, and prepare a patch window once vendor advisories provide affected-version detail.
Finding: Red Hat Enterprise Linux libsoup WID-SEC-2026-1409 is a dependency-tracking item
Confidence: Unverified
BSI CERT-Bund lists WID-SEC-2026-1409 as an information disclosure item for Red Hat Enterprise Linux libsoup. The available source set does not include the dependency versions affected or a vendor fix reference.
This belongs in platform dependency tracking. Linux owners should map where libsoup is present through package inventory and follow Red Hat-specific update channels before assigning business impact.
Finding: Redis WID-SEC-2026-1370 warrants fast inventory, even at low confidence
Confidence: Unverified
BSI CERT-Bund lists WID-SEC-2026-1370 as multiple code-execution vulnerabilities in Redis. The source set lacks CVE detail and exploitation evidence, so the confidence label stays low.
Redis is often deployed as a cache, queue, session store or internal data service. That ubiquity makes basic exposure checks worthwhile. Confirm version ownership, authentication, network binding and whether any Redis instance is reachable from untrusted networks.
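The binding and authentication checks above can be scripted against redis.conf. The following is an added example (not a13e or Redis project code) that audits the three directives deciding whether an instance is reachable from untrusted networks without credentials: `bind`, `protected-mode` and `requirepass` or ACL `user` lines, all of which are real redis.conf keywords. The weak and hardened configuration samples are constructed.

```python
"""Triage redis.conf exposure settings for the Redis WID-SEC-2026-1370 queue.

Added example, not a13e or Redis project code. Directive names are the real
redis.conf keywords; both configuration samples below are constructed.
"""
import ipaddress

WILDCARD_BINDS = {"0.0.0.0", "::", "*"}


def parse_redis_conf(text: str) -> list[tuple[str, list[str]]]:
    """Return (directive, args) pairs. Redis treats only whole lines starting
    with '#' as comments, so a '#' inside an ACL password hash is kept."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def _is_loopback(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparsable address: report it rather than trust it


def audit_redis_conf(text: str) -> list[str]:
    """Return exposure findings for one redis.conf; empty list means none."""
    conf = parse_redis_conf(text)

    def get(key: str) -> list[list[str]]:
        return [args for k, args in conf if k == key]

    findings = []

    bind_lines = get("bind")
    if not bind_lines:
        findings.append("no bind directive: Redis listens on all interfaces by default")
    else:
        # Redis 7 allows a leading '-' meaning 'bind if the address exists'.
        addrs = [a.lstrip("-") for args in bind_lines for a in args]
        wide = [a for a in addrs if a in WILDCARD_BINDS or not _is_loopback(a)]
        if wide:
            findings.append("bind includes non-loopback address(es): " + ", ".join(wide))

    pm = get("protected-mode")
    if pm and pm[-1] and pm[-1][0].lower() == "no":
        findings.append("protected-mode no: unauthenticated remote clients are not refused")

    # Either a legacy requirepass or an ACL user with a '>password' / '#hash'
    # token counts as authentication being configured.
    has_password = any(args and args[0].strip('"') for args in get("requirepass"))
    has_acl_pw = any(any(t.startswith((">", "#")) for t in args) for args in get("user"))
    if not has_password and not has_acl_pw:
        findings.append("no requirepass or ACL password: default user has no password")
    return findings


# Constructed sample: an exposed development instance.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: loopback-only and password-protected.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
requirepass "constructed-placeholder-secret"
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or ["no findings"])
```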
Finding: RabbitMQ WID-SEC-2026-1397 adds broker patch management to the queue
Confidence: Unverified
BSI CERT-Bund lists WID-SEC-2026-1397 as multiple vulnerabilities in RabbitMQ. No active exploitation, CVE list or vendor advisory appeared in the available source set.
Message brokers can sit on critical application paths. Owners should identify deployed RabbitMQ versions, check management interface exposure and prepare for patch scheduling if vendor confirmation follows.
Finding: Rapid7 Velociraptor WID-SEC-2026-1368 touches defensive tooling
Confidence: Unverified
BSI CERT-Bund lists WID-SEC-2026-1368 as multiple vulnerabilities in Rapid7 Velociraptor. The available source set does not show CVE identifiers, affected builds, exploitation or vendor confirmation.
Defensive tooling is still infrastructure. DFIR teams should confirm whether Velociraptor servers and clients are deployed, verify management-plane exposure, and watch for vendor detail before escalating.
Why This Matters
Today’s change is the breadth of the patch queue, not evidence of a live campaign. The affected product set crosses deployment automation, mobile devices, integration containers, infrastructure inventory, AI tooling, Kubernetes management, Linux dependencies, Redis, RabbitMQ and DFIR tooling.
That spread is operationally awkward. It requires coordination across several owners, and thin source detail makes prioritisation harder. The right response is disciplined inventory: find the assets, assign owners, collect vendor detail, then patch in the order that matches exposure and business importance.
Recommended Actions
- Assign owners for Argo CD, Android fleet management, IBM App Connect containers, NetBox, Ollama, Red Hat ACM/MCE, RHEL libsoup, Redis, RabbitMQ and Velociraptor.
- Treat all ten WID entries as low-confidence or unverified until vendor advisories, CVEs or affected-version details appear.
- Prioritise exposure checks for internet-facing Argo CD, NetBox, Ollama, Redis, RabbitMQ and Velociraptor services.
- Confirm Redis and RabbitMQ are not reachable from untrusted networks and have authentication controls aligned with internal policy.
- Track vendor channels for affected versions, fixed releases and severity updates.
- Manual publication note: because cross-publication dedup verification could not be completed, compare this queue against recent public posts before release.
All findings grounded in a13e intelligence sweeps through 05:30 UTC 08 May 2026.