Intelligence · Updated daily

Security Intelligence

AI-analysed threats, vulnerabilities and campaigns. Not just what happened — what it means, who's affected, and what to do about it.

RSS feedCVE index632 entries

Vulnerabilities Malware Campaigns Supply Chain Policy Tools

Page 4 of 26

76–100 of 632

highCampaignActive

Coordinated SEO poisoning and AI chatbot manipulation drives GPU mining malware distribution

Threat actors are executing a multi-vector cryptojacking campaign targeting high-performance computing systems through SEO poisoning and AI chatbot manipulation to distribute GPU mining malware. This hybrid approach exploits both traditional search ranking tactics and emerging AI recommendation systems to reach victims.

28 May 2026Systems with high-performance GPUs, Users of AI chatbot services, Search engine users

highVulnerabilityActive

XWiki Platform Path Traversal in Resource Endpoints – Configuration File Disclosure

XWiki's ssx and jsx endpoints fail to sanitize the resource parameter when leading slashes are present, allowing unauthenticated path traversal to read sensitive files like WEB-INF/xwiki.cfg. The PoC demonstrates reliable, low-complexity exploitation that could expose database credentials and system configuration.

CVE-2026-23734

27 May 2026XWiki/xwiki-platform (<16.10.17), XWiki/xwiki-platform (<17.4.9), XWiki/xwiki-platform (<17.10.3) +1

criticalVulnerabilityActive

XWiki Platform Unauthenticated XAR Import via REST API - Authentication Bypass

The POST /wikis/{wikiName} endpoint in XWiki Platform lacks authentication checks, allowing unauthenticated attackers to import XAR files and modify wiki content. This is a high-impact authentication bypass affecting content integrity and availability.

CVE-2026-33137

27 May 2026XWiki Platform <16.10.17, XWiki Platform 17.0-17.4.8, XWiki Platform 17.10.0-17.10.2 +1

highCampaignActive

Multi-vector cryptojacking campaign exploits SEO poisoning, ScreenConnect, and .NET tools to target GPU resources

Threat actors are running a coordinated cryptojacking operation that uses SEO poisoning and AI chatbot abuse to distribute malicious sites, then deploys ScreenConnect and Microsoft .NET utilities as initial access and persistence mechanisms to hijack GPU resources on high-performance systems.

27 May 2026ScreenConnect, Microsoft .NET utilities, High-performance computing systems

informationalToolEmerging

AppOmni's Marlin AI automates SaaS misconfiguration investigation while preserving human control over remediation

AppOmni has released Marlin AI, a tool that autonomously investigates SaaS security misconfigurations and traces their blast radius across enterprise environments, stopping short of automatic remediation. This represents incremental progress in scaling SaaS security operations but raises questions about investigation accuracy and false positive rates.

27 May 2026SaaS platforms (general)

highCampaignActive

MuddyWater Escalates Multi-Sector Espionage with DLL Side-Loading Across Nine Countries

MuddyWater, an Iranian state-linked threat actor, has conducted a coordinated espionage campaign in Q1 2026 targeting organisations across industrial manufacturing, education, public sector, finance, and professional services in nine countries using DLL side-loading techniques.

27 May 2026Industrial and electronics manufacturing organisations, Education sector, Public sector bodies +2

highCampaignActive

Lithuania's state registry breach exposes 600,000 records: implications for EU critical infrastructure

Foreign attackers gained unauthorised access to 600,000 records from Lithuania's Centre of Registers, which manages property and legal entity data. This represents a significant compromise of state administrative infrastructure with potential implications for identity fraud and state surveillance.

27 May 2026Centre of Registers (Lithuania), Lithuanian state property records system, Lithuanian legal entity records system

criticalVulnerabilityActive

KnowledgeDeliver zero-day exploitation reveals active targeting of education infrastructure via web shell deployment

A previously unknown vulnerability in KnowledgeDeliver LMS was exploited in the wild to install Godzilla web shells on victim servers. This represents active compromise of educational infrastructure with potential for persistent access and lateral movement.

27 May 2026KnowledgeDeliver

highMalwareActive

ACR Stealer Distributed via Claude Impersonation Page

A phishing campaign is distributing ACR Stealer through fake Claude AI pages. This represents an active social engineering threat targeting users seeking legitimate AI tools.

26 May 2026Users seeking Claude AI, Claude (reputation/trust)

highCampaignContained

Dutch Law Enforcement Dismantles Russian Cyberattack Infrastructure by Seizing 800 Servers and Arresting Hosting Operators

Dutch authorities arrested two co-owners of Internet hosting companies and seized approximately 800 servers used by Russian intelligence to stage cyberattacks, influence operations, and disinformation campaigns targeting the EU. The action disrupts a significant portion of Russia's operational infrastructure in Europe.

26 May 2026Stark Industries Solutions, EU organisations and member states

criticalVulnerabilityActive

Ghost CMS zero-day exploitation demonstrates persistent risks in widely-deployed blogging platform

A vulnerability in Ghost CMS has been exploited to compromise over 700 websites, including those of Harvard, Oxford, and DuckDuckGo. This represents a significant supply-chain risk given Ghost's prevalence among high-profile organisations.

26 May 2026Ghost CMS

highVulnerabilityActive

Hard-coded ASP.NET Keys in KnowledgeDeliver LMS Enabled Zero-Day Godzilla and Cobalt Strike Deployment

A high-severity flaw in Digital Knowledge's KnowledgeDeliver LMS, stemming from hard-coded ASP.NET machine keys, was exploited in the wild to install Godzilla web shells and subsequently Cobalt Strike Beacon. The vulnerability has been patched but likely saw active abuse before disclosure.

CVE-2026-5426

26 May 2026Digital Knowledge KnowledgeDeliver

highPolicyEmerging

Anthropic's Mythos Model Rollout Raises Questions About AI Code Generation Security Trade-offs

Anthropic is preparing to integrate its Mythos model into Claude Code, a restricted model previously flagged for security risks in software development contexts. This marks a shift from controlled deployment to broader availability with unclear safety mitigations.

26 May 2026Anthropic Claude Code, Claude Mythos

criticalVulnerabilityEmerging

ViewState Deserialization RCE in KnowledgeDeliver LMS: Japanese Educational Sector at Risk

Mandiant identified a critical remote code execution vulnerability in KnowledgeDeliver, a Learning Management System widely deployed in Japanese educational institutions, exploitable through unsafe .NET ViewState deserialisation. Active exploitation has been confirmed in the wild.

MNDT-2026-0009

25 May 2026KnowledgeDeliver (Digital Knowledge)

lowVulnerabilityResolved

Wireshark 4.6.6 maintenance release addresses single vulnerability among routine bug fixes

Wireshark 4.6.6 was released on 24 May, patching one vulnerability alongside 11 bug fixes. This is routine vendor maintenance with limited security impact.

25 May 2026Wireshark 4.6.x

highCampaignActive

Chinese-language PhaaS ecosystem rivals Russian offerings, lowering attack barriers for regional threat actors

Google's threat intelligence team identified a dozen mature phishing-as-a-service offerings operating in Chinese-language underground forums, representing a significant shift in the geographic distribution of PhaaS infrastructure and suggesting intensified credential theft campaigns targeting organisations with Asia-Pacific exposure.

25 May 2026Organisations with Asia-Pacific operations, Enterprise email systems, Authentication systems

criticalCampaignActive

Ghost CMS SQL injection weaponised in coordinated ClickFix distribution campaign

Attackers are exploiting a critical SQL injection flaw (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript that delivers ClickFix social engineering attacks at scale. This combines server-side code execution with client-side manipulation, significantly amplifying attack reach.

CVE-2026-26980

25 May 2026Ghost CMS

highCampaignResolved

Italian law enforcement dismantles CINEMAGOAL credential-stealing piracy operation targeting major streaming platforms

Italian authorities shut down CINEMAGOAL, a piracy application that harvested authentication credentials from Netflix, Disney+, Spotify and other streaming services to provide unauthorised access. The operation represents a significant credential-theft infrastructure targeting consumer accounts at scale.

24 May 2026Netflix, Disney+, Spotify +1

highCampaignActive

Phishing-at-scale: FIFA World Cup ticket scams exploit event-driven social engineering

Threat actors are operating fake FIFA websites mimicking official ticket and merchandise sales platforms to harvest payment card data and personal information from World Cup fans. This represents a high-volume, low-sophistication fraud operation capitalised on major sporting events.

24 May 2026FIFA World Cup fans and ticket purchasers, Event merchandise buyers

highVulnerabilityEmerging

Underminr DNS Vulnerability Exposes 88 Million Domains to Command-and-Control Masquerading

A DNS vulnerability called Underminr affects approximately 88 million domains and allows attackers to hide malicious traffic behind legitimate domain names, bypassing DNS filtering and exfiltrating data undetected.

24 May 2026DNS infrastructure, Approximately 88 million domains

informationalPolicyResolved

npm Staged Publishing: Supply Chain Defence Maturing Beyond Basic Access Controls

npm has released staged publishing, a feature requiring 2FA-gated approval before package releases become public, reducing the window for automated supply chain attacks. This represents incremental hardening of package distribution rather than addressing fundamental dependency resolution risks.

24 May 2026npm Registry, npm package maintainers

criticalSupply ChainActive

Laravel Lang Supply Chain Attack: Credential Theft via Composer Tag Hijacking

Attackers compromised Laravel Lang localisation packages on Composer by exploiting GitHub version tags to inject credential-stealing malware, directly exposing developer environments to post-compromise exfiltration. This represents a high-risk supply chain breach affecting a widely-used ecosystem package.

24 May 2026Laravel Lang packages, Composer package repository, PHP developers using Laravel

criticalVulnerabilityActive

YesWiki Unauthenticated SQL Injection in Form Import Handler

An unauthenticated SQL injection flaw in YesWiki's FormManager allows attackers to inject arbitrary SQL via the `bn_id_nature` parameter, enabling full database exfiltration including password hashes. The PoC demonstrates reliable, pre-authentication exploitation against default installations.

CVE-2026-46670

23 May 2026YesWiki/yeswiki (4.6.1, 4.6.2, doryphore-dev)

highVulnerabilityActive

Path Traversal in FileBrowser Public Share PATCH Handler via Unsafe Path Join

FileBrowser's public PATCH endpoint joins user-controlled paths with the share root before sanitization, allowing traversal outside the intended directory. Public shares with modification enabled are immediately exploitable.

23 May 2026FileBrowser/FileBrowser (commit 869b640 and prior)

criticalVulnerabilityActive

Nezha Monitoring: Authentication Bypass Enables Cross-Tenant RCE via Cron API

Nezha's cron scheduling API routes are protected by common authentication (any logged-in user) rather than admin-only gates, combined with a permission check bypass that allows RoleMembers to execute arbitrary commands on all monitored servers across tenant boundaries.

CVE-2026-46716

23 May 2026nezha/dashboard