Intelligence · Updated daily

Security Intelligence

AI-analysed threats, vulnerabilities and campaigns. Not just what happened — what it means, who's affected, and what to do about it.

RSS feedCVE index632 entries

Vulnerabilities Malware Campaigns Supply Chain Policy Tools

Page 7 of 26

151–175 of 632

highVulnerabilityActive

Microsoft's Silent Azure Backup Fix Raises Questions on Vulnerability Disclosure Transparency

A security researcher claims Microsoft quietly patched an Azure Backup for AKS vulnerability without issuing a CVE or acknowledging the original report, whilst Microsoft contests the characterisation and denies making product changes. The dispute highlights tensions in coordinated disclosure practices and raises concerns about undisclosed fixes in cloud infrastructure.

17 May 2026Microsoft Azure Backup for AKS

highVulnerabilityActive

Unauthenticated Directory Enumeration in Remote Sunrise Helper for Windows 2026.14

Remote Sunrise Helper for Windows 2026.14 permits unauthenticated attackers to enumerate files and directories via an improperly secured API or web interface. This PoC demonstrates information disclosure that could facilitate follow-on attacks.

16 May 2026Remote Sunrise Helper for Windows 2026.14

highVulnerabilityActive

Windows Snipping Tool NTLMv2 Hash Interception – Local Credential Relay Risk

The Snipping Tool can be abused to trigger NTLM authentication flows that leak NTLMv2 hashes to attacker-controlled network locations. Defenders must monitor for suspicious UNC path access and enforce network segmentation to prevent hash relay attacks.

16 May 2026Microsoft/Windows Snipping Tool

criticalCampaignActive

UNC6671's BlackFile Campaign: Vishing and AiTM as a Vector to Cloud Extortion at Scale

UNC6671 operates BlackFile, an extortion campaign using sophisticated vishing and adversary-in-the-middle techniques to bypass MFA and compromise Microsoft 365 and Okta environments, exfiltrating corporate data for extortion. The attack chain circumvents traditional perimeter defences by targeting human authentication vectors rather than technical infrastructure.

16 May 2026Microsoft 365, Okta, Cloud environments

mediumCampaignActive

Aggregated Security Digest: Multiple Vectors from Cloud Gaming Breaches to Legislative Pressure

SecurityWeek reports on multiple concurrent security issues including an Nvidia cloud gaming data breach, Canvas LMS compromise by ShinyHunters following FBI warning, Android 17 hardening, and automotive/enterprise vulnerabilities. The clustering suggests defenders face distributed pressure across consumer, educational, and enterprise sectors.

16 May 2026Nvidia, Canvas LMS, Android +2

highMalwareActive

Turla Weaponises Kazuar Backdoor as P2P Botnet: FSB-Linked Group Escalates Persistence Capabilities

Russian state-sponsored group Turla has rebuilt its Kazuar backdoor into a modular peer-to-peer botnet designed for stealth and persistent command-and-control. This represents a significant operational upgrade that complicates detection and attribution for defenders.

16 May 2026Enterprise networks (sector-agnostic), Government and critical infrastructure organisations

highVulnerabilityActive

THORChain vault compromise exposes multi-signature custody weaknesses in DeFi infrastructure

THORChain suffered a $10.7 million theft from one of six vaults, indicating a compromise of their multi-signature custody mechanism. This demonstrates that even established DeFi platforms remain vulnerable to sophisticated attacks targeting key management and vault architecture.

16 May 2026THORChain

criticalVulnerabilityActive

Active exploitation of Funnel Builder plugin vulnerability exposes WooCommerce payment data

Attackers are actively exploiting a critical flaw in the Funnel Builder WordPress plugin to inject malicious JavaScript into WooCommerce checkout pages, enabling payment card theft from customer transactions.

16 May 2026Funnel Builder plugin for WordPress, WooCommerce

criticalVulnerabilityActive

Marten Full-Text Search SQL Injection via Unparameterized regConfig

Marten's full-text search APIs directly interpolate user-supplied regConfig parameters into SQL queries without sanitization, enabling unauthenticated SQL injection against PostgreSQL backends. The PoC confirms multiple attack vectors including time-based exfiltration and arbitrary query execution.

CVE-2026-45288

15 May 2026JasperFx/marten

criticalVulnerabilityActive

VM2 Sandbox Escape via Async Generator Type Confusion

VM2 fails to properly isolate host exceptions thrown during async generator cleanup, allowing attackers to break sandbox confinement and execute arbitrary host code. This PoC reliably demonstrates RCE by constructing a type-confused Error object that escapes sandbox restrictions.

CVE-2026-45411

15 May 2026vm2

informationalPolicyActive

Cyber Incident Signals as Financial Indicators: Exploring the Intersection of Security Breach Data and Market Trading

SentinelOne Labs researchers examined whether publicly disclosed breach signals and market timing models can be used to predict or capitalise on stock price movements following cyber incidents, exploring the emerging intersection of cybersecurity data and financial markets.

15 May 2026

informationalPolicyEmerging

Data Center Security-Performance Tradeoff Revisited for AI Infrastructure

SecurityWeek publishes guidance on implementing security controls in AI data centres without proportional performance degradation. This reflects growing industry recognition that security and throughput constraints can be co-optimised through architectural choices.

15 May 2026

criticalSupply ChainActive

Supply-chain compromise in node-ipc npm package: three malicious versions distribute data-stealing backdoor

Three versions of the widely-used node-ipc npm package (9.1.6, 9.2.3, 12.0.1) were found to contain malicious code designed to exfiltrate developer secrets and credentials. This represents a direct compromise of a critical infrastructure dependency affecting Node.js projects globally.

15 May 2026node-ipc npm package, Node.js projects using affected versions

highSupply ChainActive

Coordinated supply chain compromise targets AI companies through TanStack and ecosystem packages

A supply chain campaign has compromised the TanStack npm library and related packages on npm and PyPI, affecting multiple AI companies including OpenAI. The attack leverages trusted open-source dependencies to distribute malicious code to downstream users.

15 May 2026OpenAI, TanStack, npm ecosystem +2

highCampaignActive

TeamPCP extortion campaign targets Mistral AI source code repositories

The TeamPCP hacker group is threatening to publicly release proprietary source code from Mistral AI unless a buyer purchases the stolen data. This represents a significant intellectual property theft and potential supply-chain risk for the AI company's customers and partners.

15 May 2026Mistral AI

criticalVulnerabilityActive

Unauthenticated Solr Streaming Expression Proxy in Goobi Viewer REST API

Goobi viewer's POST /api/v1/index/stream endpoint forwarded arbitrary Solr streaming expressions without authentication, enabling complete index exfiltration, modification, and deletion. This PoC demonstrates pre-authentication remote code execution risk against backend search infrastructure.

CVE-2026-45083

14 May 2026Goobi/goobi-viewer-core

criticalVulnerabilityActive

SiYuan Bazaar Stored XSS via Unescaped Package Metadata Leading to Electron RCE

SiYuan's Bazaar marketplace fails to HTML-escape package `name` and `version` fields before rendering them to DOM via `innerHTML`, enabling stored XSS that escalates to OS command execution due to permissive Electron security configuration (nodeIntegration enabled, contextIsolation disabled).

CVE-2026-45375

14 May 2026SiYuan/SiYuan (all versions prior to patch)

criticalVulnerabilityActive

Strapi Content-Type Builder SQL Injection via Unsanitized Raw Database Queries

CVE-2026-22599 allows authenticated administrators to inject arbitrary SQL through the Content-Type Builder's `column.defaultTo` attribute, enabling database compromise including file read, DoS, and potential RCE. This PoC demonstrates a critical gap in input validation on trusted user boundaries.

CVE-2026-22599

14 May 2026strapi/content-type-builder, strapi/plugin-content-type-builder

highVulnerabilityActive

Pixel 10 0-click exploit chain demonstrates persistent Android attack surface despite mitigations

Google Project Zero published a 0-click exploit chain for Pixel 10 leveraging CVE-2025-54957 (Dolby vulnerability) and bypassing RET PAC mitigations. The attack requires only two exploits to achieve root access from a zero-interaction context, indicating modern Android devices remain vulnerable despite security hardening.

CVE-2025-54957

14 May 2026Google Pixel 10, Google Pixel 9, Android platform (historical)

highCampaignActive

Nitrogen Ransomware Claims 8TB Theft from Foxconn North American Operations

The Nitrogen ransomware group claims to have compromised Foxconn's North American manufacturing facilities and exfiltrated 8TB of data including confidential documents. This represents a significant supply chain risk given Foxconn's role as a critical electronics manufacturer for major tech companies.

14 May 2026Foxconn, North American manufacturing facilities

highCampaignActive

Chinese-linked FamousSparrow expands targeting to Azerbaijani energy sector via Microsoft Exchange exploitation

A Chinese-affiliated threat actor designated FamousSparrow conducted a multi-wave intrusion against an Azerbaijani oil and gas company between December 2025 and February 2026, exploiting Microsoft Exchange vulnerabilities as an initial access vector. This represents a notable shift in the group's targeting geography and suggests persistent interest in critical infrastructure.

14 May 2026Microsoft Exchange, Azerbaijani oil and gas sector

informationalPolicyActive

Dream Market admin extradition signals enforcement momentum against tier-1 darknet marketplaces

Owe Martin Andresen, alleged administrator of Dream Market, was arrested in Germany following a US indictment. The arrest demonstrates coordinated international law enforcement action against established criminal marketplaces that operated for over a decade.

14 May 2026Dream Market platform

criticalVulnerabilityActive

SillyTavern Header-Based SSO Authentication Bypass – Untrusted Proxy Trust Model

SillyTavern trusts HTTP headers (`Remote-User`, `X-Authentik-Username`) from any network client without validating origination from a trusted reverse proxy, allowing unauthenticated attackers to impersonate any user including administrators. This is a foundational architectural flaw in SSO integration.

CVE-2026-44649

13 May 2026SillyTavern < 1.18.0

criticalVulnerabilityActive

Mapfish Print Unauthenticated Remote Code Execution via Dynamic Table Processing

Mapfish Print contains an unauthenticated RCE vulnerability in dynamic table functionality, allowing arbitrary code execution without credentials. This PoC is significant for defenders as it demonstrates a critical authentication bypass combined with code injection.

CVE-2026-44672

13 May 2026Mapfish/Mapfish Print

highPolicyActive

Incident Response Planning Must Differentiate State-Sponsored Threats from Commodity Ransomware

Cisco Talos highlights that responding to state-sponsored intrusions requires fundamentally different IR strategies than ransomware incidents. Organisations using ransomware-focused response playbooks may fail to detect or contain nation-state actors.

13 May 2026Enterprise organisations across all sectors