blog

FOCUS FRIDAY: TPRM Insights on Critical Vulnerabilities In Langflow, FreeBSD, and Memcached

Published

May 29, 2026

Introduction

Welcome to another edition of Focus Friday. This week's vulnerabilities span three distinct layers of modern infrastructure: an AI workflow orchestration platform at the heart of enterprise AI operations, an operating system powering network appliances and embedded systems worldwide, and an in-memory caching layer present in virtually every high-performance web application stack.

CVE-2025-34291 is a critical CORS/CSRF vulnerability chain in Langflow that allows an unauthenticated attacker to hijack an authenticated user's session and achieve full Remote Code Execution on the host server — without ever needing direct access to the Langflow instance. A public Proof-of-Concept is available, and the vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on May 21, 2026, confirming active exploitation in the wild. Separately, the FreeBSD Project has issued seven security advisories addressing vulnerabilities ranging from a critical over-the-air Remote Code Execution flaw triggered during Wi-Fi network scanning (CVE-2026-45255, CVSS 9.8) to multiple kernel-level privilege escalation paths, Use-After-Free vulnerabilities, and sandboxing breaches — collectively capable of granting unprivileged local users or remote physical attackers full root-level control. Finally, two timing side-channel vulnerabilities in Memcached's SASL authentication subsystem — CVE-2026-47783 and CVE-2026-47784 — allow attackers to enumerate valid usernames and systematically guess passwords byte by byte by analyzing authentication response times, threatening the caching infrastructure that accelerates applications across millions of enterprise deployments.

For Third-Party Risk Management (TPRM) professionals, this week's disclosures demonstrate that critical exposure reaches into AI development platforms that vendors rely on for internal automation, operating systems running their network and embedded infrastructure, and the caching layers that underpin their application performance. Understanding which vendors are exposed across each of these layers is the defining challenge this week.

Filtered view of vendors with Langflow - May2026 FocusTag® on the Black Kite platform.

Langflow - May2026 (CVE-2025-34291)

What Is the Langflow CORS/CSRF Vulnerability Chain?

CVE-2025-34291 is a Critical-severity vulnerability chain with a CVSS score of 9.4 and an EPSS score of 31.85%, affecting Langflow versions up to and including 1.6.9. Langflow is a widely deployed open-source visual framework for building AI workflows and multi-agent systems. A public Proof-of-Concept exploit is available. CVE-2025-34291 was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on May 21, 2026, and is listed in the EU Vulnerability Database as EUVD-2025-201507. This vulnerability builds upon the previously disclosed CVE-2025-3248, which added authentication requirements to Langflow's code execution endpoint — requirements that CVE-2025-34291 now bypasses entirely via session hijacking.

The exploit chains three structural vulnerabilities. First, Langflow's backend configures FastAPI's CORSMiddleware with wildcard rules combined with allow_credentials=True, permitting credentialed cross-origin communication from any arbitrary domain. Second, while the primary access token cookie (access_token_lf) uses SameSite=Lax restrictions, the companion refresh_token_lf cookie is explicitly configured with SameSite=None; Secure, making it accessible in cross-site contexts — and the /api/v1/refresh endpoint lacks CSRF validation tokens or origin-verification headers. Third, Langflow's /api/v1/validate/code endpoint compiles and executes custom Python scripts via the exec() function, trusting any authenticated session as legitimate.

The attack requires no direct access to the target Langflow instance. When an authenticated Langflow user visits an attacker-controlled website, a background POST request is issued to the victim's internal /api/v1/refresh endpoint. Because the refresh cookie is SameSite=None, the browser appends it automatically. Permissive CORS rules allow the attacker's script to read the response, extracting a fresh JWT access token. With that token, the script immediately submits a crafted Python payload to /api/v1/validate/code. The exec() loop processes the malicious snippet and breaks out of the application context, executing system-level commands with the privileges of the Langflow web process — achieving full host RCE without the attacker ever needing to reach the Langflow instance directly. This attack vector is particularly dangerous because it successfully compromises non-public-facing, internal, and on-premises Langflow deployments.

Why Should TPRM Professionals Care About the Langflow May 2026 Vulnerability?

Langflow serves as a central integration hub for enterprise AI operations — orchestrating connections between large language models, internal vector databases, and enterprise SaaS platforms. Consequently, a compromised Langflow instance holds master API tokens, cloud infrastructure credentials, database passwords, and authentication keys for every system it integrates with. A successful RCE via CVE-2025-34291 does not compromise a single application — it provides access to the encrypted credential store of the entire AI workflow infrastructure.

For TPRM professionals, the CORS/CSRF attack vector introduces a uniquely difficult risk dimension: the attacker does not need to find or reach the vendor's Langflow instance. They only need to trick an authenticated Langflow user — a developer, data scientist, or administrator — into visiting a malicious page. This means that network-level controls around the Langflow deployment provide no protection against this specific attack chain. With active exploitation confirmed by CISA KEV listing and a 31.85% EPSS score, vendors running Langflow 1.6.9 or earlier are at immediate, demonstrated risk.

What Questions Should TPRM Professionals Ask Vendors About the Langflow May 2026 Vulnerability?

To assess your third-party partners' exposure to this actively exploited vulnerability chain, consider asking the following technical questions:

Have all Langflow instances been upgraded beyond version 1.6.9 and configured with explicit CORS allowed origins (using the LANGFLOW_CORS_ORIGINS environment variable) rather than the vulnerable wildcard default that enables the cross-origin credential theft in this exploit chain?
Has the refresh token cookie configuration been hardened to enforce SameSite=Lax or SameSite=Strict for the refresh_token_lf cookie, eliminating the cross-site CSRF attack surface on the /api/v1/refresh endpoint?
Is the Langflow application network segment micro-segmented with outbound internet access blocked — except to verified LLM provider API endpoints — to prevent reverse shell callbacks and automated credential exfiltration following a successful RCE?
Have application logs been reviewed for anomalous traffic spikes to /api/v1/refresh from unusual external referrers, or repeated calls to /api/v1/validate/code from unexpected session contexts, which would indicate active exploitation attempts?
Is the Langflow application process running under a strictly isolated, low-privileged service account rather than root or a broad system administrator profile, to limit the blast radius of a successful RCE payload?

Remediation Recommendations for Vendors Subject to This Risk

The following recommendations are drawn from the Obsidian Security disclosure of CVE-2025-34291 and the VulnCheck advisory on Langflow CORS misconfiguration.

Manually Harden CORS Configuration: Use the newly introduced environment variables to restrict allowed origins explicitly to authorized corporate domains. Never leave CORS configured with wildcard rules combined with allow_credentials=True.
Harden Refresh Cookie Configuration: Modify the backend REFRESH_SAME_SITE setting to enforce Lax or Strict handling if the frontend and backend share the same parent domain, eliminating the cross-site refresh token accessibility that enables session hijacking.
Enforce Micro-Segmentation: Isolate the Langflow network segment and block all outbound internet access from the host server except to verified LLM provider API endpoints. This prevents reverse shell callbacks following RCE.
Monitor Endpoint Activity: Actively monitor /api/v1/refresh for cross-origin requests from unexpected referrers and /api/v1/validate/code for unusual call frequency or payload patterns indicating exploitation attempts.
Run Under Least Privilege: Execute the Langflow application process as a strictly isolated, low-privileged user account to constrain the impact of any successful RCE payload.

Black Kite's Langflow - May2026 FocusTag® details critical insights on the event for TPRM professionals.

FreeBSD - May2026 (CVE-2026-45255, CVE-2026-45250, CVE-2026-45251, CVE-2026-45252, CVE-2026-39461, CVE-2026-45254, CVE-2026-45253)

What Are the FreeBSD - May2026 Vulnerabilities?

The FreeBSD Project has issued seven security advisories addressing critical vulnerabilities across the core operating system. The most severe, CVE-2026-45255 (CVSS 9.8, Critical), enables over-the-air Remote Code Execution during Wi-Fi network scanning. The remaining six vulnerabilities — CVE-2026-45250, CVE-2026-45251, CVE-2026-45252, CVE-2026-39461, CVE-2026-45254, and CVE-2026-45253 — cover kernel privilege escalation, Use-After-Free conditions, heap memory leakage, sandboxing breaches, and network-based Denial of Service. Public PoC methodologies have been reported. None of these vulnerabilities are listed in CISA's KEV Catalog. They are tracked in the EU Vulnerability Database under identifiers EUVD-2026-31263, EUVD-2026-31252, EUVD-2026-31256, EUVD-2026-31254, EUVD-2026-31258, EUVD-2026-31264, and EUVD-2026-31257. Affected versions are FreeBSD 15.0 prior to 15.0-RELEASE-p9, FreeBSD 14.4 prior to 14.4-RELEASE-p5, and FreeBSD 14.3 prior to 14.3-RELEASE-p14. Approximately 1,062 FreeBSD instances are discoverable on Shodan.

CVE-2026-45255 is a command injection flaw in bsdinstall and bsdconfig, FreeBSD's interactive setup utilities. When the OS scans for nearby Wi-Fi networks, the underlying shell script processes beacon names through bsddialog(1) without safely escaping them. A suitably crafted network name executes arbitrary subshell commands with root privileges — triggered the moment the system scans, without requiring the target to select the malicious network. CVE-2026-45250 (CVSS 7.8) is a stack overflow in the setcred(2) system call: the call copies user-supplied supplementary groups into a fixed-size kernel stack buffer before validating caller rights, enabling an unprivileged local user to overflow the stack and execute arbitrary code in kernel context. CVE-2026-45251 (CVSS 7.8) is a kernel Use-After-Free involving file descriptors: closing a targeted file descriptor while a thread is blocked in select(2) or poll(2) can free the underlying object while threads still hold references, leading to local privilege escalation.

CVE-2026-45252 (CVSS 5.5) affects the fusefs module, where strlen() is called on FUSE_LISTXATTR responses without validating NUL-termination, allowing malicious mount daemons to leak kernel heap memory or inject data into unallocated spaces — a sandboxing breach. CVE-2026-39461 (CVSS 8.8) is a stack overflow in the libcasper(3) helper proxy, where failure to verify that UNIX socket descriptors fit within allocated bounds enables a sandboxing breach and further exploitation. CVE-2026-45254 (CVSS 6.5) is a type confusion issue caused by an incorrect kernel lock order, leading to local privilege escalation. CVE-2026-45253 (CVSS 8.4) is a resource exhaustion flaw in kernel network traffic handling, enabling a Denial of Service by consuming excessive system resources.

Why Should TPRM Professionals Care About the FreeBSD Vulnerabilities?

FreeBSD is not just a desktop or server operating system — it is the foundation of numerous network appliances, storage systems, embedded platforms, and security devices. Products from major vendors including network firewalls, NAS appliances, and routing infrastructure are built directly on FreeBSD. This means that these seven vulnerabilities do not exclusively affect organizations running FreeBSD servers — they may affect the vendor-supplied appliances and network devices that organizations deploy throughout their environments.

For TPRM professionals, CVE-2026-45255 represents a particularly novel risk vector: a physical attacker within radio range of a FreeBSD system during Wi-Fi scanning can achieve root-level code execution without network connectivity to the target. For vendors operating in co-location facilities, shared office spaces, or environments with limited physical access control, this over-the-air attack surface demands specific attention. The kernel privilege escalation paths (CVE-2026-45250, CVE-2026-45251, CVE-2026-45254) compound this risk: even a low-privilege attacker who gains an initial foothold through any means can escalate to full root access using these flaws on unpatched FreeBSD systems.

What Questions Should TPRM Professionals Ask Vendors About the FreeBSD Vulnerabilities?

To evaluate your third-party partners' FreeBSD infrastructure security posture, consider asking the following technical questions:

Have all FreeBSD instances been updated to the patched versions — 15.0-RELEASE-p9, 14.4-RELEASE-p5, or 14.3-RELEASE-p14 — applying all seven security advisories issued by the FreeBSD Project on May 20, 2026?
Do any vendor-supplied appliances or network devices in your environment run FreeBSD as their underlying OS, and if so, have the relevant device vendors issued firmware updates addressing these kernel vulnerabilities?
In sensitive environments where physical access by untrusted actors is possible, has Wi-Fi network scanning via bsdinstall or bsdconfig been disabled or restricted on FreeBSD systems as a compensating control for CVE-2026-45255 until patches are applied?
Has the principle of least privilege been enforced for all local user accounts on FreeBSD systems, given that CVE-2026-45250, CVE-2026-45251, and CVE-2026-45254 each enable privilege escalation to root from an unprivileged local user?

Remediation Recommendations for Vendors Subject to This Risk

The following recommendations are drawn from the FreeBSD Project's official security advisories and the securityonline.info technical analysis of these vulnerabilities.

Apply All Security Updates Immediately: Patch all FreeBSD instances to 15.0-RELEASE-p9, 14.4-RELEASE-p5, or 14.3-RELEASE-p14 by applying all seven official security advisories. This is the definitive remediation across all vulnerability classes.
Restrict Wi-Fi Scanning in Sensitive Environments: Until patches are applied, avoid prompting FreeBSD systems to scan for nearby Wi-Fi networks using bsdinstall or bsdconfig in environments where physical access by untrusted actors is possible.
Enforce Least Privilege: Review and restrict local user account permissions across all FreeBSD systems. Minimizing initial user access significantly limits the impact of the kernel privilege escalation vulnerabilities.
Monitor System Logs for Anomalies: Actively monitor kernel and system logs for unexpected privilege escalation events, memory corruption indicators, or unusual process activity that may signal active exploitation attempts.
Audit FreeBSD-Based Appliances: Identify and inventory all vendor-supplied appliances and network devices running FreeBSD. Contact those vendors for firmware update availability and timelines addressing these kernel-level vulnerabilities.

Black Kite's FreeBSD - May2026 FocusTag® details critical insights on the event for TPRM professionals.

Memcached (CVE-2026-47783, CVE-2026-47784)

What Are the Memcached SASL Timing Side-Channel Vulnerabilities?

CVE-2026-47783 and CVE-2026-47784 are two High-severity timing side-channel vulnerabilities with a CVSS score of 8.1 each, affecting Memcached versions prior to 1.6.42. No public Proof-of-Concept exploit has been reported, and neither vulnerability is listed in CISA's KEV Catalog. The flaws reside in Memcached's SASL (Simple Authentication and Security Layer) authentication subsystem, the authentication mechanism used when Memcached is deployed with authentication enabled.

CVE-2026-47783 enables username enumeration via timing analysis. The SASL authentication handler processes valid and invalid usernames through code paths of measurably different execution duration. By submitting authentication requests with candidate usernames and precisely measuring the server's response time, an attacker can determine whether a given username exists in the system — distinguishing valid accounts from invalid ones without triggering account lockouts or generating alerting events. CVE-2026-47784 compounds this into a full credential recovery attack: once valid usernames are identified, the attacker can exploit a second timing discrepancy in the password validation path to guess passwords one byte at a time. Rather than brute-forcing the full password space, the attacker iterates through possible values for each character position, measuring response time differences to confirm correct bytes — systematically reconstructing valid credentials with a fraction of the attempts that brute-force would require. The fixed version is Memcached 1.6.42.

Why Should TPRM Professionals Care About the Memcached Vulnerabilities?

Memcached is deployed as the high-performance caching layer in web applications, API platforms, and microservice architectures across virtually every enterprise that operates at scale. Its role is to hold frequently accessed data in memory — including session tokens, user authentication states, API rate-limit counters, and application configuration values — precisely the data that is most sensitive to unauthorized access.

For TPRM professionals, the timing side-channel attack model creates a risk that is particularly difficult to detect and defend against without the patch. Unlike brute-force attacks that generate high volumes of failed authentication attempts, timing analysis attacks can be conducted at low request rates that evade standard rate-limiting and anomaly detection thresholds. An attacker who successfully recovers Memcached SASL credentials gains read and write access to the entire cache — the ability to read cached session data, inject malicious cache entries that propagate through the application, or delete critical cached values to degrade application performance. In environments where Memcached caches authentication tokens or session data shared between services, a cache compromise can translate directly into lateral movement across the application stack.

What Questions Should TPRM Professionals Ask Vendors About the Memcached Vulnerabilities?

To assess your third-party partners' caching infrastructure security posture, consider asking the following technical questions:

Has Memcached been upgraded to version 1.6.42 or higher across all deployments to remediate the SASL timing side-channel vulnerabilities CVE-2026-47783 and CVE-2026-47784?
Are all Memcached instances bound exclusively to trusted internal interfaces, with public internet access blocked at the firewall level — Memcached should never be directly accessible from untrusted networks regardless of authentication configuration?
Have SASL authentication logs been reviewed for any unusual patterns of low-rate authentication attempts across multiple usernames or with systematically varying password candidates, which could indicate an active timing analysis attack?
Does Memcached cache any session tokens, authentication states, or credentials that, if accessed by an unauthorized party, would enable lateral movement into connected application services or infrastructure?

Remediation Recommendations for Vendors Subject to This Risk

The following recommendations are drawn from the Memcached release notes for version 1.6.42 published at github.com/memcached/memcached and the securityonline.info technical analysis of CVE-2026-47783.

Upgrade to Memcached 1.6.42 Immediately: This release implements constant-time comparison functions across the SASL authentication subsystem, eliminating the timing discrepancies exploited by both CVE-2026-47783 and CVE-2026-47784.
Restrict Network Access: Bind all Memcached instances exclusively to trusted internal interfaces. Apply firewall rules to block any external access to Memcached ports. Memcached is not designed for direct public internet exposure under any configuration.
Rotate SASL Credentials: As a precautionary measure, rotate all SASL authentication credentials after upgrading, in the event that any prior timing analysis attempts may have partially recovered credential data before the patch was applied.
Audit What Is Cached: Review what data types are stored in Memcached. Ensure that highly sensitive values — particularly authentication tokens, session identifiers, and credentials — are either encrypted before caching or stored with sufficiently short TTLs to limit their exposure window in the event of unauthorized cache access.

Black Kite's Memcached FocusTag® details critical insights on the event for TPRM professionals.

How TPRM Professionals Can Leverage Black Kite for These Vulnerabilities

This week's three FocusTags® expose fundamentally different attack surfaces that share a common thread: each targets infrastructure that vendors rely on but may not fully monitor for third-party risk purposes. AI workflow platforms like Langflow are often treated as developer tooling rather than production risk surfaces — yet they hold credentials for every system they integrate with. FreeBSD-based infrastructure spans server deployments and vendor-supplied appliances that organizations may not even know run the same vulnerable kernel. And caching layers like Memcached are rarely assessed in third-party risk programs despite holding sensitive session and authentication data. Black Kite's threat intelligence team published the Langflow - May2026 FocusTag® on May 22, 2026, the FreeBSD - May2026 FocusTag® and the Memcached | SASLVulnMay2026 FocusTag® on May 25, 2026.

TPRM teams can operationalize these FocusTags® to immediately filter their vendor portfolio and identify organizations running vulnerable Langflow deployments — including the actively exploited CORS/CSRF chain confirmed by CISA — as well as vendors with discoverable FreeBSD instances carrying critical kernel vulnerabilities, or Memcached deployments pre-1.6.42 exposed to SASL timing attacks. Rather than relying on vendors to self-report patching status through questionnaire cycles, analysts can use Black Kite's platform to drive evidence-based outreach grounded in observable infrastructure data.

A defining capability of Black Kite's intelligence is the granularity of asset detail surfaced for each identified vendor. When the Langflow - May2026 FocusTag® identifies a vendor as exposed, the platform provides the specific IP addresses and subdomains hosting the vulnerable Langflow version — enabling TPRM teams to present vendors with precise, undeniable evidence of their exposure rather than generic advisories. The same granularity applies to FreeBSD and Memcached identifications, allowing targeted remediation requests that accelerate vendor response and reduce the time-to-remediation across the portfolio.

Strengthening TPRM Outcomes with Black Kite’s FocusTags®

This week's disclosures demonstrate that third-party risk extends into every layer of vendor infrastructure — from the AI platforms orchestrating enterprise workflows to the operating systems powering network devices and the caching systems accelerating applications. Traditional point-in-time assessments and annual questionnaire cycles cannot provide the continuous visibility needed to identify this breadth of exposure in time to prevent exploitation. Black Kite's FocusTags® are designed to bridge this gap, delivering precise, vendor-specific risk signals as new vulnerabilities emerge.

When managing this week's disclosures, Black Kite's FocusTags® empower your team through:

Immediate Threat Visibility: Instantly identify which vendors are running vulnerable Langflow versions subject to active CISA KEV exploitation, FreeBSD deployments carrying critical kernel vulnerabilities, or Memcached instances exposed to SASL timing side-channel attacks — enabling targeted outreach before exploitation reaches your supply chain.
Contextual Risk Triage: Evaluate each vendor's exposure against their role in your ecosystem. A vendor whose Langflow deployment processes shared AI workflows or whose FreeBSD-based firewall appliance protects sensitive shared infrastructure demands different urgency than one with Memcached deployed only in an internal testing environment.
Evidence-Based Vendor Collaboration: Move beyond broad questionnaires. Equip risk teams with the exact IP addresses and subdomains identified as running vulnerable Langflow, FreeBSD, or Memcached instances, enabling precise, verifiable remediation conversations grounded in observable infrastructure evidence.
Resilient Supply Chain Defense: Maintain continuous visibility across the full breadth of your vendor technology stack — including AI development platforms, operating system infrastructure, and application caching layers — so your organization can adapt its security posture as new vulnerability classes emerge across previously unmonitored surfaces.

By transforming raw cyber threat data into precise, actionable intelligence, Black Kite's FocusTags® provide TPRM professionals with the exact tools needed to efficiently and effectively secure the digital supply chain against today's most sophisticated attacks.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags® in the Last 30 Days:

Langflow - May2026 : CVE-2025-34291, Critical CORS/CSRF and Remote Code Execution Vulnerabilities in Langflow.
FreeBSD - May2026 : CVE-2026-45255, CVE-2026-45250, CVE-2026-45251, CVE-2026-45252, CVE-2026-39461, CVE-2026-45254, CVE-2026-45253, Critical and High-Severity Remote Code Execution, Kernel Privilege Escalation, Sandboxing Breaches, and Network Denial of Service Vulnerabilities in FreeBSD core OS.
Memcached - May2026 : CVE-2026-47783, CVE-2026-47784, High-Severity SASL Authentication Timing Side-Channel Vulnerabilities in Memcached.
Exchange Server - May2026 : CVE-2026-42897, High-Severity Cross-Site Scripting (XSS) Vulnerability in Outlook Web Access (OWA).
NGINX - May2026 : Critical Memory Corruption and Remote Code Execution Vulnerability in Nginx.
OpenClaw - May2026 : CVE-2026-44112, CVE-2026-44113, CVE-2026-44115, CVE-2026-44118, Critical Sandbox Escape, Sensitive Data Exfiltration, Privilege Escalation, and Persistent Backdoor Installation Vulnerabilities in OpenClaw.
Flowise - May2026 : CVE-2026-46442, Critical Sandbox Escape and Remote Code Execution Vulnerability in Flowise.
PostgreSQL - May2026 : CVE-2026-6637, CVE-2026-6477, CVE-2026-6473, CVE-2026-6475, CVE-2026-6479, High-Severity Stack Buffer Overflow, Memory Corruption, Integer Wraparound, Filesystem Hijacking, and Denial of Service Vulnerabilities in PostgreSQL.
MongoDB - May2026 : CVE-2026-8053, Critical Time-Series Arbitrary Code Execution Vulnerability in MongoDB Server.
pgAdmin - May2026 : CVE-2026-7813, CVE-2026-7816, CVE-2026-7815, CVE-2026-7820, CVE-2026-7818, CVE-2026-7817, CVE-2026-7819, Critical and High-Severity OS Command Injection, Improper Authorization, Unsafe Deserialization, SSRF, and Authentication Bypass Vulnerabilities in pgAdmin 4.
FreePBX - May2026 : CVE-2026-46376, Critical Hard-Coded Credentials Vulnerability in FreePBX User Control Panel (UCP).
n8n - May2026 : CVE-2026-44790, CVE-2026-44791, CVE-2026-44789, Critical Arbitrary File Read, Prototype Pollution, and Remote Code Execution Vulnerabilities in n8n.
Dead.Letter : CVE-2026-45185, Critical Remote Code Execution, Use-After-Free, Memory Corruption, and Improper Input Validation Vulnerabilities in Exim Mail Server.
SharePoint - May2026 : CVE-2026-35439, CVE-2026-33110, CVE-2026-33112, CVE-2026-40357, CVE-2026-40365, CVE-2026-40368, High-Severity Remote Code Execution Vulnerabilities in Microsoft SharePoint.
MSSQL - May2026 : CVE-2026-40370, High-Severity Remote Code Execution and Privilege Escalation Vulnerability in Microsoft SQL Server.
cPanel & WHM : CVE-2026-41940, Critical Authentication Bypass Vulnerability in cPanel & WHM.
Redis - May2026 : CVE-2026-25243, CVE-2026-25588, CVE-2026-25589, CVE-2026-23479, CVE-2026-23631, High-Severity Invalid Memory Access and Use-After-Free Vulnerabilities in Redis.
Ivanti EPMM - May2026 : CVE-2026-6973, CVE-2026-7821, Improper Input Validation, Remote Code Execution, Improper Certificate Validation, Authentication Bypass, Information Disclosure, and Data Integrity Failure Vulnerabilities in Ivanti EPMM.