PAN-OS Zero-Day Under Active Exploitation Grants Root Access on Firewalls
Palo Alto Networks warned that CVE-2026-0300 in the PAN-OS Captive Portal is being actively exploited and allows unauthenticated remote code execution with root privileges. Because the bug affects internet-exposed firewalls, it stands out as one of the highest-priority issues of the week.
Source: Palo Alto Networks
cPanel Vulnerability Weaponized Against Government and MSP Networks
Threat actors were observed exploiting CVE-2026-41940 in cPanel and WHM shortly after disclosure, targeting government, military, hosting, and managed service provider environments. The flaw enables authentication bypass and gives attackers elevated control over exposed control panels.
Source: The Hacker News
DigiCert Revokes Fraudulently Issued Certificates After Support Portal Hack
DigiCert revoked certificates that were obtained after attackers compromised systems through a malicious payload delivered to its support team and pivoted into an internal support portal. The incident is notable because it involved EV Code Signing certificates and exposed weaknesses in internal trust workflows.
Source: SecurityWeek
Copy Fail Linux Root Bug Moves From Disclosure to In-The-Wild Exploitation
CVE-2026-31431, also known as Copy Fail, has already been added to CISA’s KEV catalog after limited exploitation was observed. The flaw affects Linux systems across major distributions and can allow local attackers to escalate privileges to root.
Source: SecurityWeek
DAEMON Tools Supply Chain Attack Confirmed by Vendor
DAEMON Tools Lite confirmed unauthorized interference in its infrastructure after trojanized installers were distributed from the legitimate site. The case is a classic software supply chain compromise because signed installation packages from a trusted vendor were turned into malware delivery vehicles.
Source: DAEMON Tools
Official SAP npm Packages Compromised in TeamPCP-Linked Supply Chain Attack
Multiple official SAP CAP and Cloud MTA npm packages were compromised with malicious code that downloaded and executed unverified binaries. Because these packages are used in real developer and CI/CD workflows, the incident creates direct risk to credentials, tokens, and build environments.
Source: Socket
AI Supply Chain Abuse Hits Hugging Face and OpenClaw Ecosystems
Acronis reported active abuse of AI platforms including Hugging Face and OpenClaw, identifying more than 575 malicious skills in the OpenClaw ecosystem. The campaign shows how attacker-controlled tools inside AI ecosystems can push malware through trusted workflows rather than through classic phishing alone.
Source: Acronis
Trellix Confirms Source Code Repository Breach
Trellix disclosed unauthorized access to part of its source code repository and said it is still investigating the intrusion with forensic support. Although the company said it has not found evidence that release or distribution systems were affected, the breach is significant because it involves a major cybersecurity vendor.
Source: Trellix
Microsoft Details Large-Scale Code-of-Conduct Phishing Campaign Leading to AiTM Token Theft
Microsoft described a broad phishing campaign using code-of-conduct-themed lures, multi-stage delivery, and legitimate email services to steal credentials and session tokens. The campaign targeted tens of thousands of users and shows how polished enterprise-style phishing continues to evolve beyond basic credential harvesting.
Source: Microsoft Security Blog
Google AppSheet Abuse Linked to 30,000 Compromised Facebook Accounts
Researchers traced a phishing operation that used Google AppSheet to send authenticated messages and compromise more than 30,000 Facebook accounts. The campaign stands out because it abused trusted Google infrastructure to improve delivery and bypass many normal email trust checks.
Source: Guardio
Breeze Cache WordPress Plugin Is Under Active Exploitation
Attackers are actively exploiting a critical arbitrary file upload vulnerability in the Breeze Cache plugin for WordPress. With hundreds of thousands of active installations and remote code execution potential, the flaw moved quickly from disclosure to widespread attack traffic.
Source: Wordfence
MetInfo CMS RCE Flaw Is Being Exploited in the Wild
Threat actors are exploiting CVE-2026-29014, a critical unauthenticated PHP code injection flaw in MetInfo CMS. The vulnerability enables remote code execution through crafted requests and has already attracted real-world attacker activity.
Source: The Hacker News
Critical Ollama Bug Could Expose 300,000 AI Deployments to Secret Theft
A critical vulnerability in Ollama could let remote unauthenticated attackers extract prompts, messages, API keys, and other secrets from roughly 300,000 exposed deployments. Because Ollama is widely used as a self-hosted inference engine, the issue directly affects real enterprise AI environments rather than a niche lab setup.
Source: SecurityWeek
Talos Exposes China-Nexus APT UAT-8302 and Its Malware Arsenal
Cisco Talos disclosed UAT-8302 as a China-nexus APT focused on obtaining and maintaining long-term access to government and related entities. The group uses credential theft, open-source tooling, and custom malware, and appears to share technical overlap with other sophisticated Chinese-speaking threat clusters.
Source: Cisco Talos
Critical vm2 Sandbox Escape Bugs Enable Host Code Execution
Critical vulnerabilities in the vm2 Node.js sandbox library allow attackers to escape the sandbox and execute code on the host system. The issue is especially important because vm2 is commonly used to run untrusted JavaScript, which means the failure hits exactly the control boundary organizations expect it to enforce.
Source: GitHub Security Advisories
AresISEC d.o.o. · Zagreb, Croatia · OIB: 49411602130 · info@aresisec.hr
© 2026 AresISEC