Security Highlights Of The Week [05/26-2]

PAN-OS Zero-Day Under Active Exploitation Grants Root Access on Firewalls
Palo Alto Networks says CVE-2026-0300 in the PAN-OS Captive Portal is being actively exploited and allows unauthenticated remote code execution with root privileges. Because it affects internet-facing firewalls, it is one of the most urgent issues in this week’s set.
Source: Palo Alto Networks

Cisco SD-WAN Authentication Bypass Is Under Active Exploitation
Cisco Talos reported ongoing exploitation of CVE-2026-20182 in Catalyst SD-WAN controllers, where attackers can bypass authentication and obtain administrative privileges. CISA has already added the flaw to KEV, which confirms exploitation observed in the wild rather than a theoretical risk.
Source: Cisco Talos

Critical cPanel Vulnerability Weaponized Against Government and MSP Networks
Threat actors were observed exploiting CVE-2026-41940 in cPanel and WHM shortly after disclosure, with activity spanning government, military, hosting, and MSP environments. The flaw enables authentication bypass and elevated control of exposed control panels.
Source: The Hacker News

DigiCert Revokes Fraudulently Issued Certificates After Support Portal Hack
DigiCert revoked certificates obtained after attackers compromised support systems and pivoted into an internal portal used for certificate handling. The incident is especially important because it involved EV code signing certificates and trust in the certificate issuance process itself.
Source: SecurityWeek

Copy Fail Linux Root Bug Moves Into Real-World Exploitation
CVE-2026-31431, known as Copy Fail, has moved from public disclosure to confirmed in-the-wild exploitation and was added to CISA’s KEV catalog. The flaw affects major Linux distributions and allows local privilege escalation to root.
Source: SecurityWeek

DAEMON Tools Lite Supply Chain Attack Confirmed by Vendor
DAEMON Tools confirmed unauthorized interference in its infrastructure after trojanized installers were distributed from the legitimate site. This is a direct supply chain compromise because trusted, signed installer packages were turned into malware delivery vehicles.
Source: DAEMON Tools

Official SAP npm Packages Compromised in TeamPCP Supply Chain Campaign
Multiple official SAP CAP and Cloud MTA npm packages were compromised with malicious install-time behavior designed to steal credentials and abuse developer environments. Because these packages sit inside normal CI/CD workflows, the impact extends beyond a single workstation compromise.
Source: Socket

Checkmarx Jenkins AST Plugin Compromised in Supply Chain Attack
Checkmarx warned that a malicious version of its Jenkins AST plugin was published to the Jenkins Marketplace as part of a supply chain attack. The issue matters because the plugin is designed to sit directly in security scanning and build pipelines.
Source: SecurityWeek

OpenAI Confirms Impact From the TanStack Supply Chain Attack
OpenAI said two employee devices were affected in the broader TanStack and Mini Shai Hulud campaign, prompting certificate rotation and repository credential response actions. The company said it found no evidence of impact to customer data, production systems, or deployed software.
Source: OpenAI

Instructure Reaches Agreement After Canvas Data Theft Incident
Instructure said it reached an agreement with the actor behind the Canvas breach in an effort to prevent publication of stolen data tied to thousands of schools and universities. The case remains significant because of the scale of affected education environments and the sensitivity of the exposed data.
Source: The Hacker News

JDownloader Site Hacked to Serve Python RAT Installers
The official JDownloader website was compromised and pointed users to malicious Windows and Linux installers, with the Windows payload deploying a Python-based remote access trojan. It is another reminder that download portals remain a high-value target for supply chain abuse.
Source: BleepingComputer

Breeze Cache WordPress Plugin Is Under Active Exploitation
Attackers are actively exploiting a critical arbitrary file upload flaw in the Breeze Cache plugin for WordPress. With hundreds of thousands of active installations and remote code execution potential, the issue quickly moved from disclosure to broad attack traffic.
Source: Wordfence

Burst Statistics Flaw Could Let Attackers Fully Impersonate WordPress Admins
A critical authentication bypass in the Burst Statistics plugin can let unauthenticated attackers impersonate an administrator during REST API requests if they know a valid admin username. In a worst case scenario, that can be enough to create a new administrator account without prior access.
Source: Wordfence

Critical Ollama Bug Could Expose 300,000 AI Deployments to Secret Theft
Security researchers warned that a critical unauthenticated vulnerability in Ollama could expose prompts, messages, API keys, and other sensitive heap data from roughly 300,000 deployments. Since Ollama is widely used as a self-hosted inference engine, the finding has direct enterprise AI relevance.
Source: SecurityWeek

NGINX Rift Revives an 18-Year-Old Bug With Potential RCE Impact
Researchers disclosed memory corruption issues in NGINX, including a critical heap overflow in the rewrite module that can lead to denial of service and, in some configurations, remote code execution. The issue stands out because of NGINX’s internet-facing role and the age and reach of the vulnerable logic.
Source: depthfirst