PAN-OS Zero-Day Under Active Exploitation Grants Root Access on Firewalls
Palo Alto Networks confirmed active exploitation of CVE-2026-0300 in the PAN-OS Captive Portal. The flaw allows unauthenticated remote code execution with root privileges on exposed firewalls, making it one of the most urgent perimeter risks in this cycle.
Source: Palo Alto Networks
Cisco SD-WAN Authentication Bypass Is Being Exploited in the Wild
Cisco Talos reported ongoing exploitation of CVE-2026-20182 in Catalyst SD-WAN controllers. Successful abuse lets a remote attacker bypass authentication and obtain administrative privileges, and the flaw has already been added to CISA’s KEV catalog.
Source: Cisco Talos
Critical cPanel Flaw Weaponized Against Government and MSP Networks
Threat actors were observed exploiting CVE-2026-41940 in cPanel and WHM shortly after disclosure. The activity targeted government, military, hosting, and managed service provider environments, showing rapid operationalization of the authentication bypass bug.
Source: The Hacker News
DigiCert Revokes Fraudulently Issued Certificates After Internal Portal Breach
DigiCert revoked certificates obtained after attackers compromised support systems and pivoted into an internal portal used in certificate workflows. The incident matters because it involved EV code signing certificates and directly affected trust in software signing and issuance processes.
Source: SecurityWeek
Copy Fail Linux Root Flaw Moves Into Real-World Exploitation
CVE-2026-31431, known as Copy Fail, moved from disclosure to confirmed in-the-wild exploitation and was added to CISA’s KEV list. The bug affects major Linux distributions and can let a local attacker escalate privileges to root.
Source: SecurityWeek
NGINX CVE-2026-42945 Is Already Being Exploited
Attackers are targeting CVE-2026-42945, a heap buffer overflow in NGINX’s rewrite module, only days after public disclosure. The flaw can crash worker processes and, in certain configurations, may enable remote code execution on internet-facing systems.
Source: The Hacker News
Mini Shai Hulud Hits More Than 320 npm Packages
A fresh Mini Shai Hulud supply chain campaign impacted more than 320 npm packages, along with GitHub Actions and a VS Code extension. The compromise propagated through trusted maintainer access and downstream dependencies, expanding the blast radius across developer and CI environments.
Source: SecurityWeek
GitHub Confirms Breach of 3,800 Repositories via Malicious VS Code Extension
GitHub said roughly 3,800 internal repositories were accessed after an employee device was compromised through a trojanized VS Code extension. The case highlights how developer tooling remains a direct path into high-value internal code environments.
Source: BleepingComputer
OpenAI Confirms Internal Impact From the TanStack Supply Chain Attack
OpenAI disclosed that two employee devices were affected in the broader TanStack and Mini Shai Hulud campaign. The company said it found no evidence of impact to customer data, production systems, intellectual property, or deployed software, but still rotated certificates as a precaution.
Source: OpenAI
Checkmarx Jenkins AST Plugin Compromised in a Supply Chain Attack
Checkmarx warned that a malicious version of its Jenkins AST plugin was published to the Jenkins Marketplace. Because the plugin is used directly inside build and scanning pipelines, the incident placed developer credentials and CI workflows at risk.
Source: SecurityWeek
DAEMON Tools Lite Supply Chain Attack Confirmed by Vendor
DAEMON Tools confirmed unauthorized interference in its build environment after compromised installers were distributed from the official site. Signed installation packages from a trusted vendor were turned into malware delivery mechanisms, making this a clear software supply chain incident.
Source: DAEMON Tools
JDownloader Website Hacked to Deliver Python RAT Installers
The official JDownloader site was compromised and redirected users to malicious Windows and Linux installers, with the Windows variant dropping a Python-based RAT. The incident shows that software download portals remain highly attractive targets for attacker-controlled replacement payloads.
Source: BleepingComputer
Instructure Reaches Agreement After Canvas Data Theft Incident
Instructure said it reached an agreement with the actor behind the Canvas breach in an attempt to prevent publication of stolen data. The incident remains important because of the scale of affected schools and universities and the sensitivity of the exposed education-related information.
Source: The Hacker News
Drupal Critical SQL Injection Flaw Is Now Being Targeted in Attacks
Drupal warned that attackers are attempting to exploit CVE-2026-9082, a highly critical SQL injection issue affecting PostgreSQL-backed sites. The project had already cautioned that exploitation could begin within hours or days, and those attack attempts have now materialized.
Source: BleepingComputer
Critical Ollama Bug Could Expose 300,000 Deployments to Secret Theft
Researchers warned that a critical unauthenticated flaw in Ollama could expose prompts, messages, API keys, tokens, and other sensitive heap data from roughly 300,000 deployments. Since Ollama is widely used as a self-hosted AI inference engine, the issue has direct enterprise impact beyond test environments.
Source: SecurityWeek
AresISEC d.o.o. · Zagreb, Croatia · OIB: 49411602130 · info@aresisec.hr
© 2026 AresISEC