Threat actors are leveraging Microsoft's ClickOnce technology, designed for simplified application deployment, as an attractive vector to spread malware, allowing for easy distribution, minimal user interaction, and installation without elevated privileges on Windows systems.

An authentication logic flaw in Cap-go versions prior to 12.128.2 allows attackers to register an account with a victim's unverified email address, then enable two-factor authentication on this pre-registered account to gain full control, read/modify data, enforce organization-level policies, and deny the legitimate user access.

Adversaries can abuse the Azure VM Managed Run Command feature (MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMANDS/WRITE) to achieve code execution as System or root and establish persistence on Azure Virtual Machines or Virtual Machine Scale Sets by an unusual identity, potentially evading detections focused solely on action-based Run Commands.

The `undici` WebSocket client is vulnerable to CVE-2026-12151, a high-severity denial of service attack where a malicious WebSocket server can stream numerous small continuation frames that bypass `maxPayloadSize` checks, causing unbounded memory growth and exhaustion in affected client processes.

A vulnerability in the vim text editor allows a remote, unauthenticated attacker to perform a Denial of Service attack by exploiting a weakness to disrupt the service without requiring prior authentication.

A vulnerability in the libssh2 library allows a remote, unauthenticated attacker to perform a Denial of Service (DoS) attack or disclose sensitive information, potentially leading to service disruption or unauthorized data exposure.

Multiple vulnerabilities have been discovered in the expat XML parser library that can be exploited by a local attacker, potentially leading to a Denial of Service condition or allowing for arbitrary code execution on the affected system.

A remote, anonymous attacker can exploit a vulnerability in OpenBSD to disclose sensitive information, potentially leading to unauthorized data exposure.

Threat actors can abuse Microsoft's ClickOnce technology, which allows for simplified application distribution and installation with minimal user interaction and no administrative privileges, to easily spread malware and bypass traditional security controls through a 'click once' deployment.

An unauthenticated attacker can exploit a vulnerability in the PHP JWT Library's PBES2AESKW::unwrapKey() function when processing JWE tokens that use PBES2-HS*+A*KW algorithms by crafting a JWE with an excessively large 'p2c' (PBKDF2 iteration count) parameter in the JOSE header, forcing the server to perform an unbounded and CPU-intensive PBKDF2 computation, resulting in a CPU-amplification denial of service.

The spomky-labs/otphp library is vulnerable to a denial of service (GHSA-g7m4-839x-ch6v) where an unbounded 'digits' parameter in an otpauth provisioning URI causes a DivisionByZeroError, leading to unhandled fatal errors in applications trying to generate or verify OTPs.

Adversaries with privileged Azure RBAC roles are exploiting the Azure VM Serial Console to gain SYSTEM/root access on virtual machines, bypassing network controls like NSGs and JIT policies, with detections focusing on unusual user and source network combinations.

An unauthenticated attacker can exploit CVE-2026-55204, a null pointer dereference vulnerability in HAProxy through version 3.4.0, by triggering excessive HPACK dynamic table insertions under memory pressure, causing HAProxy worker processes to crash and resulting in a denial of service.

Adversaries are modifying OAuth application redirect URIs (ReplyUrls) in Microsoft Entra ID to intercept OAuth authorization codes and steal tokens, granting unauthorized access without new application registration or user consent.

A sophisticated threat actor, having compromised an existing guest account in Microsoft Entra ID, can establish persistent access and elevate privileges by performing a Guest-to-Member account conversion, which grants full directory read access and bypasses Conditional Access restrictions, enabling stealthy long-term access and reconnaissance.

Adversaries may create custom administrative roles in Google Workspace to establish persistence with tailored, elevated permissions, which are then assigned to compromised or attacker-controlled accounts to bypass security controls, grant OAuth access, or modify mail routing.

Adversaries with elevated privileges within Google Workspace may delete custom administrative roles to impede security operations, remove delegated administrator access, or obfuscate their activities during an active incident, leading to disrupted delegated administration, loss of security team access, or hindrance of incident response efforts.

An unauthenticated remote attacker can leverage a missing authorization vulnerability (CWE-862) in the Pipecat development runner's `/ws` WebSocket endpoint to supply a crafted `callSid` in a handshake message, compelling the server to use its configured Twilio, Telnyx, or Plivo credentials to issue authenticated API requests that terminate active calls, resulting in denial of service and credential abuse.

Multiple vulnerabilities, including CVE-2026-10883, CVE-2026-10892, and others, have been discovered in Microsoft Edge versions prior to 149.0.4022.53, enabling an attacker to bypass security policies and potentially cause other unspecified security issues within the browser environment.

Multiple vulnerabilities, CVE-2026-45491 and CVE-2026-45591, have been discovered in Microsoft .Net and ASP.NET Core versions, allowing a remote attacker to cause a denial of service and compromise data integrity across Windows, Linux, and macOS platforms.

This brief summarizes newly published IOCs consisting of domains and URLs associated with the Kimsuky APT group as of June 2nd, 2026, sourced from a Maltrail feed.

A critical vulnerability, CVE-2026-46376, exists in FreePBX due to the use of hard-coded credentials in the User Control Panel (UCP) generic template setup process, allowing an unauthenticated, remote attacker to gain unauthorized access to user accounts and manipulate user settings if default template credentials are not immediately changed by the administrator after enabling UCP.

Multiple npm packages within the legitimate @redhat-cloud-services namespace have been hijacked with malicious code, posing a supply chain risk.

SourceCodester SEO Meta Tag Extractor 1.0 is vulnerable to server-side request forgery (SSRF) via manipulation of the 'url' argument in the get_headers function of the /index.php file, potentially allowing a remote attacker to make requests to internal or external systems.

This rule detects unusual child process executions originating from web server processes on Linux systems, which attackers may use to maintain persistence on a compromised system by exploiting web server vulnerabilities.

Identifies suspicious command executions via a web server on Linux systems, which may suggest a vulnerability and remote shell access.

This rule detects unusual child process executions originating from web server processes on Linux systems, potentially indicating attackers exploiting web servers for persistence.

Identifies suspicious command executions via a web server on Linux systems, potentially indicating a vulnerability exploitation or remote shell access for persistence.

A vulnerability in Laravel allows an attacker to bypass the security policy; specifically, laravel/framework versions 12.x before 12.60.0 and 13.x before 13.10.0 are affected (CVE-2026-48019).

This rule detects the abuse of Azure Virtual Machine Run Command to execute scripts remotely, correlating Azure Activity Log events with endpoint process starts, identifying instances where adversaries use Run Command to run scripts as SYSTEM or root.

This rule identifies suspicious process start events where the parent process matches Azure Virtual Machine Run Command execution patterns on Windows (PowerShell with `-ExecutionPolicy Unrestricted` and `script?.ps1`) or Linux (waagent running `script.sh` under `/var/lib/waagent/run-command/`), exposing on-guest payloads.

CISA published ICS advisories between May 25 and 31, 2026, addressing vulnerabilities across various vendors including ABB, CP Plus, Eppendorf, Frontier, Jinan USR IOT, KMW, MacGregor, Schneider Electric, and XCharge, impacting industrial control systems and related applications.

Dell released security advisories in May 2026 to address vulnerabilities in PowerEdge Server Chipset Driver, Data Lakehouse, Dell Enterprise SONiC Distribution, and Dell Unity/UnityVSA/Unity XT.

A remote, anonymous attacker can exploit multiple vulnerabilities in ImageMagick to cause a denial of service condition, disclose information, and bypass security mechanisms.

A remote, anonymous attacker can exploit a vulnerability in the PostgreSQL JDBC Driver to perform a denial-of-service attack, impacting availability.

This rule detects Linux process executions that reference /etc/kubernetes/manifests in process arguments, which may indicate tampering with static pod manifests for persistence or privilege escalation in Kubernetes environments.

The creation, modification, or deletion of Kubernetes MutatingWebhookConfigurations or ValidatingWebhookConfigurations by non-system identities can allow attackers to inject malicious sidecars or block security tooling deployments for persistence and defense evasion.

This rule detects process start events where the parent process is the AWS Systems Manager (SSM) Session Manager worker, which can indicate remote execution and lateral movement by adversaries abusing legitimate AWS credentials.

This brief analyzes a Maltrail IOC list from June 1, 2026, identifying domains and IP addresses associated with various malware and threat actors, including android_fvncbot, lummac2, magentocore, sectoprat, apt_lazarus, offloader, android_joker, cyberstrikeai, and nightshadec2, potentially used for command and control, malware distribution, or phishing campaigns.

A local attacker can exploit multiple vulnerabilities in Fujitsu ServerView to escalate privileges on the targeted system.

CVE-2026-21711 allows code running under the Node.js permission model without network access to create and expose local IPC endpoints via Unix Domain Sockets, bypassing intended network restrictions and enabling inter-process communication.

CVE-2026-21717 is a vulnerability in V8's string hashing mechanism within Node.js that allows attackers to cause hash collisions via predictable integer-like strings in JSON input, leading to denial-of-service by degrading the performance of the Node.js process.

CVE-2026-44839 is a cross-site scripting (XSS) vulnerability in the RabbitMQ management UI that arises from unsanitized virtual host (vhost) names, potentially allowing an attacker to execute arbitrary JavaScript in the context of a user's browser.

CVE-2026-42790 is a vulnerability in Microsoft products related to name constraints DNS bypass via subject CommonName fallback in public_key hostname verification.

WinMTR 0.91 is vulnerable to a denial-of-service attack where a malformed payload file containing a buffer overflow can crash the application (CVE-2018-25426).

CVE-2026-41184 is a ServiceAccount token disclosure vulnerability in container logs addressed by a Microsoft security update.

A timestamp handling issue in Stigmem-node's federation peer token validation could cause valid peer tokens to be incorrectly treated as expired, impacting availability and reliability of authenticated federation flows, affecting versions prior to 0.9.0a2.

Gotenberg is vulnerable to a remote denial-of-service (DoS) in multipart `downloadFrom` handling, where a crafted multipart request with multiple `downloadFrom` entries causes concurrent goroutines to write to shared maps without synchronization, leading to process termination.

Detects an external Google Workspace user account being added to an existing group, potentially allowing adversaries to intercept shared files or emails.

This rule detects segfault messages in kernel logs originating from sensitive processes on Linux systems, indicating potential exploitation attempts that could lead to arbitrary code execution or credential access.

A public exploit has been published for CVE-2026-44596, a vulnerability in yamcs-core where the /auth/token authentication endpoint lacks rate limiting, allowing unauthenticated remote attackers to perform unlimited password guessing attempts against any user account, fixed in version 5.12.7.

This rule detects the creation of new inbox forwarding rules in Microsoft 365, which can be abused by attackers to intercept and exfiltrate email data to external addresses.

Microsoft released a security update on May 28, 2026, to address vulnerabilities in Microsoft Edge Stable Channel versions prior to 148.0.3967.96, advising users to apply the necessary updates.

CVE-2026-42965 describes a server-side request forgery (SSRF) vulnerability in the OpenShift Router where a user with EndpointSlice write access can expose instance credentials by creating a service that proxies requests to a cloud metadata endpoint.

This rule detects when a Microsoft Exchange inbox rule is created or modified with a name composed only of special characters, which adversaries may use to evade detection and hide malicious forwarding or deletion rules.

Successful deployment of a high-risk Azure Virtual Machine extension by an interactive user principal can lead to arbitrary code execution, backdoor account creation, credential harvesting, and persistence on Azure-hosted virtual machines.

The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery (CVE-2026-6075) due to missing nonce verification, allowing unauthenticated attackers to trick an administrator into performing unauthorized bulk actions.

A remote, authenticated attacker can exploit a vulnerability in Mautic to perform a SQL injection attack, potentially leading to unauthorized data access or modification.

The Link Whisper Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS), allowing unauthenticated attackers to inject arbitrary web scripts into pages, which execute when a user accesses the injected page, affecting versions up to and including 0.9.0.

CVE-2026-46174 describes a vulnerability in AMD Zen2 processors related to improper isolation of shared resources within the operation cache, potentially leading to information disclosure or other security impacts.

CVE-2026-46185 is an out-of-bounds read vulnerability in the SMB client component within the symlink_data() function, potentially leading to information disclosure or denial of service.

Microsoft published information regarding CVE-2026-46153, a vulnerability in 8021q that allows deleting cleared egress QoS mappings.

CVE-2026-46155 describes an out-of-bounds read vulnerability within the smb2_compound_op() function of the SMB client, requiring a security update from Microsoft to address the issue.

CVE-2026-46107 is a reported vulnerability in dm-thin, leading to a metadata refcount underflow.

CVE-2026-46172 is a vulnerability related to ipv6: xfrm6: release dst on error in xfrm6_rcv_encap(), potentially leading to a denial-of-service condition.

Multiple vulnerabilities in Red Hat OpenShift Tempo allow an unauthenticated remote attacker to bypass security measures, disclose sensitive information, manipulate data, or cause a denial of service condition.

A denial-of-service vulnerability exists in strongSwan version 5.9.13 due to a flaw in the eap-radius plugin when built with DAE enabled, allowing remote attackers to exhaust worker threads by sending a crafted RADIUS Access-Request (CVE-2026-35333).

CVE-2026-46835 is an easily exploitable vulnerability in Oracle Database Server's Net Service component, affecting versions 23.4.0 to 23.26.2, allowing an unauthenticated attacker with network access via TLS to cause a complete denial-of-service (DoS).

CVE-2026-46834 is a vulnerability in the Net Service component of Oracle Database Server versions 23.4.0 to 23.26.2 that allows an unauthenticated attacker with network access via TLS to cause a denial-of-service (DoS) condition.

An unauthenticated attacker with network access via HTTPS can exploit CVE-2026-46829 in Oracle REST Data Services versions 24.2.0 through 26.1.0, leading to a denial of service.

CVE-2026-46828 is an easily exploitable vulnerability in Oracle Payroll versions 12.2.3-12.2.15, allowing a low-privileged attacker with network access via HTTP to perform unauthorized creation, deletion, or modification of critical payroll data, as well as gain unauthorized access to sensitive information.

CVE-2026-46823 is an easily exploitable vulnerability in Oracle Public Sector Financials (International) versions 12.2.6-12.2.15, allowing a low privileged attacker with network access via HTTPS to gain unauthorized access to critical data or complete access to all accessible data, potentially impacting additional products.

CVE-2026-46821 is an easily exploitable vulnerability in Oracle Financials Common Modules of Oracle E-Business Suite versions 12.2.3-12.2.15, allowing a low-privileged attacker with network access via HTTP to gain unauthorized access to critical data.

CVE-2026-46820 is a vulnerability in Oracle Financials Common Modules within Oracle E-Business Suite versions 12.2.3-12.2.15, allowing a low-privileged attacker with network access via HTTP to gain unauthorized access to critical data and modify some data, resulting in a confidentiality and integrity impact.

A vulnerability exists in Oracle REST Data Services versions 24.2.0 to 26.1.0, where a low-privileged attacker with network access via HTTPS can, with human interaction, gain unauthorized data access, modification, and cause a partial denial of service.

This analytic identifies ICMP traffic to external IP addresses with total bytes greater than 1,000 bytes, leveraging the Network_Traffic data model to detect potential information smuggling, covert communication, or command-and-control (C2) activities.

Detection of expand.exe being used to extract Microsoft Cabinet (CAB) archives, specifically when extracting to C:\ProgramData or similar staging locations, potentially indicating ingress tool transfer and payload staging by threat actors like APT37.

This detection identifies instances where the ESXi UI is accessed using the root account instead of a delegated administrative user, which bypasses role-based access controls and may indicate risky behavior or unauthorized activity.

This Splunk search detects when the owner of an Active Directory object is updated, potentially granting full control privileges and enabling object hiding, focusing on Windows Event Log ID 5136, and includes lookups for SID resolution.

Tanium released security advisories addressing vulnerabilities in Connect versions prior to Update 25 (v5.26.191), Update 19 (v5.29.237), and Update 9 (v5.37.140), potentially leading to unauthorized access and data compromise.

This analytic identifies potentially unauthorized devices attempting to connect to an organization's network by inspecting DHCP request packets and comparing MAC addresses against a list of known authorized devices.

This analytic identifies emails claiming to originate from domains similar to those being monitored for abuse by cross-referencing sender addresses with a lookup table of domain permutations, indicating potential phishing or brand impersonation.

This analytic identifies instances where three or more distinct registry modification events associated with MITRE ATT&CK Technique T1112 are detected, leveraging Splunk's Risk data model to detect persistence, hiding malicious configurations, or erasing forensic evidence.

This correlation search identifies multiple risk events associated with 'Living Off The Land' activity, leveraging the Risk data model to aggregate events, focusing on systems with a high count of distinct sources, potentially enabling attackers to execute code, escalate privileges, or persist within the environment using trusted system utilities.

This analytic identifies web requests to domains that closely resemble a monitored brand's domain, indicating potential brand abuse indicative of phishing or malware distribution attempts.

This analytic detects internal systems generating an unusually high volume of intrusion detections within a 30-minute window using Cisco Secure Firewall Threat Defense logs, identifying hosts triggering more than 15 Snort-based signatures, which may indicate suspicious activity like malware execution, command-and-control communication, vulnerability scanning, or lateral movement.

phpMyFAQ before 4.1.3 is vulnerable to an unauthenticated password reset, allowing attackers to change account passwords without token validation by sending crafted PUT requests to the /api/index.php/user/password/update endpoint.

This rule detects when Google Workspace administrators initiate bulk movement or export of user Drive data, including admin data transfer requests and Customer Takeout export jobs which can be abused by adversaries with administrative access to stage or exfiltrate sensitive files.

Zimbra released a security advisory on May 28, 2026, addressing unspecified vulnerabilities in Zimbra Daffodil versions prior to v10.1.17, urging users to apply necessary updates.

Detects bursts of Google Workspace device registration events for a single user exceeding three distinct device registrations within one minute, indicative of AiTM phishing or stolen OAuth token replay attacks.

This rule detects when a Google Workspace user authenticates from a device type that hasn't been observed for that user in the past 14 days, potentially indicating account compromise via AiTM kits or stolen OAuth refresh tokens.

Multiple vulnerabilities in GitLab CE/EE allow attackers to cause remote denial of service and bypass security policies in versions 18.11.x before 18.11.4, 19.x before 19.0.1, and before 18.10.7; these vulnerabilities are tracked as CVE-2026-1402, CVE-2026-2601, CVE-2026-2710, CVE-2026-4868, CVE-2026-5296, CVE-2026-6713, and CVE-2026-8716.

A vulnerability in Gitea's built-in container registry (CVE-2026-27771) allows unauthenticated attackers to pull private container images, potentially exposing source code, secrets, and production infrastructure details, affecting over 30,000 deployments.

This rule detects successful S3 GetObject calls targeting high-value credential and secret files commonly stored in S3 buckets, indicating potential credential access.

The SlimStat Analytics plugin for WordPress is vulnerable to stored cross-site scripting (XSS) via the User-Agent header, allowing unauthenticated attackers to inject arbitrary web scripts if the 'show_complete_user_agent_tooltip' setting is enabled.

The HT Contact Form – Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting (CVE-2026-7052) via the 'file_upload' parameter in versions up to 2.8.2, allowing unauthenticated attackers to inject arbitrary web scripts.

A remote, anonymous attacker can exploit a vulnerability in Apache Tika to read sensitive data or trigger malicious requests to internal resources or third-party servers.

A remote, anonymous attacker can exploit a vulnerability in VMware Tanzu Spring Framework to perform a denial of service attack.

A local attacker can exploit a vulnerability in VMware Tanzu Spring Security to manipulate files, potentially leading to privilege escalation.

Multiple vulnerabilities in Vim could allow an attacker to execute arbitrary code or cause a denial of service condition.

A remote, authenticated attacker can exploit multiple vulnerabilities in IBM DB2 to perform a denial of service attack, potentially disrupting database services.

CVE-2026-46099 describes a vulnerability in the IPv6 network stack related to NOREF dst use in seg6 and rpl lwtunnels, requiring a security update to address potential exploitation.

CVE-2026-46072 is a buffer boundary check vulnerability in ntfs3 affecting an unspecified Microsoft product, requiring further investigation upon patch application to understand exploitation vectors and develop detections.

CVE-2026-45842 is an unspecified vulnerability affecting Microsoft products, requiring further investigation to determine the specific attack vector, impact, and affected systems.

CVE-2026-44899 is a CSS Injection vulnerability in the Mistune Image Directive, potentially allowing for malicious CSS injection if user-supplied content is not properly sanitized.

Microsoft published CVE-2025-71305, addressing a vulnerability related to insufficient protection against zero VCPI values in DisplayPort Multi-Stream Transport (MST), although specifics on exploitation and impact are not detailed in the provided source.

CVE-2026-45843 is a Microsoft vulnerability with unspecified details at the time of this brief.

CVE-2026-44844 is a denial-of-service vulnerability in Microsoft's eml_parser due to recursion in nested message/rfc822 attachments, potentially causing a service outage.

CVE-2026-45932 is a vulnerability affecting the bpf component, related to tcx/netkit detach permissions when the prog fd isn't given, requiring a security update from Microsoft.

CVE-2026-45991 is a security vulnerability affecting a Microsoft product, related to UDF partition descriptor append bookkeeping.

CVE-2026-46084 is a vulnerability related to RDMA/mana_ib that requires disabling RX steering on RSS QP destroy, potentially leading to denial of service or privilege escalation.

Pimcore's CustomReports feature has a share bypass vulnerability due to inconsistent authorization checks between the report listing endpoint and the report detail endpoint, allowing low-privileged users to access report configurations without explicit sharing permissions.

Google released a security update on May 27, 2026, to address vulnerabilities in Chrome for Desktop versions prior to 0.7778.216/217 for Windows, 148.0.7778.215/216 for Mac, and 148.0.7778.215 for Linux, requiring users to apply the necessary updates to mitigate potential exploitation.

Cyber threat actors are conducting spoofing attacks against FIFA websites in advance of the 2026 FIFA World Cup to steal personal information and facilitate monetary scams.

Multiple vulnerabilities have been discovered in Kaspersky Anti Targeted Attack Platform versions prior to 7.1.7, allowing an attacker to cause a remote cross-site scripting (XSS) vulnerability, tracked as CVE-2026-28348 and CVE-2026-28350.

IBM Aspera High-Speed Transfer Endpoint and Server versions 3.7.4 through 4.4.7 Fix Pack 1 are vulnerable to a denial-of-service (DoS) attack where an unauthenticated user can crash the asperahttpd service.

IBM Langflow OSS versions 1.0.0 through 1.9.0 are vulnerable to a denial-of-service (DoS) attack due to uncontrolled resource consumption as tracked by CVE-2026-7528.

CVE-2026-1933 describes a vulnerability in Samba's handling of NTFS-style reparse points on read-only shares, allowing authenticated users with filesystem write permissions to modify reparse point metadata and potentially alter SMB-visible file behavior.

IBM Db2 versions 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 are vulnerable to a denial-of-service (DoS) attack via a specially crafted query when autonomous transactions are enabled, potentially leading to service disruption.

This rule detects suspicious network activity from tools or scripts attempting to access the cloud service provider's Instance Metadata Service (IMDS) API endpoint, potentially retrieving sensitive instance-specific information and credentials.

The rule identifies command-line executions that attempt to access cloud service provider's Instance Metadata Service (IMDS) API endpoints, potentially retrieving sensitive instance information and temporary security credentials, ultimately leading to credential access and privilege escalation within the cloud environment.

A local attacker can exploit a vulnerability in OpenVPN Connect on MacOS to escalate their privileges.

The HBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'hb_country_iso', 'hb_usa_state_iso', and 'hb_canada_province_iso' parameters (CVE-2026-8143) in versions up to 2.1.6, potentially leading to arbitrary script execution in the administrator's browser.

The LiteSpeed Cache plugin for WordPress is vulnerable to stored Cross-Site Scripting (XSS) via the /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss REST API endpoints, affecting versions up to 7.7, allowing unauthenticated attackers to inject arbitrary JavaScript into CCSS/UCSS content by bypassing IP-based access controls.

Multiple vulnerabilities in IBM DB2 allow a remote, authenticated, or local attacker to disclose information, bypass security measures, or cause a denial of service.

Fedify is vulnerable to CVE-2026-42462, a Linked Data Signature bypass via JSON-LD Named-Graph Restructuring, allowing attackers to alter third-party signed activities by manipulating the document structure without invalidating the signature, potentially leading to integrity, availability, and confidentiality issues.

CVE-2026-42012 describes a vulnerability in GnuTLS where a remote attacker can spoof legitimate services or intercept sensitive information by presenting a specially crafted certificate with URI or SRV SANs, causing the certificate validation process to incorrectly fall back to checking DNS hostnames against the Common Name (CN).

JeecgBoot up to version 3.9.1 is vulnerable to improper access control in the LoginController.selectDepart function, allowing remote attackers to bypass intended restrictions.

IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 are vulnerable to XML external entity injection (XXE), allowing an authenticated attacker to expose sensitive information or consume memory resources.

IBM HTTP Server 8.5 and 9.0 is vulnerable to a denial of service (DoS) in configurations where an attacker possesses write access to server configuration files, as tracked by CVE-2026-8856.

IBM HTTP Server 8.5 and 9.0 are vulnerable to a denial-of-service (DoS) attack due to a flaw in the optional `mod_mem_cache` module that can be triggered remotely.

IBM HTTP Server versions 8.5 and 9.0 are susceptible to an invalid pointer dereference, potentially allowing a privileged, authenticated user to expose sensitive information or cause a denial of service.

IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5 and 9.0 are vulnerable to HTTP request smuggling due to inconsistent interpretation of HTTP requests, potentially leading to unauthorized access and data manipulation.

A hardware exploit has been published on Exploit-DB for D-Link DSL2600U, detailing a 'rom-0' Admin Password Disclosure vulnerability that allows unauthorized access to the device's administration interface.

A vulnerability, CVE-2025-11482, exists in ABB's PPT30 Operating System related to handling concurrent connections in the PPT30 OPC-UA Server, affecting versions prior to 1.8.0.

CVE-2026-9421 is an unrestricted file upload vulnerability in the File Handler component of KLiK SocialMediaWebsite 1.0 that can be exploited remotely.

NordVPN version 6.14.31 is vulnerable to a denial-of-service attack (CVE-2018-25368) where an unauthenticated attacker can crash the application by submitting an excessively long string in the password field.

userSpice 4.3.24 contains a username enumeration vulnerability, allowing unauthenticated attackers to discover valid usernames by sending POST requests to the existingUsernameCheck.php endpoint and analyzing the response for the 'taken' string.

A server-side request forgery (SSRF) vulnerability, identified as CVE-2026-9372, exists in ItzCrazyKns Vane up to version 1.12.1, allowing a remote attacker to manipulate the baseURL argument in the Model Provider API component and potentially conduct internal reconnaissance or access sensitive data.

CVE-2026-26147 is an improper input validation vulnerability in Azure Compute Gallery that allows an authorized attacker to disclose information over a network.

Dell ECS versions 3.5 and 3.6 contain an improper access control vulnerability (CVE-2022-31231) in the Identity and Access Management (IAM) module, potentially allowing a remote unauthenticated attacker to gain unauthorized read access to data.

Dell PowerFlex Manager versions 4.6.2 and earlier contain a directory listing vulnerability (CVE-2025-32749) that allows an unauthenticated remote attacker to expose sensitive information.

Dell PowerFlex Manager versions 4.6.2 and earlier contain an Incorrect Privilege Assignment vulnerability (CVE-2025-32747) that allows a low-privileged attacker with local access to elevate privileges.

Dell PowerFlex Manager versions 4.6.2 and prior contains an open redirect vulnerability (CVE-2025-26483) that allows an unauthenticated attacker to redirect a targeted user to an arbitrary web URL, potentially enabling phishing attacks.

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to enforce request body size limits on plugin HTTP endpoints, allowing an attacker to cause a denial of service via crafted oversized HTTP requests.

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, allowing an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs.

A vulnerability in Firefox for iOS versions prior to 151.1 allows an attacker to bypass the security policy (CVE-2026-9078).

A data integrity vulnerability exists in Spring AI versions 1.1.x before 1.1.7, potentially allowing an attacker to compromise data integrity, as identified by CVE-2026-41863.

An unspecified vulnerability in CPython, tracked as CVE-2026-8328, allows an attacker to cause an unspecified security issue.

A local attacker can exploit vulnerabilities in Ivanti Secure Access Client to manipulate files or escalate privileges, potentially gaining elevated access to the system.

Multiple vulnerabilities in Devolutions Server could allow an attacker to bypass security measures, disclose information, and manipulate files.

A remote, anonymous attacker can exploit multiple vulnerabilities in PuTTY to perform a denial of service attack, manipulate data, and possibly carry out spoofing attacks.

Multiple vulnerabilities in the Intel NPU Driver allow a local attacker to escalate privileges and cause a denial of service.

Adversaries may attempt to bypass macOS privacy controls by directly modifying the Transparency, Consent, and Control (TCC) SQLite database using sqlite3, potentially gaining unauthorized access to sensitive resources.

CISA published ICS advisories addressing vulnerabilities in products from ABB, Hitachi Energy, Kieback & Peter, ScadaBR, Siemens, and ZKTeco, recommending mitigations and updates.

The rule detects script interpreters (osascript, Node.js, Python) making outbound connections to AWS S3 or CloudFront domains on macOS, which may indicate command and control or data exfiltration activity.

A denial-of-service vulnerability, CVE-2026-47138, exists in Parse Server due to inefficient regular expression handling of the client SDK version field in HTTP requests, allowing an unauthenticated attacker to exhaust server resources by sending a crafted request with a malicious `X-Parse-Client-Version` header or `_ClientVersion` body field.

Nezha Monitoring is vulnerable to a server-side request forgery (SSRF) vulnerability, where a low-privilege RoleMember user can call notification routes and send HTTP requests to a user-controlled URL, with the entire response body reflected back to the caller, potentially exposing intranet resources and causing denial of service.

This rule identifies rare connection attempts to a Web Distributed Authoring and Versioning (WebDAV) resource, where attackers may inject WebDAV paths in files or features opened by a victim user to leak their NTLM credentials via forced authentication using rundll32.exe.

HPE published a security advisory addressing multiple unspecified vulnerabilities in HPE Telco Universal SLA Management version 4.6 and prior, prompting users to apply necessary updates.

Microsoft released a security update on May 21, 2026, to address vulnerabilities in Microsoft Edge Stable Channel versions prior to 148.0.3967.83, urging users to apply the update.

A remote denial-of-service vulnerability exists in Stormshield Network Security (SNS) versions 4.3.x before 4.3.43, 4.4.x to 4.8.x before 4.8.16, and 5.x before 5.0.6, allowing an attacker to disrupt service availability.

Multiple vulnerabilities in Tenable Sensor Proxy versions prior to 1.4.0 could allow a remote attacker to cause a denial of service, data confidentiality breaches, and other unspecified security impacts.

A vulnerability in SPIP versions prior to 4.4.15 allows an attacker to bypass the security policy, potentially leading to unauthorized actions.

A remote, authenticated attacker can exploit a vulnerability in Sparx Systems Enterprise Architect to bypass security precautions.

A remote, authenticated attacker can exploit a vulnerability in TeamViewer to escalate privileges on a compromised system.

A remote, unauthenticated attacker can exploit a cross-site scripting (XSS) vulnerability in the Royal Elementor Addons plugin for WordPress.

An authenticated remote attacker can exploit multiple vulnerabilities in XWiki to manipulate files and disclose information.

The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress versions up to 3.1.65 is vulnerable to an authorization bypass (CVE-2026-9011) that allows unauthenticated attackers to retrieve the full content of non-public Dittys by exploiting the ditty_init AJAX endpoint.

The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference (CVE-2026-8679) in versions up to 2.0.2, allowing unauthenticated attackers to view track metadata of any playlist, regardless of its status.

A remote, anonymous attacker can exploit a vulnerability in cPanel cPanel/WHM to perform an HTTP response header injection, enabling cross-site scripting (XSS), open redirect attacks, and cache or header manipulation.

A remote attacker can exploit multiple vulnerabilities in PHP to disclose information, cause a denial-of-service condition, perform a Server-Side Request Forgery (SSRF) attack, or achieve unknown impacts.

Multiple vulnerabilities in PowerDNS Authoritative Server allow an attacker to disclose information, manipulate data, and cause a denial-of-service condition.

A memory exhaustion vulnerability exists in `@libp2p/gossipsub` due to unbounded subscription handling, allowing a single attacker to exhaust a Node.js heap by flooding unique topic subscriptions, leading to denial-of-service.

Attackers are compromising npm packages to distribute a RAT linked to PolinRider, directly injecting malicious code into the software supply chain.

@hulumi/policies versions before 1.3.2 allowed unrelated compliant-looking evidence to suppress violations for different zones, hostnames, origins, or repositories in the same stack, bypassing Cloudflare and deployment-governance guardrails.

This rule detects potential session hijacking or token replay in Microsoft Entra ID, identifying cases where a user signs in and subsequently accesses Microsoft Graph from a different IP address using the same session ID, which may indicate a successful OAuth phishing attack, session hijacking, or token replay attack.

A remote denial-of-service vulnerability (CVE-2026-46545) exists in Nimiq primitives where an unauthenticated peer can send a malicious chunk with an empty key, leading to a panic when `put_raw` attempts to store a value at the root node, causing the node process to abort.

LMDeploy <= 0.12.3 is vulnerable to remote code execution (CVE-2026-46517) because it hardcodes `trust_remote_code=True` when calling `transformers.AutoConfig.from_pretrained()`, allowing a malicious Hugging Face repository to execute arbitrary Python code when loaded without user opt-out.

Open ISES Tickets before version 3.44.2 contains hardcoded MySQL database connection credentials in import_mdb.php, allowing unauthorized database access.

A commodity BadIIS malware variant is fueling a thriving malware-as-a-service (MaaS) ecosystem for Chinese-speaking cybercrime groups, allowing them to execute malicious SEO fraud, hijack server content, and redirect traffic to illicit sites.

ConnectWise released a security advisory addressing a vulnerability in ConnectWise Automate versions prior to 2026.5, prompting users to apply the necessary updates.

Hitachi Energy GMS600 versions 1.3.0 and 1.3.1 are affected by CVE-2022-4304, a vulnerability in the OpenSSL RSA Decryption implementation; an attacker could exploit this timing-based side channel to recover plaintext across a network in a Bleichenbacher-style attack by sending trial messages to the server and recording processing times, eventually decrypting application data.

ABB B&R Automation Runtime versions before 6.4 are vulnerable to predictable number generation (CVE-2025-3449), reflected XSS (CVE-2025-3448), and CSV injection (CVE-2025-11498), potentially allowing attackers to hijack sessions or execute arbitrary code in a user's browser context.

Multiple buffer overflow vulnerabilities in ABB Terra AC Wallbox versions <=1.8.33, exploitable via Bluetooth hijacking, could allow an attacker to remotely control the device and alter its firmware.

Trend Micro released a security advisory addressing vulnerabilities in Apex One (on-premise), Apex One as a service, and Trend Vision One Endpoint, prompting users to apply necessary updates to mitigate potential risks.

A CSRF-OOB-Injection vulnerability exists in SolarEdge Monitoring Platform's `/solaredge-web/p/initClient` endpoint due to improper validation of session parameters, allowing attackers to manipulate headers to initiate requests to attacker-controlled domains, potentially leading to session compromise and unauthorized system control.

A local exploit has been published for Lenovo LegionSpace 1.7.11.2, detailing an Unquoted Service Path vulnerability in the 'DAService', potentially leading to local privilege escalation.

A denial-of-service vulnerability exists in BookStack version 25.12.1, and a public exploit (EDB-52571) is available, increasing the risk to unpatched systems.

Multiple vulnerabilities have been discovered in Apereo Java CAS client versions prior to 4.1.1, potentially leading to data confidentiality breaches as detailed in the casc-jwt-vuln security bulletin.

A remote, anonymous attacker can exploit multiple vulnerabilities in Internet Systems Consortium BIND to trigger memory corruption or cause a denial-of-service condition.

An anonymous remote attacker can exploit a vulnerability in MongoDB Compass to manipulate files and potentially execute arbitrary code.

A vulnerability in ffmpeg allows an attacker to execute arbitrary program code and potentially conduct a denial of service attack.

A remote, authenticated attacker can exploit a vulnerability in vllm to disclose information or cause a denial-of-service condition.

CVE-2026-45736 is an uninitialized memory disclosure vulnerability affecting Microsoft products, potentially allowing an attacker to read sensitive information from process memory.

CVE-2026-44390 is a denial-of-service vulnerability in Microsoft products due to unbounded name compression.

CVE-2026-47783 is a timing side channel vulnerability in memcached before 1.6.42, affecting SASL password database authentication due to premature loop exit upon finding a valid username, potentially leading to information disclosure.

The TeamPCP hacking group released the source code of the Shai-Hulud worm impacting npm and PyPI, prompting European governments to seek secure messaging alternatives due to phishing risks and data sovereignty concerns, while historical analysis reveals the Fast16 malware targeted Iran's nuclear program by tampering with simulation software.

This brief summarizes indicators of compromise (IOCs) from a Maltrail feed update on 2026-05-20, detailing network activity associated with APT Kimsuky, Lummac2, MagentoCore, and FakeApp campaigns, providing actionable intelligence for detection and response.

Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 is vulnerable to stored cross-site scripting (CVE-2026-9144) in the web configuration interface, allowing authenticated attackers to execute persistent JavaScript by fragmenting malicious payloads across multiple administrative form fields for persistent code execution.

Splunk released security advisories on May 20, 2026, addressing vulnerabilities in Splunk User Behavior Analytics, AppDynamics Agents, Universal Forwarder, Enterprise, Cloud Platform, and AI Toolkit, prompting users to apply necessary updates.

Splunk Enterprise and Cloud Platform versions prior to 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13 are vulnerable to information disclosure (CVE-2026-20239), allowing users with access to the `_internal` index to view sensitive data.

CVE-2026-45498 is a denial-of-service vulnerability in Microsoft Defender that could disrupt endpoint protection capabilities, requiring timely mitigation per vendor instructions.

The Cost of Goods by PixelYourSite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'csvdata[0][cost_of_goods_value]' parameter in versions up to, and including, 1.2.12 due to insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts that execute when a user accesses an injected page.

CVE-2026-5783 is a reflected cross-site scripting (XSS) vulnerability in Beyaz Computer Software Design Industry and Trade Ltd. Co. CityPLus before version V24.29750.1.0, allowing attackers to inject malicious scripts into web pages viewed by users.

CVE-2026-20206 describes a command injection vulnerability in the BrowserBot component of Cisco ThousandEyes Enterprise Agent where an authenticated remote attacker with transaction test management privileges could execute arbitrary commands within the BrowserBot container as the node user.

CVE-2026-20199 - A vulnerability in the SSL certificate handling of Cisco ThousandEyes Virtual Appliance could allow an authenticated, remote attacker to execute commands on the underlying operating system as the root user.

CVE-2026-20171 describes a vulnerability in the Border Gateway Protocol (BGP) enforce-first-as feature of Cisco Nexus 3000 and 9000 Series Switches that could allow an unauthenticated, remote attacker to trigger BGP peer flaps, resulting in a denial-of-service (DoS) condition.

Plug versions 1.4.0 to 1.19.1 are vulnerable to denial-of-service (CVE-2026-8468) due to unbounded buffer accumulation in multipart header parsing, allowing an unauthenticated attacker to exhaust server memory by sending a crafted multipart/form-data request.

FreePBX released security advisories addressing authenticated SQL injection and local file inclusion vulnerabilities in the Security-Reporting cdr and dashboard modules for FreePBX 16 and 17.

Multiple vulnerabilities in Symfony, including CVE-2026-45070, CVE-2026-45077, CVE-2026-45304, CVE-2026-45305, CVE-2026-45753, CVE-2026-45754, CVE-2026-45755, CVE-2026-45756, CVE-2026-46626, and CVE-2026-47212, can lead to remote denial of service, cross-site scripting (XSS), and cross-site request forgery (CSRF) attacks.

A vulnerability in Wireshark versions 4.4.x before 4.4.16 and 4.6.x before 4.6.6 allows a remote attacker to cause a denial of service.

BIND servers configured for TKEY-based authentication using GSS-API tokens are susceptible to excessive memory consumption upon receiving and processing crafted packets, impacting availability.

Multiple flaws in BIND 9's `named` component, specifically versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1, can be exploited by sending specially crafted DNS requests with non-`IN` CLASS or meta-classes, leading to assertion failures and potential denial-of-service.

A remote, anonymous attacker can exploit a vulnerability in Squid to bypass security precautions and disclose information, potentially leading to unauthorized access or data leakage.

CVE-2026-9064 describes a denial-of-service vulnerability in 389-ds-base where an unauthenticated attacker can send a crafted LDAP request with excessive controls, causing excessive CPU consumption and heap allocation, leading to latency degradation, worker thread starvation, or out-of-memory termination.

CVE-2026-43492 is an integer underflow vulnerability in the mpi_read_raw_from_sgl function within the lib/crypto component that could lead to unexpected behavior or denial-of-service.

CVE-2026-45585 is a security feature bypass vulnerability in Windows BitLocker, known as 'YellowKey', for which a public proof of concept exists, prompting Microsoft to release mitigation guidance prior to a security update.

SQLFluff versions prior to 4.2.0 are vulnerable to uncontrolled resource consumption (CVE-2026-46374), allowing an attacker to cause a denial of service by submitting a maliciously crafted, long SQL query.

The dasel selector lexer is vulnerable to an index-out-of-range panic when tokenizing a quoted string that ends with a trailing backslash (e.g., `"\` or `'\`), leading to a process crash if an attacker can control the selector string.

Dasel versions 3.0.0 to 3.3.1 are vulnerable to a denial-of-service attack (CVE-2026-46378) where the selector lexer enters a non-terminating loop when tokenizing an unterminated regex pattern, causing 100% CPU usage on one core, which can be triggered by an attacker-controlled selector/query string.

An unauthenticated remote peer can exhaust the disk storage of any `@libp2p/kad-dht` node running in server mode by sending an unbounded stream of `PUT_VALUE` messages with crafted keys to bypass validation and cause disk exhaustion.

Dell published security advisories between May 11 and 17, 2026, addressing vulnerabilities in Dell Enterprise Sonic Distribution, Dell Live Optics Collector, Intel 800 Series Ethernet Adapters, Dell PowerEdge with AMD Graphics, and PowerScale InsightIQ, prompting users to apply necessary updates.

A vulnerability in Wire's protobuf group-skipping logic allows a crafted payload with a negative length to cause a runtime exception and potentially crash services decoding untrusted protobuf, addressed in version 6.3.0.

Bandit versions 1.6.0 through 1.11.0 are vulnerable to an unauthenticated denial-of-service (CVE-2026-39806) via a chunked request with trailers, where sending a request with `Transfer-Encoding: chunked` and a trailer field causes the connection's worker process to spin forever in an infinite recursion, exhausting the listener pool and rendering the server unresponsive.

Bandit's HTTP/1 chunked-body reader silently drops the request size cap, leading to excessive memory buffering. An unauthenticated attacker can crash Bandit-fronted Phoenix/Plug applications by sending a single 'Transfer-Encoding: chunked' request to any URL, causing BEAM memory exhaustion and a denial-of-service.

Mozilla released security updates on May 19, 2026, addressing vulnerabilities in Firefox versions prior to 151, Firefox ESR versions prior to 115.36, and Firefox ESR versions prior to 140.11.

An application that passes an overlong ciphertext buffer to `libcrux_chacha20poly1305::encrypt` or `libcrux_chacha20poly1305::xchacha20_poly1305::encrypt` can experience a panic, leading to a crash if the buffer length is attacker-controlled, affecting libcrux-chacha20poly1305 versions prior to 0.0.8.

Composer leaks GitHub OAuth tokens in GitHub Actions logs if they do not match the expected format due to a validation regex, leading to potential unauthorized access.

A cross-site scripting vulnerability, CVE-2026-4293, exists in multiple Kieback & Peter DDC Building Controllers that could allow an attacker to take control of the victim's browser.

Mailpit is vulnerable to an unauthenticated remote memory-exhaustion denial-of-service attack due to missing size limits on incoming SMTP DATA and HTTP requests, leading to unbounded memory and disk growth, potentially crashing the application.

CVE-2026-7571 describes a vulnerability in Keycloak where a low-privilege user can bypass security controls intended to disable the implicit flow in OpenID Connect (OIDC) clients by manipulating client data during session restart, potentially exposing access tokens.

A remote, anonymous attacker can exploit a vulnerability in Apache Tomcat to bypass security measures.

A remote, authenticated attacker can exploit a vulnerability in Podman to manipulate files on the host system.

A vulnerability in Unbound allows an attacker from an adjacent network to manipulate the cache, potentially leading to domain hijacking.

An authenticated or anonymous attacker can exploit multiple vulnerabilities in Red Hat Enterprise Linux regarding Valkey to manipulate files or cause a denial-of-service condition.

Multiple unspecified vulnerabilities in Mattermost Desktop App and Mattermost Server allow an attacker to cause an unspecified security issue.

Multiple vulnerabilities in Docker allow a local attacker to execute arbitrary code with administrator privileges, cause a denial-of-service condition, or manipulate data.

An authenticated remote attacker can exploit a vulnerability in Keycloak to bypass security measures.

An authenticated or unauthenticated remote attacker can exploit multiple vulnerabilities in Red Hat Enterprise Linux and Quarkus to perform a denial of service attack, disclose sensitive information, or manipulate data.

An authenticated remote attacker can exploit a vulnerability in BigBlueButton to conduct a Cross-Site Scripting (XSS) attack.

A remote, anonymous attacker can exploit multiple vulnerabilities in Ruby to cause a denial-of-service condition and disclose confidential information.

Microsoft published information regarding CVE-2026-7168, a cross-proxy Digest authentication state leak.

An integer underflow vulnerability, CVE-2026-37459, in FRRouting (FRR) versions stable/10.0 to stable/10.6 allows a remote attacker to cause a Denial of Service (DoS) by sending a crafted BGP UPDATE message.

Microsoft published information about CVE-2026-5773, a vulnerability related to the incorrect reuse of SMB connections.

CVE-2026-6429 is a credential leak vulnerability affecting Microsoft products.

A denial-of-service vulnerability, identified as CVE-2026-37458, exists in the MP_REACH_NLRI component of FRRouting versions stable/10.0 to stable/10.6, where authenticated attackers can trigger a DoS by sending a crafted UPDATE message due to missing input validation.

CVE-2026-31704 is a vulnerability in ksmbd related to the use of check_add_overflow() to prevent a u16 DACL size overflow, potentially leading to denial of service or privilege escalation.

A SQL Injection vulnerability (CVE-2025-45809) in LiteLLM versions prior to 1.81.0 allows unauthenticated attackers to potentially steal database contents and read server files via time-based blind SQL injection in the `/key/block` and `/key/unblock` endpoints.

A remotely reachable integer overflow in OpenTelemetry eBPF Instrumentation's (OBI) memcached text protocol parser can crash the OBI process, causing a denial of service due to unchecked arithmetic when handling large payload sizes in memcached storage commands.

Malformed MongoDB wire messages can trigger uncaught panics in the OpenTelemetry eBPF Instrumentation agent's MongoDB TCP parser, allowing a remote unauthenticated attacker to crash the telemetry agent and cause a denial of service.

The OpenTelemetry eBPF Instrumentation (OBI) Postgres protocol parser is vulnerable to a remote availability issue - when processing BIND messages, the parser assumes payloads contain a valid NUL-terminated portal name; a crafted empty or unterminated payload can cause OBI to slice beyond the end of the captured buffer, triggering a runtime panic and crashing the agent.

Multiparty versions 4.2.3 and lower are vulnerable to denial of service via prototype pollution, where a crafted multipart/form-data request with a field name colliding with an Object.prototype property triggers a TypeError, leading to an uncaught exception and process crash.

parse-nested-form-data versions 1.0.0 and earlier are vulnerable to prototype pollution via crafted FormData field names, allowing an unauthenticated remote client to mutate `Object.prototype` and potentially corrupt application state, alter control flow, or cause denial of service.

The form-data-objectizer npm package version 1.0.0 is vulnerable to prototype pollution (CVE-2026-46510) via crafted form keys, allowing an attacker to modify Object.prototype and potentially cause denial-of-service, bypass security checks, or inject unintended values.

A remote attacker could exploit a flaw in GnuTLS's DTLS packet reordering logic (CVE-2026-42009) to cause unstable packet ordering or undefined behavior, resulting in a denial of service.

This rule detects successful Amazon EKS UpdateClusterConfig requests that disable control plane logging, potentially indicating defense evasion via compromised AWS credentials or unauthorized administrative access that reduces visibility into cluster activity.

The Avro map decoder accepted attacker-controlled block-element counts, leading to unbounded map growth and potential denial-of-service via memory exhaustion; upgrading to v2.33.0 requires explicit configuration of MaxMapAllocSize to mitigate the vulnerability.

This rule detects suspicious Finder Sync plugin registrations on macOS, where adversaries abuse the pluginkit process to establish persistence by repeatedly executing malicious payloads.

The Q1 2026 mobile threat landscape saw a decrease in overall attack volume driven by reduced adware and RiskTool detections, while the number of unique users targeted remained stable, with new SparkCat variants on app stores and increased banking Trojan and Triada backdoor activity.

This rule detects Linux process executions that access Kubernetes static pod manifest files, potentially indicating malicious tampering for persistence or privilege escalation.

Detects suspicious Microsoft Entra ID audit events for device registration where details indicate an Azure AD join and the user agent is not a standard registration client, potentially indicating scripted registration, third-party tooling, or malicious device registration for persistence or token abuse.

Detects successful Microsoft Entra ID sign-ins where the client application is the Microsoft Authentication Broker (MAB) and the requested resource identifier is outside a short list of commonly observed first-party targets, potentially indicating abuse to obtain tokens for unexpected APIs or enterprise applications.

Detects execution of curl or wget from processes running inside OCI/runc-backed containers, potentially indicating ingress tool transfer or data exfiltration after a container breakout.

Detects potential reconnaissance activity in Kubernetes environments where adversaries or automated scripts attempt to map the environment by rapidly querying multiple API resource kinds, indicative of initial setup before actions like privilege escalation or data exfiltration.

This rule detects Kubernetes audit events where node or pod service accounts are accessing secrets via `get` or `list` operations, which may indicate credential access attempts by attackers sweeping Secret objects for sensitive information.

This rule identifies process start events where the parent process is the AWS Systems Manager (SSM) Session Manager worker, which adversaries may abuse for remote execution and lateral movement using legitimate AWS credentials and IAM permissions.

Detects Microsoft Entra ID sign-ins consistent with Tycoon2FA phishing-as-a-service (PhaaS) adversary-in-the-middle (AiTM) activity targeting Microsoft 365 and Gmail, where the Microsoft Authentication Broker requests tokens for Microsoft Graph or Exchange Online, or the Office web client application authenticates to itself, combined with Node.js-style user agents (node, axios, undici).

The rule detects Microsoft Graph activity from delegated user tokens where a single user session and source IP rapidly touches multiple high-value Graph paths indicative of reconnaissance, suggesting a broad enumeration playbook.

This rule identifies a high number of inbound SSH login attempts on a macOS host within a short time window by monitoring the `sshd-keygen-wrapper` process, indicating potential brute-force attacks against exposed SSH services.

Vulnerability CVE-2026-8768 describes a server-side request forgery (SSRF) flaw in the validateDownloadUrl function of the provider-utils component in Vercel AI versions up to 3.0.97, enabling remote attackers to potentially make internal requests.

Fuel CMS 1.4.13 is vulnerable to blind SQL injection via the 'col' parameter in the Activity Log interface, allowing authenticated attackers to manipulate database queries and extract information through time-based delays (CVE-2021-47980).

WP Learn Manager 1.1.2 contains a stored cross-site scripting vulnerability (CVE-2021-47975) that allows unauthenticated attackers to inject malicious scripts through the fieldtitle parameter via a POST request to the jslm_fieldordering page, resulting in arbitrary JavaScript execution when administrators view the field ordering interface.

Sticky Notes Widget 3.0.6 is vulnerable to a denial-of-service attack (CVE-2021-47973), where an attacker can crash the application on iOS devices by pasting excessively long character strings into note fields.

Sticky Notes & Color Widgets 1.4.2 is vulnerable to denial of service via excessively long character strings (CVE-2021-47972), allowing attackers to crash the application.

My Notes Safe 5.3 is vulnerable to a denial-of-service attack (CVE-2021-47971) where an attacker can crash the application by pasting excessively long character strings into note fields.

Macaron Notes 5.5 is vulnerable to a denial-of-service condition (CVE-2021-47970) due to its handling of excessively long character strings in notes, leading to application crashes.

Color Notes 1.4 is vulnerable to a denial-of-service attack (CVE-2021-47969) where pasting excessively long character strings into note fields can crash the application, achieved by generating and pasting a 350,000-character payload twice into a new note.

Microsoft published information about CVE-2026-43490, a vulnerability in ksmbd related to the validation of inherited ACE SID length.

Detection of handle requests to the LSASS process with specific access masks commonly used by tools to dump memory, indicating potential credential access attempts.