Vulnerabilities
Curated coverage and analysis in this editorial area.
Siemens Simcenter Femap Memory Corruption Vulnerability: Coordinated Disclosure Set for May 2026
A high-severity memory corruption vulnerability in Simcenter Femap’s IPT file parser (ZDI-26-317) leaves users with a nine-month expos…
Progress Software Patches High-Severity Command Injection in Kemp LoadMaster (ZDI-26-319)
An authenticated command injection vulnerability in the customLocation parameter of Kemp LoadMaster carries a CVSS score of 8.8. While…
Adobe ColdFusion: Security Update Addresses Reported Authentication Bypass
Advisory ZDI-26-263 describes a reported remote authentication bypass in Adobe ColdFusion. With a CVSS score of 6.5, the vulnerability…
Cisco SD-WAN: Potential Targeted Activity Involving Controllers
A report describes potential exploitation of SD-WAN vulnerabilities, noting activity attributed to a group designated as UAT-8616 and…
OpenAI Codex: Reported Sandbox Escape Disclosed (ZDI-26-305)
A reported sandbox escape in OpenAI Codex (ZDI-26-305) could potentially allow code execution via specific JavaScript repositories. Th…
Apple macOS USD Library Flaw Enables Information Disclosure and Exploit Chaining
A vulnerability in the macOS Universal Scene Description (USD) library (ZDI-26-315) allows for out-of-bounds reads and potential code…
Docker Desktop ECI Flaw: High-Severity LPE Vulnerability Enables Container Escapes
A vulnerability in Docker Desktop’s Enhanced Container Isolation (ECI) allows for local privilege escalation with a CVSS score of 8.8.…
India’s CERT-In Mandates 12-Hour Patch Window to Counter AI-Driven Exploitation
A new 38-page blueprint from CERT-In slashes the remediation window to just 12 hours for exposed systems, citing the rapid weaponizati…
CISA Adds Drupal SQL Injection Vulnerability to KEV Catalog Following Mass Exploitation
CISA has added the CVE-2026-9082 SQL injection flaw in Drupal Core to its Known Exploited Vulnerabilities catalog. The move follows re…
CVE-2026-5426: KnowledgeDeliver LMS Targeted by Zero-Day ViewState Exploit
Hard-coded ASP.NET machine keys in KnowledgeDeliver LMS have enabled unauthenticated RCE attacks. Threat actors deployed the BLUEBEAM…
300 WordPress Zero-Days in 72 Hours for $20: The Falling Economic Threshold of the Bug
TrendAI and CHT Security researchers have uncovered over 300 critical zero-day vulnerabilities in 72 hours using an AI pipeline develo…
Windows Hit by Post-Patch Tuesday Zero-Day Blitz
Security researcher Chaotic Eclipse has disclosed three new Windows zero-day vulnerabilities following the May 2026 Patch Tuesday. To…