cPanel is a very popular hosting framework which is often very difficult to avoid exposing to the internet. The exploit for this weakness gives the attacker root access to cPanel (and from there easy RCE on the system), and the exploit is reliable, well documented, and affects all versions of cPanel except the latest patch. There are well over a million hosts exposed, and though cPanel does have some automated self-upgrade functionality, it can be turned off, and the window before an upgrade (usually up to 24h) is long enough for an attacker to have already exploited this weakness. cPanel have provided a script you can use to detect if compromise has already occurred, which can be found here.
Vulnerability intelligence
Trending now
CVEs trending on social media within the last 24 hours
Hypemeter current score: Cold bath
1. CVE-2026-45659 Published May 22, 2026
Hype score: 19
high 8.8
Exploit known
CVE-2026-45659 is a remote code execution (RCE) vulnerability found in Microsoft SharePoint Server, stemming from a deserialization of untrusted data issue. This flaw allows an authenticated attacker with low privileges, such as a Site Member, to execute arbitrary code on the server without requiring user interaction. The vulnerability affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Despite Microsoft initially assessing the vulnerability as "less likely to be exploited," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-45659 to its Known Exploited Vulnerabilities (KEV) catalog in July 2026, confirming active exploitation in the wild. A patch for this vulnerability was included in the May 2026 security updates, though its details were inadvertently omitted from the initial release notes.
2. CVE-2026-34008
Hype score: 11
CVE-2026-34008 identifies a security flaw found in Tenda AC15 devices running firmware versions up to 15.13.07.13. This vulnerability is a stack-based buffer overflow that occurs within the `/goform/TextEditingConversion` file. The flaw can be exploited remotely by manipulating the `wpapsk_crypto2_4g` argument. A public exploit for this vulnerability has been released.
3. CVE-2026-34007
Hype score: 11
CVE-2026-34007 is a security vulnerability identified in Tenda AC15 routers, specifically affecting versions up to 15.13.07.13. This flaw is characterized as a stack-based buffer overflow, occurring within an unspecified function of the `/goform/TextEditingConversion` file. The vulnerability can be triggered by manipulating the `wpapsk_crypto2_4g` argument, leading to memory operations outside of their intended boundaries. This issue can be exploited remotely, and a public exploit has been released, making it a potential target for attacks.
Known exploited
Sourced from CISA's Known Exploited Vulnerability (KEV) catalog.
- CVE-2026-45659 Published May 22, 2026
Hype score: 19
high 8.8
Exploit known
CVE-2026-45659 is a remote code execution (RCE) vulnerability found in Microsoft SharePoint Server, stemming from a deserialization of untrusted data issue. This flaw allows an authenticated attacker with low privileges, such as a Site Member, to execute arbitrary code on the server without requiring user interaction. The vulnerability affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Despite Microsoft initially assessing the vulnerability as "less likely to be exploited," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-45659 to its Known Exploited Vulnerabilities (KEV) catalog in July 2026, confirming active exploitation in the wild. A patch for this vulnerability was included in the May 2026 security updates, though its details were inadvertently omitted from the initial release notes.
- CVE-2026-48558 Published Jun 12, 2026
critical 9.5
Exploit known
Tags: npm, Container Security, ICS, Server
SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacker can submit a forged token containing arbitrary identity claims to obtain a fully authenticated technician session. In some configurations, this may also allow bypass of multi-factor authentication. No user interaction is required.
- CVE-2026-20230 Published Jun 3, 2026
high 8.6
Exploit known
Tags: Network, Server
CVE-2026-20230 is an unauthenticated Server-Side Request Forgery (SSRF) vulnerability found in the WebDialer component of Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition. This flaw stems from improper input validation of specific HTTP requests, allowing a remote, unauthenticated attacker to send crafted requests. Successful exploitation of this vulnerability enables an attacker to write arbitrary files to the underlying operating system. These files can subsequently be used to escalate privileges to root on the affected system. While proof-of-concept exploit code is publicly available, Cisco has not observed active exploitation of this vulnerability. The affected WebDialer service is disabled by default, meaning only deployments where it has been explicitly enabled are susceptible.
Insights
Our Security Team's most recent CVE analysis
- CVE-2026-41940
critical 9.3
Exploit known
Intruder Insights
Updated Apr 30, 2026
- CVE-2026-1340
critical 9.8
Exploit known
Intruder Insights
Updated Jan 30, 2026
This and the similar vulnerability CVE-2026-1281 allow an unauthenticated attacker to execute code remotely on unpatched Ivanti EPMM instances.
A patch is available from Ivanti here and should be installed immediately. There is a page for defenders who need to check if their instance has been compromised here, though this is a work in progress.
Note that this is a temporary patch which will be removed with further version updates. If you update the version of your EPMM instance after patching, you must apply the patch again. A fully patched version of EPMM will be available in future which will permanently fix the vulnerability.
This vulnerability was known to be used in the wild before being disclosed by the vendor. Proof of concept code is now available publicly, so increased attack activity is expected.
- CVE-2026-1281
critical 9.8
Exploit known
Intruder Insights
Updated Jan 30, 2026
This and the similar vulnerability CVE-2026-1340 allow an unauthenticated attacker to execute code remotely on unpatched Ivanti EPMM instances.
A patch is available from Ivanti here and should be installed immediately. There is a page for defenders who need to check if their instance has been compromised here, though this is a work in progress.
Note that this is a temporary patch which will be removed with further version updates. If you update the version of your EPMM instance after patching, you must apply the patch again. A fully patched version of EPMM will be available in future which will permanently fix the vulnerability.
This vulnerability was known to be used in the wild before being disclosed by the vendor. Proof of concept code is now available publicly, so increased attack activity is expected.