Vulnerability intelligence

Feeds

Trending now

CVEs trending on social media within the last 24 hours

  1. CVE-2026-50751 Published Jun 8, 2026

    Hype score

    9

    critical 9.3

    Exploit known

    CVE-2026-50751 is an authentication bypass vulnerability affecting Check Point Remote Access VPN, Mobile Access, and Spark Firewall products. This flaw arises from a logic flow weakness in the certificate validation process within the deprecated IKEv1 key exchange protocol. Exploitation of this vulnerability allows an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without requiring a valid user password. Successful exploitation requires specific conditions, including the enablement of Remote Access VPN or Mobile Access, active IKEv1 for remote access, and gateways that accept legacy Remote Access clients without demanding a machine certificate for connections. While a VPN session can be established, additional post-authentication activity is necessary to access internal resources or escalate privileges.

  2. CVE-2025-8088 Published Aug 8, 2025

    Hype score

    9

    high 8.4

    Exploit known

    WinRAR

    CVE-2025-8088 is a path traversal vulnerability affecting the Windows version of WinRAR. It allows attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild. It was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET. The vulnerability was exploited in phishing attacks to deliver RomCom malware. The attackers can trick the program into saving a file in a different location than the user intended, such as the computer's Startup folder. This allows the attackers to execute their own code. WinRAR patched the vulnerability in version 7.13.

  3. CVE-2023-46604 Published Oct 27, 2023

    Hype score

    8

    critical 10.0

    Exploit known

    Apache ActiveMQ

    CVE-2023-46604 is a remote code execution (RCE) vulnerability that affects Apache ActiveMQ. It stems from the Java OpenWire protocol marshaller. A remote attacker with network access to a Java-based OpenWire broker or client can exploit this vulnerability. By manipulating serialized class types in the OpenWire protocol, the attacker can cause the broker or client to instantiate any class on the classpath, potentially leading to the execution of arbitrary shell commands. It is recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 to address this issue.

Known exploited

Sourced from CISA's Known Exploited Vulnerability (KEV) catalog.

  1. CVE-2026-50751 Published Jun 8, 2026

    Hype score

    9

    critical 9.3

    Exploit known

    CVE-2026-50751 is an authentication bypass vulnerability affecting Check Point Remote Access VPN, Mobile Access, and Spark Firewall products. This flaw arises from a logic flow weakness in the certificate validation process within the deprecated IKEv1 key exchange protocol. Exploitation of this vulnerability allows an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without requiring a valid user password. Successful exploitation requires specific conditions, including the enablement of Remote Access VPN or Mobile Access, active IKEv1 for remote access, and gateways that accept legacy Remote Access clients without demanding a machine certificate for connections. While a VPN session can be established, additional post-authentication activity is necessary to access internal resources or escalate privileges.

  2. CVE-2026-42271 Published May 8, 2026

    Hype score

    8

    high 8.7

    Exploit known

    CVE-2026-42271 is a command injection vulnerability found in LiteLLM, an open-source proxy server designed to expose Large Language Model (LLM) APIs in an OpenAI-compatible format. This flaw affects LiteLLM versions from 1.74.2 up to, but not including, 1.83.7. The vulnerability resides in two Model Context Protocol (MCP) preview endpoints, `POST /mcp-rest/test/connection` and `POST /mcp-rest/test/tools/list`, which incorrectly accepted full server configurations, including fields for `command`, `args`, and `env` used by the `stdio` transport. Exploitation of CVE-2026-42271 allows an authenticated attacker, even with a low-privilege API key, to execute arbitrary commands on the LiteLLM proxy host. This occurs because the vulnerable endpoints would spawn the supplied command as a subprocess with the privileges of the proxy process. The issue has been patched in LiteLLM version 1.83.7, which introduced additional authorization controls requiring the `PROXY_ADMIN` role for these test endpoints. Furthermore, this vulnerability can be chained with CVE-2026-48710, a Starlette "BadHost" host header validation bypass, to achieve unauthenticated remote code execution.

  3. CVE-2026-28318 Published Jun 4, 2026

    high 7.5

    Exploit known

    SolarWinds Serv-U

    SolarWinds Serv-U is susceptible to specially crafted POST requests using Content-Encoding: deflate that crash the Serv-U service without authentication. Mitigation steps are provided in the SolarWinds Trust Center to secure customer environments if you are unable to deploy the update.

Insights

Our Security Team's most recent CVE analysis

  1. CVE-2026-41940

    critical 9.3

    Exploit known

    Intruder Insights

    Updated Apr 30, 2026

    cPanel is a very popular hosting framework which is often very difficult to avoid exposing to the internet. The exploit for this weakness gives the attacker root access to cPanel (and from there easy RCE on the system), and the exploit is reliable, well documented, and affects all versions of cPanel except the latest patch. There are well over a million hosts exposed, and though cPanel does have some automated self-upgrade functionality, it can be turned off, and the window before an upgrade (usually up to 24h) is long enough for an attacker to have already exploited this weakness. cPanel have provided a script you can use to detect if compromise has already occurred, which can be found here.

    cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

  2. CVE-2026-1340

    critical 9.8

    Exploit known

    Intruder Insights

    Updated Jan 30, 2026

    This and the similar vulnerability CVE-2026-1281 allow an unauthenticated attacker to execute code remotely on unpatched Ivanti EPMM instances.

    A patch is available from Ivanti here and should be installed immediately. There is a page for defenders who need to check if their instance has been compromised here, though this is a work in progress.

    Note that this is a temporary patch which will be removed with further version updates. If you update the version of your EPMM instance after patching, you must apply the patch again. A fully patched version of EPMM will be available in future which will permanently fix the vulnerability.

    This vulnerability was known to be used in the wild before being disclosed by the vendor. Proof of concept code is now available publicly, so increased attack activity is expected.

    A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.

  3. CVE-2026-1281

    critical 9.8

    Exploit known

    Intruder Insights

    Updated Jan 30, 2026

    This and the similar vulnerability CVE-2026-1340 allow an unauthenticated attacker to execute code remotely on unpatched Ivanti EPMM instances.

    A patch is available from Ivanti here and should be installed immediately. There is a page for defenders who need to check if their instance has been compromised here, though this is a work in progress.

    Note that this is a temporary patch which will be removed with further version updates. If you update the version of your EPMM instance after patching, you must apply the patch again. A fully patched version of EPMM will be available in future which will permanently fix the vulnerability.

    This vulnerability was known to be used in the wild before being disclosed by the vendor. Proof of concept code is now available publicly, so increased attack activity is expected.

    A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.