Report Date: 2026-05-10
New KEVs: 3Critical CVEs: 5Ransomware Victims: 187
3 vulnerabilities were added to the CISA Known Exploited Vulnerabilities catalog this period. 5 additional critical-severity CVEs have been published to the NVD but not yet confirmed as exploited — Berriai products show the strongest concentration of risk signals this week. Threat intelligence sources this period reference Salt Typhoon (China) and MuddyWater (Iran). Ransomware activity is moderate with 187 new victims posted to leak sites over the last 7 days, with Thegentlemen posting the most victims.
Patch This Week
The top 3 KEVs to remediate right now, ranked by CISA deadline proximity, ransomware exploitation, and severity. These are confirmed exploited — if you do nothing else today, patch these.
- CVE-2026-0300 – Palo Alto Networks PAN-OS | CVSS 9.3
CISA deadline: 2026-05-09 (overdue by 1d) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Until the vendor releases an official fix, the following workaround should be implemented: – Restrict User-ID Authentication Portal access to only trusted zones. – Disable User-ID Authentication Portal if not required. - CVE-2026-6973 – Ivanti Endpoint Manager Mobile (EPMM) | CVSS 7.2
CISA deadline: 2026-05-10 (0d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. - CVE-2026-42208 – BerriAI LiteLLM | CVSS 9.3
CISA deadline: 2026-05-11 (1d remaining) — Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Top KEVs
Vulnerabilities confirmed actively exploited in the wild by CISA — ranked by ransomware use, then severity. Patch these before anything else.
This Reporting Window
- CVE-2026-42208 – BerriAI LiteLLM | CVSS 9.3 (CRITICAL) | AV: Network | EPSS 37.4% / 97th pct | Ransomware Use: No
- CVE-2026-0300 – Palo Alto Networks PAN-OS | CVSS 9.3 (CRITICAL) | AV: Network | EPSS 5.3% / 90th pct | Ransomware Use: No
- CVE-2026-6973 – Ivanti Endpoint Manager Mobile (EPMM) | CVSS 7.2 (HIGH) | AV: Network | EPSS 5.0% / 90th pct | Ransomware Use: No
Major CVEs
Critical-severity CVEs published in the last 7 days that are not yet in the CISA KEV catalog — not confirmed exploited, but severe enough to assess and prioritize patching before they are.
- CVE-2026-6508 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.0% / 6th pct | Published: 3 days ago
Origin Validation Error vulnerability in TUBITAK BILGEM Software Technologies Research Institute Liderahenk allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Liderahenk: from 2.0.1 befo…
- CVE-2026-5722 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.2% / 42th pct | Published: 5 days ago
The MoreConvert Pro plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.9.14. This is due to the guest waitlist verification flow not invalidating or regenerating verificat… - CVE-2025-13618 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.1% / 21th pct | Published: 5 days ago
The Mentoring plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.2.8. This is due to the plugin not properly restricting the roles that users can register with in the mento… - CVE-2026-5294 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.2% / 41th pct | Published: 5 days ago
The Geeky Bot plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.2.2. This is due to a nopriv AJAX route allowing attacker-controlled model/function dispatch and reaching a pl… - CVE-2025-14320 – Unknown Vendor | CVSS 9.8 (CRITICAL) | AV: Network | EPSS 0.1% / 19th pct | Published: 6 days ago
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Tegsoft Management and Information Services Trade Limited Company Online Support Application allows Reflected XSS.Th…
Security News
Advisories, threat research, and incident reports from 12 sources across government, commercial research, and security journalism — prioritized by source credibility.
- CISA ICS AdvisoryAdvisory · 3 days ago – MAXHUB Pivot Client Application
View CSAF Summary Successful exploitation of this vulnerability may enable an attacker to access tenant email addresses and associated information in cleartext or cause a denial-of-service condition. The following versio… - CISA ICS AdvisoryAdvisory · 5 days ago – ABB B&R PVI
View CSAF Summary ABB became aware of vulnerability in the product versions listed as affected in the advisory. An update is now available that addresses and remediates the vulnerability. An attacker who successfully exp… - CISA ICS AdvisoryAdvisory · 5 days ago – Hitachi Energy PCM600
View CSAF Summary Hitachi Energy is aware of a vulnerability that affects the Hitachi Energy PCM600 product versions listed in this document. An attacker successfully exploiting this vulnerability can impact integrity of… - Unit 42Research · 3 days ago – Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution
Unit 42 details CVE-2026-0300, a buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal. Read now for details. The post Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated … - Unit 42Research · 5 days ago – Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years
Copy Fail (CVE-2026-31431) is a critical Linux kernel LPE that allows stealthy root access. This flaw impacts millions of systems. Read our analysis. The post Copy Fail: What You Need to Know About the Most Severe Linux … - Sophos X-OpsResearch · 3 days ago – Donuts and Beagles: Fake Claude site spreads backdoor
<p>A malicious imitation of&nbsp;Anthropic’s&nbsp;Claude&nbsp;site leads to&nbsp;DLL sideloading&nbsp;– and&nbsp;a backdoor</p> Categories: Threat Research Tags: Claude, Beagle, Backdo… - Sophos X-OpsResearch · 9 days ago – Proof-of-concept exploit available for Linux 'Copy Fail' vulnerability (CVE-2026-31431)
Categories: Threat Research Tags: advisory, Linux, Copy Fail - The RecordNews · 2 days ago – Kingdom Market administrator given 16-year sentence
Slovakian national Alan Bill, 33, pleaded guilty in January to a conspiracy to distribute controlled substances charge after admitting to his role in running Kingdom Market â a platform used by drug dealers and cybercr… - The RecordIncident · 2 days ago – Multiple universities forced to reschedule final exams after Canvas cyber incident
On Thursday, dozens of students took to social media to say they saw a message from a cybercriminal group as they navigated through Canvas, an educational platform created by Instructure that hosts teaching materials, te… - Security Affairs (APT)Incident · 4 days ago – Iranian cyber espionage disguised as a Chaos Ransomware attack
Iran-linked APT MuddyWater used ransomware-style tactics to mask espionage, combining phishing, credential theft, data exfiltration, and extortion without encryption. A newly discovered cyber intrusion attributed to the … - Security Affairs (APT)Incident · 7 days ago – Salt Typhoon breach IBM subsidiary in Italy: a warning for Europe’s digital defenses
April 2026 breach at Sistemi Informativi (IBM Italy) raises concerns over Chinese-linked cyber ops in Europe, including Salt Typhoon. In late April 2026, the Italian cybersecurity landscape was shaken by a significant br… - Security Affairs (Cybercrime)Incident · today – Official JDownloader site served malware to Windows and Linux users between May 6 and May 7
JDownloader website was hacked to distribute malicious Windows and Linux installers carrying a Python RAT between May 6–7, 2026. JDownloader official website was compromised in a supply chain attack that replaced legitim… - Security Affairs (Cybercrime)News · yesterday – Quasar Linux RAT (QLNX): A Fileless Linux Implant Built for Stealth and Persistence
Researchers uncovered QLNX, a Linux RAT targeting developers to steal credentials, log keystrokes, monitor systems, and enable remote access. Security researchers discovered a previously undocumented Linux malware called… - Bleeping ComputerNews · today – Hackers abuse Google ads, Claude.ai chats to push Mac malware
Attackers are abusing Google Ads and legitimate Claude.ai shared chats in an active malvertising campaign. Users searching for "Claude mac download" may come across sponsored search results that list claude.ai as the tar… - The Hacker NewsNews · today – Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak
Cybersecurity researchers have disclosed a critical security vulnerability in Ollama that, if successfully exploited, could allow a remote, unauthenticated attacker to leak its entire process memory. The out-of-bounds re…
Ransomware Activity
Victim counts posted to ransomware group leak sites — use this to gauge which groups are most active and which sectors and regions are being targeted.
19 new victims posted today
7-day total: 187 via Ransomware.live
Infostealer Exposure: 4,411 employee credentials and 27,817 user credentials compromised via infostealer malware across victim organisations — indicating credential theft likely preceded these ransomware deployments.
Most Active Groups
Group Intelligence
- Thegentlemen — The Gentlemen is a RaaS group that emerged in July–August 2025, rapidly claiming over 320 victims across 17+ countries by offering affiliates a 90% revenue share, deploying a Go-based locker against W…
- Qilin — Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator. Qilin actors practice do…
- Medusalocker — Medusa is a DDoS bot written in .NET 2.0. In its current incarnation its C&C protocol is based on HTTP, while its predecessor made use of IRC.
- Safepay — SafePay emerged in September 2024 as a rapidly growing ransomware operation that explicitly disavows the RaaS model and manages all operations internally, claiming over 300 victims worldwide by mid-20…
- Incransom — INC Ransom is a prolific ransomware-as-a-service operation active since July 2023 that systematically targets healthcare, government, education, and manufacturing sectors in North America and Europe, …
Most Targeted Sectors
Top Countries
US (72), GB (14), DE (11), IT (11), CA (6)
Notable Incidents
- st-annes.uk.com (Education · GB) — claimed by Lynx. St Anne's Catholic School & Sixth Form College is a distinguished educational institution in Southampton, dedicated to providing a strong moral and academic foundation for students aged 11 to 18. The school emphasizes a … Press coverage →
Vendor-Specific Risks
Vendors with confirmed KEV exploitation this week — the stacked bar shows how that exposure breaks down across exploited CVEs (red), critical CVEs to watch (orange), and news mentions (yellow). Prioritize patching vendors with the largest red segment.
Stay Ahead
Found this useful? Get the daily report in your reader.
Free. No account. No email. Follow in Feedly, Inoreader, or any RSS reader.
Or follow on X for alerts in your feed: