Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

CVE-2026-20182 is an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage). The flaw sits in the peering authentication path of the vdaemon service running over DTLS on UDP port 12346, the same control-plane service involved in CVE-2026-20127 earlier in 2026. It is not a patch bypass of that earlier issue, but a separate weakness in the device-type handling of the control connection handshake.

CVE-2026-42945, nicknamed "NGINX Rift", is a heap buffer overflow in the ngx_http_rewrite_module component of NGINX. It has sat in the project's source code since 2008. F5 disclosed the flaw on May 13, 2026, after responsible disclosure by researchers at depthfirst, who reported finding it through an autonomous code scanning system.

CVE-2026-45185, nicknamed Dead.Letter, is a use-after-free vulnerability in the BDAT message body parsing path of Exim, the open-source Mail Transfer Agent that runs a large share of the internet's email servers. The flaw lives in the GnuTLS-backed TLS path, where Exim can free its internal transfer buffer during a TLS shutdown while the SMTP state machine still holds a reference to it.

May the 4th be with you. In celebration of Star Wars Day, here's what a galaxy far, far away can teach us about security. The films work surprisingly well as a case study, and not in the obvious way. It's not the lasers, androids or the lightsabers. It's that the Empire and the First Order both fall into the same trap most security programs walk into every day. In this post, we'll walk through what the films get right about modern security challenges, how AI is making them worse, and what to do about it.

CVE-2026-41940 is a pre-authentication remote authentication bypass in cPanel and WHM caused by a CRLF (Carriage Return Line Feed) injection in the login and session handling logic. An unauthenticated remote attacker can inject raw \r\n characters into a malicious basic authorization header, which cpsrvd then writes into a session file without sanitization.

CVE-2026-3854 is a command injection vulnerability in GitHub Enterprise Server. It lives in the git push pipeline. User-supplied push option values were not properly sanitized before being embedded in an internal service header. The header format used a delimiter that could also appear in user input. A crafted push option containing that delimiter let an attacker inject additional metadata fields. Downstream services treated those fields as trusted internal values.

CVE-2026-40372 is an elevation of privilege vulnerability in ASP.NET Core caused by improper verification of cryptographic signatures in the Data Protection library. The flaw sits in the HMAC validation routine of the managed authenticated encryptor, where a defective comparison lets an attacker submit a forged payload that the application accepts as legitimately signed. The vulnerability carries a CVSS v3.1 base score of 8.1 (Important), as assigned by Microsoft in the official advisory.

CVE-2026-29145 is an authentication bypass flaw in Apache Tomcat and Apache Tomcat Native affecting the CLIENT_CERT authentication path. When OCSP soft-fail is disabled, certain code paths fail to treat an OCSP check failure as a hard authentication failure, allowing a connecting client to reach protected resources without presenting a valid, revocation-checked certificate.

CVE-2026-23869 is a denial of service vulnerability in React Server Components, caused by improper handling of cyclic data structures during deserialization of incoming HTTP requests. The vulnerability resides in the React Flight protocol's server-side reply handling, specifically in the createMap, createSet, and extractIterator functions within ReactFlightReplyServer.js. The vulnerability carries a CVSS v3.1 base score of 7.5 (High). Exploitation requires no authentication and no user interaction.