Security Threat Feed
Clear insights on active threats, supply chain attacks, and critical vulnerabilities affecting developers and organisations.
CVE-2026-48172: CVSS 10.0 LiteSpeed cPanel Plugin Flaw Under Active Exploitation Lets Any cPanel User Execute Arbitrary Scripts as Root
LiteSpeed has confirmed active exploitation of CVE-2026-48172, a maximum-severity (CVSS 10.0) incorrect privilege assignment vulnerability in the LiteSpeed User-End cPanel Plugin affecting versions 2.3 through 2.4.4. Any cPanel user, including a compromised or attacker-controlled account, can abuse the lsws.redisAble function to execute arbitrary scripts with root privileges. The flaw is fixed in version 2.4.5; additional hardening of both the cPanel and WHM plugins ships in cPanel plugin 2.4.7, bundled with WHM Plugin 5.3.1.0. The disclosure comes weeks after the actively exploited cPanel authentication bypass CVE-2026-41940.
CVE-2026-20223: Cisco Secure Workload REST API Flaw Allows Unauthenticated Attackers to Read Sensitive Data and Reconfigure Tenants with Site Admin Privileges
Cisco has patched CVE-2026-20223, a CVSS 10.0 vulnerability in Cisco Secure Workload caused by insufficient validation and authentication on REST API endpoints. An unauthenticated remote attacker who sends a crafted request to an affected endpoint can read sensitive data and change configuration across tenant boundaries with the privileges of the Site Admin user; both SaaS and on-premises deployments are affected regardless of device configuration. Cisco found the flaw during internal security testing and reports no evidence of in-the-wild exploitation. Fixed releases are 3.10.8.3 and 4.0.3.17. The disclosure comes one week after Cisco confirmed active exploitation of another CVSS 10.0 flaw in the Catalyst SD-WAN Controller.
Laravel-Lang Supply Chain Attack: Attackers Rewrote 700+ Git Tags Across Four Packages to Silently Boot a 15-Module PHP Credential Stealer on Every Application Startup
A sophisticated supply chain attack hit four widely used Laravel-Lang packages on May 22 and 23, 2026. Rather than pushing changes to the repositories' branches, the attackers rewrote existing git tags across laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions so that already-published version numbers pointed at malicious commits. More than 700 malicious version tags were published in rapid, automated succession, indicating access to organization-level release infrastructure. The malicious commits add a src/helpers.php file registered under autoload.files in composer.json; because Composer's generated autoloader includes every autoload.files entry whenever vendor/autoload.php is loaded, the file runs on every PHP application startup with no further trigger. It contacts flipboxstudio[.]info and deploys a 5,900-line AES-256-encrypted PHP credential stealer organized into fifteen collection modules that harvests cloud credentials, CI/CD tokens, cryptocurrency wallets, browser data, VPN configurations, and dozens of other credential sources across Windows, Linux, and macOS before deleting itself from disk.
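Because the tags were moved rather than the code on a branch, the tell-tale sign on the consuming side is a package whose version string in composer.lock is unchanged while its source.reference commit changes, or whose autoload.files list suddenly gains an entry. The following Python script is an added example, not code from the article or from the Laravel-Lang project: it diffs two composer.lock snapshots and reports both signals. The snapshots are constructed inline; the version numbers, commit hashes and the example/unrelated package are made up for illustration.

```python
import json

# Constructed sample data: two composer.lock snapshots as a CI job would see
# them before and after `composer update`. The laravel-lang/lang name comes
# from the advisory; versions, commit hashes and example/unrelated are made up.
OLD_LOCK = json.dumps({"packages": [
    {"name": "laravel-lang/lang", "version": "15.4.0",
     "source": {"type": "git", "url": "https://github.com/Laravel-Lang/lang.git",
                "reference": "1111111111111111111111111111111111111111"},
     "autoload": {"psr-4": {"LaravelLang\\Lang\\": "src/"}}},
    {"name": "example/unrelated", "version": "2.0.0",
     "source": {"type": "git", "url": "https://example.invalid/unrelated.git",
                "reference": "2222222222222222222222222222222222222222"},
     "autoload": {"psr-4": {"Example\\": "src/"}}},
]})

NEW_LOCK = json.dumps({"packages": [
    # Same version string, different commit: the tag was moved.
    {"name": "laravel-lang/lang", "version": "15.4.0",
     "source": {"type": "git", "url": "https://github.com/Laravel-Lang/lang.git",
                "reference": "3333333333333333333333333333333333333333"},
     "autoload": {"psr-4": {"LaravelLang\\Lang\\": "src/"},
                  "files": ["src/helpers.php"]}},
    # Legitimate upgrade: version and commit both change, no autoload.files.
    {"name": "example/unrelated", "version": "2.1.0",
     "source": {"type": "git", "url": "https://example.invalid/unrelated.git",
                "reference": "4444444444444444444444444444444444444444"},
     "autoload": {"psr-4": {"Example\\": "src/"}}},
]})


def _index(lock_text):
    """Map package name -> lock entry, covering both prod and dev packages."""
    data = json.loads(lock_text)
    entries = data.get("packages", []) + data.get("packages-dev", [])
    return {p["name"]: p for p in entries}


def moved_tags(old_lock, new_lock):
    """Packages whose version is unchanged but whose pinned commit differs.

    A version tag that resolves to a new commit is exactly what a rewritten
    git tag looks like from the consumer side.
    """
    old, new = _index(old_lock), _index(new_lock)
    moved = []
    for name, pkg in new.items():
        prev = old.get(name)
        if prev is None or prev.get("version") != pkg.get("version"):
            continue
        old_ref = (prev.get("source") or {}).get("reference")
        new_ref = (pkg.get("source") or {}).get("reference")
        if old_ref and new_ref and old_ref != new_ref:
            moved.append((name, pkg["version"], old_ref, new_ref))
    return moved


def new_autoload_files(old_lock, new_lock):
    """Files added to a package's autoload.files list between two snapshots.

    Composer includes every autoload.files entry whenever vendor/autoload.php
    is loaded, so a new entry is code that runs on every application start.
    """
    old, new = _index(old_lock), _index(new_lock)
    added = []
    for name, pkg in new.items():
        before = set((old.get(name, {}).get("autoload") or {}).get("files", []))
        after = set((pkg.get("autoload") or {}).get("files", []))
        for path in sorted(after - before):
            added.append((name, path))
    return added


if __name__ == "__main__":
    for name, version, old_ref, new_ref in moved_tags(OLD_LOCK, NEW_LOCK):
        print(f"MOVED TAG  {name} {version}: {old_ref[:12]} -> {new_ref[:12]}")
    for name, path in new_autoload_files(OLD_LOCK, NEW_LOCK):
        print(f"NEW AUTOLOAD FILE  {name}: {path}")
```

Run it in CI against the lock file from the last known-good build and the one produced by `composer update`, and treat a moved tag on an unchanged version as a stop-the-line event rather than a warning. The check only sees movement between two snapshots: a project that installed the package for the first time after the tags were rewritten has no earlier reference to compare against, so pair it with the autoload.files review and with `composer show` or a registry advisory check for the affected version ranges.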
ssh-keysign-pwn (CVE-2026-46333): Nine-Year-Old Linux Kernel Privilege Flaw Lets Any Local User Read /etc/shadow, Steal SSH Host Keys, and Execute Commands as Root — PinTheft RDS Double-Free Also Drops Root on Arch Linux
Qualys disclosed CVE-2026-46333, a nine-year-old Linux kernel privilege management flaw rooted in the __ptrace_may_access() function, that allows any unprivileged local user to read /etc/shadow, steal SSH host keys from /etc/ssh/*_key, and execute arbitrary commands as root through four independent exploit chains targeting chage, ssh-keysign, pkexec, and accounts-daemon on default installations of Debian, Fedora, and Ubuntu. A proof-of-concept was released last week. The disclosure arrives alongside PinTheft, a separate Linux local privilege escalation from Zellic and V12 that exploits an RDS zerocopy double-free via io_uring fixed buffers to achieve root on Arch Linux systems where the RDS module is loaded.
MiniPlasma: A Windows LPE Microsoft Thought It Patched in 2020 Is Back — Unpatched — and Opens a SYSTEM Shell on Fully Updated Windows 11
Chaotic Eclipse has published a weaponized proof-of-concept for MiniPlasma, a Windows privilege escalation zero-day targeting cldflt.sys — the Windows Cloud Files Mini Filter Driver — in a routine named HsmOsBlockPlaceholderAccess. The same logic bug was originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020 and assumed patched under CVE-2020-17103 in December 2020. Investigation by Chaotic Eclipse found the exact same issue remains fully exploitable on Windows 11 systems running the latest May 2026 security updates. A working SYSTEM shell PoC has been released. Microsoft has not issued a patch.
YellowKey & GreenPlasma: Chaotic Eclipse Returns With an Unpatched BitLocker Bypass and a Windows CTFMON Privilege Escalation
The researcher behind the Defender zero-day trio has disclosed two new unpatched Windows vulnerabilities. YellowKey is a BitLocker bypass operating within the Windows Recovery Environment that works regardless of TPM+PIN configuration, affecting Windows 11 and Server 2022/2025. GreenPlasma is a Windows Collaborative Translation Framework privilege escalation enabling arbitrary memory section creation in SYSTEM-writable directory objects. Both remain unpatched. The same disclosure also revisits a boot manager downgrade attack chain against BitLocker exploiting CVE-2025-48804, which persists due to Secure Boot's inability to enforce certificate version revocation.