Find notable cyber news and cases, enriched with sources, timelines, and signals.

Recent notable Happenings and Cases

Last updated: 14:50 06/06/2026 UTC

Latest updates


Everest Forms Pro plugin actively exploited RCE (CVE-2026-3300)

Vulnerability

Updated: 04.06.2026 19:15 · First: 04.06.2026 19:15 · 📰 3 src / 3 articles · H score: 53

Everest Forms Pro has an actively exploited critical remote code execution flaw, CVE-2026-3300, that lets unauthenticated attackers run PHP and take over WordPress sites. The bug affects versions through 1.9.12, and WPEverest fixed it in 1.9.13 on March 18, 2026. Wordfence says abuse began on April 13, 2026, and its firewall has blocked more than 29,300 exploit attempts so far.

Everest Forms Pro plugin patch for CVE-2026-3300

Security Patch Release

Updated: 06.06.2026 17:09 · First: 06.06.2026 17:09 · 📰 1 src / 1 articles · H score: 43

The Everest Forms developer released a patch for CVE-2026-3300 in Everest Forms Pro on March 18, closing an unauthenticated arbitrary code execution flaw affecting versions 1.9.12 and earlier. The update matters because the vulnerable plugin could let attackers gain complete control of WordPress sites before administrators apply the fix.

Everest Forms Pro CVE-2026-3300 active exploitation wave

Exploitation Wave

Updated: 05.06.2026 11:38 · First: 05.06.2026 11:38 · 📰 2 src / 2 articles · H score: 51

Active exploitation of CVE-2026-3300 in Everest Forms Pro is driving complete site compromise risk for WordPress sites. Attackers have been using the flaw for arbitrary code execution since April 13, 2026. More than 29,300 exploit attempts have already been blocked, showing sustained exploitation at scale.

OpenAI ChatGPT Lockdown Mode rollout limits prompt-injection exfiltration paths

Security Tool/Service

Updated: 06.06.2026 16:36 · First: 06.06.2026 16:36 · 📰 1 src / 1 articles · H score: 10

OpenAI ChatGPT is rolling out Lockdown Mode for eligible personal accounts, reducing the risk of prompt-injection-driven data exfiltration. The update adds stricter limits on web- and network-connected features while also introducing active session review and logout controls for suspicious account activity.

Bright Data iOS SDK teardown reveals unauthenticated scraping relay and VPN bypass

Technical Analysis

Updated: 06.06.2026 11:29 · First: 06.06.2026 11:29 · 📰 1 src / 1 articles · H score: 16

Researchers reverse-engineered Bright Data's iOS SDK and found it can turn consumer devices into exit nodes for web-scraping traffic. The teardown showed the job channel has no real authentication and that iOS traffic bypasses a configured VPN, increasing exposure on home and managed devices. The SDK's behavior also reduces visibility for normal app-monitoring tools.

SolarWinds Serv-U advisory and mitigations for CVE-2026-28318

Advisory/Mitigation

Updated: 06.06.2026 11:14 · First: 06.06.2026 11:14 · 📰 1 src / 1 articles · H score: 52

SolarWinds Serv-U mitigation guidance now covers CVE-2026-28318, reducing unauthenticated DoS risk from specially crafted POST requests. SolarWinds says the flaw is addressed in version 15.5.4 HF1 and recommends limiting access to known addresses. Operators should also block requests containing "content-encoding" because the service does not require that functionality.

SolarWinds Serv-U denial-of-service flaw actively exploited (CVE-2026-28318)

Vulnerability

Updated: 05.06.2026 22:15 · First: 05.06.2026 22:15 · 📰 2 src / 2 articles · H score: 36

CISA added CVE-2026-28318 affecting SolarWinds Serv-U to the Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation. The high-severity flaw is a denial-of-service (DoS) issue in SolarWinds Serv-U multi-protocol file server software that can be triggered by specially crafted POST requests using `Content-Encoding: deflate` to crash the service without authentication. SolarWinds says the bug is fixed in Serv-U 15.5.4 HF1, and administrators are advised to limit access to known addresses and block requests containing "content-encoding" until patching is complete. FCEB agencies must remediate by June 19, 2026 under BOD 22-01.

FFmpeg parser/demuxer overflows (multiple vulnerabilities)

Vulnerability

Updated: 06.06.2026 10:28 · First: 06.06.2026 10:28 · 📰 1 src / 1 articles · H score: 36

FFmpeg now has 21 confirmed zero-days, creating risk for any product that bundles the media library and processes untrusted video input. The findings include heap and stack overflows in parsers and demuxers, and each bug has a reproducible proof-of-concept. Several flaws were latent for 15 to 20 years, including one stack overflow dating to 2003. Some issues already map to CVE-2026-39210 through CVE-2026-39218, while the rest are fixed but not yet numbered.

Google security patch release for CVE-2026-10881

Security Patch Release

Updated: 06.06.2026 10:28 · First: 06.06.2026 10:28 · 📰 1 src / 1 articles · H score: 26

Google shipped Chrome 149 with patches for 429 security bugs, including CVE-2026-10881 in ANGLE, creating a broad browser update for users on Linux, Windows, and macOS. The release is the largest Chrome security bundle on record and includes a CVSS 9.6 flaw that can let a crafted page escape the sandbox and run code on the host. Users need to update to 149.0.7827.53 on Linux or 149.0.7827.53/54 on Windows and macOS, or confirm auto-update has run.

Miasma self-replicating supply chain attack campaign targeting open-source repositories

Campaign

Updated: 06.06.2026 09:58 · First: 06.06.2026 09:58 · 📰 1 src / 1 articles · H score: 47

The Miasma self-replicating supply-chain campaign has hit 73 Microsoft repositories across four GitHub organizations, forcing GitHub to disable access and raising the risk of further secret theft and repository compromise. The latest wave also re-compromised the durabletask package and spread through additional repositories, showing that the operation is still actively mutating. Its use of direct commits and a 4.3 MB payload runner means developers can trigger infection simply by cloning affected code and opening it in supported tooling.

Cisco Catalyst SD-WAN Manager root privilege escalation flaw (CVE-2026-20245)

Vulnerability

Updated: 05.06.2026 09:24 · First: 05.06.2026 09:24 · 📰 2 src / 2 articles · H score: 60

CVE-2026-20245 in Cisco Catalyst SD-WAN Manager is an actively exploited high-severity vulnerability that can let an authenticated local attacker with netadmin privileges upload a crafted file and execute arbitrary commands as root. Cisco says the issue affects On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP), and that exploitation has already caused configuration changes pushed to edge devices in limited cases. Cisco also said no patches or mitigations are currently available and advised checking /var/log/scripts.log for IoCs.

Mirasvit Cache Warmer RCE (CVE-2026-45247)

Vulnerability

Updated: 04.06.2026 10:19 · First: 04.06.2026 10:19 · 📰 1 src / 1 articles · H score: 63

CVE-2026-45247 is a critical deserialization of untrusted data flaw in Mirasvit Cache Warmer that enables unauthenticated remote code execution on affected Magento servers. The vulnerability affects versions prior to 1.11.12 and is being actively exploited in the wild. Fixes were released on May 25, 2026.

SolarWinds security patch release for CVE-2026-28318

Security Patch Release

Updated: 05.06.2026 22:15 · First: 05.06.2026 22:15 · 📰 1 src / 1 articles · H score: 53

SolarWinds released Serv-U 15.5.4 Hotfix 1 for CVE-2026-28318, an actively exploited denial-of-service flaw that can crash exposed Serv-U servers. The update fixes an uncontrolled resource consumption weakness and covers the Windows and Linux file transfer product used for MFT and FTP services. Administrators that cannot patch immediately were told to restrict access and block POST requests containing content-encoding.

UNC5221 Brickstorm, Plenet, and AgentPSD access-maintenance malware activity

Malware Activity

Updated: 05.06.2026 21:09 · First: 05.06.2026 21:09 · 📰 1 src / 1 articles · H score: 16

The Brickstorm malware set enabled UNC5221 / VerdantBamboo to keep long-term access inside victim infrastructure, including Microsoft 365, raising the risk of stealthy follow-on intrusion. The operation blended stolen credentials with SSL VPN access and proxying to avoid controls that would normally block entry. The malware also extended into internal appliances and supporting infrastructure, including a Synology NAS device and an affected managed services provider (MSP). Persistent access lasting at least 18 months made the compromise harder to detect and easier to re-use.

UNC5221 BRICKSTORM espionage against U.S. legal and SaaS firms

Case

Updated: 05.06.2026 21:09 · First: 24.09.2025 17:33 · 📰 0 src / 1 articles

UNC5221's BRICKSTORM espionage campaign targets U.S. legal services, SaaS providers, BPOs, and technology companies by planting a stealth backdoor on edge appliances and then moving into virtualization and identity layers. The activity has been observed since March 2025, with an average dwell time of 393 days, theft of source code and other intellectual property, and prior exploitation of Ivanti Connect Secure flaws CVE-2023-46805 and CVE-2024-21887. Google released a BRICKSTORM shell script scanner, but the full victim count and the complete downstream impact remain unknown.

Miasma GitHub and npm supply-chain campaign

Campaign

Updated: 02.06.2026 00:38 · First: 02.06.2026 00:38 · 📰 2 src / 2 articles · H score: 48

A Miasma supply-chain campaign has expanded across GitHub and npm, now linked to 57 npm packages and more than 286 malicious versions. The latest wave uses a 157-byte binding.gyp file to trigger code execution during npm install, then stages payloads that steal developer secrets, target AI-assisted IDE workflows, and inject persistent backdoor files into project repositories. Earlier activity in the same campaign affected @redhat-cloud-services packages and spread through compromised GitHub access and poisoned releases. The campaign remains focused on developer projects, CI/CD environments, and downstream package propagation.

Darren Hughes federal sentencing in Nemesis Market drug case

Law Enforcement

Updated: 05.06.2026 20:50 · First: 05.06.2026 20:50 · 📰 1 src / 1 articles · H score: 19

U.S. District Judge John F. Kness sentenced Darren Hughes in a Nemesis Market drug-trafficking case, extending federal punishment for sales conducted through a dark web marketplace. The sentence adds major legal exposure to the defendant after his November 2025 conviction and follows sales involving methamphetamine and fentanyl pills.

Asin Android spyware distribution through fake utility, PDF, and war-map apps

Malware Activity

Updated: 05.06.2026 17:53 · First: 05.06.2026 17:53 · 📰 1 src / 1 articles · H score: 22

The Asin Android spyware activity is being distributed through fake utility, PDF, and war-map apps, putting Arabic-speaking users at risk of covert surveillance on Android devices. ESET found the malware spreading across multiple waves starting in early 2025, with some lures marketed through Facebook and Telegram accounts. Artifacts seen through mid-January 2026 suggest the distribution remains active and may be aimed at Arabic-speaking journalists and OSINT practitioners.

Automatic tank gauge (ATG) systems ongoing attacks

Exploitation Wave

Updated: 05.06.2026 17:50 · First: 05.06.2026 17:50 · 📰 1 src / 1 articles · H score: 25

Over 900 internet-exposed ATG systems across the United States are being targeted in ongoing attacks, creating risk of alert tampering, fuel or chemical leaks, and equipment failure. The affected devices support monitoring across critical infrastructure sectors, including gas stations and industrial storage sites. Attackers are abusing hardcoded credentials, authentication bypasses, SQL injection, OS command execution, and privilege escalation flaws to modify system settings. Defenders are being told to restrict Internet access, replace default passwords, apply updates, and enforce VPNs or ACLs where possible.

CISA-led joint advisory to secure internet-exposed ATG systems

Public Sector Action

Updated: 05.06.2026 17:50 · First: 05.06.2026 17:50 · 📰 1 src / 1 articles · H score: 43

On 2026-06-05, CISA, the FBI, the NSA, the Department of Energy, and other U.S. partners issued a joint advisory telling critical infrastructure organizations to secure internet-exposed ATG systems because ongoing attacks could lead to tampered alerts, leaks, and equipment failure.

Browser-layer visibility guidance for browser-native threats

Defensive Guidance

Updated: 05.06.2026 17:00 · First: 05.06.2026 17:00 · 📰 1 src / 1 articles · H score: 36

Security teams are being pushed to treat browser sessions as the primary detection surface for phishing, credential theft, and ClickFix. Browser-native attacks can move past network, DNS, and endpoint controls without being stopped. Visibility inside the browser is presented as the only reliable way to catch malicious rendering and user interaction before the attack continues onto the host. The operational takeaway is to close the browser-layer blind spot rather than rely on downstream telemetry alone.

Enterprise browser users face a rising shadow AI, credential abuse, and browser-native attack trend

Trend

Updated: 05.06.2026 17:00 · First: 05.06.2026 17:00 · 📰 1 src / 1 articles · H score: 39

Enterprise users are showing a sharp rise in shadow AI, credential abuse, and browser-native attack exposure, increasing risk at the browser layer. The trend matters because employees are moving sensitive work into personal AI accounts while attackers continue to target browser sessions and evade traditional controls. Browser telemetry and breach data together point to a widening visibility gap across 2025-2026.

OP-512 Microsoft IIS espionage campaign

Campaign

Updated: 05.06.2026 15:33 · First: 05.06.2026 15:33 · 📰 1 src / 1 articles · H score: 52

OP-512 is an active espionage campaign targeting Microsoft IIS servers with a bespoke web shell framework, increasing the risk of stealthy remote access on exposed legacy systems. The activity was assessed as China-linked and appears tuned to organizations whose sector and geography fit those intelligence priorities. The campaign stands out for using custom tooling, timestomping, and DNS/HTTP self-reporting to reduce detection and preserve access.

SOC AI adoption rises while value lags across surveyed teams in 2026

Trend

Updated: 05.06.2026 14:20 · First: 05.06.2026 14:20 · 📰 1 src / 1 articles · H score: 31

AI adoption in SOCs is rising fast, but the 2026 benchmark shows most teams are still getting limited value from deployments. The SOC-CMM 2026 Maturity Report drew on survey data from roughly 200 SOCs collected between late January and mid-March 2026, and only about 10% said AI delivered excellent value while 71% said it delivered some value or none. The gap suggests the current wave of SOC AI is expanding faster than operational maturity and workflow integration.

OWASP launches the Enterprise Adoption Maturity Model for agentic AI governance

Security Tool/Service

Updated: 05.06.2026 13:45 · First: 05.06.2026 13:45 · 📰 1 src / 1 articles · H score: 10

OWASP rolled out the Enterprise Adoption Maturity Model, a new agentic AI security framework that helps organizations align governance with deployed agents. Introduced through the GenAI Security Project and presented at Infosecurity Europe 2026, the framework gives teams a practical way to judge whether their controls match the autonomy of shadow AI, custom agents, and multi-agent systems. It matters because mismatches can leave organizations deploying agentic systems without the monitoring, containment, and identity controls they need. The model pushes teams toward either adding agent-specific controls or reducing permissions and autonomy until existing governance can keep pace.

GorgonAgora fake .shop card-skimming campaign

Campaign

Updated: 05.06.2026 11:38 · First: 05.06.2026 11:38 · 📰 1 src / 1 articles · H score: 48

The GorgonAgora campaign is using 5,714 fake .shop storefronts to steal payment data, widening card-theft risk across brand-impersonation checkout pages. The operation has been active since August 2025 and routes stolen card data to a single skimmer server in Moldova. It impersonates major brands including Starbucks, Ford, Sony, Mattel, Hasbro, Lego, Disney, and Toyota.

FIFA-themed phishing-as-a-service market selling scam kits and ticket-buying bots

Threat Actor Meta

Updated: 05.06.2026 10:01 · First: 05.06.2026 10:01 · 📰 1 src / 1 articles · H score: 42

A FIFA-themed phishing-as-a-service market is selling ready-made scam kits and ticket-buying bots, lowering the barrier for fraud operators and making takedowns less effective during the World Cup 2026 scam window. The ecosystem lets multiple buyers reuse the same fraud infrastructure across cloned sites and account-takeover flows. That service model turns one operator’s tooling into a repeatable criminal supply chain. The result is broader ticket theft, credential abuse, and fraud resilience across the event period.

PCPJack covert SMTP relay campaign

Campaign

Updated: 05.06.2026 08:34 · First: 05.06.2026 08:34 · 📰 1 src / 1 articles · H score: 37

The PCPJack campaign converted hijacked AWS, Google Cloud, and Microsoft Azure servers into a covert SMTP relay network, enabling large-scale email delivery through verified proxies. The infrastructure was still active when discovered and had grown to a reported 230 nodes across the U.S., Europe, and Asia. The operation raises abuse risk for spam, phishing, and other mail-based activity at scale.

Brave Software launches paid Brave Origin browser

Commercial Activity

Updated: 05.06.2026 00:37 · First: 05.06.2026 00:37 · 📰 1 src / 1 articles · H score: 0

Brave Software launched Brave Origin, a paid browser variant that removes cryptocurrency, AI, rewards, and other monetization features while keeping Brave Shields. The release packages a cleaner, privacy-focused configuration for users who want a more minimal browsing experience. Pricing is a $59.99 one-time license for up to 10 devices, with a free Linux version also available.

Hola Browser for Windows Monero miner compromise

Malware Activity

Updated: 05.06.2026 00:27 · First: 05.06.2026 00:27 · 📰 1 src / 1 articles · H score: 22

The Hola Browser for Windows supply chain delivered an undeclared Monero miner, putting some installations at risk of unauthorized CPU use and persistence. Researchers found the payload during AppEsteem certification checks after it had already been distributed through the browser pipeline. The executable was identified as me.exe and was installed in some cases under the Hola program directory.