Find notable cyber news and cases, enriched with sources, timelines, and signals.

Recent notable Happenings and Cases

Last updated: 16:07 08/06/2026 UTC
Last updated: 19:32 07/06/2026 UTC

Latest updates


UniFi OS Server unauthenticated root RCE chain (multiple vulnerabilities)

Vulnerability

Updated: 08.06.2026 18:51 · First: 08.06.2026 18:51 · 📰 1 src / 1 articles · H score: 25

UniFi OS Server is exposed to an unauthenticated root RCE chain that combines CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, putting versions 5.0.6 and earlier at risk. Researchers validated the chain on a live 5.0.6 instance and showed that it can reach root without credentials or user interaction. The flaws were fixed in May, and defenders can confirm exposure with a free detection script before upgrading to 5.0.8 or later.

UNK_DeadDrop developer phishing campaign using fake job and code-review lures

Campaign

Updated: 08.06.2026 18:00 · First: 08.06.2026 18:00 · 📰 1 src / 1 articles · H score: 37

A UNK_DeadDrop phishing campaign sent more than 250 emails to software developers at almost 100 organizations, using fake job and code-review lures to steal cryptocurrency and credentials. The operation targeted mostly US-based workers in technology, education, and finance, with a focus on cryptocurrency firms. It relied on GitHub/GitLab repositories, a hidden tasks.json file, and editor execution in VS Code or Cursor to deploy payloads across macOS, Linux, and Windows.

Check Point Remote Access VPN and Mobile Access authentication bypass (CVE-2026-50751)

Vulnerability

Updated: 08.06.2026 16:05 · First: 08.06.2026 16:05 · 📰 2 src / 2 articles · H score: 46

Check Point warned that CVE-2026-50751 is being actively exploited against Remote Access VPN and Mobile Access deployments using deprecated IKEv1, where an unauthenticated attacker can bypass password authentication and establish a VPN session. The activity has affected a few dozen organizations worldwide, began on May 7, 2026, and surged in early June 2026; one post-exploitation case was linked to a Qilin ransomware affiliate. Check Point also disclosed CVE-2026-50752 as a related issue affecting site-to-site VPN connections, with no evidence of real-world exploitation.

Check Point VPN CVE-2026-50751 targeted exploitation wave

Exploitation Wave

Updated: 08.06.2026 17:17 · First: 08.06.2026 17:17 · 📰 1 src / 1 articles · H score: 46

CVE-2026-50751 in Check Point Remote Access VPN and Mobile Access deployments is under active exploitation, with the abuse limited to a few dozen targeted organizations globally. Attackers can use the flaw in deprecated IKEv1 setups to bypass authentication and establish VPN access without a valid password. The activity is ramping up in June 2026 and has already reached post-exploitation stages in at least one case linked to a Qilin ransomware affiliate.

OpenAI rolls out ChatGPT Lockdown Mode and Active Sessions for prompt-injection defense and sign-in auditing

Security Tool/Service

Updated: 08.06.2026 17:00 · First: 08.06.2026 17:00 · 📰 1 src / 1 articles · H score: 10

OpenAI rolled out Lockdown Mode and Active Sessions in ChatGPT, adding controls that reduce prompt-injection data exfiltration risk and improve signed-in session auditing. The new controls reach beyond awareness messaging by changing how the service can connect to the web and external services and by exposing account sign-in visibility. The rollout began reaching personal and self-serve business accounts in early June 2026 after first being offered to enterprise plans in February.

Check Point security patch release for CVE-2026-50751

Security Patch Release

Updated: 08.06.2026 16:05 · First: 08.06.2026 16:05 · 📰 1 src / 1 articles · H score: 47

Check Point released security updates to patch CVE-2026-50751 in Remote Access VPN and Mobile Access deployments. The update addressed a critical authentication bypass on systems using deprecated IKEv1, after the flaw was exploited in zero-day attacks. Check Point also disclosed CVE-2026-50752 and urged customers to apply the fixes immediately or use mitigation steps such as IKEv2 only and mandatory Machine Certificate Authentication.

University of Oxford hit by cyberattack

Incident

Updated: 08.06.2026 14:14 · First: 08.06.2026 14:14 · 📰 1 src / 1 articles · H score: 7

The University of Oxford disclosed a breach of its CareerConnect platform that exposed user account data and created follow-on phishing risk. Attackers accessed first names, last names, email addresses, and encrypted passwords tied to local accounts. Oxford said its own systems were not compromised and the affected passwords were invalidated and reset.

BRICKSTORM, PLENET, and AGENTPSD Linux appliance deployment

Malware Activity

Updated: 08.06.2026 13:27 · First: 08.06.2026 13:27 · 📰 1 src / 1 articles · H score: 40

The deployment of BRICKSTORM, PLENET (aka GRIMBOLT), and AGENTPSD on Linux appliances expanded operator access with backdoor, proxying, remote command execution, and fallback reverse-shell capabilities. The malware set was observed during September 2025 after compromise of an Egnyte Storage Sync system and later use of a Synology NAS appliance. The activity is attributed to VerdantBamboo and matters because it combines stealthy appliance abuse with multiple implants and persistence options.

UNC5221 BRICKSTORM espionage against U.S. legal and SaaS firms

Case

Updated: 08.06.2026 13:27 · First: 24.09.2025 17:33 · 📰 0 src / 1 articles

UNC5221's BRICKSTORM espionage campaign targets U.S. legal services, SaaS providers, BPOs, and technology companies by planting a stealth backdoor on edge appliances and then moving into virtualization and identity layers. The activity has been observed since March 2025, with an average dwell time of 393 days, theft of source code and other intellectual property, and prior exploitation of Ivanti Connect Secure flaws CVE-2023-46805 and CVE-2024-21887. Google released a BRICKSTORM shell script scanner, but the full victim count and the complete downstream impact remain unknown.

CRA readiness gaps persist across global open source and manufacturing stakeholders

Trend

Updated: 08.06.2026 12:00 · First: 08.06.2026 12:00 · 📰 1 src / 1 articles · H score: 28

OpenSSF found stagnating CRA readiness across global manufacturers, developers, and open source stakeholders, leaving a large share of the ecosystem exposed to December 2027 compliance risk. 66% of respondents were not familiar at all or only slightly familiar with the Cyber Resilience Act, and 41% had not determined whether it applies to them. The same poll found that only 32% of manufacturers produce SBOMs for all products, underscoring operational gaps in supply-chain transparency.

OpenSSF flags CRA readiness gap

Regulatory/Legal (General)

Updated: 08.06.2026 12:00 · First: 08.06.2026 12:00 · 📰 1 src / 1 articles · H score: 16

OpenSSF warned that global manufacturers, developers, and open source stakeholders remain materially unprepared for Cyber Resilience Act (CRA) compliance ahead of the December 2027 deadline. The group said 66% of surveyed organizations were not familiar at all or only slightly familiar with the rule, with familiarity falling to 72% in the US and Canada. It also said many organizations still do not know whether the CRA applies to them, what deadlines and penalties look like, or how manufacturer and steward obligations divide across the software supply chain.

ChatGPT widens Lockdown Mode and Active Sessions to reduce prompt-injection exfiltration and session compromise

Security Tool/Service

Updated: 08.06.2026 11:32 · First: 08.06.2026 11:32 · 📰 1 src / 1 articles · H score: 10

ChatGPT is expanding access to Lockdown Mode and Active Sessions, tightening protection against prompt-injection data exfiltration and account/session compromise. Lockdown Mode limits outbound network requests and restricts features that could move sensitive data off the platform. Active Sessions lets users review signed-in devices and log out sessions they do not recognize.

Instagram account data exposed through Meta HTS recovery flaw

Data Leak

Updated: 08.06.2026 11:00 · First: 08.06.2026 11:00 · 📰 1 src / 1 articles · H score: 41

Instagram account data was exposed after a flaw in Meta’s High Touch Support (HTS) recovery flow let unauthorized third parties receive password reset links for 20,225 accounts. The exposed material included contact information, dates of birth, posts and media, direct messages, account activity, profile information, and connected accounts. Meta disabled the vulnerable path, invalidated reset links, and notified potentially impacted users.

Instagram accounts for Obama White House hit by account takeover attack

Incident

Updated: 01.06.2026 20:32 · First: 01.06.2026 20:32 · 📰 4 src / 5 articles · H score: 23

The Instagram accounts for the Obama White House and the Chief Master Sergeant of the U.S. Space Force were briefly defaced after attackers abused Meta’s AI support assistant to reset passwords, creating a public-facing account takeover risk. The reported workflow let the attacker link a new email address and receive a reset code, which enabled the hijack and message injection. Meta reportedly pushed an emergency patch, and the exploit reportedly failed when MFA was enabled.

Instagram High Touch Support password reset security flaw

Vulnerability

Updated: 08.06.2026 09:00 · First: 08.06.2026 09:00 · 📰 3 src / 3 articles · H score: 50

Meta's High Touch Support (HTS) flaw enabled attackers to trigger Instagram password resets, creating account-takeover risk for over 20,000 users and weakening protection for accounts without 2FA. The weakness let unauthorized parties use the recovery flow to obtain reset links for targeted accounts. Meta later said the issue was resolved and that impacted accounts were being secured.

SolarWinds security patch release for CVE-2026-28318

Security Patch Release

Updated: 05.06.2026 22:15 · First: 05.06.2026 22:15 · 📰 2 src / 2 articles · H score: 55

SolarWinds released Serv-U 15.5.4 Hotfix 1 for CVE-2026-28318, an actively exploited denial-of-service flaw that can crash exposed Serv-U servers. The update fixes an uncontrolled resource consumption weakness and covers the Windows and Linux file transfer product used for MFT and FTP services. Administrators who cannot patch immediately were told to restrict access and block POST requests containing a content-encoding header.

SolarWinds Serv-U denial-of-service flaw actively exploited (CVE-2026-28318)

Vulnerability

Updated: 05.06.2026 22:15 · First: 05.06.2026 22:15 · 📰 3 src / 3 articles · H score: 36

CISA added CVE-2026-28318 affecting SolarWinds Serv-U to the Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation. The high-severity flaw is a denial-of-service (DoS) issue in SolarWinds Serv-U multi-protocol file server software that can be triggered by specially crafted POST requests using `Content-Encoding: deflate` to crash the service without authentication. SolarWinds says the bug is fixed in Serv-U 15.5.4 HF1, and administrators are advised to limit access to known addresses and block requests containing "content-encoding" until patching is complete. FCEB agencies must remediate by June 19, 2026 under BOD 22-01.

Visual Studio Code adds two-hour delay for automatic extension updates

Security Tool/Service

Updated: 08.06.2026 09:08 · First: 08.06.2026 09:08 · 📰 1 src / 1 articles · H score: 10

Visual Studio Code (VS Code) will delay automatic extension updates by two hours starting in VS Code 1.123, reducing exposure to problematic or potentially compromised releases. The control adds a short buffer against software supply chain threats while still allowing manual updates at any time. Extensions from trusted publishers such as Microsoft, GitHub, and OpenAI continue to update immediately.

C0XMO Gafgyt botnet activity on DD-WRT routers

Malware Activity

Updated: 07.06.2026 17:17 · First: 07.06.2026 17:17 · 📰 1 src / 1 articles · H score: 19

The C0XMO botnet is spreading through DD-WRT router firmware and other internet-facing devices, increasing the pool of systems available for DDoS attacks. It exploits CVE-2021-27137 for unauthenticated code execution, then brute-forces SSH and Telnet credentials to expand. The malware can persist with cron jobs and shell startup changes, detect CPU architecture, deploy a matching binary, and remove rival botnet clients. Its support for 19 DDoS methods makes each infected device useful for both propagation and attack traffic.

DD-WRT router firmware buffer overflow remote code execution flaw (CVE-2021-27137)

Vulnerability

Updated: 07.06.2026 17:17 · First: 07.06.2026 17:17 · 📰 1 src / 1 articles · H score: 45

DD-WRT router firmware is affected by CVE-2021-27137, a buffer overflow now being used by C0XMO to deliver malware and enable unauthenticated remote code execution. The flaw expands risk for internet-facing routers because exploitation does not require credentials. Successful abuse can turn exposed devices into botnet nodes and give attackers arbitrary code execution on the device.

Silent Ransom Group shifts from Conti-linked ransomware participation to standalone data-theft extortion

Threat Actor Meta

Updated: 07.06.2026 17:09 · First: 07.06.2026 17:09 · 📰 2 src / 2 articles · H score: 21

Silent Ransom Group (UNC3753) is a standalone data-theft extortion actor that has operated separately since 2022 after the Conti shutdown, using stolen data and leak threats rather than ransomware encryption. Recent reporting shows the group still fits that extortion model through vishing, social engineering, and tool-assisted access, reinforcing its role as a focused extortion brand tied to the broader Conti lineage.

Emphere pre-seed funding round

Industry Action

Updated: 07.06.2026 14:30 · First: 07.06.2026 14:30 · 📰 1 src / 1 articles · H score: 10

Emphere raised $2.1 million in pre-seed funding from AI2 Incubator and Outsiders Fund, giving the Seattle startup capital to expand its AI-driven vulnerability remediation platform. The company plans to use the money to accelerate platform development and grow its customer base. The funding supports a product aimed at helping software teams identify what is exploitable, apply fixes automatically, and ship safer releases at scale.

Everest Forms Pro plugin actively exploited RCE (CVE-2026-3300)

Vulnerability

Updated: 04.06.2026 19:15 · First: 04.06.2026 19:15 · 📰 3 src / 3 articles · H score: 53

Everest Forms Pro has an actively exploited critical remote code execution flaw, CVE-2026-3300, that lets unauthenticated attackers run PHP and take over WordPress sites. The bug affects versions through 1.9.12, and WPEverest fixed it in 1.9.13 on March 18, 2026. Wordfence says abuse began on April 13, 2026, and its firewall has blocked more than 29,300 exploit attempts so far.

Everest Forms Pro plugin patch for CVE-2026-3300

Security Patch Release

Updated: 06.06.2026 17:09 · First: 06.06.2026 17:09 · 📰 1 src / 1 articles · H score: 43

The Everest Forms developer released a patch for CVE-2026-3300 in Everest Forms Pro on March 18, closing an unauthenticated arbitrary code execution flaw affecting versions 1.9.12 and earlier. The update matters because the vulnerable plugin could let attackers gain complete control of WordPress sites before administrators apply the fix.

Everest Forms Pro CVE-2026-3300 active exploitation wave

Exploitation Wave

Updated: 05.06.2026 11:38 · First: 05.06.2026 11:38 · 📰 2 src / 2 articles · H score: 51

Active exploitation of CVE-2026-3300 in Everest Forms Pro is driving complete site compromise risk for WordPress sites. Attackers have been using the flaw for arbitrary code execution since April 13, 2026. More than 29,300 exploit attempts have already been blocked, showing sustained exploitation at scale.

OpenAI ChatGPT Lockdown Mode rollout limits prompt-injection exfiltration paths

Security Tool/Service

Updated: 06.06.2026 16:36 · First: 06.06.2026 16:36 · 📰 1 src / 1 articles · H score: 10

OpenAI ChatGPT is rolling out Lockdown Mode for eligible personal accounts, reducing the risk of prompt-injection-driven data exfiltration. The update adds stricter limits on web- and network-connected features while also introducing active session review and logout controls for suspicious account activity.

Bright Data iOS SDK teardown reveals unauthenticated scraping relay and VPN bypass

Technical Analysis

Updated: 06.06.2026 11:29 · First: 06.06.2026 11:29 · 📰 1 src / 1 articles · H score: 16

Researchers reverse-engineered Bright Data's iOS SDK and found it can turn consumer devices into exit nodes for web-scraping traffic. The teardown showed the job channel has no real authentication and that iOS traffic bypasses a configured VPN, increasing exposure on home and managed devices. The SDK's behavior also reduces visibility for normal app-monitoring tools.

SolarWinds Serv-U advisory and mitigations for CVE-2026-28318

Advisory/Mitigation

Updated: 06.06.2026 11:14 · First: 06.06.2026 11:14 · 📰 2 src / 2 articles · H score: 52

SolarWinds Serv-U mitigation guidance now covers CVE-2026-28318, reducing unauthenticated DoS risk from specially crafted POST requests. SolarWinds says the flaw is addressed in version 15.5.4 HF1 and recommends limiting access to known addresses. Operators should also block requests containing "content-encoding" because the service does not require that functionality.

FFmpeg parser/demuxer overflows (multiple vulnerabilities)

Vulnerability

Updated: 06.06.2026 10:28 · First: 06.06.2026 10:28 · 📰 1 src / 1 articles · H score: 36

FFmpeg now has 21 confirmed zero-days, creating risk for any product that bundles the media library and processes untrusted video input. The findings include heap and stack overflows in parsers and demuxers, and each bug has a reproducible proof-of-concept. Several flaws were latent for 15 to 20 years, including one stack overflow dating to 2003. Some issues already map to CVE-2026-39210 through CVE-2026-39218, while the rest are fixed but not yet numbered.

Google security patch release for CVE-2026-10881

Security Patch Release

Updated: 06.06.2026 10:28 · First: 06.06.2026 10:28 · 📰 1 src / 1 articles · H score: 26

Google shipped Chrome 149 with patches for 429 security bugs, including CVE-2026-10881 in ANGLE, creating a broad browser update for users on Linux, Windows, and macOS. The release is the largest Chrome security bundle on record and includes a CVSS 9.6 flaw that can let a crafted page escape the sandbox and run code on the host. Users need to update to 149.0.7827.53 on Linux or 149.0.7827.53/54 on Windows and macOS, or confirm auto-update has run.