LMDeploy SSRF flaw (CVE-2026-33626, actively exploited)
Vulnerability
Summary
Hide ▲
Show ▼
LMDeploy CVE-2026-33626 is being actively exploited within 13 hours of disclosure, turning a vision-language SSRF flaw into a path to cloud credentials and internal services. The weakness affects LMDeploy 0.12.0 and prior with vision-language support because `load_image()` can fetch arbitrary URLs without validating internal or private IPs. That makes internet-facing model servers vulnerable to internal reconnaissance, metadata access, and lateral-movement opportunities.
Related Happenings
OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)
Exploitation Wave
H score46
First: 17.05.2026 14:57
Last: 17.05.2026 14:57
Sources 1
About this happening:
**openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...
OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)
Exploitation WaveAbout this happening: **openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...
CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)
Exploitation Wave
H score89
First: 04.05.2026 11:25
Last: 04.05.2026 11:25
Sources 1
About this happening:
Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...
CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)
Exploitation WaveAbout this happening: Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...
Nginx UI auth-bypass exploitation wave (CVE-2026-33032)
Exploitation Wave
H score9
First: 16.04.2026 01:35
Last: 16.04.2026 01:35
Sources 1
About this happening:
**CVE-2026-33032** is now **actively exploited**, creating immediate risk for **publicly exposed Nginx UI** instances that rely on the vulnerable **/mcp_message** endpoint. Intern...
Nginx UI auth-bypass exploitation wave (CVE-2026-33032)
Exploitation WaveAbout this happening: **CVE-2026-33032** is now **actively exploited**, creating immediate risk for **publicly exposed Nginx UI** instances that rely on the vulnerable **/mcp_message** endpoint. Intern...
Marimo CVE-2026-39987 exploitation wave
Exploitation Wave
H score51
First: 12.04.2026 17:20
Last: 12.04.2026 17:20
Sources 1
About this happening:
**Marimo** exploitation activity surged **within 12 hours of disclosure**, with **125 IP addresses** beginning reconnaissance against **CVE-2026-39987** and the **/terminal/ws** e...
Marimo CVE-2026-39987 exploitation wave
Exploitation WaveAbout this happening: **Marimo** exploitation activity surged **within 12 hours of disclosure**, with **125 IP addresses** beginning reconnaissance against **CVE-2026-39987** and the **/terminal/ws** e...
Anthropic launches Project Glasswing with Claude Mythos for vulnerability discovery
Security Tool/Service
H score58
First: 08.04.2026 12:16
Last: 08.04.2026 12:16
Sources 1
About this happening:
**Anthropic’s Project Glasswing** is now showing measurable results: since launching last month, the **Claude Mythos Preview**-based initiative has uncovered **more than 10,000**...
Anthropic launches Project Glasswing with Claude Mythos for vulnerability discovery
Security Tool/ServiceAbout this happening: **Anthropic’s Project Glasswing** is now showing measurable results: since launching last month, the **Claude Mythos Preview**-based initiative has uncovered **more than 10,000**...
Latest development: 03.06.2026 14:00
President Donald Trump signed a June 2 executive order that sets up a voluntary framework for developers of covered frontier models to give the US government access for cybersecurity review for up to 30 days before release, while expressly rejecting any mandatory licensing or preclearance requirement. The order directs NSA, CISA, and NIST to build a classified benchmark for determining which models cross the covered threshold and creates an AI cybersecurity clearinghouse led by the Treasury Department. The framework closely echoes Anthropic's Project Glasswing, which gives vetted partners early access to Claude Mythos Preview to scan critical software for vulnerabilities.
Timeline
-
24.04.2026 10:24 2 articles · 2mo ago
LMDeploy SSRF flaw (CVE-2026-33626, actively exploited)
Initial DisclosureWithin **12 hours and 31 minutes** of public disclosure, an attacker began testing **LMDeploy CVE-2026-33626** against honeypots, using the vision-language image loader as an **SSRF primitive** to probe **AWS IMDS** and other internal services.
Show sources
- LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure — thehackernews.com — 24.04.2026 10:24
- LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure — thehackernews.com — 24.04.2026 10:24