Security News Bulletin - May 2026

WordPress TaxoPress Plugin SQL Injection

CVE-2026-42646

Published: 2026-04-29 
Updated: 2026-04-29

Vendor: Steve Burge
Product: TaxoPress

Attack Tags: SQL Injection, Web Application Attack, Authenticated Exploitation, Data Exfiltration

Severity: High (CVSS 7.6)  

What Is CVE-2026-42646?
 

This vulnerability occurs due to improper input sanitization in SQL queries, allowing attackers to inject malicious SQL commands.

  • The TaxoPress plugin fails to properly neutralize user-controlled input  
  • Attackers can perform Blind SQL Injection  
  • Exploitation allows data extraction without direct output

Affected Versions

  • affected from 0 through 3.44.0  

Observed Attack Activity

There is currently no confirmed large-scale exploitation or active attack activity reported.

However:

  • SQL Injection is commonly weaponized quickly  
  • WordPress plugins are frequent attack targets

Indicators of Compromise:

  • Unusual SQL query patterns in logs
  • Error messages or anomalies
  • Suspicious HTTP requests
  • Unexpected database activity

Additional Resources

  1. Official CVE Record — CVE.org 
    https://www.cve.org/CVERecord?id=CVE-2026-42646
  2. Patchstack Advisory 
    https://patchstack.com/database/Wordpress/Plugin/simple-tags/vulnerability/wordpress-taxopress-plugin-3-44-0-sql-injection-vulnerability
  3. GitHub 
    https://github.com/advisories/GHSA-rf76-3xjq-xw9p

Mozilla Firefox & Thunderbird Memory Safety Vulnerability 

CVE-2026-6786

Released: 2026-04-21 
Last Updated: 2026-04-21 

Vendor: Mozilla 
Product: Firefox 

Attack Tags: Memory Corruption, Browser Exploit, Use-After-Free, Out-of-Bounds Access  

Severity: High (CVSS ~8.1) 

What Is CVE-2026-6786?

CVE-2026-6786 is a high-severity vulnerability caused by multiple memory safety bugs in Mozilla products such as Firefox and Thunderbird. 

These issues include: 

  • Out-of-bounds read/write
  • Use-after-free conditions
  • Memory corruption scenarios 

Such flaws can lead to unstable behavior and, more critically, may allow attackers to execute arbitrary code if successfully exploited. 

In simple terms: If a user interacts with specially crafted web content or data, the browser or email client may process memory incorrectly — opening the door for attackers to take control of the system. 

Affected Versions 

The vulnerability affects the following versions: 

  • Firefox 149
  • Firefox ESR 140.9
  • Thunderbird 149
  • Thunderbird ESR 140.9 

Fixed Versions 

  • Firefox 150
  • Firefox ESR 140.10
  • Thunderbird 150
  • Thunderbird ESR 140.10 

Observed Attack Activity 

At the time of disclosure, there is no confirmed widespread exploitation in the wild. 

However, the risk remains significant because: 

  • Memory corruption bugs are commonly used in browser exploitation chains
  • They can be triggered remotely via web content
  • They often serve as a first step in full system compromise 
     

Security researchers noted that some of these bugs show evidence of memory corruption, meaning they could potentially be weaponized for code execution. 

Additional Resources 

  1. Official CVE Record - CVE.org 
    https://www.cve.org/CVERecord?id=CVE-2026-6786
  2. Mozilla Security Advisory (MFSA) 
    https://www.mozilla.org/security/advisories/
  3. Debian Security Tracker
    https://security-tracker.debian.org/tracker/CVE-2026-6786
  4. Rapid7 Vulnerability Database  
    https://www.rapid7.com/db/vulnerabilities/mozilla-thunderbird-cve-2026-6786/ 

ASP.NET Core Elevation of Privilege Vulnerability 

CVE-2026-40372 

Published: 2026-04-21 
Updated: 2026-04-30 

Vendor: Microsoft 
Product: ASP.NET Core 10.0, Microsoft Visual Studio 2026 version 18.5 

Attack Tags: Authentication Bypass, Cryptographic Signature Bypass, Privilege Escalation, Web Application Attack

Severity: Critical (CVSS 9.1) 

What Is CVE-2026-40372? 
 

CVE-2026-40372 is a critical elevation-of-privilege vulnerability in the ASP.NET Core Data Protection API, caused by improper verification of cryptographic signatures. 

The issue arises because ASP.NET Core does not correctly validate the integrity and authenticity of cryptographically protected data. As a result, signature validation can be bypassed, allowing tampered or forged payloads to be treated as legitimate by the application. 

This weakness enables an unauthorized attacker over a network to craft specially formed data (e.g., authentication tokens or cookies) that appear trustworthy to the application. 

Affected Versions 

For ASP.NET Core 10.0 

  • affected from 10.0 before 10.0.7 

For Visual Studio

  • affected from 18.5.0 before 18.5.2  

Observed Attack Activity 

At the time of disclosure, there are no confirmed large-scale active exploits in the wild. 

However, this vulnerability is still critical because: 

  • High CVSS (9.1), likely rapid weaponization  

  • Targets internet-facing ASP.NET applications 

Likely Attack Patterns: 

  • Forged authentication cookies  

  • Manipulated tokens with invalid signatures  

  • Sudden privilege escalation without proper login  

  • Access to admin endpoints without valid credentials  

Indicators of Compromise:

  • Authentication success without valid signature validation  

  • Privileged actions from unauthenticated sessions  

  • Token anomalies (invalid signature but accepted) 

Additional Resources 

  1. Official CVE Record — CVE.org 
    CVE Record: CVE-2026-40372

  2. Microsoft Security Update Guide
    CVE-2026-40372 - Security Update Guide - Microsoft - ASP.NET Core Elevation of Privilege Vulnerability

  3. The Hacker News
    https://thehackernews.com/2026/04/microsoft-patches-critical-aspnet-core.html

  4. GitHub Advisory
    https://github.com/dotnet/announcements/issues/395


Google Chrome GPU Sandbox Escape Vulnerability 

CVE-2026-6921 

Published: 2026-04-23
Last Updated: 2026-04-23 

Vendor: Google  
Product: Chrome

Attack Tags: Sandbox Escape, Browser Exploit, GPU Vulnerability, Remote Attack 
 
Severity: Critical (CVSS 9.6) 

What Is CVE-2026-6921? 
 

CVE-2026-6921 is a high-severity vulnerability in Google Chrome caused by a race condition in the GPU component. 

A race condition occurs when the result of an operation depends on the timing or order of concurrent operations, so that events processed in an unexpected order lead to unpredictable behavior. In this case, the flaw can be exploited using a specially crafted video file or web content, allowing an attacker to potentially break out of Chrome’s sandbox protections.

The Chrome sandbox is designed to isolate web content from the underlying system. Bypassing it can significantly increase the impact of browser-based attacks. 

Affected Versions 

  • Google Chrome on Windows prior to version 147.0.7727.117

Users running outdated versions of Chrome are vulnerable until they update to the latest patched release. 

Observed Attack Activity 

At the time of disclosure, there are no confirmed reports of widespread exploitation in the wild. 

However, this vulnerability is considered high risk because: 

  • It can be triggered remotely via malicious web content or media  

  • It targets the browser sandbox, a critical security boundary  

  • It may be combined with other vulnerabilities (e.g., renderer compromise) for full system exploitation  

Such vulnerabilities are commonly used in multi-stage browser attacks, where attackers first gain limited access and then escalate privileges. 

If successfully exploited, it can: 

  • Allow attackers to escape the browser sandbox  

  • Enable execution of malicious code on the system (when chained with other flaws)  

  • Increase risk of data theft, malware installation, or session hijacking  

Given Chrome’s widespread use, even medium-complexity vulnerabilities can have large-scale impact. 

Additional Resources 

  1. Official CVE Record — CVE.org 
    https://www.cve.org/CVERecord?id=CVE-2026-6921

  2. Chrome Release Security Advisory 
    https://chromereleases.googleblog.com/2026/04/stable-channel-update-for-desktop_22.html

  3. Tenable CVE Summary 
    https://www.tenable.com/cve/CVE-2026-6921

  4. Vulnerability Database Overview 
    https://www.thehackerwire.com/vulnerability/CVE-2026-6921/


OpenClaw Role Bypass Vulnerability 

CVE-2026-42422 

Published: 2026-04-28 
Updated: 2026-04-28 

Vendor: OpenClaw 
Product: OpenClaw

Attack Tags: Authorization Bypass, Token Manipulation, Privilege Escalation, API Abuse 
 
Severity: High (CVSS 8.8) 

What Is CVE-2026-42422? 
 

CVE-2026-42422 is a high-severity authorization role bypass vulnerability in OpenClaw, caused by improper enforcement of role-based access control during token management operations. 

The issue exists in the “device.token.rotate” function, where the application fails to properly validate user roles and authorization states before issuing or rotating tokens. Attackers can bypass device role-upgrade pairing to preserve or mint roles and scopes that had not undergone intended approval. 

Due to this flaw: 

  • Authorization checks are either missing or improperly implemented  

  • The system does not confirm whether a role is approved or permitted  

  • Tokens can be generated or rotated with elevated privileges without validation  

Affected Versions 

  • affected from 0 before 2026.4.8  

Observed Attack Activity 

As of now, there is no confirmed exploitation in the wild.

However, this vulnerability is critical because: 

  • Exploitation is relatively easy (low complexity)  

  • Attack can be performed remotely over the network  

  • Requires low privileges (authenticated user) 

If successfully exploited:

  • Unauthorized roles can obtain valid tokens  

  • Attackers can retain elevated privileges  

  • Security boundaries between roles are broken 

Additional Resources 

  1. Official CVE Record — CVE.org 
    https://www.cve.org/CVERecord?id=CVE-2026-42422

  2. OpenCVE
    https://app.opencve.io/cve/CVE-2026-42422

  3. GitHub
    https://github.com/openclaw/openclaw/security/advisories/GHSA-whf9-3hcx-gq54


cPanel and WHM Authentication Bypass 

CVE-2026-41940 

Published: 2026-04-29 
Updated: 2026-05-06 

Vendor: WebPros 
Product: cPanel

Attack Tags: Authentication Bypass, Unauthorized Admin Access, Full Server Compromise 
 
Severity: Critical (CVSS 9.8) 

What Is CVE-2026-41940? 

CVE-2026-41940 is a critical authentication bypass vulnerability affecting cPanel & WHM and WP Squared. The flaw exists in the login/session handling mechanism and allows unauthenticated remote attackers to bypass authentication controls and gain administrative access to vulnerable servers. 

Security researchers reported that attackers could exploit the flaw remotely without valid credentials, potentially obtaining root-level administrative access to hosting environments. This could result in a complete compromise of confidentiality, integrity, and availability. 

Affected Versions 

  • affected from 11.40.0.0 before 11.86.0.41 
  • affected from 11.88.0.0 before 11.94.0.28 
  • affected from 11.96.0.0 before 11.102.0.39 
  • affected from 11.104.0.0 before 11.110.0.97 
  • affected from 11.112.0.0 before 11.118.0.63 
  • affected from 11.120.0.0 before 11.124.0.35 
  • affected from 11.126.0.0 before 11.126.0.54 
  • affected from 11.128.0.0 before 11.130.0.19 
  • affected from 11.132.0.0 before 11.132.0.29 
  • affected from 11.134.0.0 before 11.134.0.20 
  • affected from 11.136.0.0 before 11.136.0.5  
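The range list above can be checked mechanically. The following is an added example, not code from cPanel or from this bulletin's publisher: it parses the bulletin's "affected from A before B" lines (and the inclusive "through" form used in the TaxoPress entry) and tests a version string against them. The function names are hypothetical, and it assumes the installed version is available in the same dotted numeric form.

```python
import re

# Range lines copied verbatim from the "Affected Versions" lists in this bulletin.
CPANEL_RANGES = """\
affected from 11.40.0.0 before 11.86.0.41
affected from 11.88.0.0 before 11.94.0.28
affected from 11.96.0.0 before 11.102.0.39
affected from 11.104.0.0 before 11.110.0.97
affected from 11.112.0.0 before 11.118.0.63
affected from 11.120.0.0 before 11.124.0.35
affected from 11.126.0.0 before 11.126.0.54
affected from 11.128.0.0 before 11.130.0.19
affected from 11.132.0.0 before 11.132.0.29
affected from 11.134.0.0 before 11.134.0.20
affected from 11.136.0.0 before 11.136.0.5
"""
TAXOPRESS_RANGES = "affected from 0 through 3.44.0"
ASPNET_RANGES = "affected from 10.0 before 10.0.7"

RANGE_LINE = re.compile(r"affected from (\S+) (before|through) (\S+)")

def vtuple(version):
    """'11.86.0.41' -> (11, 86, 0, 41); trailing zeros dropped so 3.44 == 3.44.0."""
    parts = [int(p) for p in version.strip().split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def parse_ranges(text):
    """Return (low, high, high_is_inclusive) for each range line in text."""
    return [(vtuple(m.group(1)), vtuple(m.group(3)), m.group(2) == "through")
            for m in RANGE_LINE.finditer(text)]

def is_affected(version, ranges):
    """True if version falls in any range; 'before' excludes the upper bound."""
    v = vtuple(version)
    return any(low <= v and (v <= high if inclusive else v < high)
               for low, high, inclusive in ranges)

if __name__ == "__main__":
    cpanel = parse_ranges(CPANEL_RANGES)
    for candidate in ("11.86.0.40", "11.86.0.41", "11.136.0.4", "11.136.0.5"):
        print(candidate, "affected" if is_affected(candidate, cpanel) else "not listed")
```

The upper bound of each "before" range is the first fixed build in that branch, so a host exactly on that build is reported as not listed.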

Observed Attack Activity 

Security researchers and industry reports confirmed active exploitation of this vulnerability in real-world attacks. 

  • Exploitation reportedly began before public disclosure, making it effectively a zero-day vulnerability.
  • Threat actors used crafted HTTP headers and session manipulation techniques to bypass authentication.
  • Attackers could gain root-level access to WHM environments.
  • Once compromised, the system can be used for:
    • Website defacement
    • Data theft
    • Malware deployment
    • Ransomware attacks
    • Backup deletion
    • Cross-tenant compromise in shared hosting environments. 

Additional Resources 

  1. Official CVE Record — CVE.org 
    CVE Record: CVE-2026-41940
  2. cPanel Security Advisories 
    Security: CVE-2026-41940 - cPanel & WHM / WP2 Security Update 04/28/2026 – cPanel
  3. Censys Advisories
    https://censys.com/advisory/cve-2026-41940/

Dirty Frag: Linux Kernel ESP Fragment Processing Vulnerability 

CVE-2026-43284 

Published: 2026-05-08 
Updated: 2026-05-11 

Vendor: Linux 
Product: Linux

Attack Tags: Local Privilege Escalation, Linux Kernel Exploitation, Memory Corruption, Kernel Page Cache Manipulation 
 
Severity: High (CVSS 8.8)

What Is CVE-2026-43284? 

CVE-2026-43284 is a vulnerability in the Linux kernel xfrm-ESP networking subsystem, where the kernel improperly handles shared socket buffer (skb) fragments during ESP packet decryption operations. 

The issue occurs because: 

  • Packet fragments originating from pipe-backed memory can be attached to network buffers using MSG_SPLICE_PAGES  

  • Certain UDP/IPsec packet paths fail to correctly mark these fragments as externally shared  

  • The kernel then performs in-place decryption on memory it does not privately own 

Affected Versions 

  • affected at 4.11  

Observed Attack Activity 

Security researchers and defenders observed the following behaviors: 

  • Post-compromise exploitation: The vulnerability is primarily used after attackers obtain local access (e.g., SSH access, web shell, compromised service account, or container escape).  

  • Reliable root escalation: Dirty Frag enables deterministic privilege escalation without relying on fragile race conditions commonly seen in Linux LPE exploits.  

  • Page-cache manipulation: Exploitation involves modifying page-cache-backed memory to tamper with privileged files or binaries in memory.  

  • Abuse of networking/kernel modules: Exploits target vulnerable ESP/XFRM (esp4, esp6) paths involved in Linux networking and cryptographic processing. 

Once exploited, attackers can: 

  • Modify sensitive file contents in memory  

  • Corrupt kernel-managed data  

  • Escalate privileges to root 

Mitigation Recommendations: 

  • Apply updated Linux kernel patches immediately  

  • Restrict untrusted local shell access  

  • Disable vulnerable modules where operationally feasible  

  • Harden container permissions  

  • Monitor for suspicious privilege escalation behavior 
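To judge whether disabling the modules is operationally feasible on a given host, the state of esp4 and esp6 can be triaged first. The following is an added example, not code from the kernel project or any vendor advisory: it classifies each module as loaded, built in or absent from the contents of /proc/modules and the kernel's modules.builtin file. The sample inputs are constructed and the function names are hypothetical.

```python
import platform

ESP_MODULES = ("esp4", "esp6")  # module names given in the bulletin

# Constructed sample inputs, not taken from a real host.
SAMPLE_PROC_MODULES = """\
esp4 28672 2 - Live 0xffffffffc0a10000
xfrm_algo 16384 1 esp4, Live 0xffffffffc09f0000
"""
SAMPLE_BUILTIN = "kernel/net/ipv6/esp6.ko\nkernel/crypto/sha256_generic.ko\n"

def esp_module_state(proc_modules, modules_builtin):
    """Classify each ESP module as loaded, builtin or absent."""
    state = {name: {"status": "absent", "refcount": 0} for name in ESP_MODULES}
    for line in modules_builtin.splitlines():
        name = line.strip().rsplit("/", 1)[-1].removesuffix(".ko")
        if name in state:
            state[name]["status"] = "builtin"
    for line in proc_modules.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] in state:
            # The refcount column is "-" on kernels built without module unloading.
            refs = int(fields[2]) if fields[2].isdigit() else 0
            state[fields[0]] = {"status": "loaded", "refcount": refs}
    return state

def advice(info):
    """Map one module's state to a triage note for the 'disable' mitigation."""
    if info["status"] == "builtin":
        return "built in: cannot be unloaded, apply the kernel patch"
    if info["status"] == "loaded" and info["refcount"] > 0:
        return "loaded and referenced: review IPsec use before disabling"
    if info["status"] == "loaded":
        return "loaded but unreferenced: candidate for unloading"
    return "not loaded: candidate for blocking automatic loading"

def read_text(path):
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return ""

if __name__ == "__main__":
    builtin = read_text(f"/lib/modules/{platform.release()}/modules.builtin")
    for name, info in esp_module_state(read_text("/proc/modules"), builtin).items():
        print(f"{name}: {advice(info)}")
```

Disabling either module removes IPsec ESP support for that address family, so a non-zero reference count is a signal to check for VPN or tunnel dependencies first.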

Note: Patches are available or rolling out for several Linux distributions and kernel branches. Upstream Linux kernel fixes have already been committed.

Additional Resources 

  1. Official CVE Record — CVE.org 
    CVE Record: CVE-2026-43284

  2. Microsoft Security Advisories 
    https://www.microsoft.com/en-us/security/blog/2026/05/08/active-attack-dirty-frag-linux-vulnerability-expands-post-compromise-risk/

  3. GitHub 
    https://github.com/0xBlackash/CVE-2026-43284
