Threat Intelligence Brief — May 23, 2026
Coverage: May 22–23, 2026 | New CVEs this report: 7 | New supply chain incidents: 2
Previous reports: May 22, 2026 | May 21, 2026
This report covers new vulnerability disclosures and security incidents identified on May 22 and 23, 2026. Items that were covered in earlier reports and carry no major new information are summarised with update notes at the bottom, linking back to the original entry. New items are listed first.
LiteSpeed User-End cPanel Plugin — CVE-2026-48172
Software affected: LiteSpeed User-End cPanel Plugin, versions 2.3 through 2.4.4. The WHM plugin is not affected. Fixed in version 2.4.5 (initial fix), with version 2.4.7 (bundled with WHM Plugin 5.3.1.0) recommended as the minimum following a full security review.
CVE: CVE-2026-48172 | CVSS 10.0 Critical | CWE-266 (Incorrect Privilege Assignment) | Actively exploited in the wild
Fixable: Yes. Update the LiteSpeed cPanel plugin to version 2.4.7 or later. If an immediate update is not possible, uninstall the user-end plugin entirely using: /usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall
Business impact: An incorrect privilege assignment in the lsws.redisAble function allows any cPanel user — including one with only standard shared hosting credentials — to execute arbitrary scripts with root privileges on the underlying server. This is the highest possible severity: a regular tenant account on a shared hosting server can fully compromise the host. LiteSpeed has confirmed active in-the-wild exploitation. This vulnerability follows CVE-2026-41940 (CVSS 9.8, also in LiteSpeed’s cPanel integration), which was previously exploited to deploy Mirai botnet variants and “Sorry” ransomware. Hosting providers and managed service providers running LiteSpeed on cPanel infrastructure are particularly at risk.
How to fix: Update the LiteSpeed cPanel plugin to version 2.4.7 and the WHM plugin to 5.3.1.0 via the LiteSpeed auto-update mechanism or manually from the LiteSpeed release log. If auto-update is not available or has not yet delivered the patch, uninstall the user-end plugin using the command above as a temporary measure. After patching, check for signs of compromise using the indicator of compromise command provided by LiteSpeed: grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/. Any output from this command should be treated as a potential exploitation event — review the originating IP addresses and block illegitimate ones.
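To turn the raw grep matches into the per-IP review the advisory asks for, the following added example (not LiteSpeed's code) parses constructed cPanel-style access-log lines, keeps only requests carrying the redisAble IoC string, and groups them by source IP and account; the log layout and the sample entries are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in an access-log style similar to cPanel/WHM logs
# (client IP, account, timestamp, request line, status, size). These are
# made-up entries for demonstration, not real log data.
SAMPLE_LOG = """\
203.0.113.7 - tenant1 [05/22/2026:09:14:02 +0000] "GET /json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=lsws&cpanel_jsonapi_func=redisAble&param=x HTTP/1.1" 200 512
198.51.100.4 - tenant2 [05/22/2026:09:20:11 +0000] "GET /frontend/jupiter/index.html HTTP/1.1" 200 4096
203.0.113.7 - tenant1 [05/22/2026:09:14:09 +0000] "POST /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 88
192.0.2.55 - tenant3 [05/23/2026:01:02:03 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 403 0
"""

# The indicator string from LiteSpeed's advisory.
IOC = re.compile(r"cpanel_jsonapi_func=redisAble")
# Loose parse of: <ip> - <user> [<timestamp>] "<request>" <status>
LINE = re.compile(r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def find_redisable_hits(log_text):
    """Return one dict per log line that contains the IoC string."""
    hits = []
    for line in log_text.splitlines():
        if not IOC.search(line):
            continue
        m = LINE.match(line)
        if m:
            hits.append(m.groupdict())
        else:
            # Unparseable layout: still surface the line rather than drop it.
            hits.append({"ip": "?", "user": "?", "ts": "?", "req": line.strip(), "status": "?"})
    return hits

def summarise_by_ip(hits):
    """Group hits by client IP: call count, accounts used, and whether any call returned 2xx."""
    by_ip = defaultdict(lambda: {"count": 0, "users": set(), "succeeded": False})
    for h in hits:
        entry = by_ip[h["ip"]]
        entry["count"] += 1
        entry["users"].add(h["user"])
        if h["status"].startswith("2"):
            entry["succeeded"] = True
    return dict(by_ip)

if __name__ == "__main__":
    summary = summarise_by_ip(find_redisable_hits(SAMPLE_LOG))
    for ip, info in summary.items():
        print(f"{ip}: {info['count']} call(s) as {sorted(info['users'])}, succeeded={info['succeeded']}")
```

To run it on real data, feed in the output of the advisory's grep with -h added (grep -rhE ...) so that filename prefixes do not precede the IP field.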
Recommended action: Urgent for all environments running LiteSpeed on cPanel. Patch immediately, then run the IoC check. Given confirmed active exploitation and the maximum CVSS score, do not delay. Review all recently created user accounts or files with elevated permissions on affected servers.
Official source: LiteSpeed Security Advisory — Blog Post May 21, 2026 | NVD — CVE-2026-48172
Ubiquiti UniFi OS — CVE-2026-34908, CVE-2026-34909, CVE-2026-33000
Software affected: Ubiquiti UniFi OS devices across a broad range of hardware models. Three CVEs are addressed in Security Advisory Bulletin 064. The affected version ranges differ slightly by device model but in general: UCG-Industrial running UniFi OS 5.0.13 and earlier; UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, EFG, UDW, UDR, UDR7, Express 7, UNVR, UNVR-Pro, UNVR-Instant, ENVR, UCG-Ultra, UCG-Max, and UCG-Fiber running 5.0.16 and earlier; UDR-5G, ENVR-Core, UCKP, UCK, and UCK-Enterprise running 5.0.17 and earlier; UniFi OS Server running 5.0.6 and earlier; UNVR-G2 and UNVR-G2-Pro running 5.1.11 and earlier; UDM-Beast, UNAS-2, UNAS-4, UNAS-Pro, UNAS-Pro-4, and UNAS-Pro-8 running 5.1.8 and earlier; and Express running 4.0.13 and earlier.
Fixed versions: Most devices: UniFi OS 5.1.12 or later. UNAS-series: 5.1.10 or later. UDM-Beast: 5.1.11 or later. UniFi OS Server: 5.0.8 or later. Express: 4.1.5 or later.
CVEs:
CVE-2026-34908 | CVSS 10.0 Critical | CWE-284 (Improper Access Control) | No authentication required — remote attacker can make unauthorised changes to the system.
CVE-2026-34909 | CVSS 10.0 Critical | CWE-22 (Path Traversal) | No authentication required — remote attacker can access files on the underlying system and manipulate them to take over an account.
CVE-2026-33000 | CVSS 9.1 Critical | CWE-20 (Improper Input Validation / Command Injection) | Requires high privileges — an attacker with network access and admin credentials can execute arbitrary commands.
Fixable: Yes. Update UniFi OS via the UniFi Network application or UniFi OS console to the fixed versions listed above.
Business impact: Two of the three vulnerabilities (CVE-2026-34908 and CVE-2026-34909) require no authentication and are reachable over the network, giving any attacker who can reach the management interface full control of the device and the underlying system. UniFi OS devices serve as network gateways, security gateways, NVR recorders, and cloud keys in enterprise, SMB, and prosumer environments. A compromised UniFi gateway provides an attacker with a network-level position inside the environment from which lateral movement, traffic inspection, VPN access manipulation, and further compromise are all possible. No active exploitation has been confirmed at the time of advisory publication, but the combination of zero-authentication and CVSS 10.0 makes these high-priority targets.
How to fix: Log in to your UniFi OS console (typically at unifi.ui.com or the local management IP), navigate to the system update section, and apply the latest UniFi OS firmware update for each device. Verify the installed version matches the fixed version for your specific model as listed above. After updating, verify that the UniFi management interface is not exposed directly to the internet — place it behind a VPN or restrict access to known administrative IP ranges.
Recommended action: High priority. Apply UniFi OS firmware updates across all devices in your estate. If you cannot update immediately, ensure the UniFi management interface is not publicly accessible and is firewalled to administrative networks only. Review access logs for any unexpected connections to the management interface.
Official source: Ubiquiti Security Advisory Bulletin 064
Drupal Core — CVE-2026-9082 (Now Actively Exploited, Added to CISA KEV)
Software affected: Drupal Core (all versions using PostgreSQL as the database backend). Full version details and fixed versions were covered in the May 21, 2026 report.
CVE: CVE-2026-9082 | CVSS 6.5 | CWE-89 (SQL Injection) | Added to CISA KEV May 23, 2026 — FCEB agency deadline May 27, 2026
Update since previous report: This vulnerability was first covered in the May 21 report. As of May 23, exploitation is now confirmed active and widespread. Security firm Imperva (Thales) has observed more than 15,000 attack attempts targeting approximately 6,000 Drupal sites across 65 countries within 48 hours of the patch release. Approximately half of the observed attacks targeted gaming and financial services organisations. The pattern is primarily reconnaissance and probing at this stage, but the tooling in use is capable of escalating to data extraction and privilege escalation. CISA has added this to the Known Exploited Vulnerabilities catalog with a May 27 deadline for US federal agencies. If you have not yet applied the Drupal core update, do so immediately — the window between disclosure and active exploitation has already closed.
Official source: Drupal Security Advisory SA-CORE-2026-004 | CISA KEV Catalog
Supply Chain Incident: Laravel-Lang PHP Packages Compromised
Software affected: The following Composer (PHP) packages published on May 22–23, 2026 are confirmed malicious and must not be used: laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions. Approximately 700 malicious versions were published across these four packages in rapid automated succession within seconds of each other. Any application that pulled one of these packages during the compromise window and is still running them is executing credential-stealing code on every PHP request.
No CVE assigned. This is an active supply chain compromise of the Laravel-Lang GitHub organisation, likely via stolen organisation credentials or release pipeline access.
Fixable: Partially. Revert any of the four affected packages to a version published before May 22, 2026 and verify the integrity of your composer.lock. If any of the malicious versions were ever installed and the application was running, treat the environment as fully compromised and rotate all credentials immediately.
Business impact: The attacker injected malicious code into src/helpers.php in all affected package versions. Because this file is declared under autoload.files in composer.json, it executes automatically on every PHP request in any application using these packages — not just at install time. The injected code first fingerprints the host with a unique MD5 marker to execute its payload only once per machine, then contacts the attacker’s C2 server at flipboxstudio[.]info to download a roughly 5,900-line PHP credential stealer.
The stealer is comprehensive: it targets cloud credentials (AWS IAM, Google Cloud, Azure, DigitalOcean, Heroku, Vercel, Netlify, Railway, Fly.io), container and orchestration secrets (Kubernetes service account tokens, Helm configs, Docker auth), CI/CD tokens (Jenkins, GitLab Runners, GitHub Actions, CircleCI, Travis CI, ArgoCD), cryptocurrency wallets (Electrum, Exodus, Atomic, MetaMask, Phantom, Trust Wallet, Ledger Live, Trezor, and others), browser credentials and cookies (Chrome, Edge, Firefox, Brave, Opera — including a bypass of Chromium App-Bound Encryption), password manager vaults (1Password, Bitwarden, LastPass, KeePass, Dashlane, NordPass), remote access credentials (PuTTY, WinSCP, RDP files, Windows Credential Manager), communication tokens (Discord, Slack, Telegram), email and FTP clients (Outlook, Thunderbird, FileZilla), infrastructure files (SSH private keys, Git credentials, .env files, wp-config.php, docker-compose.yml, Kubernetes cluster configs), and VPN configs (OpenVPN, WireGuard, NordVPN, ExpressVPN, CyberGhost, Mullvad).
Collected data is AES-256 encrypted and exfiltrated to flipboxstudio[.]info/exfil, after which the payload self-deletes to reduce forensic evidence. The malware delivers the payload via VBScript on Windows and via exec() on Linux and macOS, making it cross-platform.
How to fix: Remove or downgrade the four affected packages to pre-compromise versions using Composer. Delete vendor/ and composer.lock and reinstall cleanly. Block the domain flipboxstudio[.]info at your DNS and network perimeter. If a server was running the malicious code: rotate every credential type listed above, audit cloud audit logs for activity from the affected host, revoke and regenerate all API keys and service account tokens, and consider the host compromised until forensically cleared. Check your application’s autoloaded files for the presence of the MD5 fingerprinting marker code.
Recommended action: Urgent for any PHP/Laravel environment. Audit your composer.lock files for any of the four affected packages at versions published on May 22–23, 2026. Even if the packages were present for only minutes before being removed by your deployment pipeline, the autoload execution at application startup may have been enough to trigger the payload. Treat any exposure as a full credential compromise event.
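An added example of the composer.lock audit described above (not Laravel-Lang's or Composer's code): it reads the lock file's packages and packages-dev sections and flags any of the four affected packages whose recorded release time falls on or after May 22, 2026. The lock excerpt, package versions and timestamps are constructed for the example.

```python
import json
from datetime import datetime, timezone

# The four Composer packages named in the advisory.
AFFECTED = {"laravel-lang/lang", "laravel-lang/http-statuses",
            "laravel-lang/attributes", "laravel-lang/actions"}
# Start of the compromise window given in the advisory (UTC).
WINDOW_START = datetime(2026, 5, 22, tzinfo=timezone.utc)

# Constructed composer.lock excerpt. Composer records each pinned package's
# release timestamp in its "time" field, which is what this audit keys on.
# Versions and timestamps below are made up for the example.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "16.1.0",
         "time": "2026-05-22T13:02:11+00:00"},
        {"name": "laravel-lang/attributes", "version": "2.14.2",
         "time": "2026-03-04T08:00:00+00:00"},
        {"name": "monolog/monolog", "version": "3.7.0",
         "time": "2026-05-22T20:00:00+00:00"},
    ],
    "packages-dev": [
        {"name": "laravel-lang/actions", "version": "1.9.0",
         "time": "2026-05-23T00:15:00+00:00"},
    ],
})

def parse_time(value):
    """Parse Composer's ISO 8601 timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def audit_lock(lock_text):
    """Return one finding per affected package present in the lock file.

    verdict is 'suspect' when the pinned release is dated on or after
    WINDOW_START, or carries no release time to check; otherwise 'pre-window'.
    """
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "")
            if name not in AFFECTED:
                continue
            released = pkg.get("time")
            if released is None or parse_time(released) >= WINDOW_START:
                verdict = "suspect"
            else:
                verdict = "pre-window"
            findings.append({"section": section, "name": name,
                             "version": pkg.get("version"),
                             "time": released, "verdict": verdict})
    return findings

if __name__ == "__main__":
    for f in audit_lock(SAMPLE_LOCK):
        print(f"{f['verdict']:10} {f['name']} {f['version']} ({f['time']}) [{f['section']}]")
```

A suspect verdict means the pinned release belongs to the compromise window, so the host should be handled with the credential rotation and clean reinstall steps given above.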
Official source: Socket Security Research | Research by Aikido Security (Ilyas Makari)
Supply Chain Incident: Megalodon GitHub CI/CD Attack (5,561 Repositories Targeted)
Software affected: GitHub repositories — 5,561 repositories received 5,718 malicious commits during a 6-hour window on May 18, 2026 (11:36 AM to 5:48 PM UTC). One confirmed affected npm package is @tiledesk/tiledesk-server. The campaign is attributed to the same TeamPCP threat group responsible for the TanStack npm supply chain attack covered in the May 21 report. Other organisations previously targeted by TeamPCP include OpenAI, Mistral AI, and Grafana Labs.
No CVE assigned. This is a GitHub Actions workflow injection campaign, not a software vulnerability.
Fixable: Repository owners must audit recent commits for unexpected GitHub Actions workflow file additions and revert any malicious changes. All CI/CD secrets and credentials that passed through affected pipelines should be rotated immediately.
Business impact: Attackers created throwaway GitHub accounts with random eight-character usernames and pushed malicious GitHub Actions workflow files to 5,561 repositories, using commit messages mimicking routine CI maintenance (“build-bot”, “auto-ci”, “pipeline-bot”) across seven rotating templates to avoid pattern detection.
Two payload variants were used: one triggering on every push and pull request event (broad reach), and one using workflow_dispatch for on-demand targeted execution (stealthier).
When a repository owner merges the malicious commit — or if it is auto-merged by a bot — the workflow executes inside the CI/CD pipeline and exfiltrates: all environment variables, AWS credentials, Google Cloud tokens, Azure IMDS credentials, SSH private keys, Docker and Kubernetes configurations, HashiCorp Vault tokens, Terraform credentials, shell history, API keys, database connection strings, JWTs, PEM keys, GitHub Actions OIDC tokens, GitLab and Bitbucket tokens, and common secret files (.env, credentials.json, service-account.json). All data is sent to the attacker’s C2 server at 216.126.225[.]129:8443.
TeamPCP is described as both financially motivated (partners with BreachForums, LAPSUS$, and VECT) and geopolitically motivated, deploying wiper malware on machines geolocated in Iran or Israel.
How to fix: Search your repositories for unexpected workflow file additions in .github/workflows/ from accounts you do not recognise, particularly around May 18, 2026. Use git log --all --full-history -- .github/workflows/ to review workflow file history. Revert any suspicious commits. If a pipeline ran with a malicious workflow: rotate all secrets stored in GitHub Actions (Settings > Secrets and variables > Actions), revoke and regenerate cloud credentials, and audit cloud provider access logs for activity during and after the exposure window. Block the C2 address 216.126.225[.]129 at your network perimeter. Enable branch protection rules and require pull request reviews before merging to reduce the risk of automated or accidental merging of injected commits.
Recommended action: Any organisation with public or semi-public GitHub repositories should audit recent workflow file changes. This is particularly important for repositories that have automated merging enabled. Given the 6-hour window and 5,561 repositories targeted, the blast radius of this campaign is large.
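An added example (not SafeDep's or OX Security's tooling) of the workflow-history review above: it parses the output of the advisory's git log command, run with --name-status and a tab-separated --format, and flags commits that add files under .github/workflows/ from unknown authors, inside the May 18 window (widened by a day on each side here, an assumption), or with the bot-style subjects the report names. The allowlist of known authors and the sample log are constructed.

```python
import re
from datetime import datetime, timezone

# Campaign window from the report (May 18, 2026), widened by a day each side (assumption).
WINDOW_START = datetime(2026, 5, 17, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 20, tzinfo=timezone.utc)
# Subjects the report names; it lists three of seven templates, so this is partial.
SUSPICIOUS_SUBJECTS = ("build-bot", "auto-ci", "pipeline-bot")
# Constructed allowlist of the repository's known contributor e-mails.
KNOWN_AUTHORS = {"alice@example.com", "bob@example.com"}

# Constructed output of:
#   git log --all --full-history --name-status --date=iso-strict \
#       --format='%H%x09%ae%x09%ad%x09%s' -- .github/workflows/
SAMPLE_GIT_LOG = """\
1111111111111111111111111111111111111111\talice@example.com\t2026-05-10T09:00:00+00:00\tci: bump actions/checkout
M\t.github/workflows/ci.yml
2222222222222222222222222222222222222222\tq7x2m9kd@users.noreply.github.com\t2026-05-18T14:05:33+00:00\tbuild-bot: update workflow
A\t.github/workflows/build.yml
3333333333333333333333333333333333333333\tbob@example.com\t2026-05-19T08:30:00+00:00\tadd release workflow
A\t.github/workflows/release.yml
"""

HEADER = re.compile(r"^([0-9a-f]{40})\t([^\t]*)\t([^\t]*)\t(.*)$")
STATUS = re.compile(r"^([AMDRC]\d*)\t(.+)$")  # name-status line: <status>\t<path>

def parse_git_log(text):
    """Turn the formatted git log into commit dicts, each with its changed files."""
    commits = []
    for line in text.splitlines():
        h = HEADER.match(line)
        s = STATUS.match(line)
        if h:
            commits.append({"sha": h.group(1), "email": h.group(2),
                            "date": datetime.fromisoformat(h.group(3)).astimezone(timezone.utc),
                            "subject": h.group(4), "files": []})
        elif s and commits:
            commits[-1]["files"].append((s.group(1), s.group(2)))
    return commits

def flag_workflow_commits(commits, known_authors=KNOWN_AUTHORS):
    """Return (commit, reasons) for commits that add workflow files and look out of place."""
    flagged = []
    for c in commits:
        adds = [p for st, p in c["files"] if st.startswith("A") and p.startswith(".github/workflows/")]
        if not adds:
            continue
        reasons = []
        if c["email"] not in known_authors:
            reasons.append("unknown author")
        if WINDOW_START <= c["date"] <= WINDOW_END:
            reasons.append("inside campaign window")
        if any(t in c["subject"].lower() for t in SUSPICIOUS_SUBJECTS):
            reasons.append("campaign-style subject")
        if reasons:
            flagged.append((c, reasons))
    return flagged
```

Every flagged commit is a review candidate, not a verdict: a known author adding a workflow inside the window is listed so that it gets a second look.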
Official source: Research by SafeDep and OX Security | The Hacker News — Megalodon GitHub Attack
curl and libcurl — Multiple CVEs (Fixed in curl 8.19.0, Released April 29, 2026)
Software affected: curl and libcurl — all versions prior to 8.19.0. Eight CVEs were addressed in the April 29, 2026 release of curl 8.19.0. These were reported in the security.nl news cycle this week and are included here for completeness. All are rated medium or low severity and relate to credential leakage via connection-reuse edge cases.
CVEs (all fixed in curl 8.19.0):
CVE-2026-7168 (cross-proxy Digest auth state leak, affecting libcurl since 7.12.0)
CVE-2026-6429 (netrc credential leak with reused proxy connection, libcurl since 7.14.0)
CVE-2026-6253 (proxy credentials leak over redirect-to-proxy, curl since 7.14.1)
CVE-2026-5545 (wrong reuse of HTTP Negotiate connection, curl since 7.10.6)
CVE-2026-7009 (OCSP stapling bypass with Apple SecTrust, curl since 8.17.0)
CVE-2026-6276 (stale custom cookie host causes cookie leak, libcurl since 7.71.0)
CVE-2026-5773 (wrong reuse of SMB connection, curl since 7.40.0)
CVE-2026-4873 (connection reuse ignores TLS requirement, curl since 7.20.0)
All rated Medium or Low. No active exploitation reported for any.
Fixable: Yes. Update curl and libcurl to version 8.19.0 or later.
Business impact: The vulnerabilities are predominantly credential leakage issues triggered by connection-reuse edge cases — scenarios where curl incorrectly reuses a connection established with one set of credentials for a subsequent request that should use different credentials or no credentials at all. In practical terms, these are most relevant in server-side environments where curl or libcurl is used programmatically to call multiple APIs or proxies, and where a misconfiguration or redirect could cause tokens or credentials to leak to unintended endpoints. No remote code execution is possible through these CVEs.
How to fix: Update curl and libcurl via your system package manager (apt upgrade curl / dnf update curl) or download curl 8.19.0 from curl.se. For applications that bundle libcurl, ensure they are rebuilt against 8.19.0 or later. In containerised environments, rebuild base images to pull in the updated curl package.
Recommended action: Apply the curl update as part of your normal patching cycle. These are not emergency-grade vulnerabilities but should not be left unpatched given the long version history of several of the affected ranges and the prevalence of curl in server-side environments.
Official source: curl Security Advisories — curl.se
Updates on Items from Previous Reports
The following items were covered in full in earlier reports. Brief updates are noted where new information is available. For full technical details and remediation steps, refer to the linked original entries.
Langflow — CVE-2025-34291 (CISA KEV, MuddyWater exploitation): Covered in full in the May 22 report. No new technical developments. CISA KEV deadline is June 4, 2026. If you run Langflow, upgrade to 1.7.0 or later immediately.
Trend Micro Apex One — CVE-2026-34926 (actively exploited, CISA KEV): Covered in full in the May 22 report. No new technical developments. CISA KEV deadline is June 4, 2026. Apply SP1 CP Build 18012 for on-premise deployments and agent build 14.0.20731 for SaaS.
Cisco Secure Workload — CVE-2026-20223 (CVSS 10.0): Covered in full in the May 22 report. No exploitation reported. Update to 3.10.8.3 or 4.0.3.17. Release 3.9 and earlier require migration. No workarounds exist.
Microsoft Defender — CVE-2026-41091, CVE-2026-45498, CVE-2026-45584: Covered in full across the May 21 and May 22 reports. All three are remediated by the Malware Protection Engine update to 1.1.26040.8. CVE-2026-41091 and CVE-2026-45498 remain on the CISA KEV list with a June 3 deadline. Verify engine version across all Windows endpoints.
Windows BitLocker — CVE-2026-45585 (YellowKey): Covered in the May 21 and May 22 reports. A PowerShell mitigation script is available from Microsoft. No permanent patch yet. Apply the script, enforce TPM+PIN, and monitor for the upcoming security update. Official source: Microsoft MSRC — CVE-2026-45585.
Linux Kernel — CVE-2026-46333 (ssh-keysign-pwn): Covered in the May 21 and May 22 reports. Kernel patches available via distribution update channels. Apply immediately and set kernel.yama.ptrace_scope = 2 as an interim workaround if the patch cannot be applied right away.
NGINX — CVE-2026-42945 (NGINX Rift, actively exploited): Covered in the May 21 report. Update to NGINX Open Source 1.30.1 or 1.31.0, or NGINX Plus R36 P4 / R32 P6. Still actively exploited.
Google Chrome — CVE-2026-9111 and CVE-2026-9110: Covered in the May 22 report. Update to Chrome 148.0.7778.178 or later. Both are critical drive-by RCE vulnerabilities. No exploitation reported.
Composer (PHP) — CVE-2026-45793: Covered in the May 22 report. Update to Composer 2.9.8, 2.2.28, or 1.10.28. Review CI/CD build logs for leaked GitHub Actions tokens.
HPLIP — CVE-2026-8631 (CVSS 9.8): Covered in the May 22 report. Update to HPLIP 3.26.4. Network-accessible RCE via crafted print job with no authentication required.
TanStack npm supply chain / GitHub and Grafana Labs breach: Covered in the May 21 and May 22 reports. The Megalodon campaign listed above is a continuation of the same TeamPCP threat actor’s operations against the developer ecosystem. If you have not yet audited your CI/CD secrets following the TanStack incident, do so now.
This report is compiled from official advisories and primary sources. Verify all remediation steps against official vendor documentation before applying changes in production environments.
