QUICK REFERENCE – Active Vulnerabilities and Affected Software
Cisco Catalyst SD-WAN Controller and Manager: CVE-2026-20182, CVE-2026-20127
Palo Alto Networks PAN-OS (User-ID Authentication Portal): CVE-2026-0300
cPanel and WHM: CVE-2026-41940
LiteSpeed cPanel Plugin: CVE-2026-48172
Drupal Core: CVE-2026-9082
LiteLLM Proxy: CVE-2026-42208
Linux kernel (algif_aead): CVE-2026-31431
Trend Micro Apex One (on-premise): CVE-2026-34926
Ivanti Endpoint Manager Mobile (EPMM): CVE-2026-6973
Microsoft Defender: CVE-2026-41091, CVE-2026-45498
Microsoft Exchange Server: CVE-2026-42897
Microsoft Windows Shell: CVE-2026-32202
Google Chrome: CVE-2026-7896, CVE-2026-7897, CVE-2026-7898, CVE-2026-7899, CVE-2026-7900, and additional vulnerabilities
This report summarizes the most significant vulnerabilities and active threats as of May 27, 2026. The following assessments are drawn directly from vendor security advisories, the CISA Known Exploited Vulnerabilities catalog, and the National Vulnerability Database.
Cisco Catalyst SD-WAN Authentication Bypass (CVE-2026-20182 / CVE-2026-20127)
Cisco has disclosed a critical vulnerability in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage). The flaw allows an unauthenticated remote attacker to bypass authentication and gain administrative privileges. A successful exploit permits the attacker to log in as an internal high-privileged non-root user, access NETCONF, and manipulate the SD-WAN fabric network configuration. Cisco has assigned this vulnerability a CVSS score of 10.0. The vendor advisory is available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk. CISA has added this vulnerability to the Known Exploited Vulnerabilities catalog. Organizations running affected SD-WAN infrastructure should apply patched versions immediately.
Palo Alto Networks PAN-OS User-ID Authentication Portal Buffer Overflow (CVE-2026-0300)
Palo Alto Networks has published an advisory for a buffer overflow vulnerability in the User-ID Authentication Portal service of PAN-OS software. The flaw allows an unauthenticated attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted packets. Palo Alto Networks rated this vulnerability with a CVSS score of 9.8. Prisma Access, Cloud NGFW, and Panorama appliances are not affected. The vendor recommends restricting access to the Authentication Portal to trusted internal IP addresses as a risk-reduction measure in addition to patching. The official advisory is located at https://security.paloaltonetworks.com/CVE-2026-0300, and CISA has listed this vulnerability in its Known Exploited Vulnerabilities catalog.
cPanel and WHM Authentication Bypass (CVE-2026-41940)
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel. The National Vulnerability Database assigns this a CVSS score of 9.8. cPanel is widely deployed in shared hosting environments, and exploitation has been observed in the wild. Detection guidance and mitigation strategies have been published by third-party security researchers, and cPanel maintains current release notes at https://docs.cpanel.net/release-notes/release-notes/. Additional technical analysis is available from https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flow and https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/. CISA has added this issue to the Known Exploited Vulnerabilities catalog.
LiteSpeed cPanel Plugin Privilege Escalation (CVE-2026-48172)
LiteSpeed Technologies has released a security update for the LiteSpeed User-End cPanel Plugin. Versions before 2.4.5 are vulnerable to privilege escalation that can be abused by any cPanel user account to execute arbitrary scripts with root privileges. The vulnerability has been actively exploited in the wild as of May 2026. LiteSpeed recommends updating to version 2.4.7 or later. Detection guidance includes checking cPanel logs for the cpanel_jsonapi_func=redisAble parameter. The vendor security update is posted at https://blog.litespeedtech.com/2026/05/21/security-update-for-litespeed-cpanel-plugin/, and the product release log is maintained at https://www.litespeedtech.com/products/litespeed-web-server/control-panel-support/release-log. CISA added this vulnerability to the KEV catalog on May 26, 2026, with a remediation due date of May 29, 2026.
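The log check described above, as an added example that is not part of the LiteSpeed advisory: it scans access-log lines for cpanel_jsonapi_func=redisAble in the query string, percent-decoding the request first. The log layout, the sample lines and the function names find_hits and summarize are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in an Apache-combined-style layout (an assumption;
# adjust REQUEST_RE to the log format actually in use).
SAMPLE_LOG = """\
203.0.113.7 - alice [21/May/2026:10:02:11 +0000] "GET /cpsess0000000000/json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512
203.0.113.7 - alice [21/May/2026:10:02:15 +0000] "GET /cpsess0000000000/frontend/index.html HTTP/1.1" 200 9041
198.51.100.23 - bob [21/May/2026:11:40:02 +0000] "POST /cpsess1111111111/json-api/cpanel?cpanel_jsonapi_func=redis%41ble HTTP/1.1" 200 130
198.51.100.23 - bob [21/May/2026:11:41:00 +0000] "GET /cpsess1111111111/json-api/cpanel?cpanel_jsonapi_func=listfiles HTTP/1.1" 200 777
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
INDICATOR = ("cpanel_jsonapi_func", "redisable")  # compared case-insensitively

def find_hits(lines):
    """Return one dict per log line whose query string carries the indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed layout
        # parse_qsl percent-decodes names and values, so redis%41ble still matches.
        query = urlsplit(m["target"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if (name.lower(), value.lower()) == INDICATOR:
                hits.append({"line": n, "ip": m["ip"], "user": m["user"],
                             "ts": m["ts"], "status": int(m["status"])})
                break
    return hits

def summarize(hits):
    """Group hit line numbers by cPanel account so each account can be reviewed."""
    by_user = {}
    for h in hits:
        by_user.setdefault(h["user"], []).append(h["line"])
    return by_user

if __name__ == "__main__":
    for user, line_nos in summarize(find_hits(SAMPLE_LOG.splitlines())).items():
        print(f"{user}: indicator on lines {line_nos}")
```

A hit shows that the function was requested, not that the request succeeded. Parameters sent in a POST body do not appear in a request-line log, so an empty result does not clear an account.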
Drupal Core SQL Injection (CVE-2026-9082)
Drupal has published security advisory SA-CORE-2026-004 for a SQL injection vulnerability in Drupal Core. The flaw affects multiple supported branches and could allow privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API. Affected versions include 8.9.0 through 10.4.x, 10.5.x, 10.6.x, 11.0.x through 11.1.x, 11.2.x, and 11.3.x, in each case before the respective patched release. The NVD assigns this a CVSS score of 9.8. This vulnerability is actively exploited in the wild and was added to the CISA Known Exploited Vulnerabilities catalog on May 22, 2026. The CISA remediation due date is May 27, 2026, making immediate patching essential. The official Drupal security advisory is at https://www.drupal.org/sa-core-2026-004.
LiteLLM Proxy SQL Injection (CVE-2026-42208)
LiteLLM, an open-source proxy server used as an AI Gateway for LLM APIs, contains a SQL injection vulnerability in versions 1.81.16 through 1.83.6. The database query used during proxy API key checks mixed the caller-supplied key value into the query text rather than passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route and exploit this through the proxy’s error-handling path, permitting unauthorized database read and potentially write access. The vendor has patched this in version 1.83.7. The GitHub Security Advisory is available at https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc, and the release notes are at https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable. CISA has added this to the Known Exploited Vulnerabilities catalog.
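The query pattern described above next to its parameterized counterpart, as an added example that is not LiteLLM's code: Python's sqlite3 stands in for the proxy database, and the proxy_keys table, the key value and the function names are hypothetical.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the key table (hypothetical schema, constructed row)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE proxy_keys (token TEXT PRIMARY KEY, owner TEXT)")
    db.execute("INSERT INTO proxy_keys VALUES ('sk-constructed-1234', 'team-a')")
    return db

def bearer_token(authorization_header):
    """Strip the 'Bearer ' prefix from an Authorization header value."""
    prefix = "Bearer "
    if authorization_header.startswith(prefix):
        return authorization_header[len(prefix):]
    return authorization_header

def lookup_concat(db, token):
    """Flawed pattern: the caller-supplied value becomes part of the SQL text."""
    sql = "SELECT owner FROM proxy_keys WHERE token = '" + token + "'"
    return db.execute(sql).fetchone()

def lookup_param(db, token):
    """Fixed pattern: the SQL text is constant, the value travels as a parameter."""
    return db.execute(
        "SELECT owner FROM proxy_keys WHERE token = ?", (token,)
    ).fetchone()

def compare(db, header):
    """Run both lookups on one header; report the row or the database error."""
    token = bearer_token(header)
    results = {}
    for name, fn in (("concat", lookup_concat), ("param", lookup_param)):
        try:
            results[name] = fn(db, token)
        except sqlite3.Error as exc:
            results[name] = f"error: {type(exc).__name__}"
    return results

if __name__ == "__main__":
    db = make_db()
    for header in ("Bearer sk-constructed-1234",     # valid key
                   "Bearer no-such-key' OR '1'='1",  # value that alters the query
                   "Bearer stray'quote"):            # value that breaks the query
        print(header, "->", compare(db, header))
```

With the parameterized lookup, both malformed values are compared as literal key strings and match nothing; with concatenation, one returns a row for a key that does not exist and the other raises a database error that the caller's error handling then has to deal with.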
Linux Kernel algif_aead Page Cache Vulnerability (CVE-2026-31431)
A vulnerability in the Linux kernel’s crypto algif_aead subsystem has been resolved in stable kernel updates. The issue, related to improper handling of in-place operations through the algif_aead interface, could allow an attacker to achieve privilege escalation. CISA added this to the Known Exploited Vulnerabilities catalog. The kernel developer fix is documented in the stable kernel Git repository at https://git.kernel.org/stable/c/19d43105a97be0810edbda875f2cd03f30dc130c. Additional guidance is available from CERT/CC at https://www.kb.cert.org/vuls/id/260001 and from Red Hat at https://access.redhat.com/security/cve/cve-2026-31431. Administrators should ensure their Linux kernel is updated to a patched stable version.
Trend Micro Apex One Directory Traversal (CVE-2026-34926)
Trend Micro Apex One (on-premise) contains a directory traversal vulnerability that could allow a pre-authenticated local attacker to modify a key table on the server and inject malicious code deployable to agents. The attacker must already have local access and administrative credentials on the Apex One server to exploit the vulnerability. The vulnerability does not affect the SaaS version. The NVD assigns this a CVSS score of 6.7. CISA has added this vulnerability to the KEV catalog. Additional analysis is available from JPCERT/CC at https://www.jpcert.or.jp/english/at/2026/at260014.html and from JVN at https://jvn.jp/en/vu/JVNVU90583059/.
Ivanti Endpoint Manager Mobile Input Validation (CVE-2026-6973)
Ivanti has published a May 2026 security advisory for multiple vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core. CVE-2026-6973 is an improper input validation vulnerability that allows a remotely authenticated user with administrative access to achieve remote code execution. Affected versions are before 12.6.1.1, 12.7.0.1, and 12.8.0.1. The NVD assigns this a CVSS score of 7.2. CISA has listed this vulnerability in the Known Exploited Vulnerabilities catalog. The Ivanti security advisory is located at https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US.
Microsoft Defender Vulnerabilities (CVE-2026-41091 / CVE-2026-45498)
Microsoft has disclosed two vulnerabilities in Microsoft Defender. CVE-2026-41091 is a link-following vulnerability that allows an authorized attacker to elevate privileges to SYSTEM, carrying a CVSS score of 7.8. CVE-2026-45498 is a denial-of-service vulnerability with a CVSS score of 4.0. Both vulnerabilities have been addressed in Microsoft Defender engine version 1.1.26040.8 and later. The Microsoft Security Response Center advisories are available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41091 and https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45498.
Microsoft Exchange Server Cross-Site Scripting (CVE-2026-42897)
Microsoft has published an advisory for a cross-site scripting vulnerability in Microsoft Exchange Server that allows an unauthorized attacker to perform spoofing over a network. The NVD assigns this a CVSS score of 8.1. CISA has added this vulnerability to the Known Exploited Vulnerabilities catalog. The advisory is available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897.
Microsoft Windows Shell Spoofing (CVE-2026-32202)
A protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network. The NVD assigns this a CVSS score of 4.3. CISA has added this vulnerability to the Known Exploited Vulnerabilities catalog. The Microsoft advisory is available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32202.
Google Chrome Multiple Vulnerabilities
Google has released a stable channel update for Chrome addressing multiple security vulnerabilities. Among the fixed issues, CVE-2026-7896 is an integer overflow in Blink with a CVSS score of 8.8 (Chromium security severity: Critical). CVE-2026-7897 is a use-after-free in Mobile on iOS (CVSS 7.5). CVE-2026-7898 is a use-after-free in Chromoting on Linux (CVSS 8.8). CVE-2026-7899 is an out-of-bounds read and write in V8 (CVSS 8.8). CVE-2026-7900 is a heap buffer overflow in ANGLE (CVSS 8.3). Users should update to Chrome version 148.0.7778.96 or later. The official release announcement is at https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html.
RECOMMENDATIONS
Prioritize patching vulnerabilities with CISA KEV due dates occurring on or before May 27, 2026, particularly CVE-2026-9082 (Drupal Core) and CVE-2026-48172 (LiteSpeed cPanel Plugin). Apply vendor patches for Cisco SD-WAN, Palo Alto Networks PAN-OS, cPanel/WHM, and Microsoft Exchange immediately where applicable. For Linux systems, update kernel packages to versions containing the fix for CVE-2026-31431. Verify that Chrome deployments are updated to version 148.0.7778.96 or later across all endpoints.
Report compiled May 27, 2026
