Vulnerability Intelligence Report — May 29, 2026

Coverage: May 28–29, 2026 | New items this report: 8 | Actively exploited: 4
Previous report: May 28, 2026

This report covers new vulnerability disclosures and active threat intelligence surfaced between May 28 and 29, 2026. Items that were covered in earlier reports and carry no major new information are summarised with update notes at the bottom, linking back to the original entry. New items are listed first.


Quick Reference — New and Active Vulnerabilities

FortiClient EMS: CVE-2026-35616 (actively exploited, EKZ infostealer)

FortiAuthenticator: CVE-2026-44277

FortiSandbox: CVE-2026-26083

Ghost CMS: CVE-2026-26980 (actively exploited, ClickFix campaign, 700+ domains)

ChromaDB: CVE-2026-45829 (CVSS 10.0, 73% of exposed instances vulnerable)

Burst Statistics (WordPress): CVE-2026-8181 (actively exploited, 200,000+ sites)

Exim: CVE-2026-45185

SonicWall SSL-VPN: CVE-2024-12802 (actively exploited, MFA bypass on patched devices)


FortiClient EMS — CVE-2026-35616 (Actively Exploited, CVSS 9.8)

Software affected: Fortinet FortiClient Enterprise Management Server (EMS), versions 7.4.5 and 7.4.6.

CVE: CVE-2026-35616 | CVSS 9.8 Critical | CWE-284 (Improper Access Control) | Actively exploited in the wild

Fixable: Yes. Fortinet released emergency hotfixes for versions 7.4.5 and 7.4.6 in early April. Apply the hotfix immediately. CISA directed federal agencies to secure their instances by the end of that week.

Business impact: An improper access control vulnerability allows unauthenticated remote attackers to execute arbitrary code or commands via specially crafted requests against the EMS API. Arctic Wolf researchers observed attackers exploiting it to deploy a previously undocumented credential stealer, EKZ, disguised as a legitimate Fortinet endpoint update. The observed chain starts with unauthenticated calls to the endpoint-management API that perform administrative actions, then modifies EMS configuration and VPN policy so that a script runs on managed endpoints. When an endpoint brings up its IPsec tunnel to a FortiGate firewall, the legitimate fortitray.exe process launches the attacker's batch script, which runs the stealer payload. The Shadowserver Foundation counted approximately 2,000 internet-exposed EMS instances at the time of initial exploitation. This is the third actively exploited Fortinet vulnerability to appear this year, and Fortinet appliances remain a top target for ransomware and espionage groups.

How to fix: Apply the Fortinet emergency hotfix for your EMS version immediately, and confirm it is in place from the version information in the EMS admin console. Because the payload is delivered through EMS policy, a compromised server means its managed endpoints must be checked too: audit the EMS configuration for VPN policy changes nobody on your team made, and review endpoint process logs for script interpreters launched by fortitray.exe. Block the IP addresses reported for the EKZ campaign at your perimeter.
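The endpoint-side check above (script interpreters launched by fortitray.exe), written as a small hunt over process-creation telemetry. This is an added example for this report, not Fortinet or Arctic Wolf code. The event shape, field names and sample events are constructed, and the rule encodes only the parent/child relationship the report describes, so baseline what fortitray.exe normally spawns in your fleet before acting on hits.

```python
"""Hunt for FortiClient's fortitray.exe launching script interpreters.

Added example for this report, not Fortinet or Arctic Wolf tooling. It reads
process-creation events as JSON lines in a constructed, Sysmon-Event-ID-1-like
shape (the field names Image, ParentImage, CommandLine, User, Computer and
UtcTime are assumed; map them to your SIEM's export). A hit is a lead for
review, not proof of EKZ.
"""
import json
import ntpath
import re
from typing import List, Optional

INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
SCRIPT_FILE = re.compile(r"\.(bat|cmd|ps1|vbs|js|hta)\b")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path or "").lower()


def classify(event: dict) -> Optional[str]:
    """Label one process-creation event, or None if this rule does not fire."""
    if _basename(event.get("ParentImage", "")) != "fortitray.exe":
        return None
    child = _basename(event.get("Image", ""))
    names_script = bool(SCRIPT_FILE.search((event.get("CommandLine") or "").lower()))
    if child in INTERPRETERS and names_script:
        return "fortitray.exe -> interpreter running a script file"
    if child in INTERPRETERS:
        return "fortitray.exe -> interpreter"
    if names_script:
        return "fortitray.exe -> script file on command line"
    return None


def hunt(jsonl: str) -> List[dict]:
    """One finding per matching event, keeping the source line number for triage."""
    findings = []
    for lineno, raw in enumerate(jsonl.splitlines(), start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed export line; count these separately in production
        label = classify(event)
        if label:
            findings.append({"line": lineno, "host": event.get("Computer"),
                             "user": event.get("User"), "time": event.get("UtcTime"),
                             "rule": label, "cmdline": event.get("CommandLine")})
    return findings


# Constructed sample: three benign events and one matching the chain in the
# report (fortitray.exe launching a batch script through cmd.exe).
SAMPLE_EVENTS = r'''
{"UtcTime": "2026-05-28 09:12:01", "Computer": "LT-0421", "User": "CORP\\alice", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Fortinet\\FortiClient\\FortiTray.exe", "CommandLine": "\"C:\\Program Files\\Fortinet\\FortiClient\\FortiTray.exe\""}
{"UtcTime": "2026-05-28 09:12:05", "Computer": "LT-0421", "User": "CORP\\alice", "ParentImage": "C:\\Program Files\\Fortinet\\FortiClient\\FortiTray.exe", "Image": "C:\\Program Files\\Fortinet\\FortiClient\\FortiClient.exe", "CommandLine": "\"C:\\Program Files\\Fortinet\\FortiClient\\FortiClient.exe\" -tray"}
{"UtcTime": "2026-05-28 09:15:40", "Computer": "LT-0421", "User": "CORP\\alice", "ParentImage": "C:\\Program Files\\Fortinet\\FortiClient\\FortiTray.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c \"C:\\ProgramData\\Fortinet\\FortiClient\\update\\fcupdate.bat\""}
{"UtcTime": "2026-05-28 09:20:13", "Computer": "LT-0421", "User": "CORP\\alice", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c C:\\Users\\alice\\build.bat"}
'''

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"line {f['line']} {f['host']} {f['user']} {f['time']}: {f['rule']}")
        print(f"    {f['cmdline']}")
```

Run it over the process-creation export for the window since the hotfix date and triage hits by command line; an interpreter with a script path under a Fortinet program-data directory is the shape the report describes.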

Recommended action: Critical priority. If your FortiClient EMS is internet-facing, treat this as an emergency patch. Even if the EMS is internal-only, any compromised endpoint with VPN access could be used as a pivot point. Review all EMS-managed endpoints for signs of the EKZ stealer.

Official source: Fortinet PSIRT Advisory — FG-IR-26-121 | NVD — CVE-2026-35616


FortiAuthenticator — CVE-2026-44277 (CVSS 9.8)

Software affected: Fortinet FortiAuthenticator versions 6.5.0 through 6.5.6, 6.6.0 through 6.6.8, and 8.0.0 through 8.0.2. FortiAuthenticator Cloud (FortiTrust Identity) is not affected.

CVE: CVE-2026-44277 | CVSS 9.8 Critical | CWE-284 (Improper Access Control)

Fixable: Yes. Update to FortiAuthenticator 6.5.7, 6.6.9, or 8.0.3.

Business impact: An improper access control vulnerability in FortiAuthenticator — Fortinet’s identity and access management appliance — may allow an unauthenticated attacker to execute unauthorised code or commands via crafted requests. While no active exploitation has been confirmed at the time of advisory publication, Fortinet IAM appliances sit at a critical choke point in enterprise authentication flows. A compromised FortiAuthenticator could provide an attacker with the ability to manipulate authentication policies, issue fraudulent tokens, or intercept credential flows across the entire organisation. Fortinet vulnerabilities are consistently among the most targeted by ransomware operators and nation-state groups, and the window between patch release and active exploitation for Fortinet products is often measured in days.

How to fix: Upgrade FortiAuthenticator to the patched version for your release branch (6.5.7, 6.6.9, or 8.0.3) via the Fortinet upgrade mechanism. Verify the new version is active in the admin console. Review authentication logs for unexpected administrative actions or API calls from unrecognised IP addresses.

Recommended action: High priority. Patch immediately, especially if your FortiAuthenticator is accessible from anything beyond strictly controlled management networks. Given the critical CVSS score and the history of rapid exploitation of Fortinet products, do not defer this update.

Official source: Fortinet PSIRT Advisory — FG-IR-26-109 | NVD — CVE-2026-44277


FortiSandbox — CVE-2026-26083 (CVSS 9.8)

Software affected: Fortinet FortiSandbox versions 4.4.0 through 4.4.8 and 5.0.0 through 5.0.1; FortiSandbox Cloud versions 5.0.2 through 5.0.5 and 24.1.4436; FortiSandbox PaaS versions 22.2, 23.1, 23.3, and 23.4 (all versions within those branches).

CVE: CVE-2026-26083 | CVSS 9.8 Critical | CWE-862 (Missing Authorization)

Fixable: Yes. Update FortiSandbox to 4.4.9 or 5.0.2; FortiSandbox Cloud to 5.0.6; FortiSandbox PaaS to 4.4.9 or 5.0.2 (depending on your branch).

Business impact: A missing authorization vulnerability in the FortiSandbox web UI allows an unauthenticated attacker to execute unauthorised code or commands via HTTP requests. FortiSandbox is designed to protect organisations against malicious activity, including zero-day threats, by detonating suspicious files in an isolated environment. A compromised sandbox appliance gives an attacker a privileged vantage point — they could suppress malware detections, tamper with analysis results, or use the sandbox as a pivot point into the broader security infrastructure. While Fortinet has not tagged this as actively exploited, the pattern of Fortinet vulnerabilities being weaponised within days of disclosure is well established.

How to fix: Apply the patch for your deployment model. On-premises appliances: upgrade to 4.4.9 or 5.0.2. FortiSandbox Cloud: confirm you are on 5.0.6 or later (Fortinet manages cloud upgrades, so verify with your account representative). PaaS deployments: the advisory names 4.4.9 or 5.0.2 as the fixed releases, but the affected PaaS branches (22.2 through 23.4) use a different version scheme, so confirm the migration target for your tenant with Fortinet before scheduling it. After patching, review sandbox analysis logs for unexpected submissions or configuration changes.

Recommended action: High priority. Patch all FortiSandbox deployments. Even though no active exploitation has been confirmed, the combination of CVSS 9.8, a web-facing attack surface, and Fortinet’s history of rapid in-the-wild exploitation makes this a patch-now item. The advisory was published alongside CVE-2026-44277 (FortiAuthenticator) — if you run both, patch both in the same maintenance window.

Official source: Fortinet PSIRT Advisory — FG-IR-25-367 | NVD — CVE-2026-26083


Ghost CMS — CVE-2026-26980 (Actively Exploited in ClickFix Campaign, CVSS 9.4)

Software affected: Ghost CMS (Node.js content management system), versions 3.24.0 through 6.19.0.

CVE: CVE-2026-26980 | CVSS 9.4 Critical | CWE-89 (SQL Injection) | Actively exploited at scale

Fixable: Yes. Update to Ghost CMS version 6.19.1 or later. The fix was released on February 19, 2026.

Business impact: An unauthenticated SQL injection vulnerability lets attackers perform arbitrary reads from the Ghost database, including extraction of Admin API keys. With an Admin API key, an attacker has full management access to users, posts and site themes, and can edit published posts to inject malicious JavaScript. Chinese threat intelligence firm Qianxin (XLab) has confirmed a large-scale ClickFix campaign exploiting this vulnerability against more than 700 domains, including university portals (Harvard, Oxford, Auburn), AI and SaaS companies, media outlets, fintech firms, security websites and personal blogs; the search engine DuckDuckGo was also among the compromised sites. The injected JavaScript runs in visitors' browsers and starts a ClickFix flow, a social engineering technique that tricks the visitor into pasting and executing a command on their own machine. SentinelOne previously observed at least two distinct activity clusters targeting vulnerable Ghost sites, with attackers sometimes re-infecting the same domains with different scripts after cleanup, or one group removing the other's script to plant its own. The patch has been available since February; the current mass exploitation is hitting sites that never applied it.

How to fix: Upgrade Ghost to 6.19.1 or later immediately. After updating, rotate all Admin API keys (Settings > Integrations > Custom Integrations) and, because the primitive is an arbitrary database read, treat everything else in the database as exposed: reset staff passwords and review how member data was handled. Audit published post content for injected JavaScript, particularly in posts your team has not recently edited, and also check the site-wide and per-post code injection settings, which an Admin API key can write. Check the database for staff users or integrations you do not recognise. Review web server access logs for unusual POST requests to Ghost API endpoints from unrecognised IP addresses.
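The content audit above, as an added example that is not part of Ghost or the cited research: it walks a Ghost JSON export and reports scripts, javascript: links, inline event handlers, iframes and obfuscation markers in each post's HTML and code-injection fields. The export layout, the trusted CDN host and the sample posts (including every hostname in them) are constructed assumptions.

```python
"""Audit a Ghost JSON export for injected JavaScript in published posts.

Added example for this report, not Ghost's tooling or the cited research.
It assumes the export layout {"db": [{"data": {"posts": [...]}}]} and scans
each post's "html", "codeinjection_head" and "codeinjection_foot" fields.
The export below is constructed; the hostnames in it are not real.
"""
import json
import re
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse

# Hosts you deliberately load scripts from (assumed; fill with your own).
TRUSTED_SCRIPT_HOSTS = {"cdn.example-blog.test"}
# Markers that are rare in editorial content but common in injected loaders.
OBFUSCATION = re.compile(r"\b(eval|atob|unescape|String\.fromCharCode)\s*\(", re.I)


class _Collector(HTMLParser):
    """Collect script/iframe sources, inline script bodies and JS-bearing attributes."""

    def __init__(self):
        super().__init__()
        self.findings: List[str] = []
        self._inline: Optional[List[str]] = None  # buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            if "src" in a:
                host = urlparse(a["src"]).hostname or ""
                if host not in TRUSTED_SCRIPT_HOSTS:
                    self.findings.append(f"external script from {host or 'relative URL'}")
            else:
                self.findings.append("inline <script>")
                self._inline = []
        elif tag == "iframe":
            self.findings.append(f"iframe to {urlparse(a.get('src', '')).hostname or 'unknown host'}")
        elif a.get("href", "").strip().lower().startswith("javascript:"):
            self.findings.append("javascript: URL in href")
        for k in a:
            if k.startswith("on"):
                self.findings.append(f"inline event handler {k}")

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            if OBFUSCATION.search("".join(self._inline)):
                self.findings.append("obfuscation marker in inline script")
            self._inline = None


def audit_fragment(html_text: Optional[str]) -> List[str]:
    """Findings for one HTML fragment (a post body or a code-injection field)."""
    if not html_text:
        return []
    c = _Collector()
    c.feed(html_text)
    c.close()
    return c.findings


def audit_export(export_json: str) -> List[dict]:
    """One row per finding: which post, which field, what was found."""
    posts = json.loads(export_json)["db"][0]["data"]["posts"]
    rows = []
    for post in posts:
        for field in ("html", "codeinjection_head", "codeinjection_foot"):
            for finding in audit_fragment(post.get(field)):
                rows.append({"slug": post.get("slug"), "updated_at": post.get("updated_at"),
                             "field": field, "finding": finding})
    return rows


# Constructed export: a clean post, a post loading a script from the trusted
# CDN, and a post carrying an obfuscated loader plus a foreign script in its
# footer code injection.
SAMPLE_EXPORT = json.dumps({"db": [{"data": {"posts": [
    {"slug": "welcome", "updated_at": "2026-01-10T08:00:00.000Z",
     "html": '<p>Hello world.</p><img src="/content/images/hero.jpg">',
     "codeinjection_head": None, "codeinjection_foot": None},
    {"slug": "embed-demo", "updated_at": "2026-02-02T12:30:00.000Z",
     "html": '<p>Our player:</p><script src="https://cdn.example-blog.test/player.js"></script>',
     "codeinjection_head": None, "codeinjection_foot": None},
    {"slug": "quarterly-update", "updated_at": "2026-05-21T03:14:07.000Z",
     "html": "<p>Results.</p><script>(function(){var u=atob('Li4u');"
             "var s=document.createElement('script');s.src=u;document.head.appendChild(s);})();</script>",
     "codeinjection_head": None,
     "codeinjection_foot": '<script src="https://static.evil-cdn.test/cf.js"></script>'},
]}}]})

if __name__ == "__main__":
    for row in audit_export(SAMPLE_EXPORT):
        print(f"{row['slug']} ({row['updated_at']}) [{row['field']}]: {row['finding']}")
```

Export the site from Settings > Labs (or read a database backup into the same shape) and run the audit before and after cleanup; a post that is flagged again after you have removed the script is the re-infection pattern SentinelOne described.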

Recommended action: Urgent for any organisation running Ghost CMS. This is a patched vulnerability from February that is now under mass exploitation. The fact that prestigious university domains and a major search engine were compromised demonstrates that even well-resourced organisations missed this update. If you run Ghost, verify your version immediately — the three-month gap between patch and large-scale exploitation means many instances are still vulnerable.

Official source: Ghost Security Advisories — GitHub | NVD — CVE-2026-26980 | Research by Qianxin XLab and SentinelOne


ChromaDB — CVE-2026-45829 (CVSS 10.0, 73% of Exposed Instances Vulnerable)

Software affected: ChromaDB Python API server (PyPI package chromadb), version 1.0.0 and later. Confirmed unpatched through version 1.5.8. Version 1.5.9 has been released but the fix status is unconfirmed as the maintainer has been unresponsive to multiple contact attempts by the discovering researchers since February 17. The Rust front-end and local-only deployments that do not expose the API server over HTTP are not affected. The PyPI package has nearly 14 million monthly downloads.

CVE: CVE-2026-45829 | CVSS 10.0 Critical (CVSS v4.0) | CWE-94 (Code Injection) | No authentication required

Fixable: Unconfirmed. Version 1.5.9 was released two weeks ago but the maintainer has not confirmed whether it addresses CVE-2026-45829. Until an official patch is confirmed, the primary mitigation is to ensure the ChromaDB API server is not exposed to the internet or untrusted networks.

Business impact: A pre-authentication code injection vulnerability in the ChromaDB Python API server allows unauthenticated attackers to achieve remote code execution on the server. The root cause is ordering: an endpoint that is meant to require authentication applies the caller's embedding-model settings before the authentication check runs. An attacker sends a crafted request that names a malicious model repository on Hugging Face and sets trust_remote_code to true; ChromaDB fetches the repository and executes the code it ships before the credentials are validated. By the time the server rejects the request with an HTTP 500, the payload has already run on the host. HiddenLayer, which discovered the flaw, reports that approximately 73% of internet-exposed ChromaDB instances run a vulnerable version. ChromaDB is widely used as the vector store in AI and LLM application stacks, which makes this a supply-chain concern for any organisation whose AI agent or RAG (Retrieval-Augmented Generation) workloads expose ChromaDB over the network.
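The ordering bug described above, modelled in Python as an added example; this is not ChromaDB's code, and the request field names, the token and the allow list are assumptions. It shows a handler that loads whatever model the request body names before checking credentials, next to one that authenticates first and then validates the body. The loader records what it would fetch instead of talking to Hugging Face.

```python
"""The bug class behind CVE-2026-45829, modelled: request-driven work before auth.

Added example for this report; this is not ChromaDB's code. It models a
collection-creation handler that builds an embedding function from the request
body before checking credentials, next to one that authenticates first and
validates the body against an allow list. Field names (embedding_function,
model_name, trust_remote_code), the token and the allow list are assumed, and
the Hugging Face fetch is recorded rather than performed.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

VALID_TOKEN = "s3cr3t-token"                                  # assumed credential
ALLOWED_MODELS = {"sentence-transformers/all-MiniLM-L6-v2"}  # assumed allow list


class Unauthorized(Exception):
    pass


class BadRequest(Exception):
    pass


@dataclass
class ModelRegistry:
    """Stand-in for the model loader; records what a real loader would fetch."""
    fetched: List[Tuple[str, bool]] = field(default_factory=list)

    def load(self, repo: str, trust_remote_code: bool) -> str:
        # With trust_remote_code=True a real loader imports and runs Python
        # shipped inside the repo, which is the code-execution step.
        self.fetched.append((repo, trust_remote_code))
        return f"embedding-fn:{repo}"


def authenticate(headers: dict) -> None:
    if headers.get("Authorization") != f"Bearer {VALID_TOKEN}":
        raise Unauthorized("missing or invalid token")


def validate_settings(body: dict) -> dict:
    """Constrain what a caller may ask the server to load."""
    cfg = body.get("embedding_function") or {}
    repo = cfg.get("model_name", "")
    if cfg.get("trust_remote_code"):
        raise BadRequest("trust_remote_code is never accepted from clients")
    if repo not in ALLOWED_MODELS:
        raise BadRequest(f"model {repo!r} is not on the allow list")
    return {"model_name": repo}


def create_collection_vulnerable(headers: dict, body: dict, registry: ModelRegistry) -> dict:
    # The body is acted on first: the model is fetched (and, with
    # trust_remote_code, executed) before anyone checks who is asking.
    cfg = body.get("embedding_function") or {}
    registry.load(cfg.get("model_name", ""), bool(cfg.get("trust_remote_code")))
    authenticate(headers)  # too late: the side effect has already happened
    return {"name": body["name"], "status": "created"}


def create_collection_fixed(headers: dict, body: dict, registry: ModelRegistry) -> dict:
    authenticate(headers)          # 1. establish identity before any other work
    cfg = validate_settings(body)  # 2. constrain what the body may request
    registry.load(cfg["model_name"], trust_remote_code=False)
    return {"name": body["name"], "status": "created"}


def outcome(handler: Callable, headers: dict, body: dict, registry: ModelRegistry) -> str:
    """Run a handler and name the result, so the two variants can be compared."""
    try:
        return handler(headers, body, registry)["status"]
    except Unauthorized:
        return "401 unauthorized"
    except BadRequest as exc:
        return f"400 {exc}"


def demo() -> Tuple[list, list, tuple]:
    """Replay one unauthenticated request against both handlers."""
    attack = {"name": "docs", "embedding_function": {
        "model_name": "attacker/backdoored-embedder",  # constructed repo name
        "trust_remote_code": True}}
    vuln, fixed = ModelRegistry(), ModelRegistry()
    results = (outcome(create_collection_vulnerable, {}, attack, vuln),
               outcome(create_collection_fixed, {}, attack, fixed))
    return vuln.fetched, fixed.fetched, results


if __name__ == "__main__":
    vuln_fetched, fixed_fetched, results = demo()
    print("responses:", results)               # both handlers reject the request
    print("vulnerable handler fetched:", vuln_fetched)
    print("fixed handler fetched:     ", fixed_fetched)
```

Both handlers answer the attacker with a rejection, which is why the HTTP status alone tells a defender nothing; only the fetch log shows that the vulnerable ordering already pulled and trusted the attacker's repository.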

How to fix: If you expose ChromaDB over HTTP, restrict access to trusted networks now: put it behind a firewall, VPN or an authenticating reverse proxy, and never expose the API server directly to the internet. The exploit path also needs the ChromaDB host to reach Hugging Face, so restrict the host's outbound access to the model sources you actually use. Monitor the ChromaDB GitHub repository and the NVD entry for confirmation of a patched version; if 1.5.9 is confirmed to fix the issue, upgrade immediately. In the interim, consider the ChromaDB Rust front-end, which is not affected, or run ChromaDB in an isolated network segment with no inbound access from the internet or other untrusted networks.

Recommended action: Immediate containment. For any ChromaDB deployment that is internet-facing or accessible from untrusted networks, apply network-level restrictions now — do not wait for a confirmed patch. This is a CVSS 10.0 vulnerability with a known exploit technique and a large exposed attack surface. Audit your AI/ML infrastructure for ChromaDB deployments and verify their network exposure.

Official source: NVD — CVE-2026-45829 | Research by HiddenLayer


Burst Statistics (WordPress Plugin) — CVE-2026-8181 (Actively Exploited, CVSS 9.8)

Software affected: Burst Statistics — Privacy-Friendly WordPress Analytics plugin, versions 3.4.0 through 3.4.1.1. The plugin is active on approximately 200,000 WordPress sites.

CVE: CVE-2026-8181 | CVSS 9.8 Critical | CWE-287 (Authentication Bypass) | Actively exploited in the wild

Fixable: Yes. Update Burst Statistics to the latest version (3.4.2 or later). Wordfence discovered and reported the vulnerability on May 8, 2026.

Business impact: A critical authentication bypass lets unauthenticated attackers fully impersonate any known administrator during REST API requests by supplying that user's name with an arbitrary wrong password in a Basic Authentication header. The root cause is return-value handling in the plugin's is_mainwp_authenticated() function: wp_authenticate_application_password() returns a WP_Error object on failure, and because objects are always truthy in PHP, a check that only tests the result for truth rather than calling is_wp_error() accepts the failed login as a success. In the worst case an attacker uses this to create a new administrator-level account with no prior authentication, gaining full control of the site. Wordfence has confirmed active exploitation in the wild. With 200,000 active installations the attack surface is substantial, and WordPress plugin vulnerabilities are routinely scanned for and exploited by automated tooling within hours of disclosure.
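The return-value bug described above, modelled in Python as an added example rather than the plugin's PHP: an authentication helper that returns either a user or an error object, a caller that tests the result for truth (WordPress's WP_Error is an object and therefore truthy, like every PHP object), and the corrected caller that checks for the error explicitly. The user store, hashing scheme and error class are constructed stand-ins for the WordPress ones.

```python
"""Return-value mishandling behind CVE-2026-8181, modelled in Python.

Added example for this report, not the plugin's code. In WordPress,
wp_authenticate_application_password() returns a WP_User on success and a
WP_Error on failure, and PHP objects are always truthy, so checking the result
for truth instead of for an error accepts a failed login. The user store, hash
scheme and error class below are constructed stand-ins.
"""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple, Union


@dataclass(frozen=True)
class WPUser:
    ID: int
    user_login: str
    role: str


class WPError:
    """Like PHP's WP_Error: carries a code and message, and is truthy."""

    def __init__(self, code: str, message: str):
        self.code, self.message = code, message


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = os.urandom(16)
# One known administrator with one application password (constructed).
USERS = {"admin": WPUser(1, "admin", "administrator")}
APP_PASSWORDS = {"admin": _hash("correct horse battery staple", _SALT)}


def wp_authenticate_application_password(login: str, password: str) -> Union[WPUser, WPError]:
    """Stand-in for the WordPress function: a user on success, a WPError on failure."""
    user = USERS.get(login)
    stored = APP_PASSWORDS.get(login)
    if user is None or stored is None:
        return WPError("invalid_username", "Unknown user.")
    if not hmac.compare_digest(stored, _hash(password, _SALT)):
        return WPError("incorrect_password", "The password is incorrect.")
    return user


def parse_basic_auth(header: str) -> Optional[Tuple[str, str]]:
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, pw = base64.b64decode(token).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, pw


def current_user_vulnerable(headers: dict) -> Optional[WPUser]:
    """Models the flawed check: any object result counts as 'authenticated'."""
    creds = parse_basic_auth(headers.get("Authorization", ""))
    if not creds:
        return None
    result = wp_authenticate_application_password(*creds)
    if result:                      # a WPError is truthy, so this branch is taken too
        return USERS.get(creds[0])  # request now runs as whichever known user was named
    return None


def current_user_fixed(headers: dict) -> Optional[WPUser]:
    """Checks the error case explicitly and trusts only the returned user object."""
    creds = parse_basic_auth(headers.get("Authorization", ""))
    if not creds:
        return None
    result = wp_authenticate_application_password(*creds)
    if isinstance(result, WPError):
        return None
    return result


def basic_header(user: str, password: str) -> dict:
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


if __name__ == "__main__":
    forged = basic_header("admin", "definitely-wrong")
    print("vulnerable:", current_user_vulnerable(forged))  # returns the admin user
    print("fixed:     ", current_user_fixed(forged))       # returns None
```

The forged header carries the real administrator's login and a junk password; the vulnerable caller returns the administrator anyway, which is the impersonation Wordfence describes, while the fixed caller returns nothing because it asks the only question that matters: was the result an error.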

How to fix: Update Burst Statistics to 3.4.2 or later from the WordPress admin dashboard (Plugins > Installed Plugins > Burst Statistics > Update) or with WP-CLI. Then audit the user list for administrator accounts you do not recognise. WordPress core does not log authentication events by default, so use your web server or WAF access logs: look for requests to /wp-json/ carrying an Authorization: Basic header from unfamiliar IP addresses, especially ones naming an administrator account. If the site ran a vulnerable version, rotate all user passwords and application passwords as a precaution, and review recently modified plugins, themes and scheduled tasks, since an attacker with an administrator session can persist there.

Recommended action: Urgent for any WordPress site running Burst Statistics. Update the plugin immediately. Check for rogue admin accounts. Given confirmed active exploitation and the plugin’s large install base, attackers are likely scanning for vulnerable instances at scale.

Official source: Wordfence Threat Intelligence — CVE-2026-8181 | NVD — CVE-2026-8181


Exim — CVE-2026-45185 (CVSS 9.8)

Software affected: Exim mail transfer agent, versions 4.97 through 4.99.2, on builds compiled with GnuTLS that have STARTTLS and CHUNKING (BDAT) advertised. OpenSSL-based builds are not affected.

CVE: CVE-2026-45185 | CVSS 9.8 Critical | CWE-416 (Use-After-Free) | Remotely exploitable without authentication

Fixable: Yes. Update Exim to version 4.99.3 or later.

Business impact: A remotely reachable use-after-free in Exim's BDAT (CHUNKING) body-parsing path allows unauthenticated remote code execution. The flaw is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer and then a final cleartext byte on the same TCP connection. Exim frees a TLS transfer buffer but keeps using stale callback references, so attacker-controlled data is written into freed memory, the classic use-after-free primitive that can be turned into arbitrary code execution. Exim is the default MTA on Debian and is widely deployed on Ubuntu and other Linux servers, in shared hosting environments and in enterprise mail systems. An attacker exploiting this vulnerability could execute commands on the mail server, read Exim data and stored mail, and potentially pivot into the broader environment. The vulnerability was discovered and reported by XBOW researcher Federico Kirschbaum.

How to fix: Update Exim to 4.99.3 via your distribution's package manager (on Debian/Ubuntu: apt update && apt install --only-upgrade exim4-daemon-light, or exim4-daemon-heavy if that is the variant installed) or build from source at exim.org. Confirm with exim -bV, which prints the version and, under "Support for", the TLS library the binary was built against; Debian's exim4 packages are built with GnuTLS, so they are in scope for this bug. Distributions often backport fixes without changing the upstream version string, so check the package changelog against the distribution's security advisory rather than relying on the version number alone. If you cannot update immediately, stop advertising CHUNKING by setting chunking_advertise_hosts to an empty value in the main configuration section (confirm the running value with exim -bP chunking_advertise_hosts); this removes the BDAT path the trigger depends on but is a stop-gap, and the patch is the only complete fix. After updating, review mail logs for unusual SMTP connection patterns or unexpected TLS negotiation failures.

Recommended action: High priority for all Exim deployments, particularly internet-facing mail servers. The combination of network accessibility, no authentication requirement, and confirmed RCE capability makes this a patch-now vulnerability. Exim has historically been a favoured target for both state-sponsored espionage groups (such as Sandworm’s exploitation of CVE-2019-10149) and financially motivated attackers — do not assume your mail server is too small to be targeted.

Official source: Exim Security Advisory — CVE-2026-45185 | NVD — CVE-2026-45185


SonicWall SSL-VPN — CVE-2024-12802 (Actively Exploited MFA Bypass, Incomplete Patch)

Software affected: SonicWall Gen6 SSL-VPN appliances, which need both a firmware update and a manual LDAP reconfiguration. Gen7 and Gen8 appliances are covered by the same advisory but are fully remediated by the firmware update alone.

CVE: CVE-2024-12802 | CVSS 9.1 Critical | CWE-305 (Authentication Bypass by Primary Weakness) | Actively exploited in the wild

Fixable: Partially. On Gen6 devices, installing the firmware update alone does NOT fully mitigate the vulnerability. A manual reconfiguration of the LDAP server settings is required. Failing to complete the manual step leaves MFA bypass possible even on “patched” devices.

Business impact: This vulnerability arises from the separate handling of UPN (User Principal Name) and SAM (Security Account Manager) account names when SonicWall SSL-VPN is integrated with Microsoft Active Directory. MFA can be configured independently for each login method, creating a scenario where an attacker can authenticate via one method that has MFA enforcement while bypassing it through the other. ReliaQuest researchers responded to multiple intrusions between February and March 2026 and assessed with medium confidence that these represent the first in-the-wild exploitation of CVE-2024-12802. Critically, in every environment ReliaQuest investigated, the affected devices appeared to be patched — they were running updated firmware — yet they remained vulnerable because the required manual LDAP reconfiguration had not been completed. In one observed incident, the attacker gained access to the internal network and reached a domain-joined file server within 30 minutes of initial access, established remote connectivity, and conducted credential reuse testing across internal systems. The attack chain is consistent with ransomware precursor activity: VPN access, rapid reconnaissance, credential validation, and staged logout.

How to fix: On Gen6 devices: first apply the latest firmware update from SonicWall, then follow the manual LDAP server reconfiguration steps in the SonicWall security advisory. The reconfiguration adjusts the LDAP settings so that the same MFA policy applies to the UPN and SAM account-name login paths. On Gen7 and Gen8 devices: a firmware update to the latest version is sufficient. After completing remediation, verify enforcement by attempting logins in both the UPN (user@domain) and SAM (DOMAIN\user) formats with a dedicated test account from outside your network; both must produce an MFA challenge. Review VPN access logs for successful authentications from unrecognised IP addresses and for accounts that authenticated without a corresponding MFA challenge.
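The log review above, as an added example that is not SonicWall or ReliaQuest tooling: it normalises UPN and DOMAIN\user spellings to one account key, flags successful VPN logins with no MFA success for the same account and source address within a short window, and separately lists accounts that logged in under more than one name form. The log format, message strings, trusted network and window are assumptions, and the sample lines are constructed.

```python
"""Find SSL-VPN logins that lack a matching MFA event, across UPN and SAM name forms.

Added example for this report, not SonicWall or ReliaQuest tooling. Log lines
are constructed key=value records loosely modelled on syslog output; message
texts, field names, the trusted network list and the correlation window are
assumptions to adapt to the appliance's real log schema.
"""
import ipaddress
import re
from datetime import datetime, timedelta
from typing import Dict, List, Set

TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # e.g. branch egress (assumed)
MFA_WINDOW = timedelta(minutes=5)                       # assumed challenge-to-login gap
LOGIN_MSG = "SSL VPN login succeeded"
MFA_MSG = "MFA challenge passed"
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def canonical_user(name: str) -> str:
    """Map 'alice@corp.example', 'CORP\\alice' and 'alice' to the same key."""
    name = name.strip().lower()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name


def parse_line(line: str) -> Dict[str, str]:
    """key=value and key="quoted value" pairs into a dict."""
    fields = {}
    for key, val in _KV.findall(line):
        if val.startswith('"'):
            val = val[1:-1].replace('\\"', '"')
        fields[key] = val
    return fields


def _is_trusted(src: str) -> bool:
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def find_logins_without_mfa(log: str) -> List[dict]:
    """Successful logins with no MFA success for the same account and source in the window."""
    mfa_seen: Dict[tuple, datetime] = {}  # (account, src) -> time of last MFA success
    findings = []
    for raw in log.strip().splitlines():
        ev = parse_line(raw)
        if not (ev.get("time") and ev.get("msg")):
            continue
        when = datetime.fromisoformat(ev["time"])
        key = (canonical_user(ev.get("usr", "")), ev.get("src", ""))
        if ev["msg"] == MFA_MSG:
            mfa_seen[key] = when
        elif ev["msg"] == LOGIN_MSG:
            last = mfa_seen.get(key)
            if last is None or when - last > MFA_WINDOW:
                findings.append({"time": ev["time"], "account": key[0],
                                 "as_logged": ev.get("usr"), "src": key[1],
                                 "trusted_src": _is_trusted(key[1])})
    return findings


def login_name_forms(log: str) -> Dict[str, Set[str]]:
    """Spellings each account logged in under; more than one is worth a look."""
    forms: Dict[str, Set[str]] = {}
    for raw in log.strip().splitlines():
        ev = parse_line(raw)
        if ev.get("msg") == LOGIN_MSG and ev.get("usr"):
            forms.setdefault(canonical_user(ev["usr"]), set()).add(ev["usr"])
    return forms


# Constructed sample: alice and carol pass MFA first (carol under her UPN, then
# logs in under the SAM form); bob passes MFA in the morning, but a second login
# under the other name form, from a new address, arrives with no MFA at all.
SAMPLE_LOG = r'''
time="2026-03-03T07:58:10" msg="MFA challenge passed" usr="alice@corp.example" src=203.0.113.10
time="2026-03-03T07:58:31" msg="SSL VPN login succeeded" usr="alice@corp.example" src=203.0.113.10
time="2026-03-03T08:02:44" msg="MFA challenge passed" usr="carol@corp.example" src=192.0.2.5
time="2026-03-03T08:03:01" msg="SSL VPN login succeeded" usr="CORP\carol" src=192.0.2.5
time="2026-03-03T08:09:50" msg="MFA challenge passed" usr="bob@corp.example" src=203.0.113.44
time="2026-03-03T08:10:15" msg="SSL VPN login succeeded" usr="bob@corp.example" src=203.0.113.44
time="2026-03-03T22:41:09" msg="SSL VPN login succeeded" usr="CORP\bob" src=198.51.100.77
'''

if __name__ == "__main__":
    for f in find_logins_without_mfa(SAMPLE_LOG):
        print(f"{f['time']} {f['as_logged']} from {f['src']} "
              f"(trusted={f['trusted_src']}): login without MFA")
    for account, forms in login_name_forms(SAMPLE_LOG).items():
        if len(forms) > 1:
            print(f"{account} logged in under {sorted(forms)}")
```

The canonicalisation step is the point: if the MFA and login events are keyed on the raw string, carol's legitimate session looks like a bypass and bob's real one is easy to miss. Run it over the log window back to the firmware update date, since the intrusions ReliaQuest described all occurred on devices that had already been updated.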

Recommended action: Urgent for any organisation running SonicWall Gen6 SSL-VPN appliances. The false sense of security produced by an incomplete patch is particularly dangerous — organisations that believe they have remediated CVE-2024-12802 because they updated firmware are still exposed. Immediately verify that both the firmware update AND the LDAP reconfiguration have been completed. Given the ransomware association and the rapid 30-minute time-to-impact observed in real intrusions, treat any unverified Gen6 device as potentially compromised until proven otherwise.

Official source: SonicWall PSIRT — SNWLID-2025-0006 | NVD — CVE-2024-12802 | Research by ReliaQuest


Updates on Items from Previous Reports

The following items were covered in full in earlier reports. Brief updates are noted where new information is available. For full technical details and remediation steps, refer to the linked original entries.

Drupal Core — CVE-2026-9082 (CISA KEV, deadline passed): Covered in full in the May 28 report and in a dedicated advisory published the same day, which walks through exploitation details, affected versions and step-by-step remediation. The CISA KEV remediation deadline of May 27 has now passed: organisations still running unpatched Drupal instances are past the federal deadline and at direct risk. Immediate patching remains the only remediation.

LiteSpeed cPanel Plugin — CVE-2026-48172 (CISA KEV, deadline today May 29): Covered in the May 28 report. Today is the CISA KEV remediation deadline. Update to LiteSpeed cPanel plugin 2.4.7 and WHM plugin 5.3.1.0. Hosting providers and MSPs running LiteSpeed on cPanel infrastructure should treat this as their highest-priority action item for the day.

Daemon Tools Lite — CVE-2026-8398 (CISA KEV, deadline May 30): Covered in the May 28 report. The CISA KEV remediation deadline is tomorrow, May 30. Organisations with Daemon Tools Lite deployments should apply the vendor patch before the deadline.

Nx Console — CVE-2026-48027 (CISA KEV, deadline June 10): Covered in the May 28 report. No new developments. Audit npm dependencies for version 18.95.0.

TanStack — CVE-2026-45321 (CISA KEV, deadline June 10): Covered in the May 28 report. No new developments. Audit lock files for any of the 84 malicious versions published May 11.

Trend Micro Apex One — CVE-2026-34926: Covered in the May 22 report. CISA KEV deadline June 4. Apply SP1 CP Build 18012 for on-premise and agent build 14.0.20731 for SaaS.

Cisco Secure Workload — CVE-2026-20223 (CVSS 10.0): Covered in the May 22 report. No exploitation reported. Update to 3.10.8.3 or 4.0.3.17. Releases 3.9 and earlier require migration.

Microsoft Defender — CVE-2026-41091, CVE-2026-45498, CVE-2026-45584: Covered in the May 22 report. CISA KEV deadline June 3. Verify Malware Protection Engine version 1.1.26040.8 across all Windows endpoints.

Linux Kernel — CVE-2026-46333 (ssh-keysign-pwn): Covered in the May 22 report. Kernel patches available via distribution update channels. Set kernel.yama.ptrace_scope = 2 as interim workaround.

Google Chrome — CVE-2026-9111, CVE-2026-9110: Covered in the May 22 report. Update to Chrome 148.0.7778.178 or later.

Ubiquiti UniFi OS — CVE-2026-34908, CVE-2026-34909, CVE-2026-33000: Covered in the May 23 report. Update UniFi OS firmware to latest. Ensure management interface is not publicly exposed.

Laravel-Lang PHP Supply Chain Compromise: Covered in the May 23 report. Block flipboxstudio[.]info at your perimeter. Rotate credentials on any affected PHP servers.


This report is compiled from official vendor advisories, the CISA Known Exploited Vulnerabilities catalog, the National Vulnerability Database, and primary security research sources. Verify all remediation steps against official vendor documentation before applying changes in production environments.
