Vulnerability Intelligence Report — May 30, 2026

Coverage: May 29–30, 2026 | New items this report: 6 | CISA KEV additions: 1 | Actively exploitable: 3
Previous reports: May 29, 2026 | May 28, 2026

This report covers new vulnerability disclosures and active threat intelligence surfaced between May 29 and 30, 2026. A significant CISA KEV addition — Palo Alto PAN-OS — carries a June 1 remediation deadline just two days from now. Today also marks the CISA KEV deadline for Daemon Tools Lite (CVE-2026-8398). Items covered in earlier reports with no major new information are summarised in the updates section at the bottom.


Quick Reference — New and Active Vulnerabilities

Palo Alto PAN-OS GlobalProtect: CVE-2026-0257 (CISA KEV, due June 1, CVSS 9.1)

WP Maps Pro (WordPress): CVE-2026-8732 (CVSS 9.8, 15,000+ sites)

7-Zip: CVE-2026-48095 (RCE via crafted archive, any file extension)

Starlette / FastAPI: CVE-2026-48710 (BadHost, 123M weekly downloads)

Oracle REST Data Services: CVE-2026-46840 (CVSS 10.0, first-ever Oracle CSPU)

Google Chrome: 151 fixes, 22 critical (CVE-2026-10000 through CVE-2026-10009+), drive-by RCE


Palo Alto PAN-OS GlobalProtect — CVE-2026-0257 (CISA KEV, CVSS 9.1, Deadline June 1)

Software affected: Palo Alto Networks PAN-OS software running GlobalProtect portal and gateway functionality. Affected branches: PAN-OS 10.2.x (versions prior to 10.2.7-h32, 10.2.10-h31, and 10.2.13-h18), PAN-OS 11.1.x (versions prior to 11.1.6-h29 and 11.1.14-h3), PAN-OS 11.2.x (versions prior to 11.2.7-h13 and 11.2.11-h6), and PAN-OS 12.1.x. Prisma Access is also affected. Panorama and Cloud NGFW are not impacted.

CVE: CVE-2026-0257 | CVSS 9.1 Critical | Added to CISA KEV May 29, 2026 — federal agency deadline June 1, 2026 | CWE-287 (Authentication Bypass)

Fixable: Yes. Palo Alto Networks has released patches across all affected PAN-OS branches. Update to the latest fixed version for your release train immediately. CISA has given US federal agencies until June 1 — this Sunday — to remediate.

Business impact: Authentication bypass vulnerabilities in the GlobalProtect portal and gateway allow an unauthenticated attacker to bypass security restrictions and establish an unauthorised VPN connection to the internal network. GlobalProtect is Palo Alto’s SSL-VPN solution and is deployed as the primary remote access gateway in thousands of enterprise environments worldwide. An attacker who successfully exploits this vulnerability does not need valid credentials — they can connect to the VPN and gain network-level access to internal resources, bypassing perimeter security entirely. This is the same attack surface that made PAN-OS CVE-2024-3400 (CVSS 10.0, command injection in GlobalProtect) one of the most impactful vulnerabilities of 2024, exploited by state-sponsored actors within hours of disclosure. While CISA has not confirmed active exploitation of CVE-2026-0257 at the time of the KEV addition, the June 1 deadline — just three days from the KEV addition date — signals an expectation of imminent exploitation.

How to fix: Identify your PAN-OS version and upgrade to the appropriate fixed release for your branch. Verify the update by checking the PAN-OS version in the web interface (Dashboard > General Information) or via CLI (show system info | match sw-version). After patching, audit GlobalProtect connection logs for VPN sessions established from unrecognised IP addresses or geographic locations, and for sessions that lack corresponding user authentication events. Review any recently created or modified firewall policies that could indicate an attacker establishing persistent access. If your GlobalProtect gateway is exposed to the internet — as is typical — prioritise this patch above all other maintenance.
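The following script is an added example (not Palo Alto Networks tooling) that automates the first step above: it pulls the sw-version line out of `show system info` output and classifies each firewall against the fixed releases listed in this entry. The inventory hostnames and versions are constructed, and the classification takes the conservative reading of the advisory wording: a maintenance release is only "fixed" if it is one of the listed releases at or above the listed hotfix, or a later maintenance release than the highest one listed for that branch; 12.1.x is reported as affected because this report lists no fixed version for it.

```python
"""Triage PAN-OS version strings against the CVE-2026-0257 fixed releases
listed in this report. Added example, not Palo Alto Networks tooling."""
import re

# Fixed releases per branch as listed above; the "-hN" suffix is the hotfix number.
FIXED_RELEASES = {
    "10.2": ["10.2.7-h32", "10.2.10-h31", "10.2.13-h18"],
    "11.1": ["11.1.6-h29", "11.1.14-h3"],
    "11.2": ["11.2.7-h13", "11.2.11-h6"],
    # 12.1.x is affected, but this report lists no fixed version for it.
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def extract_sw_version(cli_output: str) -> str:
    """Pull the version out of `show system info` output (the 'sw-version:' line)."""
    m = re.search(r"sw-version:\s*(\S+)", cli_output)
    if not m:
        raise ValueError("no sw-version line found")
    return m.group(1)


def parse_version(text: str):
    """Return (major, minor, maint, hotfix) from e.g. '10.2.7-h31'; hotfix is 0 if absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def assess(version: str) -> str:
    """Classify a running version as 'fixed', 'vulnerable' or 'unknown-branch'.

    Conservative reading: intermediate maintenance releases that are not listed
    (e.g. 10.2.8, 10.2.11, 10.2.12) are treated as vulnerable.
    """
    major, minor, maint, hotfix = parse_version(version)
    branch = f"{major}.{minor}"
    if branch == "12.1":
        return "vulnerable"  # affected; fixed version not listed in this report
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return "unknown-branch"
    fixed_parsed = [parse_version(f) for f in fixed]
    highest_maint = max(f[2] for f in fixed_parsed)
    for _, _, fmaint, fhotfix in fixed_parsed:
        if maint == fmaint:
            return "fixed" if hotfix >= fhotfix else "vulnerable"
    return "fixed" if maint > highest_maint else "vulnerable"


def triage(inventory: dict) -> dict:
    """inventory maps hostname -> version string; returns hostname -> status."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are invented.
    sample = {
        "fw-edge-01": extract_sw_version("hostname: fw-edge-01\nsw-version: 10.2.7-h31\n"),
        "fw-edge-02": "10.2.13-h18",
        "fw-dc-01": "11.1.6-h29",
        "fw-dc-02": "11.2.8",
        "fw-lab-01": "12.1.2",
    }
    for host, status in triage(sample).items():
        print(f"{host:12} {sample[host]:14} {status}")
```

Feed it the output of `show system info | match sw-version` from each device; anything other than "fixed" goes on the emergency-patch list, and "unknown-branch" means a release train this report does not cover, which should be checked against the advisory directly.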

Recommended action: Critical — patch immediately. With a June 1 CISA KEV deadline and a CVSS 9.1 score on a perimeter VPN gateway, this is an emergency-patch item. Palo Alto firewalls and GlobalProtect gateways are consistently among the most targeted enterprise appliances, and the historical precedent of same-day exploitation of PAN-OS VPN vulnerabilities means the window between now and active attacks could be measured in hours. If you have not patched by end of day Friday, treat the weekend as an active-threat window.

Official source: Palo Alto Networks Security Advisory — CVE-2026-0257 | CISA KEV Catalog


WP Maps Pro (WordPress Plugin) — CVE-2026-8732 (CVSS 9.8, 15,000+ Sites)

Software affected: WP Maps Pro — a commercial WordPress plugin for Google Maps and OpenStreetMap integration — all versions up to and including 6.1.0. The plugin has been sold approximately 16,000 times.

CVE: CVE-2026-8732 | CVSS 9.8 Critical | CWE-306 (Missing Authentication for Critical Function) | Published May 29, 2026

Fixable: Yes. A patched version of WP Maps Pro has been released. Update to the latest version immediately via the plugin update mechanism or the developer’s distribution channel (CodeCanyon).

Business impact: The WP Maps Pro plugin includes a “temporary access feature” originally designed to allow the plugin developer to access customer sites for troubleshooting. This feature, implemented via the wpgmp_temp_access_ajax AJAX action, was registered with wp_ajax_nopriv_ — making it accessible to unauthenticated users — and protected only by a nonce check using a nonce value that is publicly embedded in every frontend page via wp_localize_script. An unauthenticated attacker who extracts this nonce from the page source of any site running the plugin can trigger the AJAX action to create a new administrator-level WordPress account, gaining full control of the website. This is effectively an instant site takeover with no authentication, no user interaction, and no prerequisites beyond knowing the target runs the plugin — which is trivially detectable. The plugin is a commercial (paid) product, which means site owners may not receive automatic update notifications through the standard WordPress.org plugin update channel and may be unaware a patch is available.

How to fix: Update WP Maps Pro to the latest patched version via your CodeCanyon account or the plugin developer’s distribution channel. After updating, immediately audit your WordPress user list (Users > All Users) for any unrecognised administrator accounts. Review the WordPress activity logs for unexpected user creation events. If an unrecognised admin account is found, treat the site as compromised — rotate all credentials, review installed themes and plugins for backdoors, and check for unauthorised content changes. Delete the rogue admin account only after confirming no other backdoor accounts exist.
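The rogue-admin audit above is easier to repeat across many sites from an export than by eye in the dashboard. The script below is an added example (not part of WP Maps Pro or WordPress): it takes a user export in the shape produced by `wp user list --role=administrator --format=json` (field names assumed), compares the administrator accounts against a known-good baseline of logins, and flags any admin registered on or after a cut-off date. The accounts, emails and dates in the sample are constructed; the same check applies to the other rogue-admin advice in this report.

```python
"""Flag administrator accounts that are off-baseline or newly registered.
Added example, not WordPress or WP Maps Pro code."""
import json
from datetime import datetime

# Constructed sample export; shape assumed to follow
# `wp user list --role=administrator --format=json`. All values are invented.
SAMPLE_EXPORT = json.dumps([
    {"ID": 1, "user_login": "siteowner", "display_name": "Site Owner",
     "user_email": "owner@example.com", "user_registered": "2023-02-11 09:14:02",
     "roles": "administrator"},
    {"ID": 7, "user_login": "webdev", "display_name": "Web Dev",
     "user_email": "dev@example.com", "user_registered": "2024-06-30 15:40:11",
     "roles": "administrator"},
    {"ID": 482, "user_login": "tmp-admin-8f2", "display_name": "support",
     "user_email": "support@example.invalid", "user_registered": "2026-05-29 03:12:47",
     "roles": "administrator"},
])


def parse_export(text: str) -> list:
    return json.loads(text)


def _roles(user: dict) -> list:
    """Normalise the roles field, which may be a comma-separated string or a list."""
    roles = user.get("roles", "")
    if isinstance(roles, str):
        roles = [r.strip() for r in roles.split(",")]
    return roles


def audit_admins(users: list, baseline_logins: set, registered_since: str) -> list:
    """Return (login, reasons) for admins not in the baseline or registered recently."""
    since = datetime.strptime(registered_since, "%Y-%m-%d")
    findings = []
    for user in users:
        if "administrator" not in _roles(user):
            continue
        reasons = []
        if user["user_login"] not in baseline_logins:
            reasons.append("not in baseline")
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= since:
            reasons.append(f"registered {user['user_registered']}")
        if reasons:
            findings.append((user["user_login"], reasons))
    return findings


if __name__ == "__main__":
    users = parse_export(SAMPLE_EXPORT)
    # Baseline = the admins you expect; cut-off = shortly before the disclosure window.
    for login, reasons in audit_admins(users, {"siteowner", "webdev"}, "2026-05-01"):
        print(f"REVIEW {login}: {', '.join(reasons)}")
```

A hit means "treat the site as compromised" per the steps above; the baseline set should come from your own records, not from the current user table, or a rogue account that was added earlier would simply be baselined.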

Recommended action: Urgent for any WordPress site running WP Maps Pro. The vulnerability is trivial to exploit — the nonce is visible in every page’s source code, and the AJAX endpoint is exposed to unauthenticated users. Given the 15,000+ install base and the commercial distribution model (which slows update propagation compared to free WordPress.org-hosted plugins), automated scanning and exploitation are highly likely within the coming days. If you cannot patch immediately, disable the plugin until the update can be applied.

Official source: NVD — CVE-2026-8732


7-Zip — CVE-2026-48095 (Remote Code Execution via Crafted Archive)

Software affected: 7-Zip, all versions prior to 26.01. The vulnerability exists in the NTFS archive processing component.

CVE: CVE-2026-48095 | CWE-122 (Heap Buffer Overflow) | Remotely exploitable via crafted archive file

Fixable: Yes. Update 7-Zip to version 26.01 or later. Note: the fix was released in late April 2026 but was not disclosed as a security fix in the release notes. The researchers who discovered it have now published full technical details, making exploitation more likely.

Business impact: A heap buffer overflow in 7-Zip’s NTFS archive processing component allows an attacker to execute arbitrary code on a victim’s system simply by having them open a specially crafted archive file. Critically, the attacker can use any common archive extension — .7z, .zip, .rar, and others — to deliver the malicious payload, making it difficult for users to identify dangerous files by extension alone. The attack vector is social engineering: an attacker sends a malicious archive via email, file sharing, or download link, and code executes when the user opens it in 7-Zip. 7-Zip is one of the most widely installed file archivers on Windows and is commonly deployed in enterprise environments for handling compressed files. While this is a client-side exploit requiring user interaction, the ubiquity of 7-Zip and the fact that opening archives is a routine daily action for most knowledge workers makes this a credible threat for targeted attacks, particularly in combination with phishing campaigns.

How to fix: Download and install 7-Zip version 26.01 or later from 7-zip.org. For enterprise-managed environments, deploy the updated version through your software distribution platform (SCCM, Intune, or equivalent). Verify the installed version by opening 7-Zip and checking Help > About. Because the fix was not flagged as a security update in the original release notes, many users who updated for other reasons may already be protected — but organisations that skip non-security updates for stability reasons are likely still running vulnerable versions.

Recommended action: High priority for enterprise environments where 7-Zip is deployed. Deploy the update through managed software distribution. Add 7-Zip version auditing to your vulnerability management program if it is not already tracked. Educate users on the risks of opening unsolicited archive files, but do not rely on user awareness as a compensating control — patch the software.
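Because the extension carries no information about what 7-Zip will actually parse, a mail-gateway or file-share triage check should identify the container from its leading bytes. The script below is an added example (not 7-Zip code): it matches well-known signatures for 7z, ZIP, RAR and gzip containers and for the NTFS boot-sector OEM ID, and reports files whose extension disagrees with their content or that are NTFS images regardless of name. The sample file headers are constructed.

```python
"""Identify a file's real container format from its leading bytes and report
extension/content mismatches. Added example, not 7-Zip code."""
import os
from typing import Optional

# (format, offset, signature): well-known magic values.
SIGNATURES = [
    ("7z", 0, b"7z\xbc\xaf\x27\x1c"),
    ("zip", 0, b"PK\x03\x04"),
    ("zip", 0, b"PK\x05\x06"),            # empty archive
    ("zip", 0, b"PK\x07\x08"),            # spanned archive
    ("rar", 0, b"Rar!\x1a\x07\x00"),      # RAR 1.5 - 4.x
    ("rar", 0, b"Rar!\x1a\x07\x01\x00"),  # RAR 5
    ("gzip", 0, b"\x1f\x8b"),
    ("ntfs", 3, b"NTFS    "),             # NTFS boot sector OEM ID at offset 3
]

EXTENSION_FORMATS = {".7z": "7z", ".zip": "zip", ".rar": "rar", ".gz": "gzip", ".tgz": "gzip"}

# Constructed sample headers (first bytes of each file); names and content are invented.
SAMPLE_FILES = [
    ("report.zip", b"PK\x03\x04" + b"\x00" * 28),
    ("backup.7z", b"7z\xbc\xaf\x27\x1c" + b"\x00" * 26),
    ("invoice.zip", b"\xeb\x52\x90NTFS    " + b"\x00" * 21),  # NTFS image named .zip
    ("disk.img", b"\xeb\x52\x90NTFS    " + b"\x00" * 21),
    ("notes.txt", b"hello"),
]


def detect_format(head: bytes) -> Optional[str]:
    """Return the container format implied by the leading bytes, or None."""
    for name, offset, sig in SIGNATURES:
        if head[offset:offset + len(sig)] == sig:
            return name
    return None


def classify(filename: str, head: bytes) -> dict:
    """Compare what the extension claims with what the bytes say."""
    ext = os.path.splitext(filename)[1].lower()
    actual = detect_format(head)
    expected = EXTENSION_FORMATS.get(ext)
    return {
        "file": filename,
        "extension_format": expected,
        "actual_format": actual,
        "mismatch": expected is not None and actual != expected,
        "ntfs_image": actual == "ntfs",
    }


def scan(files) -> list:
    """files: iterable of (name, first bytes). Returns entries worth a second look."""
    flagged = []
    for name, head in files:
        result = classify(name, head)
        if result["mismatch"] or result["ntfs_image"]:
            flagged.append(result)
    return flagged


if __name__ == "__main__":
    for hit in scan(SAMPLE_FILES):
        print(f"{hit['file']}: extension says {hit['extension_format']}, "
              f"bytes say {hit['actual_format']}")
```

Read only the first 512 bytes of each file for the check. A mismatch is a triage signal, not proof of malice (renamed archives are common), but an NTFS image arriving under an archive extension is exactly the delivery the text above describes and warrants quarantine until 7-Zip is at 26.01 or later.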

Official source: 7-Zip Official Site — Download version 26.01


Starlette / FastAPI — CVE-2026-48710 “BadHost” (123M Weekly Downloads Affected)

Software affected: Starlette ASGI framework, all versions prior to 1.0.1, and any Python web application built on Starlette or FastAPI that uses specific middleware patterns. Starlette has over 123 million weekly downloads via PyPI and forms the foundation of FastAPI, one of the most popular Python web frameworks.

CVE: CVE-2026-48710 | CVSS 6.5 Medium | CWE-444 (Inconsistent Interpretation of HTTP Requests) | Published May 26, 2026

Fixable: Yes. Update Starlette to version 1.0.1 or later. Applications using FastAPI should update their Starlette dependency.

Business impact: Starlette does not validate the HTTP Host request header before using it to reconstruct request.url. Because the routing algorithm relies on the raw HTTP path while request.url is rebuilt from the attacker-controlled Host header, a malformed header can cause request.url.path to differ from the path that was actually requested. This discrepancy — dubbed “BadHost” by the researchers who discovered it — can be exploited by middleware and endpoint code that trusts request.url for security decisions. Practical attack scenarios include: path confusion (middleware authorisation checks pass on the real path but the application processes a different path), Server-Side Request Forgery (SSRF) by manipulating URL construction, and cache poisoning by injecting malicious host values that get reflected in cached responses. The vulnerability affects millions of AI agents and tools built on FastAPI and Starlette — the ecosystem is vast, spanning internal APIs, microservices, AI inference endpoints, and public-facing web applications. While the CVSS score is medium, the breadth of affected deployments and the difficulty of auditing every downstream application for vulnerable middleware patterns elevate the practical risk.

How to fix: Update the Starlette package in your Python environment: pip install --upgrade "starlette>=1.0.1" (quote the requirement so the shell does not treat > as an output redirect). For FastAPI applications, this is typically sufficient as FastAPI pins a minimum Starlette version but allows newer ones. After updating, verify the installed version with pip show starlette. Audit your application’s middleware stack for patterns that rely on request.url for authorisation, routing, or redirect decisions — even after patching, ensure these patterns follow the principle of validating against the raw request path rather than the reconstructed URL. Consider adding explicit Host header validation at your reverse proxy or application entry point as a defence-in-depth measure.
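The following is an added example that models the discrepancy described above and the two defensive checks the fix section recommends. It is a simplified stand-in for how a URL gets rebuilt from the Host header (scheme + Host + raw path, then parsed), not Starlette’s own code; the allow-listed hostname and the malformed Host value are constructed. It contrasts an authorisation check keyed on the rebuilt URL’s path with one keyed on the raw request path, and shows a syntax-plus-allow-list Host check that rejects the malformed header before any routing decision is made.

```python
"""Model of the BadHost path discrepancy plus two defensive checks.
Added example: a simplified stand-in for URL reconstruction from the Host
header, not Starlette's own code."""
import re
from urllib.parse import urlsplit

# RFC 3986 host syntax: reg-name or IPv4 literal, or bracketed IPv6, with optional port.
_HOST_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\])(?::(?P<port>\d{1,5}))?$"
)

# Constructed allow-list; the hostname is invented.
ALLOWED_HOSTS = {"api.example.com"}


def rebuild_url(scheme: str, host_header: str, raw_path: str):
    """Assumed simplified reconstruction: scheme + Host header + raw path, then parsed."""
    return urlsplit(f"{scheme}://{host_header}{raw_path}")


def path_mismatch(host_header: str, raw_path: str) -> bool:
    """True when the path recovered from the rebuilt URL is not the path requested."""
    return rebuild_url("https", host_header, raw_path).path != raw_path


def vulnerable_is_protected(host_header: str, raw_path: str) -> bool:
    """Anti-pattern: authorisation keyed on the rebuilt URL's path."""
    return rebuild_url("https", host_header, raw_path).path.startswith("/admin")


def safe_is_protected(raw_path: str) -> bool:
    """Decision keyed on the raw request path (scope['path'] in ASGI terms)."""
    return raw_path.startswith("/admin")


def host_is_valid(host_header: str) -> bool:
    """Syntax check only: rejects anything that is not host[:port]."""
    return _HOST_RE.match(host_header) is not None


def host_is_allowed(host_header: str, allowed=ALLOWED_HOSTS) -> bool:
    """Syntax check first, then exact match of the host part against the allow-list."""
    m = _HOST_RE.match(host_header)
    return m is not None and m.group("host").lower() in allowed


if __name__ == "__main__":
    # Constructed (Host header, raw path) pairs; the second Host value is malformed.
    for host, path in [("api.example.com", "/admin/users"), ("api.example.com/x", "/admin/users")]:
        print(f"Host={host!r} path={path!r}: mismatch={path_mismatch(host, path)}, "
              f"rebuilt-url check={vulnerable_is_protected(host, path)}, "
              f"raw-path check={safe_is_protected(path)}, host allowed={host_is_allowed(host)}")
```

In a real Starlette or FastAPI application the raw path is request.scope["path"], and Starlette ships a TrustedHostMiddleware (starlette.middleware.trustedhost) that takes an allowed_hosts list and performs the Host gate at the edge of the stack; the point of the model is that authorisation middleware should never derive its decision from request.url.path, even with that gate in place.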

Recommended action: Update Starlette across all Python web applications in your environment. While this is not an emergency-patch item given the medium CVSS score, the enormous install base and the difficulty of discovering vulnerable middleware patterns in large codebases mean you should patch first and audit second. For public-facing FastAPI applications, prioritise this update.

Official source: Starlette Security Advisory — GitHub | BadHost Research — badhost.org | NVD — CVE-2026-48710


Oracle REST Data Services — CVE-2026-46840 (CVSS 10.0, First-Ever Critical Security Patch Update)

Software affected: Oracle REST Data Services (ORDS), versions 24.2.0 through 26.1.0.

CVE: CVE-2026-46840 | CVSS 10.0 Critical | CWE-284 (Improper Access Control) | Published May 28, 2026

Fixable: Yes. Oracle has released a fix as part of its first-ever Critical Security Patch Update (CSPU), published May 29, 2026. Apply the CSPU immediately.

Business impact: An easily exploitable vulnerability in Oracle REST Data Services allows an unauthenticated attacker with network access via HTTPS to take complete control of the affected ORDS instance. The vulnerability carries a CVSS score of 10.0 — the maximum possible — with the scope-changed vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), meaning the attacker can pivot from the compromised ORDS component to impact additional systems beyond the initial target. Oracle REST Data Services is a Java-based middleware that provides RESTful APIs for Oracle databases, serving as the bridge between web applications and backend Oracle Database systems. A compromised ORDS instance gives an attacker a direct pathway to the underlying database and the data it contains. This is a landmark event: Oracle has abandoned its traditional quarterly patch cycle in favour of a more agile Critical Security Patch Update model, explicitly citing AI’s ability to find and fix vulnerabilities faster. Oracle also noted that many customers fail to apply available patches and are subsequently compromised — the CSPU format is designed to make critical patches smaller, more targeted, and easier to deploy with minimal business disruption.

How to fix: Apply the May 2026 Oracle Critical Security Patch Update to your Oracle REST Data Services deployment. The CSPU is available through Oracle’s support portal. After patching, verify the ORDS version and review ORDS access logs for unexpected HTTPS requests from unrecognised IP addresses. If your ORDS instance is internet-facing, consider restricting access to known application servers and administrative networks.

Recommended action: Critical for any organisation running Oracle REST Data Services, particularly internet-facing instances. A CVSS 10.0 with scope change means this is a complete system compromise vector. The fact that Oracle has created an entirely new patching process — the CSPU — for this and future critical vulnerabilities signals the seriousness of the threat. Apply the CSPU before the weekend.

Official source: Oracle Critical Security Patch Update — May 2026 | NVD — CVE-2026-46840


Google Chrome — 151 Vulnerabilities Patched, 22 Critical (Drive-by RCE)

Software affected: Google Chrome for Windows, Mac, and Linux, all versions prior to 148.0.7778.216. Other Chromium-based browsers, and Safari’s WebKit engine, may also be affected.

CVEs: CVE-2026-10000 through CVE-2026-10009 and approximately 141 additional identifiers. Twenty-two of the 151 patched vulnerabilities are rated Critical. Critical Chrome vulnerabilities allow an attacker to execute arbitrary code on the user’s system — simply visiting a compromised or malicious website, or viewing a malicious advertisement, is sufficient for exploitation with no further user interaction required.

Fixable: Yes. Update Google Chrome to version 148.0.7778.216 or later. Chrome typically auto-updates, but a browser restart is required for the update to take effect.

Business impact: This is the second consecutive Chrome release with a record number of critical vulnerabilities — the previous update earlier this month patched 14 critical flaws. The 22 critical vulnerabilities patched in this release represent a dramatic escalation. Among the critical and high-severity flaws are use-after-free vulnerabilities in Password Manager, PerformanceManager, PDFium, Views, WebAppInstalls, SVG, and Skia components, as well as integer overflows and race conditions in WebAudio. Many of these can be triggered by a crafted HTML page, PDF document, or SVG image. Chrome’s dominant market share in enterprise environments — where it is often the sanctioned and only allowed browser — means every unpatched endpoint is a potential entry point for drive-by attacks via compromised websites, malvertising, or phishing links.

How to fix: Restart Google Chrome to apply any pending updates. Verify the version by navigating to chrome://settings/help or clicking Chrome menu > Help > About Google Chrome. The version should read 148.0.7778.216 or later. For enterprise-managed Chrome deployments, push the update via your browser management policy (GPO, Intune, or equivalent) and enforce a restart policy to ensure users cannot defer the update indefinitely. For Chromium-based browsers (Edge, Brave, Opera, Vivaldi), check for corresponding updates from each vendor.

Recommended action: Standard priority — apply during the next maintenance window, but do not defer beyond the weekend. While Chrome auto-updates reduce the window of exposure, the sheer volume of critical vulnerabilities in this release means that attackers have a rich target surface to work with. Verify that Chrome auto-update is functioning across your endpoint fleet and that users are not running outdated versions.

Official source: Google Chrome Releases Blog


Updates on Items from Previous Reports

The following items were covered in full in earlier reports. Brief updates are noted where new information is available. For full technical details and remediation steps, refer to the linked original entries.

LiteSpeed cPanel Plugin — CVE-2026-48172 (CISA KEV, deadline passed May 29): Covered in the May 28 and May 29 reports. The CISA KEV remediation deadline of May 29 has now passed. cPanel has begun proactively uninstalling the user-end plugin from customer environments where it remains vulnerable — if you use cPanel, verify whether your provider has already addressed this. Hosting providers and MSPs still running unpatched LiteSpeed cPanel instances are past the federal deadline. Update to LiteSpeed cPanel plugin 2.4.7 and WHM plugin 5.3.1.0 immediately.

Daemon Tools Lite — CVE-2026-8398 (CISA KEV, deadline today May 30): Covered in the May 28 and May 29 reports. Today is the CISA KEV remediation deadline. Apply the vendor patch from blog.daemon-tools.cc if you have not already done so.

Palo Alto PAN-OS — CVE-2026-0257 (CISA KEV, deadline June 1): Covered in full as the lead item in this report. Deadline is this Sunday. Patch before the weekend if at all possible.

Drupal Core — CVE-2026-9082 (CISA KEV, deadline passed May 27): Covered in the May 28 report and dedicated advisory. CISA deadline was May 27 — now three days past due. Organisations still running unpatched Drupal instances on PostgreSQL are operating at direct risk of exploitation.

FortiClient EMS — CVE-2026-35616 (actively exploited, EKZ infostealer): Covered in the May 29 report. Arctic Wolf has published additional technical indicators for the EKZ campaign. If you have not yet applied the Fortinet hotfix for versions 7.4.5 and 7.4.6, do so now. Review EMS-managed endpoints for signs of the EKZ stealer.

Ghost CMS — CVE-2026-26980 (actively exploited, 700+ domains): Covered in the May 29 report. Large-scale ClickFix campaign ongoing. Update Ghost to 6.19.1 or later and rotate admin API keys. XLab continues to identify new compromised domains.

SonicWall SSL-VPN — CVE-2024-12802 (actively exploited, incomplete patch): Covered in the May 29 report. Gen6 devices require both firmware update AND manual LDAP reconfiguration. Treat any unverified Gen6 device as potentially compromised.

Burst Statistics WP Plugin — CVE-2026-8181 (actively exploited, 200,000+ sites): Covered in the May 29 report. Update to version 3.4.2 or later. Check for rogue admin accounts immediately after updating.

ChromaDB — CVE-2026-45829 (CVSS 10.0, fix unconfirmed): Covered in the May 29 report. Version 1.5.9 released but fix status remains unconfirmed. Primary mitigation: do not expose ChromaDB API server to the internet. Monitor the ChromaDB GitHub repository for confirmation.

FortiAuthenticator — CVE-2026-44277 / FortiSandbox — CVE-2026-26083: Covered in the May 29 report. Update FortiAuthenticator to 6.5.7/6.6.9/8.0.3 and FortiSandbox to 4.4.9/5.0.2. Both are CVSS 9.8; no active exploitation has been confirmed, but Fortinet products are high-value targets.

Exim — CVE-2026-45185 (CVSS 9.8): Covered in the May 29 report. Update Exim to 4.99.3. GnuTLS builds with CHUNKING advertised are affected. OpenSSL builds are not.

Trend Micro Apex One — CVE-2026-34926: Covered in the May 22 report. CISA KEV deadline June 4. Five days remaining.

Microsoft Defender — CVE-2026-41091, CVE-2026-45498, CVE-2026-45584: Covered in the May 22 report. CISA KEV deadline June 3. Four days remaining. Verify Malware Protection Engine version 1.1.26040.8.

Nx Console — CVE-2026-48027 / TanStack — CVE-2026-45321: Covered in the May 28 report. Both CISA KEV, both due June 10. Audit npm dependencies for the malicious versions.


This report is compiled from official vendor advisories, the CISA Known Exploited Vulnerabilities catalog, the National Vulnerability Database, and primary security research sources. Verify all remediation steps against official vendor documentation before applying changes in production environments.
