Quick Summary
This report covers the following active vulnerabilities:
- Ghost CMS – CVE-2026-26980: SQL injection, mass exploitation of 700+ websites
- KnowledgeDeliver LMS – CVE-2026-5426: ViewState deserialization zero-day, web shell deployment
- OpenPrinting CUPS – CVE-2026-34980 + CVE-2026-34990: Unauthenticated remote code execution to root
- Drupal – CVE-2026-9082: SQL injection in PostgreSQL backends, active exploitation
- dnsmasq – CVE-2026-4890/4891/4892/4893/5172/6507: Multiple vulnerabilities including RCE
- Underminr – CDN infrastructure abuse to hide malicious connections behind trusted domains
- Perl Text-CSV_XS – CVE-2026-7111: Use-after-free leading to memory corruption
- PackageKit – CVE-2026-41651: Race condition allowing arbitrary RPM installation as root
Introduction
This report provides a summary of the vulnerabilities that are most active right now. The selection is based on observed exploitation in the wild, active scanning campaigns, and the severity of the flaws. All CVEs listed below are being actively targeted or have confirmed exploitation, making them high-priority items for security teams to address.
Critical Vulnerabilities
Ghost CMS – CVE-2026-26980 (CVSS 9.4 – CRITICAL)
Affected software: Ghost CMS, versions 3.24.0 through 6.19.0
Description: An SQL injection vulnerability that allows unauthenticated attackers to perform arbitrary reads from the Ghost database. The flaw can be exploited to extract authentication tokens, user credentials, and website content.
Status: Actively exploited in mass attacks. Chinese cybersecurity firm Qianxin identified more than 700 compromised websites, including high-profile targets such as DuckDuckGo, Harvard University, and Oxford University. Nearly half of the compromised sites are personal blogs and independent sites; dozens more belong to software-development and tech blogs, AI and cryptocurrency companies, and other organizations. At least two threat groups are running poisoning operations, and some sites received multiple malicious implants within a single day.
Attack chain: Attackers exploit the SQL injection to obtain the site’s Admin API Key, then use the API to alter articles and inject malicious JavaScript loaders designed for ClickFix social engineering attacks.
Fix available: Patched in Ghost CMS version 6.19.1.
Recommendation: Upgrade to Ghost CMS 6.19.1 or later immediately. Audit all Ghost instances for signs of compromise: unauthorized Admin API key usage, modified articles, and injected JavaScript (including the site-wide and per-post code-injection settings, which are the usual place for a persistent loader). Rotate all API keys and admin credentials even where no content was altered, because the SQL injection itself exposes them.
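To support the audit step, here is an added example (not code from this report or from the Ghost project) that scans a Ghost JSON content export for script tags that do not belong: external scripts served from hosts outside a site-specific allowlist, and inline scripts carrying the clipboard-write and decoding calls typical of ClickFix loaders. It assumes Ghost's export layout (posts under db[0].data.posts with html, codeinjection_head and codeinjection_foot fields); the allowlist, the inline markers and the sample export are constructed for illustration.

```python
"""Scan a Ghost content export for injected <script> tags.

Added example, not from the report or the Ghost project. Assumes Ghost's
JSON export layout (posts under db[0].data.posts with html,
codeinjection_head and codeinjection_foot fields); the allowlist and the
sample export below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumption: set per site).
ALLOWED_SCRIPT_HOSTS = {"blog.example.org", "cdn.jsdelivr.net"}

# Inline-script markers common in ClickFix-style loaders (heuristic, not a signature).
SUSPICIOUS_INLINE = ("navigator.clipboard.writeText", "atob(", "eval(", "String.fromCharCode")


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def audit_html(label, markup):
    """Return (label, reason, detail) findings for one HTML fragment."""
    findings = []
    if not markup:
        return findings
    collector = ScriptCollector()
    collector.feed(markup)
    for src in collector.external:
        host = urlparse(src).hostname  # handles absolute and protocol-relative URLs
        if host and host not in ALLOWED_SCRIPT_HOSTS:
            findings.append((label, "external-script", src))
    for body in collector.inline:
        hits = [marker for marker in SUSPICIOUS_INLINE if marker in body]
        if hits:
            findings.append((label, "suspicious-inline", ",".join(hits)))
    return findings


def audit_export(export):
    """Audit every post's rendered HTML and its per-post code-injection slots."""
    findings = []
    for post in export["db"][0]["data"]["posts"]:
        for field in ("html", "codeinjection_head", "codeinjection_foot"):
            findings.extend(audit_html(f"{post['slug']}:{field}", post.get(field)))
    return findings


# Constructed sample export: one clean post, one carrying an injected loader.
SAMPLE_EXPORT = {"db": [{"data": {"posts": [
    {"slug": "hello-world",
     "html": '<p>Welcome</p><script src="https://cdn.jsdelivr.net/npm/x.js"></script>',
     "codeinjection_head": None, "codeinjection_foot": None},
    {"slug": "release-notes",
     "html": "<p>v2 is out</p>",
     "codeinjection_head": '<script src="//static.attacker-cdn.invalid/l.js"></script>',
     "codeinjection_foot": "<script>navigator.clipboard.writeText(atob('cG93ZXJzaGVsbA=='))</script>"},
]}}]}

if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT):
        print(*finding, sep="\t")
```

Relative script paths (no hostname) are skipped as theme assets; a full audit should also cover the site-wide code-injection values in the settings table and compare post updated_at timestamps against the editorial history, since the attackers edit existing articles rather than creating new ones.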
Sources: NVD – CVE-2026-26980 | GitHub Advisory | Ghost CMS Changelog
KnowledgeDeliver LMS – CVE-2026-5426 (CVSS 7.5 – HIGH)
Affected software: Digital Knowledge KnowledgeDeliver LMS, all deployments before February 24, 2026
Description: A hard-coded ASP.NET/IIS machineKey shipped in KnowledgeDeliver deployments lets adversaries bypass ViewState MAC validation and achieve remote code execution through malicious ViewState deserialization. ASP.NET uses the machineKey to sign and encrypt ViewState and similar data, so anyone who knows the key can produce a ViewState that the server accepts as genuine; because the same values are present in every independent installation, knowledge of the key compromises all deployments at once.
Status: Actively exploited. Google-owned Mandiant reports that threat actors used this zero-day to deploy Godzilla web shells (also known as Bluebeam) in memory, enabling command execution and payload delivery. The attackers modified web application directory permissions and injected malicious JavaScript to display fake security alerts prompting users to install a fake plugin, ultimately deploying a Cobalt Strike backdoor customized per victim organization.
Attack chain: Known machineKey -> crafted malicious ViewState payload -> deserialization -> web shell deployment -> Cobalt Strike backdoor
Fix available: Apply the vendor update (deployments patched on or after February 24, 2026) and rotate the machine keys immediately.
Recommendation: Rotate machine keys for all KnowledgeDeliver instances immediately. Restrict access to the LMS. Monitor for web shell deployment, unauthorized ViewState modifications, and Cobalt Strike indicators. Review Mandiant’s published IoCs.
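As an added example (not code from this report or from the vendor), the script below does the two checks a responder needs here: it fingerprints the machineKey in a web.config so that identical keys across unrelated installations can be spotted, and it rewrites the element with freshly generated random keys. It assumes the standard ASP.NET layout (configuration/system.web/machineKey); the sample config and its key values are constructed placeholders, not real product keys.

```python
"""Fingerprint and rotate the ASP.NET <machineKey> in a web.config.

Added example, not from the report or the vendor. Assumes the standard
ASP.NET layout (configuration/system.web/machineKey); the sample config
is constructed and its key values are placeholders, not real product keys.
"""
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed sample with an explicit key pair of the kind the advisory describes.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="{vk}" decryptionKey="{dk}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
""".format(vk="0123456789ABCDEF" * 8, dk="FEDCBA9876543210" * 4)


def machine_key_report(config_xml):
    """Classify the machineKey and return a fingerprint that can be compared
    across hosts: identical fingerprints on unrelated installations mean a
    shared (and therefore attacker-knowable) key."""
    root = ET.fromstring(config_xml)
    node = root.find("./system.web/machineKey")
    if node is None:
        return {"mode": "inherited-or-autogenerate", "fingerprint": None}
    vk = node.get("validationKey", "AutoGenerate")
    dk = node.get("decryptionKey", "AutoGenerate")
    if vk.startswith("AutoGenerate") or dk.startswith("AutoGenerate"):
        return {"mode": "autogenerate", "fingerprint": None}
    digest = hashlib.sha256(f"{vk}|{dk}".encode()).hexdigest()
    return {"mode": "explicit", "fingerprint": digest[:16],
            "validation": node.get("validation"), "decryption": node.get("decryption")}


def new_machine_key():
    """Fresh random keys: 64 bytes for HMACSHA256 validation, 32 bytes for AES-256."""
    return secrets.token_hex(64).upper(), secrets.token_hex(32).upper()


def rotate_machine_key(config_xml):
    """Return the config with a new explicit machineKey, creating the element if needed."""
    root = ET.fromstring(config_xml)
    web = root.find("system.web")
    if web is None:
        web = ET.SubElement(root, "system.web")
    node = web.find("machineKey")
    if node is None:
        node = ET.SubElement(web, "machineKey")
    vk, dk = new_machine_key()
    node.set("validationKey", vk)
    node.set("decryptionKey", dk)
    node.set("validation", "HMACSHA256")
    node.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    before = machine_key_report(SAMPLE_WEB_CONFIG)
    rotated = rotate_machine_key(SAMPLE_WEB_CONFIG)
    print("before:", before)
    print("after: ", machine_key_report(rotated))
```

Run the report on every host and compare fingerprints: matching values inside one load-balanced farm are expected, matching values across separate customers or environments are the condition the advisory describes. Rotation invalidates outstanding ViewState and forms-authentication tickets, and every node behind a load balancer must receive the same new key.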
Sources: NVD – CVE-2026-5426 | Mandiant Advisory
OpenPrinting CUPS – CVE-2026-34980 + CVE-2026-34990 (CVSS 7.5 + 7.8 – HIGH)
Affected software: OpenPrinting CUPS, versions 2.4.16 and prior
Description: A two-vulnerability chain enabling unauthenticated remote code execution with root privileges on systems with network-exposed CUPS services sharing PostScript print queues. CVE-2026-34980 allows an unauthorized client to send a Print-Job to a shared PostScript queue without authentication, where a parsing bug in the page-border option enables initial code execution as the lp user. CVE-2026-34990 provides local privilege escalation by coercing cupsd into authenticating to an attacker-controlled localhost IPP service, capturing a reusable Local authentication token that enables root-level file overwrite.
Status: New exploit chain disclosed in 2026. Unlike the 2024 CUPS vulnerabilities (the CVE-2024-47176 chain), which required user interaction (someone attempting to print), this chain needs no user interaction at all: a single network request leads directly to a root-level file overwrite.
Attack chain: Network access to shared PostScript CUPS queue -> CVE-2026-34980 code execution as lp user -> CVE-2026-34990 privilege escalation to root
Fix available: Update CUPS to version 2.4.17 or later.
Recommendation: Update CUPS immediately. Audit systems for shared PostScript queue exposure. Restrict network access to CUPS services (port 631). This is especially critical for enterprise environments with shared printer infrastructure.
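An added example (not code from this report or from the OpenPrinting project) for the audit step: it reads the text of cupsd.conf, printers.conf and the queues' PPD files and reports whether the two preconditions of the chain coincide, a listener reachable from other hosts and a shared PostScript queue. The samples are constructed; PostScript detection uses the CUPS rule that a PPD with no *cupsFilter or *cupsFilter2 line describes a native PostScript printer.

```python
"""Audit CUPS for the exposure the CVE-2026-34980/34990 chain needs: a
shared PostScript queue reachable from the network.

Added example, not from the report or OpenPrinting. It reads the text of
cupsd.conf, printers.conf and the queues' PPD files; the samples are
constructed. PostScript detection follows the CUPS rule that a PPD with no
*cupsFilter/*cupsFilter2 line describes a native PostScript printer.
"""
import re

LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}

SAMPLE_CUPSD_CONF = """LogLevel warn
Port 631
Listen /run/cups/cups.sock
Browsing On
"""

SAMPLE_PRINTERS_CONF = """<DefaultPrinter office-ps>
Info Office PostScript printer
DeviceURI socket://10.0.0.20:9100
State Idle
Shared Yes
</Printer>
<Printer lab-raster>
Info Lab inkjet
DeviceURI usb://Vendor/Model?serial=1
State Idle
Shared Yes
</Printer>
<Printer private-ps>
Info Private PostScript printer
DeviceURI ipp://10.0.0.21/ipp/print
State Idle
Shared No
</Printer>
"""

SAMPLE_PPDS = {
    "office-ps": '*PPD-Adobe: "4.3"\n*LanguageLevel: "3"\n',
    "lab-raster": '*PPD-Adobe: "4.3"\n*cupsFilter: "application/vnd.cups-raster 0 rastertoinkjet"\n',
    "private-ps": '*PPD-Adobe: "4.3"\n*LanguageLevel: "2"\n',
}


def network_listeners(cupsd_conf):
    """Return Port/Listen directives that accept TCP connections from other hosts."""
    exposed = []
    for line in cupsd_conf.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key == "port":
            exposed.append(f"Port {value}")                    # Port binds every interface
        elif key == "listen" and not value.startswith("/"):   # skip the Unix socket
            host = value.rsplit(":", 1)[0]                      # "localhost:631" -> "localhost"
            if host not in LOOPBACK:
                exposed.append(f"Listen {value}")
    return exposed


def shared_queues(printers_conf):
    """Names of queues whose printers.conf block says Shared Yes."""
    shared, current, is_shared = [], None, False
    for raw in printers_conf.splitlines():
        line = raw.strip()
        m = re.match(r"<(?:Default)?Printer\s+(\S+)>", line)
        if m:
            current, is_shared = m.group(1), False
        elif line.lower().startswith("shared "):
            is_shared = line.split()[1].lower() == "yes"
        elif line == "</Printer>" and current:
            if is_shared:
                shared.append(current)
            current = None
    return shared


def is_postscript_ppd(ppd_text):
    """No cupsFilter lines means cupsd treats the queue as native PostScript."""
    return re.search(r"^\*cupsFilter2?:", ppd_text, re.MULTILINE) is None


def audit_cups(cupsd_conf, printers_conf, ppds):
    listeners = network_listeners(cupsd_conf)
    # A queue with no PPD on disk is treated conservatively as PostScript.
    ps_shared = [q for q in shared_queues(printers_conf) if is_postscript_ppd(ppds.get(q, ""))]
    return {"network_listeners": listeners,
            "shared_postscript_queues": ps_shared,
            "exposed": bool(listeners) and bool(ps_shared)}


if __name__ == "__main__":
    print(audit_cups(SAMPLE_CUPSD_CONF, SAMPLE_PRINTERS_CONF, SAMPLE_PPDS))
```

On a live host the inputs are /etc/cups/cupsd.conf, /etc/cups/printers.conf (root-readable only) and /etc/cups/ppd/<queue>.ppd. A result with network listeners but no shared PostScript queue still warrants the 2.4.17 update; the listener check is what tells you whether to treat the host as urgent or routine.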
Sources: NVD – CVE-2026-34980 | NVD – CVE-2026-34990 | OpenPrinting CUPS Security Advisories | OpenPrinting CUPS Project
Drupal – CVE-2026-9082 (CVSS 6.5 – MEDIUM, Risk Score 23/25)
Affected software: Drupal core, versions 8.9.0-10.4.9, 10.5.0-10.5.9, 10.6.0-10.6.8, 11.0.0-11.1.9, 11.2.0-11.2.8 (PostgreSQL backends only)
Description: SQL injection vulnerability in a Drupal API designed to sanitize database queries. Exploitable by unauthenticated attackers against sites using PostgreSQL databases. Allows information extraction, privilege escalation, and in some cases remote code execution.
Status: Actively exploited. Drupal warned of exploitation attempts within hours of the May 20 patch release. Imperva reported over 15,000 exploitation attempts targeting nearly 6,000 sites across 65 countries. Almost half of attacks targeted gaming and financial services websites. The risk score was raised from 20 to 23 to reflect active exploitation. This is the first Drupal vulnerability exploited in the wild since the 2019 Drupalgeddon incidents.
Attack chain: Unauthenticated request with crafted SQL -> database query manipulation -> data extraction / privilege escalation / RCE
Fix available: Patched in Drupal 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.9.
Recommendation: Update Drupal core immediately if running PostgreSQL. While only ~5% of Drupal sites use PostgreSQL, the active exploitation campaign is broad. Audit for SQL injection indicators and unauthorized database access. This is the first actively exploited Drupal vulnerability in seven years — do not delay patching.
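For the "audit for SQL injection indicators" step, here is an added example (not code from this report or from the Drupal project) that triages web-server access logs for PostgreSQL-flavoured injection attempts. The indicators are generic PostgreSQL SQLi tells, not a signature for CVE-2026-9082 (the report publishes none); the log format is Apache/nginx combined and the log lines are constructed.

```python
"""Triage access logs for PostgreSQL-flavoured SQL injection attempts.

Added example, not from the report or the Drupal project. The indicators
are generic PostgreSQL SQLi tells, not a signature for CVE-2026-9082, and
the log lines are constructed. Request bodies are not in access logs, so
POST-borne payloads need a WAF or application log instead.
"""
import re
from urllib.parse import unquote_plus

# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# PostgreSQL-specific and generic SQLi tells (heuristic; tune per site).
INDICATORS = {
    "pg_sleep": re.compile(r"pg_sleep\s*\(", re.I),
    "pg-cast": re.compile(r"::\s*(text|int|bigint|bytea)\b", re.I),
    "dollar-quote": re.compile(r"\$\$"),
    "file-io": re.compile(r"\b(pg_read_file|lo_import|lo_export|copy\s+\S+\s+(to|from)\s+program)\b", re.I),
    "union": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "tautology": re.compile(r"'\s*(or|and)\s+['\d]", re.I),
    "comment": re.compile(r"(--|/\*)"),
}


def decode_target(target):
    """URL-decode twice, because attackers often double-encode to slip past filters."""
    return unquote_plus(unquote_plus(target))


def triage(lines):
    """Return [(client_ip, raw_target, [indicator names])] for suspicious requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_target(m["target"])
        matched = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        if matched:
            hits.append((m["ip"], m["target"], matched))
    return hits


# Constructed sample: a time-based probe, a benign search, and a UNION read of the users table.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/May/2026:10:02:11 +0000] "GET /node?title=x%27%20OR%20pg_sleep(5)--%20 HTTP/1.1" 200 512 "-" "curl/8.6"',
    '198.51.100.9 - - [21/May/2026:10:02:12 +0000] "GET /search/node?keys=drupal%2520postgres HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/May/2026:10:02:14 +0000] "GET /taxonomy/term/1?x=%2524%2524%20UNION%20SELECT%20name%2Cpass%20FROM%20users_field_data%20%2524%2524 HTTP/1.1" 500 0 "-" "curl/8.6"',
]

if __name__ == "__main__":
    for ip, target, names in triage(SAMPLE_LOG):
        print(ip, ",".join(names), target)
```

The "comment" indicator alone is low signal (double hyphens occur in ordinary slugs); treat a client with several distinct indicators, or repeated 500 responses, as the lead to pull application logs for. Failed injection attempts usually produce PostgreSQL syntax errors, and setting log_min_error_statement to ERROR on the database records the offending statement text, which is the fastest way to confirm what was tried.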
Sources: NVD – CVE-2026-9082 | Drupal Security Advisory SA-CORE-2026-005
High-Severity Advisories
dnsmasq – CVE-2026-4890, CVE-2026-4891, CVE-2026-4892, CVE-2026-4893, CVE-2026-5172, CVE-2026-6507
Affected software: dnsmasq (multiple Linux distributions)
Description: Multiple vulnerabilities in dnsmasq affecting DNSSEC validation, DHCPv6 implementation, and DNS response processing:
- CVE-2026-4890 (CVSS 7.5) – DoS via crafted DNS packet in DNSSEC validation
- CVE-2026-4891 (CVSS 5.3) – Heap-based out-of-bounds read in DNSSEC validation
- CVE-2026-4892 (CVSS 8.4) – Heap-based out-of-bounds write in DHCPv6, local attacker can execute arbitrary code as root
- CVE-2026-4893 (CVSS 5.3) – Information disclosure, bypass source checks via crafted DNS with client subnet info
- CVE-2026-5172 (CVSS 7.3) – Buffer overflow in extract_addresses() via malformed DNS response
- CVE-2026-6507 – Out-of-bounds write in DHCP BOOTREPLY processing leading to DoS
Status: Patches available via distribution security updates (SUSE, Fedora, Debian, openSUSE, Oracle Linux).
Recommendation: Apply distribution security updates for dnsmasq immediately. CVE-2026-4892 is particularly concerning as it allows local privilege escalation to root via DHCPv6.
Sources: NVD – CVE-2026-4890 | NVD – CVE-2026-4891 | NVD – CVE-2026-4892 | NVD – CVE-2026-4893 | NVD – CVE-2026-5172 | NVD – CVE-2026-6507 | SUSE Security
Underminr – CDN Infrastructure Abuse
Affected software: Shared CDN infrastructure (impacting approximately 88 million domains)
Description: A variant of domain fronting dubbed “Underminr” lets attackers hide connections to malicious domains behind trusted ones on shared CDN edge infrastructure. Instead of using a separate front domain, the client presents the SNI and HTTP Host of a trusted domain while sending the request to the IP address of a different tenant on the same shared edge. Because the protective resolver never sees a lookup for the malicious domain, the technique bypasses DNS filtering, hides command-and-control traffic, and circumvents network egress policies.
Status: Actively exploited in real-world attacks. ADAMnetworks reports the technique has been used to connect to domains hosted on CDN infrastructure shared with allowed domains via TCP port 443. Four different exploitation strategies have been identified to circumvent Protective DNS (PDNS) services.
Recommendation: Correlate DNS decisions, edge IPs, SNI, Host headers, and CDN tenant routing. Implement monitoring for SNI/Host header mismatches. Review CDN configuration and tenant isolation.
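The correlation the recommendation calls for, as an added example that is not code from this report or from ADAMnetworks: it joins the answers a Protective DNS service actually returned to each client against the TLS connections that client then made, and flags connections whose destination IP was never returned for the SNI name, plus classic fronting where SNI and Host disagree. The log layouts are assumptions and the records are constructed; a hit is a lead, not proof, since CDNs rotate edge IPs and clients may use cached or non-PDNS answers.

```python
"""Correlate Protective-DNS answers with observed TLS connections to spot
Underminr-style routing: a connection whose SNI/Host names a trusted
domain but whose destination IP was never returned for that name.

Added example, not from the report or ADAMnetworks. Log layouts are
assumptions and the records are constructed. A finding is a lead, not
proof: CDNs rotate edge IPs and clients may use cached or non-PDNS answers.
"""
from collections import defaultdict

# Constructed PDNS answer log: (client, qname, answered IP)
DNS_ANSWERS = [
    ("10.1.1.5", "cdn.trusted-example.com", "192.0.2.10"),
    ("10.1.1.5", "cdn.trusted-example.com", "192.0.2.11"),
    ("10.1.1.6", "cdn.trusted-example.com", "192.0.2.10"),
]

# Constructed TLS/HTTP connection log: (client, dst_ip, sni, http_host)
CONNECTIONS = [
    ("10.1.1.5", "192.0.2.10", "cdn.trusted-example.com", "cdn.trusted-example.com"),   # normal
    ("10.1.1.5", "192.0.2.77", "cdn.trusted-example.com", "cdn.trusted-example.com"),   # IP never answered for that name
    ("10.1.1.6", "192.0.2.10", "cdn.trusted-example.com", "c2.other-tenant.example"),   # classic fronting: SNI != Host
    ("10.1.1.6", "192.0.2.10", "cdn.trusted-example.com", "cdn.trusted-example.com"),   # normal
]


def normalize(name):
    return name.lower().rstrip(".")


def build_dns_index(answers):
    """Map (client, qname) -> set of IPs the PDNS actually returned to that client."""
    index = defaultdict(set)
    for client, qname, ip in answers:
        index[(client, normalize(qname))].add(ip)
    return index


def correlate(answers, connections):
    """Return [(client, dst_ip, sni, reasons)] for connections the DNS record does not explain."""
    per_client = build_dns_index(answers)
    fleet = defaultdict(set)            # qname -> IPs answered to any client
    for (_, qname), ips in per_client.items():
        fleet[qname] |= ips
    findings = []
    for client, dst_ip, sni, host in connections:
        sni_n, host_n = normalize(sni), normalize(host)
        reasons = []
        if sni_n != host_n:
            reasons.append("sni-host-mismatch")
        if dst_ip not in per_client.get((client, sni_n), set()):
            reasons.append("dst-ip-not-resolved-for-sni")
            if dst_ip not in fleet.get(sni_n, set()):
                reasons.append("ip-never-answered-for-sni")   # strongest signal: no client ever got this IP
        if reasons:
            findings.append((client, dst_ip, sni_n, reasons))
    return findings


if __name__ == "__main__":
    for client, dst_ip, sni, reasons in correlate(DNS_ANSWERS, CONNECTIONS):
        print(client, "->", dst_ip, "sni=" + sni, ",".join(reasons))
```

The Host header is only available where TLS is inspected; without it, the SNI-versus-resolved-IP check still works on plain flow and resolver logs. Before escalating an ip-never-answered-for-sni hit, check the destination against the CDN's published edge ranges: an IP outside them is misdirection of a different kind, an IP inside them with no matching answer is the pattern this section describes.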
Sources: ADAMnetworks – Underminr Research
Perl Text-CSV_XS – CVE-2026-7111 (CVSS 8.4 – HIGH)
Affected software: Perl Text::CSV_XS, versions before 1.62
Description: Use-after-free when registered callbacks extend the Perl argument stack, potentially enabling type confusion or memory corruption. Affects the parse, print, getline, and getline_all methods when callbacks are registered.
Fix available: Update to Text::CSV_XS version 1.62 or later.
Recommendation: Update the module via CPAN or distribution packages. Audit Perl applications using Text::CSV_XS with registered callbacks.
Sources: NVD – CVE-2026-7111 | CPAN Text-CSV_XS Changelog
PackageKit – CVE-2026-41651
Affected software: PackageKit (openSUSE, SUSE Linux)
Description: Race condition in PackageKit allows arbitrary RPM package installation as root, leading to local privilege escalation (LPE).
Status: Patched via SUSE security advisory SUSE-2026-1939-1.
Recommendation: Apply SUSE security updates immediately. Restrict access to PackageKit on multi-user systems.
Sources: NVD – CVE-2026-41651 | SUSE – CVE-2026-41651
Additional Notes
This is the first time since 2019 that a Drupal vulnerability has been actively exploited in the wild, marking a significant shift. The Ghost CMS mass exploitation campaign demonstrates how quickly unpatched CMS instances are targeted: the patch was released in February, yet hundreds of sites were still unpatched in May. The CUPS exploit chain's evolution from requiring user interaction (2024) to needing none (2026) shows how attackers keep refining their approach to known attack surfaces.
All organizations should prioritize patching the critical vulnerabilities listed above, particularly if they operate Ghost CMS instances, Drupal sites with PostgreSQL backends, or CUPS printing services.
