Quick Reference – Active Vulnerabilities and Affected Software
Nx Console: CVE-2026-48027 (KEV, due June 10)
TanStack: CVE-2026-45321 (KEV, due June 10)
Daemon Tools Lite: CVE-2026-8398 (KEV, due May 30)
LiteSpeed cPanel Plugin: CVE-2026-48172 (KEV, due May 29)
Drupal Core: CVE-2026-9082 (KEV, due May 27)
Joomla: CVE-2026-35221, CVE-2026-35222, CVE-2026-40383, CVE-2026-48899, CVE-2026-48904
Perl: CVE-2026-8376
WordPress Login with OTP Plugin: CVE-2026-8760
IBM Langflow OSS: CVE-2026-7524
FastNetMon Community Edition: CVE-2026-48686, CVE-2026-48687, CVE-2026-48689, CVE-2026-48691
IBM WebSphere / HTTP Server: CVE-2026-8633, CVE-2026-8855
Samba: CVE-2026-4480
OpenWrt luci-app-https-dns-proxy: CVE-2026-46368
Gitea: CVE-2026-27771
This report summarizes the most significant vulnerabilities and active threats as of May 28, 2026. The following assessments are drawn directly from vendor security advisories, the CISA Known Exploited Vulnerabilities catalog, and the National Vulnerability Database.
CISA Known Exploited Vulnerabilities Catalog Update
Three new entries were added to the CISA Known Exploited Vulnerabilities (KEV) catalog on May 27, 2026, all related to supply chain compromises.
CISA KEV: New Entries
Nx Console Embedded Malicious Code (CVE-2026-48027, CVSS 9.8). On May 19, 2026, a malicious version of Nx Console, the user interface for the Nx and Lerna monorepo build tools, was published to the npm registry as version 18.95.0. The compromised package was available for roughly one hour before it was removed. Nx Console is widely used by JavaScript and TypeScript teams managing monorepo workspaces. CISA has set a remediation due date of June 10, 2026. Organizations using Nx Console should confirm that version 18.95.0 is not present in any environment, whether as a direct or a transitive dependency: check lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml), private registry mirrors and build caches that may have fetched the package during the hour it was live, and treat any developer workstation or CI runner that actually installed it as a compromised host rather than a dependency to be cleaned up. The CISA KEV entry is available at https://www.cisa.gov/known-exploited-vulnerabilities-catalog.
TanStack Supply Chain Compromise (CVE-2026-45321, CVSS 9.6). On May 11, 2026, between 19:20 and 19:26 UTC, 84 malicious versions across 42 TanStack scoped packages were published to the npm registry. TanStack provides widely adopted libraries for React state management, routing, tables, and forms. The breadth of affected packages, spanning the entire TanStack ecosystem, makes this one of the more extensive npm supply chain incidents of the year. CISA has set a remediation due date of June 10, 2026. Organizations using any TanStack package should immediately audit their lockfiles and dependency trees for any version published during the May 11 window and pin every package to a known-good release. A pinned lockfile only helps if the pinned version predates the window, so compare each installed @tanstack version against the registry's publish timestamps (npm view <package> time --json prints them) rather than relying on the version string alone. The NVD entry is available at https://nvd.nist.gov/vuln/detail/CVE-2026-45321.
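The lockfile audit that both KEV entries above call for, as an added example that is not vendor or project code. It walks a package-lock.json (v1 nested layout or the flat v2/v3 layout), flags an exact known-bad version, and flags any package in the TanStack scope whose registry publish time falls inside the May 11 window. The npm package name used for Nx Console is an assumption (the report names the product, not its npm identifier); the lockfile, versions and timestamps below are constructed for the demo and are not the real malicious versions, which the report does not list.

```python
"""Added example (not vendor or project code): audit an npm package-lock.json
against the two KEV supply-chain entries. The npm name for Nx Console is an
assumption; the TanStack window is the one the report gives; all sample data
is constructed."""
import json
from datetime import datetime, timezone

KNOWN_BAD = {'nx-console': {'18.95.0'}}     # assumed npm name -> malicious versions
WATCH_SCOPE = '@tanstack/'                    # every TanStack package lives in this scope
WINDOW = (datetime(2026, 5, 11, 19, 20, tzinfo=timezone.utc),
          datetime(2026, 5, 11, 19, 26, tzinfo=timezone.utc))


def installed_packages(lock: dict):
    """Yield (name, version) for every package in a lockfile: lockfileVersion 2/3
    use a flat 'packages' map keyed by node_modules path, v1 nests 'dependencies'."""
    for path, meta in lock.get('packages', {}).items():
        if path == '':                                  # the root project itself
            continue
        yield path.rsplit('node_modules/', 1)[-1], meta.get('version')

    def walk(deps):
        for name, meta in deps.items():
            yield name, meta.get('version')
            yield from walk(meta.get('dependencies', {}))
    yield from walk(lock.get('dependencies', {}))


def parse_npm_time(ts: str) -> datetime:
    """npm registry 'time' values look like 2026-05-11T19:23:41.000Z."""
    return datetime.strptime(ts, '%Y-%m-%dT%H:%M:%S.%fZ').replace(tzinfo=timezone.utc)


def audit(lock: dict, registry_time: dict) -> list:
    """registry_time: package name -> {version: publish timestamp}, i.e. the
    'time' object that `npm view <pkg> time --json` prints for each package."""
    findings = []
    for name, version in installed_packages(lock):
        if version in KNOWN_BAD.get(name, ()):
            findings.append((name, version, 'known malicious version'))
            continue
        if name.startswith(WATCH_SCOPE):
            ts = registry_time.get(name, {}).get(version)
            if ts is None:
                findings.append((name, version, 'no publish time on hand: verify manually'))
            elif WINDOW[0] <= parse_npm_time(ts) <= WINDOW[1]:
                findings.append((name, version, 'published inside compromise window'))
    return findings


# Constructed lockfile (v3 layout): one direct hit and one nested TanStack package.
SAMPLE_LOCK = {
    'lockfileVersion': 3,
    'packages': {
        '': {'name': 'demo-app', 'version': '1.0.0'},
        'node_modules/nx-console': {'version': '18.95.0'},
        'node_modules/@tanstack/react-query': {'version': '5.99.2'},
        'node_modules/@tanstack/query-core': {'version': '5.99.1'},
        'node_modules/some-lib/node_modules/@tanstack/table-core': {'version': '8.30.0'},
    },
}
# Constructed registry metadata; versions and timestamps are illustrative, not
# the real affected versions (the report does not list them).
SAMPLE_TIME = {
    '@tanstack/react-query': {'5.99.1': '2026-05-02T10:00:00.000Z',
                              '5.99.2': '2026-05-11T19:23:41.000Z'},
    '@tanstack/query-core':  {'5.99.1': '2026-05-02T10:00:00.000Z'},
    # '@tanstack/table-core' deliberately missing: an offline metadata gap
}

if __name__ == '__main__':
    import sys
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, version, reason in audit(lock, SAMPLE_TIME):
        print('%s@%s: %s' % (name, version, reason))
```

A package with no publish metadata on hand is reported rather than silently passed, because the failure mode to avoid in this audit is a false clean bill; fill the gaps from the registry before closing the ticket.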
Daemon Tools Lite Embedded Malicious Code (CVE-2026-8398, CVSS 9.8). A supply chain attack compromised the official installation packages of DAEMON Tools Lite for Windows, affecting versions 12.5.0.2421 through 12.5.0.2434 distributed through the vendor's own channels. This has an urgent CISA remediation due date of May 30, 2026, only two days from the publication of this report. Any organization with DAEMON Tools Lite installed should verify the version immediately (the installed version is visible under Programs and Features and in the Windows Uninstall registry keys that software inventory tools read) and remove any instance within the affected range. Because the installer itself carried the malicious code, endpoints that ran an affected version should be handled as potentially compromised, not simply cleaned. The NVD entry is available at https://nvd.nist.gov/vuln/detail/CVE-2026-8398.
CISA KEV: Active Entries with Imminent Deadlines
LiteSpeed cPanel Plugin Privilege Escalation (CVE-2026-48172, CVSS 9.8). First added to the KEV catalog on May 26, this vulnerability in the LiteSpeed cPanel plugin has a mandatory remediation deadline of May 29, 2026, tomorrow. The vulnerability enables privilege escalation on hosting servers running the affected plugin; on shared hosting that means one tenant's access can become control of the whole server. Organizations managing cPanel servers with the LiteSpeed plugin should treat this as the highest patching priority. The LiteSpeed advisory is available at https://blog.litespeedtech.com/ and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-48172.
Drupal Core SQL Injection (CVE-2026-9082, CVSS 9.8). This actively exploited SQL injection vulnerability in Drupal core had a CISA KEV remediation deadline of May 27, 2026, which has now passed. Organizations still running unpatched Drupal instances are past the federal remediation deadline and at direct risk of exploitation; given confirmed in-the-wild activity, patching should be followed by a review of the site for unexpected administrator accounts and modified content. The Drupal security advisory is available at https://www.drupal.org/sa-core-2026-004.
Joomla Multiple Critical Vulnerabilities
A cluster of five critical vulnerabilities in Joomla was published on May 26, 2026, all carrying CVSS scores of 9.8. The affected components span the core Joomla content management system and its built-in extensions.
Joomla com_finder SQL Injection (CVE-2026-35221, CVSS 9.8). Improperly built filter clauses in the search query for the com_finder component allow SQL injection. The NVD entry is at https://nvd.nist.gov/vuln/detail/CVE-2026-35221.
Joomla com_tags SQL Injection (CVE-2026-35222, CVSS 9.8). Improperly validated order clauses in the com_tags component lead to SQL injection. The NVD entry is at https://nvd.nist.gov/vuln/detail/CVE-2026-35222.
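The weakness class behind the two Joomla SQL injection entries above (a filter or order clause assembled from request values), shown generically as an added example with sqlite3. This is not Joomla's code; the table, columns and request keys are invented for the demo. The point it makes is that bound parameters cannot carry identifiers or keywords, so an ORDER BY built from user input has to go through an allow-list, and that without one an injected conditional expression lets an attacker learn something from the row order alone.

```python
"""Added example, not Joomla code: an ORDER BY built from request parameters,
the weak form beside the allow-listed form, run against sqlite3."""
import sqlite3

ROWS = [(1, 'alpha', 3), (2, 'beta', 1), (3, 'gamma', 2)]     # constructed sample rows


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(':memory:')
    con.execute('CREATE TABLE tags (id INTEGER, title TEXT, hits INTEGER)')
    con.executemany('INSERT INTO tags VALUES (?, ?, ?)', ROWS)
    return con


def build_order_vulnerable(sort: str, direction: str) -> str:
    """The weak pattern: request values interpolated straight into ORDER BY."""
    return 'SELECT id FROM tags ORDER BY %s %s' % (sort, direction)


ALLOWED_SORT = {'id': 'id', 'title': 'title', 'hits': 'hits'}   # request key -> column
ALLOWED_DIR = {'asc': 'ASC', 'desc': 'DESC'}


def build_order_safe(sort: str, direction: str) -> str:
    """Allow-list: only a known column name and direction ever reach the SQL text."""
    try:
        column, dirn = ALLOWED_SORT[sort], ALLOWED_DIR[direction.lower()]
    except KeyError:
        raise ValueError('unsupported sort parameter') from None
    return 'SELECT id FROM tags ORDER BY %s %s' % (column, dirn)


def is_accepted(sort: str, direction: str) -> bool:
    try:
        build_order_safe(sort, direction)
        return True
    except ValueError:
        return False


def run(con: sqlite3.Connection, sql: str) -> list:
    return [row[0] for row in con.execute(sql)]


def demo() -> dict:
    """An injected CASE expression makes the row order depend on a condition the
    attacker chose; with the vulnerable builder that is an oracle, with the
    allow-listed builder it is a rejected request."""
    con = make_db()
    probe = '(CASE WHEN (SELECT count(*) FROM tags) > 2 THEN id ELSE hits END)'
    return {
        'safe_hits_asc': run(con, build_order_safe('hits', 'asc')),
        'vuln_probe_true': run(con, build_order_vulnerable(probe, 'ASC')),
        'vuln_probe_false': run(con, build_order_vulnerable(probe.replace('> 2', '> 5'), 'ASC')),
        'safe_rejects_probe': not is_accepted(probe, 'ASC'),
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print(key, value)
```

Mapping request keys to column names through a dictionary, rather than checking the input against a regular expression, also keeps the real schema out of the URL and makes renaming a column a one-line change.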
Joomla Local File Inclusion (CVE-2026-40383, CVSS 9.8). Improper validation of user-supplied input leads to a local file inclusion vulnerability, potentially enabling attackers to read arbitrary files or achieve remote code execution in combination with other techniques. The NVD entry is at https://nvd.nist.gov/vuln/detail/CVE-2026-40383.
Joomla com_users Privilege Escalation (CVE-2026-48899 and CVE-2026-48904, both CVSS 9.8). Two improper access check vulnerabilities in the com_users component allow privilege escalation — one through the batch task and one through the group editing webservice endpoint. An attacker exploiting these could elevate from a low-privileged account to administrator. The NVD entries are at https://nvd.nist.gov/vuln/detail/CVE-2026-48899 and https://nvd.nist.gov/vuln/detail/CVE-2026-48904.
Joomla administrators should apply the latest security release immediately. Given that three distinct attack vectors — SQL injection, local file inclusion, and privilege escalation — are present in this cluster, unpatched Joomla instances are exposed to a chainable attack surface that can result in full site compromise.
Web Application Vulnerabilities
WordPress Login with OTP Authentication Bypass (CVE-2026-8760, CVSS 9.8). All versions of the Login with OTP plugin for WordPress up to and including version 1.6 are vulnerable to authentication bypass due to an incomplete validation check. An unauthenticated attacker can bypass the one-time password mechanism entirely and gain access to any user account, including administrators. Given the plugin's purpose as a two-factor authentication solution, the bypass is especially dangerous: site operators who deployed it specifically to strengthen authentication are instead exposed to unauthenticated account takeover. Sites using this plugin should disable it immediately, switch to an alternative two-factor authentication method, and review recent administrator logins and newly created users for signs that the bypass was already used. The NVD entry is at https://nvd.nist.gov/vuln/detail/CVE-2026-8760.
Infrastructure and Platform Vulnerabilities
Perl Heap Buffer Overflow in Regex Compilation (CVE-2026-8376, CVSS 9.8). All versions of Perl through 5.43.10 contain a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. The vulnerability lies in the Perl_study function within the core regex engine. Because the bug is triggered at pattern compile time, the realistic exposure is any program that compiles patterns derived from untrusted input. While 32-bit builds are the directly affected target, the pervasiveness of Perl (it ships by default on virtually every Unix-like operating system and is embedded in countless applications, build pipelines, and system administration tools) gives this vulnerability an exceptionally broad attack surface. Organizations running 32-bit Perl installations, including those in containerized environments, embedded systems, and legacy infrastructure, should prioritize upgrading to a patched Perl release; perl -V:ptrsize reports ptrsize='4' on a 32-bit build, which makes the affected interpreters easy to find in an inventory. The NVD entry is at https://nvd.nist.gov/vuln/detail/CVE-2026-8376.
FastNetMon Multiple Critical Vulnerabilities (CVE-2026-48686, CVE-2026-48687, CVE-2026-48689, CVE-2026-48691, all CVSS 9.8). FastNetMon Community Edition through version 1.2.9 contains four critical vulnerabilities: a stack-based buffer overflow in the BGP NLRI decoder (CVE-2026-48686), an OS command injection in the Juniper router integration (CVE-2026-48687), an off-by-one heap-based buffer overflow in the dynamic binary buffer handler (CVE-2026-48689), and an integer overflow in the BGP AS_PATH attribute encoder (CVE-2026-48691). FastNetMon is a high-performance DDoS detection and mitigation tool deployed at internet service providers, hosting companies, and large enterprises. The network-facing attack vectors, BGP protocol handling and router integration, mean these bugs can potentially be triggered by a remote attacker who can deliver crafted BGP messages to the process, so BGP sessions should be restricted to known neighbours until the upgrade is done. FastNetMon operators should upgrade to a version beyond 1.2.9 immediately. The NVD entries are at https://nvd.nist.gov/vuln/detail/CVE-2026-48686, https://nvd.nist.gov/vuln/detail/CVE-2026-48687, https://nvd.nist.gov/vuln/detail/CVE-2026-48689 and https://nvd.nist.gov/vuln/detail/CVE-2026-48691.
IBM WebSphere / HTTP Server Plug-in Remote Code Execution (CVE-2026-8633, CVSS 9.8 and CVE-2026-8855, CVSS 8.1). IBM has disclosed critical vulnerabilities in the Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty versions 8.5 and 9.0, as well as IBM HTTP Server 8.5 and 9.0. CVE-2026-8633, the 9.8-rated issue, affects the WebSphere web server plug-in. CVE-2026-8855 enables remote code execution and denial of service in IBM HTTP Server configurations with TLS mutual authentication enabled, so deployments that use client certificates are the ones exposed to it. Both affect widely deployed enterprise Java middleware. IBM WebSphere administrators should apply the relevant fixes from IBM's support portal. The NVD entries are at https://nvd.nist.gov/vuln/detail/CVE-2026-8633 and https://nvd.nist.gov/vuln/detail/CVE-2026-8855.
IBM Langflow OSS Remote Code Execution (CVE-2026-7524, CVSS 9.8). IBM Langflow Open Source Software versions 1.0.0 through 1.9.1 contain a remote code execution vulnerability due to improper validation of symbolic links during archive extraction. Langflow is a widely used low-code platform for building AI agent and retrieval-augmented generation (RAG) workflows, and is frequently deployed with access to sensitive data stores and large language model API keys. An attacker who can supply a crafted archive to a Langflow instance could execute arbitrary code, and would then hold whatever credentials the instance holds. Langflow users should upgrade to a patched version beyond 1.9.1, and should rotate model API keys and data-store credentials on any instance that may have processed an untrusted archive. The NVD entry is at https://nvd.nist.gov/vuln/detail/CVE-2026-7524.
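The extraction check that the Langflow weakness class calls for, as an added example that is not Langflow's code and not taken from the advisory. A tar member that is a symlink or hardlink is never created (so a later member cannot be written through it), a member whose path leaves the destination is rejected, and extraction fails closed on the first unsafe member instead of skipping it. The sample archive is constructed in memory for the demo; the member names in it are invented.

```python
"""Added example, not Langflow code: fail-closed tar extraction that refuses
symlink, hardlink and traversal members before anything is written."""
import io
import os
import posixpath
import tarfile
import tempfile


class UnsafeArchiveError(Exception):
    pass


def _contained(name: str) -> bool:
    """True if a member path, taken relative to the destination, stays inside it."""
    norm = posixpath.normpath(name)
    return not (name.startswith('/') or norm == '..' or norm.startswith('../'))


def check_member(m: tarfile.TarInfo) -> str:
    """Verdict for one member; anything other than 'ok' aborts extraction."""
    if m.issym() or m.islnk():
        return 'reject: symlink or hardlink member %r -> %r' % (m.name, m.linkname)
    if not (m.isfile() or m.isdir()):
        return 'reject: special file %r' % m.name
    if not _contained(m.name):
        return 'reject: path escapes destination %r' % m.name
    return 'ok'


def audit_archive(buf: bytes) -> list:
    """Dry run: (member name, verdict) for every member, nothing written."""
    with tarfile.open(fileobj=io.BytesIO(buf), mode='r:') as tar:
        return [(m.name, check_member(m)) for m in tar.getmembers()]


def safe_extract(buf: bytes, dest: str) -> list:
    """Extract into dest, raising UnsafeArchiveError on the first bad member.
    Files are written by hand so the archive can never create a link."""
    dest_real = os.path.realpath(dest)
    written = []
    with tarfile.open(fileobj=io.BytesIO(buf), mode='r:') as tar:
        for m in tar.getmembers():
            verdict = check_member(m)
            if verdict != 'ok':
                raise UnsafeArchiveError(verdict)
            target = os.path.realpath(os.path.join(dest_real, m.name))
            # Second line of defence: a pre-existing symlinked directory inside
            # dest that leads outside it is caught here, after resolution.
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise UnsafeArchiveError('reject: resolved path escapes destination %r' % m.name)
            if m.isdir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, 'wb') as fh:
                fh.write(tar.extractfile(m).read())
            written.append(m.name)
    return written


def build_sample_archive(hostile: bool = True) -> bytes:
    """Constructed archive: a legitimate file and, if hostile, a symlink pointing
    outside the destination, a file aimed through that link, and a '..' entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode='w:') as tar:
        def add_file(name, data):
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            tar.addfile(ti, io.BytesIO(data))
        add_file('flow/config.json', b'{"name": "demo"}')
        if hostile:
            link = tarfile.TarInfo('flow/link')
            link.type = tarfile.SYMTYPE
            link.linkname = '/etc'
            tar.addfile(link)
            add_file('flow/link/passwd', b'pwned\n')   # would land in /etc if the link existed
            add_file('../outside.txt', b'pwned\n')
    return buf.getvalue()


def try_extract(buf: bytes) -> str:
    """Extract into a throwaway directory and report the outcome as text."""
    with tempfile.TemporaryDirectory() as d:
        try:
            return 'extracted %d file(s)' % len(safe_extract(buf, d))
        except UnsafeArchiveError as e:
            return str(e)


if __name__ == '__main__':
    for name, verdict in audit_archive(build_sample_archive()):
        print('%-20s %s' % (name, verdict))
    print(try_extract(build_sample_archive()))
```

Note that 'flow/link/passwd' is reported as 'ok' by the dry run: on its own it is an ordinary file path, and it only becomes dangerous once the preceding symlink has been created, which is exactly why the extractor aborts on the link rather than skipping it. On Python 3.12 and later, tarfile's extract and extractall accept filter='data', which rejects links pointing outside the destination; the hand-written loop above makes the same policy explicit and portable.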
Samba Printing Subsystem Command Injection (CVE-2026-4480, CVSS 8.5). A flaw in the Samba printing subsystem allows a client-controlled job description string to be passed to the command configured with the print command parameter in smb.conf. An authenticated user with permission to submit print jobs could achieve remote code execution on the Samba server, with the privileges the print command runs under. Samba is widely deployed for file and print sharing across Windows, Linux, and macOS environments. Until the fix is applied, administrators can see exactly which shares are exposed by dumping the effective configuration with testparm -s and looking for printable shares and the print command in use, and can limit who may submit print jobs to those shares. The NVD entry is at https://nvd.nist.gov/vuln/detail/CVE-2026-4480.
OpenWrt luci-app-https-dns-proxy Privilege Escalation (CVE-2026-46368, CVSS 8.8). Versions through 2025.12.29-5 of luci-app-https-dns-proxy, an optional LuCI web UI add-on distributed through the OpenWrt community package repository, contain a vulnerability that allows privilege escalation through the web interface. OpenWrt is the dominant open-source router firmware, powering millions of home and small business routers worldwide; the add-on is not part of a default image, so only routers where it was explicitly installed are affected. Users can check with opkg list-installed (or the apk equivalent on newer releases) and should update the package to the latest version. The NVD entry is at https://nvd.nist.gov/vuln/detail/CVE-2026-46368.
Notable Incidents
Gitea Private Container Image Exposure (CVE-2026-27771, CVSS 8.2). A vulnerability in Gitea, the open-source self-hosted version control platform, allows unauthenticated remote attackers to pull private container images from Gitea deployments without an account, password, or other credentials. According to security firm Noscope, the flaw affects all versions of Gitea prior to 1.26.2 and went undetected for approximately four years, likely impacting more than 30,000 deployments across over 30 countries. Affected organizations span healthcare providers, aerospace manufacturers, retail infrastructure, and internet service providers. The private designation on container repositories did not deliver the protection operators reasonably expected, so any secret baked into a private image should be assumed disclosed. The Gitea fork Forgejo has also been confirmed impacted. Organizations running Gitea or Forgejo with container registries should upgrade to Gitea 1.26.2 or, as a temporary workaround, set REQUIRE_SIGNIN_VIEW = true in the [service] section of app.ini; note that this setting forces sign-in for the whole instance, including otherwise public repositories. After either step, an unauthenticated request for a private image's manifest through the registry's /v2/ endpoint should be answered with 401 rather than the manifest. The NVD entry is at https://nvd.nist.gov/vuln/detail/CVE-2026-27771.
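A version-range triage helper covering the affected-version statements in this report (DAEMON Tools Lite, Login with OTP, Perl, FastNetMon, Langflow, Gitea, luci-app-https-dns-proxy and the single Nx Console version), as an added example that is not from any vendor advisory. It encodes each range exactly as the report words it ("through X" inclusive, "prior to X" exclusive), compares dotted and hyphenated version strings numerically, and keeps a conditional finding (Perl's 32-bit scoping) on the list as "verify" when the inventory does not record the condition. The product keys, the inventory rows and the ptrsize attribute name are assumptions for the demo; ptrsize is the Perl Config variable that perl -V:ptrsize prints.

```python
"""Added example (not from any vendor advisory or product): version-range triage
over a constructed software inventory. Ranges are the ones this report states;
product keys and inventory entries are illustrative."""
import re
from dataclasses import dataclass, field
from typing import Optional


def parse_version(v: str) -> tuple:
    """'12.5.0.2421', '5.43.10' and '2025.12.29-5' all become int tuples.
    Non-numeric fragments such as 'rc1' are dropped."""
    return tuple(int(p) for p in re.split(r'[.\-_]', v.strip()) if p.isdigit())


def vcmp(a: str, b: str) -> int:
    """-1, 0 or 1; shorter tuples are zero-padded so '1.6' compares equal to '1.6.0'."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


@dataclass
class Rule:
    product: str
    cve: str
    low: Optional[str] = None          # inclusive lower bound; None = unbounded
    high: Optional[str] = None         # upper bound; None = unbounded
    high_inclusive: bool = True        # "through X" is inclusive, "prior to X" is not
    only_if: dict = field(default_factory=dict)   # extra conditions, e.g. 32-bit build

    def matches(self, version: str) -> bool:
        if self.low is not None and vcmp(version, self.low) < 0:
            return False
        if self.high is not None:
            c = vcmp(version, self.high)
            if c > 0 or (c == 0 and not self.high_inclusive):
                return False
        return True


RULES = [   # ranges as stated in the report text; product keys are assumed
    Rule('nx-console', 'CVE-2026-48027', low='18.95.0', high='18.95.0'),
    Rule('daemon-tools-lite', 'CVE-2026-8398', low='12.5.0.2421', high='12.5.0.2434'),
    Rule('login-with-otp', 'CVE-2026-8760', high='1.6'),
    Rule('perl', 'CVE-2026-8376', high='5.43.10', only_if={'ptrsize': 4}),   # 32-bit builds
    Rule('fastnetmon-ce', 'CVE-2026-48686', high='1.2.9'),   # plus the three related CVEs
    Rule('langflow', 'CVE-2026-7524', low='1.0.0', high='1.9.1'),
    Rule('gitea', 'CVE-2026-27771', high='1.26.2', high_inclusive=False),
    Rule('luci-app-https-dns-proxy', 'CVE-2026-46368', high='2025.12.29-5'),
]

# Constructed inventory: (product, version, attributes) as an asset system might export it.
INVENTORY = [
    ('daemon-tools-lite', '12.5.0.2430', {}),
    ('daemon-tools-lite', '12.5.0.2435', {}),
    ('gitea', '1.26.1', {}),
    ('gitea', '1.26.2', {}),
    ('perl', '5.38.2', {'ptrsize': 8}),      # 64-bit build: out of scope
    ('perl', '5.38.2', {'ptrsize': 4}),      # 32-bit build: affected
    ('perl', '5.36.0', {}),                  # build width unknown: keep on the list
    ('luci-app-https-dns-proxy', '2025.12.29-5', {}),
    ('luci-app-https-dns-proxy', '2026.01.10-1', {}),
    ('langflow', '1.9.1', {}),
    ('login-with-otp', '1.6', {}),
]


def triage(inventory, rules=RULES) -> list:
    """Return (product, version, cve, status) with status 'affected' or 'verify'."""
    findings = []
    for product, version, attrs in inventory:
        for r in rules:
            if r.product != product or not r.matches(version):
                continue
            status = 'affected'
            for key, want in r.only_if.items():
                have = attrs.get(key)
                if have is None:
                    status = 'verify'        # condition unknown: do not drop the finding
                elif have != want:
                    status = None            # condition known false: not affected
                    break
            if status:
                findings.append((product, version, r.cve, status))
    return findings


if __name__ == '__main__':
    for product, version, cve, status in triage(INVENTORY):
        print('%-26s %-16s %-16s %s' % (product, version, cve, status))
```

The zero-padding rule means "through 1.6" does not match 1.6.1; that is the literal reading of the report's wording, and if a vendor later clarifies that the whole 1.6 series is affected the rule's high bound is the only thing to change.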
GlassWorm Malware Takedown. CrowdStrike, in partnership with Google and the Shadowserver Foundation, announced the simultaneous disruption of all command-and-control channels associated with GlassWorm, a persistent software supply chain campaign targeting software developers through trojanized VS Code extensions and malicious packages. Active since early 2025, GlassWorm operators published malicious extensions on both the Microsoft VS Code Marketplace and Open VSX, affecting users of VS Code forks including Cursor, Positron, Windsurf, and VSCodium. Developers were targeted specifically for their access to source code repositories, cloud platforms, CI/CD pipelines, and package registries, so a single compromised workstation could potentially reach thousands of downstream organizations. The coordinated takedown is an important disruption of a persistent supply chain threat, but a takedown removes the operators' control channel, not whatever they already collected; developers should still audit installed extensions (code --list-extensions --show-versions lists them for VS Code itself) and remove any not sourced from verified publishers.
Recommendations
Organizations should prioritize the following actions based on the vulnerabilities covered in this report, ordered by urgency:
1. Immediate (today, May 28): Patch Drupal instances vulnerable to CVE-2026-9082; the CISA KEV remediation deadline passed yesterday and active exploitation is confirmed. Remove DAEMON Tools Lite versions 12.5.0.2421 through 12.5.0.2434 from all endpoints; the KEV deadline is May 30, and discovery and remediation take time. Patch LiteSpeed cPanel plugins before the May 29 KEV deadline.
2. This week: Audit lockfiles, private npm mirrors, build caches and dependency trees for Nx Console version 18.95.0 and for any TanStack package version published on May 11, 2026, and treat hosts that installed either as compromised. Upgrade all Joomla instances to the latest security release addressing the cluster of five critical CVEs. Disable the WordPress Login with OTP plugin on all sites and replace it with an alternative two-factor authentication method. Upgrade FastNetMon Community Edition beyond version 1.2.9.
3. This patch cycle: Upgrade Gitea to version 1.26.2 or later, review registry access logs as far back as retention allows for anonymous pulls of private images, and rotate any secrets that were baked into those images. Patch Samba servers to address CVE-2026-4480. Upgrade IBM WebSphere plug-ins and IBM HTTP Server. Update Perl to a version beyond 5.43.10 on all 32-bit systems. Patch IBM Langflow beyond version 1.9.1. Update luci-app-https-dns-proxy on OpenWrt routers.
Report compiled May 28, 2026.
