Vulnerability Intelligence Report — May 31, 2026
Coverage: May 30–31, 2026 | New items this report: 5 | Exploitation status changes: 1 | CISA KEV deadlines this weekend: 1
Previous reports: May 30, 2026 | May 29, 2026
This report covers new vulnerability disclosures and threat intelligence developments from May 30 to 31, 2026. The headline item is the confirmation of active exploitation of Palo Alto PAN-OS CVE-2026-0257 — covered in yesterday’s report and now escalated to actively-exploited status with a CISA KEV deadline of tomorrow, June 1. Three high-severity WordPress plugin vulnerabilities and a 19-year-old Linux kernel privilege escalation flaw round out the new items.
Quick Reference — New and Active Vulnerabilities
Palo Alto PAN-OS GlobalProtect: CVE-2026-0257 (NOW ACTIVELY EXPLOITED, KEV deadline June 1)
Linux Kernel CIFS: CIFSwitch LPE (no CVE, local root on multiple distros, PoC published)
Spectra Gutenberg Blocks (WordPress): CVE-2026-7465 (CVSS 8.8, Contributor to RCE)
Simple History (WordPress): CVE-2026-7459 (CVSS 7.5, Subscriber to account takeover)
GEO my WP (WordPress): CVE-2026-9757 (CVSS 7.5, unauthenticated SQL injection)
Palo Alto PAN-OS GlobalProtect — CVE-2026-0257 (NOW ACTIVELY EXPLOITED, KEV Deadline Tomorrow)
Software affected: Palo Alto Networks PAN-OS devices running GlobalProtect portal and gateway with authentication override cookies enabled and a specific certificate configuration. Full affected version ranges were detailed in the May 30 report.
CVE: CVE-2026-0257 | CVSS 9.1 Critical (severity raised from Medium to High by vendor) | CWE-287 (Authentication Bypass) | CISA KEV — federal agency deadline June 1, 2026 | NOW CONFIRMED ACTIVELY EXPLOITED
Update since May 30 report: This vulnerability was covered in yesterday’s report. Since then, Palo Alto Networks updated its advisory to confirm active exploitation, and Rapid7 published detailed observations of in-the-wild attacks. Rapid7 MDR identified successful exploitation across numerous customers starting as early as May 17, 2026. Two distinct attack waves have been observed: the first wave began May 18 from infrastructure hosted by Vultr, and a second wave was detected May 21 originating from Dromatics Systems. In both waves, attackers used forged authentication override cookies that targeted the local administrator account to authenticate to GlobalProtect gateways and establish unauthorised VPN connections. Rapid7 noted that while lateral movement from compromised devices was not observed, the attackers successfully connected to internal networks via VPN — giving them network-level access equivalent to any authenticated remote user. CISA added this vulnerability to the Known Exploited Vulnerabilities catalog on May 29 with a June 1 deadline. Palo Alto Networks has raised the severity rating from Medium to High in response to the exploitation activity.
Fixable: Yes. Apply the PAN-OS patch for your release branch immediately. If patching cannot be completed today, apply Palo Alto’s documented mitigation steps as an interim measure. The patch was released earlier this month — active exploitation is now occurring against unpatched devices.
How to fix: Upgrade PAN-OS to the patched version for your release train. If immediate patching is not possible, disable authentication override cookies or apply the certificate-based mitigation described in the Palo Alto advisory. After patching, audit GlobalProtect gateway logs for VPN sessions authenticated with override cookies — particularly sessions associated with the local administrator account — and for connections originating from Vultr IP ranges or Dromatics Systems infrastructure. Rapid7 has published indicators that can be used to hunt for exploitation activity in your environment.
Recommended action: Critical — patch before end of day Friday May 30 if at all possible, or over the weekend at the absolute latest. The CISA KEV deadline is tomorrow, Sunday June 1. Active exploitation has been confirmed by both the vendor and an independent MDR provider. Attackers have working exploit tooling and are actively targeting unpatched GlobalProtect gateways. Do not leave this unpatched over the weekend.
Official source: Palo Alto Networks Security Advisory — CVE-2026-0257 | CISA KEV Catalog | Rapid7 MDR Threat Intelligence
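The gateway-log audit described under How to fix above, as an added example that is not part of this report or of Palo Alto's or Rapid7's tooling. It assumes a CSV export of GlobalProtect gateway authentication events; the column names, the local administrator user name and the auth_method value for cookie authentication are assumptions to be mapped onto your own export, and the suspect-network list is an unfilled placeholder for the published indicators.

```python
import csv
import io
import ipaddress

# Assumptions for this example (not a documented PAN-OS schema): the export has
# columns receive_time,event_id,srcuser,auth_method,public_ip,status.
LOCAL_ADMIN = "admin"                   # assumed name of the local administrator
OVERRIDE_AUTH = "auth-override-cookie"  # assumed auth_method value for cookie auth

# Placeholder: fill from the Rapid7 indicators and the Vultr / Dromatics Systems
# ranges relevant to your environment. Deliberately left empty here.
SUSPECT_NETWORKS = [ipaddress.ip_network(n) for n in []]

# Constructed sample events, not real telemetry (TEST-NET addresses).
SAMPLE_LOG = """receive_time,event_id,srcuser,auth_method,public_ip,status
2026/05/18 03:11:02,gateway-auth,jsmith,LDAP,203.0.113.10,success
2026/05/18 03:14:40,gateway-auth,admin,auth-override-cookie,198.51.100.7,success
2026/05/21 22:05:13,gateway-auth,admin,auth-override-cookie,192.0.2.44,success
2026/05/21 22:09:57,gateway-auth,mlee,auth-override-cookie,203.0.113.55,success
"""


def in_suspect_network(ip: str) -> bool:
    """True when ip falls inside one of the configured suspect ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in SUSPECT_NETWORKS)


def hunt_override_sessions(csv_text: str) -> list[dict]:
    """Return successful gateway authentications matching the reported pattern:
    override-cookie auth as the local admin, or override-cookie auth from a
    suspect source range. Each hit lists the reasons it was flagged."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_id"] != "gateway-auth" or row["status"] != "success":
            continue
        reasons = []
        if row["auth_method"] == OVERRIDE_AUTH:
            if row["srcuser"] == LOCAL_ADMIN:
                reasons.append("override cookie used for local administrator")
            if in_suspect_network(row["public_ip"]):
                reasons.append("override cookie from suspect source range")
        if reasons:
            hits.append({**row, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in hunt_override_sessions(SAMPLE_LOG):
        print(h["receive_time"], h["srcuser"], h["public_ip"], "; ".join(h["reasons"]))
```

Every override-cookie login by the local administrator is flagged regardless of source, since that is the account the observed waves targeted; add your own baseline filtering if cookie authentication is normal for other users.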
Linux Kernel CIFS — CIFSwitch Local Privilege Escalation (No CVE, PoC Published)
Software affected: Linux distributions shipping vulnerable combinations of the kernel CIFS subsystem and cifs-utils package, versions 6.14 and higher (some older versions also affected). The vulnerability has been present in the kernel for 19 years, since 2007. Confirmed vulnerable with default configurations: Linux Mint 21.3 and 22.3, CentOS Stream 9, Rocky Linux 9, AlmaLinux 9, Kali Linux 2021.4 through 2026.1, and SUSE Linux Enterprise Server 15 SP7. Various versions of Ubuntu, Debian, Pop!_OS, openSUSE, Oracle Linux, and Amazon Linux may also be vulnerable if cifs-utils is installed. Not exploitable on Ubuntu 26.04, Fedora 40–44, CentOS Stream 10, Rocky Linux 10, SLES 16, AlmaLinux 10, and openSUSE Leap 16 where default SELinux/AppArmor policies block the attack vector.
CVE: No CVE assigned at time of writing. The vulnerability has been named “CIFSwitch” by its discoverer, Asim Viladi Oglu Manizada, a security engineer at SpaceX.
Fixable: Yes. A kernel patch adding validation of cifs.spnego request origins has been merged upstream (commit 3da1fdf). The exact kernel versions shipping this patch vary per distribution — check your distribution’s security advisory for the specific fixed kernel version.
Business impact: A local privilege escalation vulnerability in the Linux kernel’s CIFS subsystem allows any unprivileged local user to gain root privileges. The attack exploits the kernel’s failure to verify that cifs.spnego key requests originate from the kernel’s CIFS client. An attacker crafts a forged cifs.spnego key request, which triggers the root-privileged cifs.upcall helper to trust attacker-controlled fields. By manipulating these fields to force a namespace switch and triggering a Name Service Switch (NSS) lookup before privileges are dropped, the attacker loads a malicious NSS module that executes arbitrary code as root. Exploitation requires local access, user namespaces to be available, and SELinux/AppArmor policies that do not specifically block this attack path. The discoverer has published a full technical write-up and a proof-of-concept exploit. This is the latest in a string of Linux local privilege escalation vulnerabilities disclosed this year — following Copy Fail, Dirty Frag, Fragnesia, DirtyDecrypt, and PinTheft — and follows the established pattern of kernel subsystems with decades-old code receiving renewed security scrutiny.
How to fix: Apply the kernel update from your Linux distribution once available. In the interim, apply these mitigations: (1) disable or blacklist the CIFS kernel module if CIFS/SMB file sharing is not used: echo "blacklist cifs" > /etc/modprobe.d/blacklist-cifs.conf; (2) remove the cifs-utils package if unnecessary: apt remove cifs-utils or dnf remove cifs-utils; (3) disable unprivileged user namespaces: sysctl -w kernel.unprivileged_userns_clone=0 (this may impact container workloads — test before deploying in production). Monitor your distribution’s security advisory channel for the specific fixed kernel version.
Recommended action: High priority for multi-user Linux systems, shared hosting environments, and any Linux server where unprivileged users have shell access. For single-user workstations and servers with strict access controls, apply during the next maintenance cycle. The 19-year lineage means the vulnerable code exists across an enormous range of kernel versions, but the specific distribution configurations that make exploitation practical are more limited. Use the mitigations above as an immediate bridge to the kernel patch.
Official source: Research by Asim Viladi Oglu Manizada (SpaceX) | Upstream kernel fix — commit 3da1fdf
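A check that the interim mitigations listed under How to fix are actually in place on a host, as an added example that is not part of this report or of the researcher's published material. It goes slightly beyond the advisory's three steps: it also treats an `install cifs /bin/false` rule as blocking the module, notes that neither rule helps once the module is already loaded, and falls back to the generic `user.max_user_namespaces` sysctl where the Debian/Ubuntu-specific `kernel.unprivileged_userns_clone` does not exist. The SELinux/AppArmor policy condition is not evaluated here.

```python
import glob
import os
import re

MODULE_BLOCK = re.compile(r"^\s*(blacklist\s+cifs|install\s+cifs\s+/bin/(false|true))\s*$", re.M)


def _read(path: str):
    """Return a file's stripped contents, or None if it is absent or unreadable."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


def assess_cifswitch_exposure(modprobe_confs, cifs_loaded, cifs_upcall_present,
                              userns_clone, max_user_namespaces):
    """Combine the advisory's interim mitigations into one verdict.
    modprobe_confs: contents of each /etc/modprobe.d/*.conf
    cifs_loaded: whether the cifs module is currently loaded
    cifs_upcall_present: whether the cifs.upcall helper from cifs-utils exists
    userns_clone: kernel.unprivileged_userns_clone value (Debian/Ubuntu) or None
    max_user_namespaces: user.max_user_namespaces value or None"""
    # 'blacklist' only stops alias-based autoload; 'install cifs /bin/false' also
    # defeats an explicit load request. Neither matters once the module is loaded.
    module_blocked = any(MODULE_BLOCK.search(t) for t in modprobe_confs) and not cifs_loaded
    if userns_clone is not None:
        userns_blocked = userns_clone == "0"
    elif max_user_namespaces is not None:
        userns_blocked = max_user_namespaces == "0"
    else:
        userns_blocked = False  # unknown: assume namespaces are available
    mitigations = {
        "cifs module blocked from loading": module_blocked,
        "cifs.upcall absent (cifs-utils removed)": not cifs_upcall_present,
        "unprivileged user namespaces disabled": userns_blocked,
    }
    return {"exposed": not any(mitigations.values()), "mitigations": mitigations}


def assess_host(root="/"):
    """Gather the observations from a live host (root is overridable for testing)."""
    confs = [c for c in map(_read, glob.glob(os.path.join(root, "etc/modprobe.d/*.conf"))) if c is not None]
    modules = _read(os.path.join(root, "proc/modules")) or ""
    loaded = any(line.startswith("cifs ") for line in modules.splitlines())
    upcall = any(os.path.exists(os.path.join(root, p)) for p in ("usr/sbin/cifs.upcall", "sbin/cifs.upcall"))
    return assess_cifswitch_exposure(
        confs, loaded, upcall,
        _read(os.path.join(root, "proc/sys/kernel/unprivileged_userns_clone")),
        _read(os.path.join(root, "proc/sys/user/max_user_namespaces")))


if __name__ == "__main__":
    print(assess_host())
```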
Spectra Gutenberg Blocks (WordPress Plugin) — CVE-2026-7465 (CVSS 8.8, Contributor to RCE)
Software affected: Spectra — Gutenberg Blocks – Website Builder for the Block Editor (formerly Ultimate Addons for Gutenberg), all versions up to and including 2.19.25. Spectra is one of the most popular WordPress block editor plugins with a large install base.
CVE: CVE-2026-7465 | CVSS 8.8 High | CWE-269 (Improper Privilege Management) | Published May 30, 2026
Fixable: Yes. Update Spectra to version 2.19.26 or later.
Business impact: A remote code execution vulnerability allows authenticated attackers with Contributor-level access or higher to execute arbitrary code on the WordPress server. The exploit requires a two-block payload embedded in post content: the first block registers a fake uagb/-prefixed block type with an attacker-specified render_callback, and the second block of the same fake type triggers the callback during post rendering. Because the Spectra block registration logic does not properly validate that a registered block type is a legitimate Spectra block, an attacker can inject arbitrary PHP callables as render callbacks and achieve code execution. The attack requires the ability to create or edit a post containing block editor content — a permission typically available to Contributor, Author, Editor, and Administrator roles. While not unauthenticated, the low privilege barrier (Contributor) makes this exploitable on sites that allow open user registration or where an attacker has compromised a low-privilege account.
How to fix: Update Spectra to version 2.19.26 or later via the WordPress admin dashboard (Plugins > Installed Plugins > Spectra > Update). After updating, audit posts for unexpected uagb/-prefixed block types — particularly in posts created or edited by low-privilege users. Review the WordPress activity log for Contributor-level accounts that have been creating or modifying posts with unusual block content.
Recommended action: Update Spectra immediately. The combination of a low privilege requirement (Contributor) and the severity of the impact (full server RCE) makes this a high-priority patch. Sites that allow open user registration should treat this as urgent, as an attacker can register a Contributor account and exploit the vulnerability without any additional compromise.
Official source: Spectra Plugin Trac — Vulnerability Source | NVD — CVE-2026-7465
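The post audit described under How to fix above, as an added example that is not part of this report or of the Spectra project. It parses the WordPress block delimiters in stored post content and flags uagb/ blocks that are not in an allowlist or whose attributes carry a render_callback; the three allowlisted block names are an assumption used as a sample and should be replaced with the block types your installed Spectra version actually registers.

```python
import json
import re

# WordPress block delimiter: <!-- wp:ns/name {json attrs} --> or self-closing /-->.
BLOCK_RE = re.compile(
    r"<!--\s+wp:(?P<name>[a-z][a-z0-9-]*/[a-z][a-z0-9-]*)(?:\s+(?P<attrs>\{.*?\}))?\s*/?-->",
    re.S)

# Assumed sample allowlist; replace with the block types your Spectra version registers.
KNOWN_SPECTRA_BLOCKS = {"uagb/container", "uagb/advanced-heading", "uagb/buttons"}


def _contains_key(obj, key):
    """Recursively check whether a parsed JSON value contains the given key anywhere."""
    if isinstance(obj, dict):
        return key in obj or any(_contains_key(v, key) for v in obj.values())
    if isinstance(obj, list):
        return any(_contains_key(v, key) for v in obj)
    return False


def audit_post_content(content: str) -> list[dict]:
    """Return findings for uagb/ blocks that are unknown or carry a render_callback."""
    findings = []
    for m in BLOCK_RE.finditer(content):
        name = m.group("name")
        if not name.startswith("uagb/"):
            continue
        try:
            attrs = json.loads(m.group("attrs") or "{}")
        except json.JSONDecodeError:
            attrs = {"_unparseable": m.group("attrs")}
        reasons = []
        if name not in KNOWN_SPECTRA_BLOCKS:
            reasons.append("block type not registered by Spectra")
        if _contains_key(attrs, "render_callback"):
            reasons.append("attributes carry a render_callback")
        if reasons:
            findings.append({"block": name, "attrs": attrs, "reasons": reasons})
    return findings


# Constructed sample: one legitimate block, then the two-block shape the advisory
# describes (a fake uagb/ type naming a callback, then a second instance of it).
SAMPLE_POST = """<!-- wp:uagb/advanced-heading {"block_id":"a1b2"} -->
<h2>Hello</h2>
<!-- /wp:uagb/advanced-heading -->
<!-- wp:uagb/not-a-spectra-block {"render_callback":"ATTACKER_CONTROLLED_PLACEHOLDER"} /-->
<!-- wp:uagb/not-a-spectra-block {"block_id":"c3d4"} /-->
"""

if __name__ == "__main__":
    for f in audit_post_content(SAMPLE_POST):
        print(f["block"], "->", "; ".join(f["reasons"]))
```

Run it over post_content pulled from the posts table (and post revisions), grouping findings by post author to surface the low-privilege accounts the advisory tells you to look at.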
Simple History (WordPress Plugin) — CVE-2026-7459 (CVSS 7.5, Subscriber to Account Takeover)
Software affected: Simple History – Track, Log, and Audit WordPress Changes plugin, all versions up to and including 5.26.0. The plugin is used for activity logging and audit trails on WordPress sites.
CVE: CVE-2026-7459 | CVSS 7.5 High | CWE-640 (Weak Password Recovery Mechanism for Forgotten Password) | Published May 30, 2026
Fixable: Yes. Update Simple History to version 5.26.1 or later.
Business impact: A privilege escalation vulnerability allows authenticated attackers with Subscriber-level access — the lowest WordPress user role — to take over higher-privileged accounts via the event reaction endpoints. The vulnerability exists in the react_to_event() and unreact_to_event() REST API endpoints. These endpoints register get_items_permissions_check() as their permission_callback, which only verifies that the requester is logged in — it does not enforce the per-logger capability checks that the Log_Query class normally applies. As a result, a Subscriber-level user can send crafted requests to the reaction endpoints that trigger actions normally restricted to higher-privilege roles, ultimately enabling account takeover. A compromised Subscriber account — which could be obtained through self-registration on many sites — becomes a stepping stone to full administrative access.
How to fix: Update Simple History to version 5.26.1 or later. After updating, audit the plugin’s event log for unexpected reaction events — particularly reactions associated with Subscriber-level user accounts targeting administrative events. Review WordPress user activity for Subscriber accounts performing actions outside their normal permission scope.
Recommended action: Update Simple History promptly. The vulnerability chain — Subscriber access leading to account takeover — is a well-understood attack pattern in WordPress environments. Sites with open user registration are at elevated risk.
Official source: Simple History Plugin Trac — Vulnerability Source | NVD — CVE-2026-7459
GEO my WP (WordPress Plugin) — CVE-2026-9757 (CVSS 7.5, Unauthenticated SQL Injection)
Software affected: GEO my WP — a geolocation and mapping plugin for WordPress, all versions up to and including 4.5.5.
CVE: CVE-2026-9757 | CVSS 7.5 High | CWE-89 (SQL Injection) | Published May 30, 2026
Fixable: Yes. Update GEO my WP to version 4.5.6 or later.
Business impact: An unauthenticated SQL injection vulnerability allows remote attackers to inject arbitrary SQL queries through the swlatlng and nelatlng URL parameters. The vulnerability is notable for bypassing WordPress’s built-in wp_magic_quotes protection: the parameters are read from $_SERVER['QUERY_STRING'] via parse_str() rather than through the standard $_GET/$_POST/$_COOKIE superglobals that WordPress automatically escapes. The unsanitised parameter values are split on commas via explode() and interpolated directly into a SQL BETWEEN clause in the gmw_get_locations_within_boundaries_sql() function. Successful exploitation allows an attacker to extract sensitive data from the WordPress database, including user credentials, password hashes, and application secrets — and potentially to escalate to administrative access.
How to fix: Update GEO my WP to version 4.5.6 or later. After updating, review web server access logs for requests to GEO my WP endpoints containing suspicious SQL fragments in the swlatlng or nelatlng query parameters. Audit the WordPress database for unexpected administrative users or modified content that could indicate prior exploitation.
Recommended action: Update GEO my WP immediately. Unauthenticated SQL injection is one of the most dangerous vulnerability classes for web applications, and the bypass of WordPress’s automatic input sanitisation makes this trivially exploitable. Any internet-facing WordPress site running this plugin should be patched today.
Official source: GEO my WP Plugin Trac — Vulnerability Source | NVD — CVE-2026-9757
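The access-log review described under How to fix above, as an added example that is not part of this report or of the GEO my WP project. Rather than matching SQL keywords, it treats any swlatlng or nelatlng value that is not exactly a comma-separated pair of decimal numbers as anomalous, since nothing else can be a legitimate bounding box; the combined log format and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access log format (assumed for this example).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
PARAMS = ("swlatlng", "nelatlng")
# A legitimate value is exactly two decimal numbers separated by a comma (lat,lng).
LATLNG_RE = re.compile(r"^-?\d+(\.\d+)?,-?\d+(\.\d+)?$")

# Constructed sample lines (TEST-NET addresses); the third value is a deliberately
# non-functional placeholder standing in for an injected SQL fragment.
SAMPLE_LOG = [
    '203.0.113.10 - - [30/May/2026:10:00:01 +0000] "GET /?swlatlng=40.70,-74.02&nelatlng=40.80,-73.90 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [30/May/2026:10:02:17 +0000] "GET /?swlatlng=40.70,-74.02&nelatlng=40.80%27%20CONSTRUCTED_SQL_FRAGMENT--,1 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [30/May/2026:10:03:44 +0000] "POST /wp-login.php HTTP/1.1" 200 1023',
]


def is_benign_latlng(value: str) -> bool:
    """True only for a plain lat,lng pair; anything else is flagged."""
    return bool(LATLNG_RE.match(value))


def scan_access_log(lines) -> list[dict]:
    """Flag requests whose swlatlng/nelatlng values are not a float pair."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Look at the raw query string, as the plugin does via QUERY_STRING, so
        # the same bytes the vulnerable code saw are what gets inspected.
        qs = urlsplit(m.group("target")).query
        for name, values in parse_qs(qs, keep_blank_values=True).items():
            if name not in PARAMS:
                continue
            for v in values:
                if not is_benign_latlng(v):
                    findings.append({"ip": m.group("ip"), "time": m.group("time"),
                                     "param": name, "value": v})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["param"], repr(f["value"]))
```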
Updates on Items from Previous Reports
The following items were covered in full in earlier reports. Brief updates are noted where new information is available. For full technical details and remediation steps, refer to the linked original entries.
Palo Alto PAN-OS — CVE-2026-0257 (CISA KEV, deadline tomorrow June 1, NOW ACTIVELY EXPLOITED): Covered as the lead item in this report with a full update on confirmed exploitation by Rapid7. This is your highest-priority action for the weekend.
Daemon Tools Lite — CVE-2026-8398 (CISA KEV, deadline passed May 30): Covered in the May 28, May 29, and May 30 reports. The CISA KEV deadline of May 30 has now passed. Patch if you have not already.
LiteSpeed cPanel Plugin — CVE-2026-48172 (CISA KEV, deadline passed May 29): Covered in the May 28 and May 29 reports. cPanel has been proactively removing the vulnerable user-end plugin. Verify with your hosting provider if this affects your environment.
Drupal Core — CVE-2026-9082 (CISA KEV, deadline passed May 27): Covered in the May 28 report and dedicated advisory. CISA deadline was May 27 — now four days past due.
Microsoft Defender — CVE-2026-41091, CVE-2026-45498, CVE-2026-45584: Covered in the May 22 report. CISA KEV deadline June 3 — three days remaining. Verify Malware Protection Engine version 1.1.26040.8 across all Windows endpoints.
Trend Micro Apex One — CVE-2026-34926: Covered in the May 22 report. CISA KEV deadline June 4 — four days remaining. Apply SP1 CP Build 18012 for on-premise, agent build 14.0.20731 for SaaS.
Oracle REST Data Services — CVE-2026-46840 (CVSS 10.0, first CSPU): Covered in the May 30 report. Apply the May 2026 Oracle CSPU. CVSS 10.0 with scope change — complete system compromise vector.
FortiClient EMS — CVE-2026-35616 (EKZ infostealer): Covered in the May 29 report. Arctic Wolf has published additional IOCs. Patch FortiClient EMS 7.4.5/7.4.6 and audit managed endpoints.
Ghost CMS — CVE-2026-26980 (actively exploited, 700+ domains): Covered in the May 29 report. ClickFix campaign continues. Update to Ghost 6.19.1, rotate admin API keys.
SonicWall SSL-VPN — CVE-2024-12802 (incomplete patch, ransomware precursor): Covered in the May 29 report. Gen6 devices: firmware update + manual LDAP reconfiguration required. Treat unverified devices as potentially compromised.
Nx Console — CVE-2026-48027 / TanStack — CVE-2026-45321: Covered in the May 28 report. Both CISA KEV, both due June 10. Audit npm dependencies.
ChromaDB — CVE-2026-45829 (CVSS 10.0, fix unconfirmed): Covered in the May 29 report. Do not expose ChromaDB API server to the internet. Monitor for patch confirmation.
Exim — CVE-2026-45185 (CVSS 9.8): Covered in the May 29 report. Update to 4.99.3. GnuTLS builds affected, OpenSSL builds not.
7-Zip — CVE-2026-48095 (RCE via crafted archive): Covered in the May 30 report. Update to 26.01. Deploy through enterprise software distribution.
Starlette / FastAPI — CVE-2026-48710 (BadHost, 123M weekly downloads): Covered in the May 30 report. Update Starlette to 1.0.1. Audit middleware for Host header trust patterns.
This report is compiled from official vendor advisories, the CISA Known Exploited Vulnerabilities catalog, the National Vulnerability Database, and primary security research sources. Verify all remediation steps against official vendor documentation before applying changes in production environments.
