cve

Squidbleed (CVE-2026-47729) is a Heartbleed-style heap buffer overread in Squid Proxy’s FTP directory listing parser that has lived in every version of Squid since 1997 — 29 years — in its default configuration. It leaks adjacent heap memory, potentially including other users’ HTTP Authorization headers, cookies, and session tokens. Discovered by Calif.io using Claude Mythos Preview. Critical correction: the patch is in Squid 7.7, NOT 7.6. Immediate mitigation: disable FTP in Squid. PoC is public.

SOCRadar discovered an exposed attacker server revealing FortiBleed — a self-sustaining credential-harvesting campaign that has compiled 30,791+ verified working Fortinet administrator and SSL VPN credentials across 194 countries, with Hudson Rock and Kevin Beaumont estimating up to 75,000 affected devices. Telecoms, governments, hospitals, and a Turkish NATO defense contractor confirmed compromised. The initial access vector remains unconfirmed. Most credentials trace to years-old unrotated passwords from prior Fortinet breaches.

Cisco disclosed CVE-2026-20245 on June 5 — the 7th Cisco SD-WAN vulnerability confirmed exploited in 2026. A high-severity command injection in Cisco Catalyst SD-WAN Manager allows root privilege escalation via a crafted file upload. No patch exists. No timeline provided. Discovered by Mandiant during active exploitation investigation. The vulnerability chains directly after CVE-2026-20182 and CVE-2026-20127, both CVSS 10.0. Configuration changes were pushed to edge devices in confirmed exploitation cases. UAT-8616 confirmed involved.

CVE-2026-8732 is a CVSS 9.8 critical vulnerability in the WP Maps Pro WordPress plugin that lets unauthenticated attackers create administrator accounts with zero credentials — a single HTTP request creates the account, generates a passwordless login URL, and exfiltrates it to the attacker. Wordfence blocked 2,858 exploitation attempts in 24 hours. Over 15,800 commercial installs are in the target window. Patch to version 6.1.1 immediately and audit all admin accounts now.

CVE-2026-0257 is an actively exploited authentication bypass in Palo Alto PAN-OS GlobalProtect that lets unauthenticated attackers forge session cookies and establish unauthorized VPN connections — bypassing MFA in affected configurations. CISA added it to the KEV catalog on May 29 with a federal deadline of June 19. Rapid7 MDR confirmed successful exploitation across multiple customers in two distinct waves since May 17. CVSS raised from 7.8 to 9.1 after exploitation confirmed. Patch immediately.

CISA issued a formal advisory on May 28, 2026 warning all organizations to audit developer systems for the Nx Console / GitHub supply chain compromise. CVE-2026-48027 and CVE-2026-45321 are on the CISA KEV catalog — federal deadline June 10. CISA also formally documented the parallel Megalodon campaign targeting GitHub Actions workflows. Full CISA guidance, complete attack chain, expanded credential targeting list, and forensic audit checklist inside.