Weekly Exploit Roundup 2026-06-02

Generated 2026-06-02T08:00:17.770671+00:00 (UTC)

  1. CVE-2026-0826: Critical unauthenticated stack buffer overflow in HP Poly VVX and Trio VoIP Phones (FIXED)
    Source: Rapid7 Cybersecurity Blog | Published: 2026-06-01T13:00:00+00:00 | Score: 26.934
    Overview: Rapid7 Labs conducted a zero-day research project against an HP Poly VVX 450 Voice over Internet Protocol (VoIP) phone. This research resulted in the discovery of a critical unauthenticated stack-based buffer overflow vulnerability, CVE-2026-0826. A remote attacker can leverage CVE-2026-0826 to achieve unauthenticated remote code execution (RCE) with root privileges on a target device. The vulnerability is present in the device's parsing of Session Description Protocol (SDP) attributes for Interactive Connectivity Establishment (ICE). The ICE feature, which is not enabled by default, must be enabled for the device to be exploitable by a remote attacker. While we discovered and validated the vulnerability on a VVX 450 device, the vulnerability has been confirmed to affect all models in the VVX series (VVX 150, VVX 250, VVX 350, and VVX 450), as well as three models from the Trio IP Conference series (Trio 8800, Trio 8500, and Trio 8300). CVE-2026-0826 has a CVSSv4 score of 9.2
  2. Metasploit Wrap Up 05/29/2026
    Source: Rapid7 Cybersecurity Blog | Published: 2026-05-29T19:34:41+00:00 | Score: 23.487
    More Linux LPEs

    Hark, the age of the Linux LPE has arrived. This week's release follows up on recent work bringing new Linux LPEs to Metasploit users. Copy Fail seemed to have kicked off a trend of similar bugs and hot on its heels is Dirty Frag. Dirty Frag is actually two vulnerabilities in a trenchcoat, individually identified as CVE-2026-43284 and CVE-2026-43500. Each is exploitable individually and comes with a new Metasploit module.

    New module content (5)

    Citrix ADC (NetScaler) CVE-2026-3055 Scanner
    Authors: sfewer-r7 and watchTowr
    Type: Auxiliary
    Pull request: #21204 contributed by sfewer-r7
    Path: scanner/http/citrix_netscaler_cve_2026_3055
    AttackerKB reference: CVE-2026-3055
    Description: Adds auxiliary module targeting CVE-2026-3055, an info leak in Citrix NetScaler (when configured as an SAML IdP). Similar to the other CitrixBleed vulns, we can leak memory and potentially discover session cookies.

    Ollama Scanner
    Author: h00die
    Type: Auxiliary
    Pull request: #21271 contributed by
  3. Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions
    Source: The Hacker News | Published: 2026-05-26T11:49:53+00:00 | Score: 21.014
    Microsoft has rolled out updates to fix a remote code execution vulnerability impacting SharePoint that could be exploited by bad actors in attacks without requiring any specialized conditions to be met.

    The vulnerability, tracked as CVE-2026-45659, carries a CVSS score of 8.8. It has been assigned an important severity.

    "Deserialization of untrusted data in Microsoft Office SharePoint allows

  4. Authenticated RCE via Argument Injection in Gogs (NOT FIXED)
    Source: Rapid7 Cybersecurity Blog | Published: 2026-05-28T12:00:00+00:00 | Score: 20.047
    Overview: Rapid7 Labs discovered a critical argument injection (CWE-88) vulnerability in Gogs, a popular open-source self-hosted Git service. Rapid7 Labs scores this vulnerability as CVSSv4 9.4 (Critical). The vulnerability allows any authenticated user to achieve remote code execution (RCE) on the server by creating a pull request with a malicious branch name that injects the --exec flag into git rebase during the "Rebase before merging" merge operation. At the time of publication, the vendor has not released a patch. The exploit requires no admin privileges and no interaction with other users; an attacker operates entirely within their own account. Since Gogs ships with open registration enabled by default (DISABLE_REGISTRATION = false) and no limit on repository creation (MAX_CREATION_LIMIT = -1), an unauthenticated attacker can simply create an account and repository on any default-configured instance. Any registered user who creates a repo is automatically its owner. From th
  5. CVE-2026-0826: How an Old Bug Can Feed AI-Powered Impersonation
    Source: Rapid7 Cybersecurity Blog | Published: 2026-06-01T13:00:00+00:00 | Score: 19.434
    One of the more persistent myths in security is that old bug classes become old problems. They don’t. They just show up in different places, under different conditions, and usually at the exact moment we’ve convinced ourselves not to pay attention to them. That’s part of what makes enterprise voice infrastructure so interesting. Earlier this year, we wrote about a critical vulnerability in Grandstream VoIP phones that showed how easily a trusted communications device could become something very different. It wasn't especially flashy, but it reinforced the broader issue that phones are still part of the attack surface, even if many organizations don’t model them that way. Today, we'll again discuss the same uncomfortable reality. VoIP technology may sit quietly on a desk and look like a utility, but the security implications are anything but quiet. And when familiar vulnerability classes continue to surface in devices designed to sit at the center of sensitive conversations, it’s worth
  6. PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation
    Source: The Hacker News | Published: 2026-05-30T06:41:26+00:00 | Score: 17.418
    Palo Alto Networks has warned that a recently disclosed medium-severity security flaw impacting PAN-OS and Prisma Access has come under active exploitation in the wild.

    The vulnerability, tracked as CVE-2026-0257 (CVSS score: 7.8), refers to a case of authentication bypass that could be exploited by bad actors to set up VPN connections.

    "Authentication bypass vulnerabilities in the

  7. Rapid7 Observed Exploitation of PAN-OS GlobalProtect Authentication Bypass Vulnerability (CVE-2026-0257)
    Source: Rapid7 Cybersecurity Blog | Published: 2026-05-29T16:49:40+00:00 | Score: 17.405
    Overview: On May 13, 2026, Palo Alto Networks published a security advisory for CVE-2026-0257, a medium severity authentication bypass affecting PAN-OS and Prisma Access when a specific configuration is present. Successful exploitation of this vulnerability allows a remote unauthenticated attacker to successfully establish a VPN connection through the GlobalProtect gateway of an affected appliance. Rapid7 MDR identified successful exploitation across numerous customers; however, we did not observe any indication of successful lateral movement from the devices. The earliest date for observed exploitation was May 17, 2026. As of May 29, 2026, this vulnerability has been added to the CISA KEV. While the assigned CVSSv4 score indicates a medium severity, due to the circumstances surrounding this vulnerability Rapid7 urges that organizations treat this as a critical vulnerability. An authentication bypass in an edge-facing enterprise VPN appliance can have significant impact to affected org
  8. Critical Windows Netlogon Vulnerability in Attackers’ Crosshairs
    Source: SecurityWeek | Published: 2026-06-01T15:02:17+00:00 | Score: 16.495
    Organizations are advised to patch CVE-2026-41089 as soon as possible, given its severity and the potential ongoing exploitation.
  9. Exploit Code Published for Critical Flowise RCE Vulnerability
    Source: SecurityWeek | Published: 2026-05-30T15:55:59+00:00 | Score: 16.293
    The one-click vulnerability allows attackers to execute arbitrary code on self-hosted Flowise servers by tricking users into importing a malicious chatflow.
  10. CISA Adds One Known Exploited Vulnerability to Catalog
    Source: Alerts | Published: 2026-06-01T12:00:00+00:00 | Score: 16.205
    CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

    CVE-2024-21182 Oracle WebLogic Server Unspecified Vulnerability

    This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog

End of report.