Weekly Exploit Roundup 2026-05-26

Generated 2026-05-26T08:00:16.299182+00:00 (UTC)

  1. Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability
    Source: Threat Intelligence | Published: 2026-05-25T14:00:00+00:00 | Score: 30.764
    Written by: Takahiro Sugiyama, Peter Revelant, Mathew Potaczek

    Introduction

    In late 2025, Mandiant responded to a security incident involving a compromised web server running KnowledgeDeliver. KnowledgeDeliver is a Learning Management System (LMS) developed by Digital Knowledge commonly used in Japan. Mandiant identified a critical vulnerability that allowed unauthenticated Remote Code Execution (RCE). An unknown threat actor leveraged this access to inject malicious code into the LMS platform, with the goal of infecting users visiting the site. This vulnerability stems from the use of identical pre-shared ASP.NET machine keys across multiple customer deployments. The vulnerability was initially exploited as a zero-day, now tracked as CVE-2026-5426.

    The Vulnerability

    KnowledgeDeliver installations deployed before Feb. 24, 2026 relied on a standardized web.config file provided by the vendor. This configuration file contained hardcoded machineKey values used by the ASP.NET framework to
  2. Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks
    Source: The Hacker News | Published: 2026-05-21T03:44:11+00:00 | Score: 22.902
    Drupal has released security updates for a "highly critical" security vulnerability in Drupal Core that could be exploited by attackers to achieve remote code execution, privilege escalation, or information disclosure.
    The vulnerability, now tracked as CVE-2026-9082, carries a CVSS score of 6.5 out of 10.0, per CVE.org. Drupal said the vulnerability resides in a database abstraction API that is
  3. Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV
    Source: The Hacker News | Published: 2026-05-23T07:23:48+00:00 | Score: 21.939
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched critical security flaw impacting Drupal Core to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

    The vulnerability in question is CVE-2026-9082 (CVSS score: 6.5), an SQL injection vulnerability affecting all supported versions of Drupal Core.

    "Drupal Core

  4. Microsoft Warns of Two Actively Exploited Defender Vulnerabilities
    Source: The Hacker News | Published: 2026-05-21T10:55:57+00:00 | Score: 20.616
    Microsoft has disclosed that a privilege escalation and a denial-of-service flaw in Defender have come under active exploitation in the wild.

    The former, tracked as CVE-2026-41091, is rated 7.8 on the CVSS scoring system. Successful exploitation of the flaw could allow an attacker to gain SYSTEM privileges.

    "Improper link resolution before file access ('link following') in Microsoft Defender

  5. KnowledgeDeliver LMS Flaw Exploited to Deploy Godzilla and Cobalt Strike
    Source: The Hacker News | Published: 2026-05-26T05:19:38+00:00 | Score: 19.52
    A now-patched high-severity security flaw affecting Digital Knowledge KnowledgeDeliver, a Learning Management System (LMS) popular in Japan, was exploited as a zero-day to deliver the Godzilla web shell and ultimately facilitate the deployment of Cobalt Strike Beacon.

    The vulnerability, tracked as CVE-2026-5426 (CVSS score: 7.5), stems from the use of hard-coded ASP.NET machine keys, leading to

  6. Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks
    Source: The Hacker News | Published: 2026-05-25T12:02:46+00:00 | Score: 19.506
    Threat actors are exploiting a recently disclosed critical security flaw in Ghost CMS to inject malicious JavaScript code with an aim to fuel ClickFix attacks.

    According to QiAnXin XLab, the activity involves the exploitation of CVE-2026-26980 (CVSS score: 9.4), an SQL injection vulnerability in Ghost's Content API that could allow an unauthenticated attacker to read arbitrary data from the

  7. Metasploit Wrap Up 05/22/2026
    Source: Rapid7 Cybersecurity Blog | Published: 2026-05-22T19:10:05+00:00 | Score: 18.975
    Another week, another authentication bypass

    Our humble Metasploit weekly(ish) blog has been blessed with a new network component vulnerability. The dynamic duo of @sfewer-r7 and @jburgess-r7 have discovered and authored the admin/networking/cisco_sdwan_vhub_auth_bypass module for CVE-2026-20182, a vulnerability gracing the Cisco Catalyst SD-WAN Controller. The devices, whose purpose is to control a software-defined (SD) wide-area-network (WAN), were unfortunately missing an extra A for authentication. An oversight that Cisco has duly patched. Elsewhere this week, the HUSTOJ online judge platform has been caught failing to judge its own zip files (CVE-2026-24479), courtesy of a zip-slip RCE module from LoTuS and friends. Next, @Alpenlol has weaponized the small matter of Barracuda's Email Security Gateway, happily eval()-ing the number format string inside an attached Excel file (CVE-2023-7102). Our own @jburgess-r7 has been rather busy and also contributed a cPanel/WHM authentication byp
  8. Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign
    Source: BleepingComputer | Published: 2026-05-24T14:12:32+00:00 | Score: 17.956
    A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript code that triggers ClickFix attack flows. […]
  9. LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root
    Source: The Hacker News | Published: 2026-05-23T07:35:13+00:00 | Score: 17.445
    A maximum-severity security vulnerability impacting LiteSpeed User-End cPanel Plugin has come under active exploitation in the wild.

    The flaw, tracked as CVE-2026-48172 (CVSS score: 10.0), relates to an instance of incorrect privilege assignment that an attacker could abuse to run arbitrary scripts with elevated permissions.

    "Any cPanel user (including an attacker or a compromised account) may

  10. Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit
    Source: The Hacker News | Published: 2026-05-20T08:28:26+00:00 | Score: 15.328
    Microsoft on Tuesday released a mitigation for a BitLocker bypass vulnerability named YellowKey following its public disclosure last week.

    The zero-day flaw, now tracked as CVE-2026-45585, carries a CVSS score of 6.8. It has been described as a BitLocker security feature bypass.

    "Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as 'YellowKey,'" the

End of report.
