LodeHQSubscribe →

Pixel 10 zero-click, LiteSpeed root, Drupal SQL exploited

Infosec · 2026-05-26

Vulnerabilities & Exploits
A 0-click exploit chain for the Pixel 10: When a Door Closes, a Window Opens5 MIN

Google Project Zero published a 0-click exploit chain for the Pixel 10, demonstrating a path from zero-click context to root on Android. The chain adapts their Dolby exploit from Pixel 9 and adds a kernel vulnerability in the VPU driver, which exposes hardware interfaces to userspace.

LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root1 MIN

LiteSpeed's cPanel plugin (CVE-2026-48172, CVSS 10.0) is under active exploitation, allowing attackers to run arbitrary scripts as root. The flaw impacts plugin versions 2.3-2.4.4 and is patched in version 2.4.5 (bundled in WHM plugin 5.3.1.0). Users should upgrade or remove the plugin immediately.

CVE-2026-46333: Local Root Privilege Escalation and Credential Disclosure in the Linux Kernel ptrace Path8 MIN

Qualys TRU disclosed CVE-2026-46333, a 9-year-old logic flaw in the Linux kernel's __ptrace_may_access() that lets unprivileged users escalate to root. The bug (present since 2016) enables credential disclosure (SSH keys, /etc/shadow) and arbitrary command execution on major Linux distributions. Patches are available; working exploits are circulating.

Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks3 MIN

A critical SQL injection vulnerability in Ghost CMS (CVE-2026-26980, CVSS 9.4) is being actively exploited to compromise over 700 websites, including high-profile domains. Attackers steal admin API keys to inject JavaScript loaders that power ClickFix fake CAPTCHA attacks. The flaw, discovered by Anthropic's Claude, was patched in February 2026.

Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV3 MIN

CISA added CVE-2026-9082 to its KEV catalog as Drupal's critical SQL injection flaw in Core sees active exploitation. Over 15,000 attack attempts hit nearly 6,000 sites across 65 countries, targeting PostgreSQL-backed deployments. Patches are available for all supported versions.

Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software3 MIN

Anthropic's Project Glasswing, using Claude Mythos AI, uncovered over 10,000 high/critical-severity flaws across critical global software, with 1,094 confirmed true positives. A critical WolfSSL bug (CVE-2026-5194, CVSS 9.1) was among them. The findings have already led to 97 upstream patches.

Threats & Malware
Tracking Iranian APT Screening Serpens' 2026 Espionage Campaigns27 MIN

Unit 42 details Iranian APT Screening Serpens using AppDomainManager hijacking and six new RAT variants to target technology and defense sectors in the US, Israel, and UAE during 2026 espionage campaigns tied to Middle East conflict.

Lazarus Deploys RemotePE Memory-Only RAT Against Financial and Crypto Firms1 MIN

Fox-IT reveals Lazarus Group's RemotePE, a cross-platform memory-only RAT targeting financial and crypto firms. It uses DPAPILoader and RemotePELoader in a multi-stage chain, executing entirely in memory with EDR evasion. The toolset is purpose-built for stealthy long-term access before high-impact theft.

TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO3 MIN

A coordinated cross-ecosystem supply chain attack codenamed TrapDoor has hit npm, PyPI, and Crates.io with 34+ malicious packages across 384 versions. The packages deploy credential-stealing malware targeting crypto, DeFi, Solana, and AI developers, stealing secrets, crypto wallets, and SSH keys.

Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows5 MIN

An automated campaign called Megalodon pushed 5,718 malicious commits to 5,561 GitHub repos in six hours, injecting Actions workflows that exfiltrate CI secrets and cloud credentials. SafeDep identified two payload variants, a mass variant and a dormant backdoor, with one impacted npm package propagating the malware.

Breaches & Industry News
Go fuzzing was missing half the toolkit. We forked the toolchain to fix it.5 MIN

Trail of Bits released gosentry, a fuzzing-oriented fork of the Go toolchain that integrates LibAFL, adds structured input parsing, grammar-based fuzzing, and detects bug classes like integer overflows and data races. It works with existing Go fuzz harnesses through the standard `go test -fuzz` interface.

We hardened zizmor's GitHub Actions static analyzer5 MIN

Trail of Bits hardened zizmor, a GitHub Actions static analyzer, following the March 2026 Shai-Hulud supply chain attack. They fixed parsing bugs and deserialization edge cases, validated against 41,253 workflows from 6,612 high-value repos. The effort yielded 20 filed issues and 15 merged PRs.

Privacy, Policy & Governance
CISA to allow researchers to report vulnerabilities to exploited bugs catalog3 MIN

CISA launched a nomination form allowing researchers, vendors, and industry partners to report exploited bugs for addition to the Known Exploited Vulnerabilities (KEV) catalog. The move crowdsources exploitation intelligence to accelerate KEV additions and defensive action across the ecosystem.

Lawmakers Demand Answers as CISA Tries to Contain Data Leak10 MIN

A CISA contractor publicly posted AWS GovCloud keys and agency secrets on GitHub via a profile called "Private-CISA." Lawmakers in both houses are demanding answers from CISA, which is still struggling to contain the breach. Experts noted the contractor deliberately disabled GitHub's credential-leak protections.

Research & Tools
CISA Admin Leaked AWS GovCloud Keys on GitHub6 MIN

A CISA contractor exposed highly privileged AWS GovCloud credentials and internal system passwords in a public GitHub repository. Security researchers called it one of the worst government data leaks in recent history, with the admin having deliberately disabled GitHub's secret detection feature.

Other
Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks7 MIN

Dutch authorities arrested two hosting company co-owners for providing IT infrastructure used by Russia in cyberattacks and disinformation campaigns against the EU. More than 800 servers were seized in raids targeting MIRhosting and WorkTitans BV, which supported the sanctioned Stark Industries network.

Get Infosec in your inbox, every issue.
Subscribe free
Privacy · Terms · About · Contact
© 2026 LodeHQ