โŒ

Normal view

May 2026 CVE Landscape

8 June 2026 at 02:00

In May 2026, Insikt Groupยฎ identified 41 high-impact vulnerabilities that should be prioritized for remediation, all of which had a Very Critical Recorded Future Risk Score. This represents an 11% increase from last month.

These vulnerabilities affected products from 20 vendors. 21 of the 41 vulnerabilities were included in the US Cybersecurity and Infrastructure Security Agency (CISA)โ€™s Known Exploited Vulnerabilities (KEV) catalog, 19 were surfaced through honeypot data, and one was reported by a cybersecurity vendor.

The 41 vulnerabilities in this report affected products from 20 vendors. Vercel accounted for approximately 27% of the vulnerabilities, driven by honeypot-sourced Next.js activity. The remaining exposure was concentrated across a range of enterprise software, security, networking, developer tooling, and cloud-related products.

Quick Reference: May 2026 Vulnerability Table

All 22 vulnerabilities below were actively exploited in May 2026. This table does not include the 19 CVEs associated with honeypot activity, which are available to Recorded Future customers via the CVE Monthly Report. The table below also provides examples of public PoCs identified by Insikt Groupยฎ. These PoCs were not tested for accuracy or efficacy. Vulnerability management teams should exercise caution and verify the validity of PoCs before testing.

#
Vulnerability
Risk
Score
Vendor/Product
KEV
Malware Analysis
RCE
PoC
1
CVE-2008-4250
99
Microsoft Windows
โœ“
โœ“
2
CVE-2009-1537
99
Microsoft DirectX
โœ“
3
CVE-2009-3459
99
Adobe Acrobat and Reader
โœ“
4
CVE-2010-0249
99
Microsoft Internet Explorer
โœ“
5
CVE-2010-0806
99
Microsoft Internet Explorer
โœ“

โœ“

(available to Recorded Future Customers)

6
CVE-2025-34291
99
Langflow
โœ“
7
CVE-2026-0257
99
Palo Alto Networks PAN-OS, Cloud NGFW, and Prisma Access
โœ“
8
CVE-2026-0300
99
Palo Alto Networks PAN-OS, Cloud NGFW, Prisma Access
โœ“
9
CVE-2026-20182
99
Cisco Catalyst SD-WAN and SD-WAN Manager
โœ“
10
CVE-2026-31431
99
Linux Kernel
โœ“

โœ“

(available to Recorded Future Customers)

11
CVE-2026-34926
99
Trend Micro Apex One (On-Premise)
โœ“
12
CVE-2026-41091
99
Microsoft Defender
โœ“
13
CVE-2026-42208
99
BerriAI LiteLLM
โœ“
14
CVE-2026-42897
99
Microsoft Exchange Server
โœ“
15
CVE-2026-45321
99
TanStack (Multiple Packages)
โœ“
16
CVE-2026-45498
99
Microsoft Defender
โœ“
17
CVE-2026-48027
99
Nx Console
โœ“
18
CVE-2026-48172
99
LiteSpeed cPanel Plugin
โœ“
19
CVE-2026-6973
99
Ivanti Endpoint Manager Mobile (EPMM)
โœ“
โœ“
20
CVE-2026-8398
99
Daemon Tools Lite
โœ“
21
CVE-2026-9082
99
Drupal Core
โœ“
22
CVE-2026-26980
99
Ghost CMS

โœ“

(available to Recorded Future Customers)

Table 1: List of vulnerabilities that were actively exploited in May, 2026 based on Recorded Future data (excluding honeypot-sourced CVEs).

Key Trends: May 2026

  • In May 2026, threat actors exploited a Ghost CMS vulnerability in large-scale ClickFix and FakeCaptcha poisoning campaigns.
    • The campaigns used compromised Ghost CMS websites to inject malicious JavaScript, redirect victims through social engineering lures, and stage dropper and loader payloads from attacker-controlled infrastructure.
  • 12 of the 41 vulnerabilities enabled remote code execution (RCE), affecting products from 8 vendors: Microsoft, Adobe, Langflow, Palo Alto Networks, Apache, openDCIM, Fortinet, and Ivanti.
  • Insikt Group identified public proof-of-concept (PoC) exploits for 32 of the 41 vulnerabilities reported this month.
  • The most commonly observed flaws this month were CWE-79 (Cross-site Scripting), CWE-506 (Embedded Malicious Code), and CWE-89 (SQL Injection), with three CVEs each.
  • 5 of the 41 vulnerabilities in this monthโ€™s prominent vulnerabilities table were first disclosed between 2008 and 2010, making them at least 15 years old, with the oldest vulnerability being approximately 18 years old.
    • This reinforces our finding that attackers continue to exploit long-known weaknesses in environments where patching has lagged.
    • Additionally, the fastest observed time from a vulnerabilityโ€™s public disclosure to exploitation was less than one day.

Exploitation Analysis

This section highlights some of the highest-impact, actively exploited vulnerabilities this month, specifically those linked to known threat actor campaigns or that have public PoC exploits available. Vulnerabilities with no meaningful public technical detail are summarized in the quick reference table above only.

Threat Actors Exploit CVE-2026-26980 in Ghost CMS To Conduct Large-Scale ClickFix Poisoning Campaigns, Sample Available From Recorded Future Malware Intelligence

On May 21, 2026, cybersecurity firm XLab published a technical analysis detailing large-scale ClickFix poisoning campaigns targeting vulnerable Ghost Content Management System (CMS) instances by exploiting CVE-2026-26980. Ghost CMS allows users to create, manage, and publish content for blogs, media sites, newsletters, and subscription-based websites through a node.js-based publishing platform.

CVE-2026-26980 is a critical SQL injection vulnerability in Ghost CMS that allows unauthenticated threat actors to extract Ghost Admin API Keys and modify website content through the Ghost Admin API.

As previously reported by Insikt Groupยฎ, at least two threat groups exploited CVE-2026-26980 to inject malicious JavaScript into more than 700 compromised Ghost CMS websites across industries, including blockchain, artificial intelligence (AI), and financial technology (fintech). According to XLab, the threat actors used the compromised websites to deliver ClickFix and FakeCaptcha social engineering attacks that tricked victims into executing malicious commands and malware payloads on their systems.

Insikt Groupยฎ obtained one of the malicious samples, UtilifySetup.exe, from Recorded Future Malware Intelligence. The sample matched the sandbox YARA rule for detecting Inno Setup packaging. Based on sandbox and static code analysis, the sample performs the following actions on a victimโ€™s machine:

  • Conducts DLL injection
  • Retrieves the system language and geolocation using the Windows registry
  • Drops files named UtilifySetup.tmp (SHA256: 7790fd1035266000ed6d6cc35822f7683f5271663af8a5b5effadff85316df6d) and Grape.exe
  • Enumerates files and directories
  • Retrieves system information
  • Delays execution using the Sleep API function for evasion
  • Detects debuggers using the GetTickCount API function to compare the timing and the IsDebuggerPresent API function
  • Creates a file inside the C:\Users\user\AppData\Local\SuperMaxionQuickMaxlite directory, corroborating XLabโ€™s analysis
  • Terminates running processes

Sandbox analysis categorized UtilifySetup.tmp as malicious due to the sample exhibiting discovery capabilities. Based on sandbox and static code analysis, the sample performs the following actions on a victimโ€™s machine:

  • Conducts DLL injection
  • Retrieves the system language and geolocation using the Windows registry
  • Executes UtilifySetup.exe installer from the %Temp% directory using internal Inno Setup /SL5 launch parameters
  • Executes a file named Grape.exe inside the C:\Users\user\AppData\Local\SuperMaxionQuickMaxlite directory

Once executed, Grape.exe performs the following actions on a victimโ€™s machine:

  • Adds a Windows registry Run key entry named electron.app.Grape set to execute itself when the victim logs in
  • Enumerates running processes
  • Sends DNS request to web-telegram[.]ug

Further technical details associated with this activity, including sample analysis, MITRE ATT&CK techniques, and IoCs, are available to Recorded Future customers via Insikt Groupยฎ reporting.

Recorded Future customers can also access Malware Intelligence queries that surface samples communicating with campaign-associated URLs, domains, and IP addresses.

Figure 1: Risk Rules History from Vulnerability Intelligence Cardยฎ for CVE-2026-26980 in Recorded Future (Source: Recorded Future)

Why Holistic Sourcing Wins: The Numbers Behind the Recorded Future Advantage

5 June 2026 at 02:00
Threats don't operate in silos, and neither should your intelligence. This post, the first in a three-part series, breaks down why comprehensive sourcing is the foundation of effective threat intelligence -- and how Recorded Future's Intelligence Graphยฎ monitors over one million sources across technical, criminal, collective, and open-source domains to surface what narrow or siloed solutions miss. From nation-state TTPs to criminal infrastructure to credential leaks, complete coverage is what separates awareness from action.

Remembering Sir Alex Younger

4 June 2026 at 02:00

There are moments when you meet a person who you immediately know will have a formative influence on you โ€” a person you will learn from, who you will respect, who you will follow anywhere, who you will listen to, who will be your friend. Sir Alex was just that.

I was lucky to meet Sir Alex just as he was leaving MI6 in 2020. I traveled to London, having to navigate a few Covid restrictions. I asked him if this would cause problems. He smiled: โ€œIt is always better to ask for forgiveness than seek permission,โ€ he said. Immediately I knew that this was someone I would get along with very well.

The objective was straightforward: I was hoping to recruit him to the Recorded Future board of directors, which we eventually accomplished after significant complications got in the way, once again solved by the previous method.

Sir Alex joined a Recorded Future board meeting in New York. As I welcomed him, Alex โ€” smiling characteristically โ€” introduced himself as having run the worldโ€™s best intelligence agency, a pointed reminder that superb people, tradecraft, and pedigree can rival any scale. And we wanted to learn from the best.

My assumption, as much as one should not make them, was that Alex could teach us everything in intelligence, except for perhaps around the technical SIGINT-like apparatus that is at the core of Recorded Future. Yet, in our first discussion, talking about โ€œconnecting dots,โ€ Alex said, โ€œit is not about connecting dots, it is about connecting entire collections,โ€ which became the very underpinning of how we build our Intelligence Graphยฎ. I was humbled, having underestimated him, and it taught me a valuable lesson.

Yet, the confidence of having run the worldโ€™s best intelligence agency did not at all hold back Alex from asking even the most basic questions. Coming from public service, driving revenue was not a familiar concept. As opposed to most senior characters who would do anything to not seem to have all the answers, Alex, early in the first meeting, when hearing the terms ARR and revenue, raised his hand and said, โ€œplease explain annualized revenue.โ€ That is the sign of somebody who always wanted to learn and would not let pride get in the way of gaining insights.

Sir Alex brought great moral clarity, yet not the kind that is based on anger, โ€œyouโ€™re either with us or against us,โ€ rather, the kind that leads to an alliance of peers sharing in values that can defeat any autocratic counterpart. Teamwork, he would say, is the unique strength of the West, as we can build on trust, whereas our adversaries fundamentally cannot.

Speaking at the Recorded Future 2023 Predict conference, our audience spellbound, Sir Alex paraphrased Milton Friedman: โ€œNo individual can make a pencil alone.โ€ He was cheered by everyone, and we know that this was the answer to beat our adversaries.

Over the last few months, I asked Alex for some favors, and I now find myself wondering whether I asked too much of him. He gave a briefing to thousands of Recorded Future clients on Iran with an energy and intellect that would put anyone to shame. And more recently, I asked him for help with a personal endeavour, which in hindsight was too much to ask at the time, yet he did something amazing.

I can only hope that I can be such a friend to my friends as Alex was to me.

Six months ago, when Alex was in the midst of treatment, I asked him if I could take him for a special dinner. We enjoyed amazing food and, truth be told, even more amazing wine. I came early to the restaurant and suggested to them, โ€œhe may eat and drink a little, please do not make a fuss about that.โ€ Yet, Alex went at the food and wine with a vengeance, claiming that his treatment left him very hungry. If there ever was a fighting spirit, it was his.

Sir Alex and Christoper sitting at a restaurant and a picture of the course menu on the left.

Please join my Recorded Future colleagues in our cheers for Sir Alex Younger and thoughts for Sarah and their family.

Iโ€™m certain that he would want us to take the fight to the bad guys and build even greater alliances with our friends.

The Vulnerability Flood Is Now a Board Conversation. Here's How to Lead It.

21 May 2026 at 02:00

I've had some version of the same conversation dozens of times since Mythos and Daybreak emerged. CISOs want to know how worried they should be. My honest answer: less than the headlines suggest, and more than most programs are currently prepared for.

Last year, roughly 50,000 software vulnerabilities were disclosed. Recorded Future tracked 446 that were actually weaponized by threat actors. That's less than 1%. The problem was never finding vulnerabilities. It was always knowing which ones adversaries will actually use.

AI makes that distinction harder. Discovery accelerates for everyone, the noise grows faster than any team can manually triage, and the window between a disclosed vulnerability and a working exploit keeps shrinking. Security leaders who've built intelligence-led programs are ready for what's coming. For them, Mythos isn't a crisis. It's the moment their program finally gets the attention it deserves, including in the boardroom.

The threat got faster. The fundamentals didn't.

The instinct to treat AI-assisted vulnerability discovery as a wholesale transformation of the threat landscape isn't quite right, and that imprecision will hurt you in a board conversation.

What's changed is speed. AI has compressed the time between a disclosed vulnerability and a working exploit from days to minutes. Your team has to match that tempo.

What hasn't changed is the fundamental prioritization problem. Disclosed vulnerabilities have more than doubled over the last five years, from roughly 21,000 in 2021 to approximately 50,000 in 2025. That growth happened before AI-assisted discovery became widely accessible. AI makes that challenge faster and more consequential. It doesn't make it new.

That distinction matters because it changes the conversation from "we need to completely rebuild our security program" to "we need to make sure our intelligence capability is operating at the speed the threat environment now demands." The first conversation is expensive and destabilizing. The second is actionable.

Most programs have a triage problem, not a discovery problem

When an AI model returns hundreds of new vulnerability findings, the bottleneck shifts immediately to prioritization. In most organizations, that process is still largely manual. Analysts research each finding, assess severity, cross-reference existing guidance, and attempt to sequence a response. At the volume and velocity these models produce, that workflow canโ€™t keep pace.

The result is a backlog where genuinely critical exposures sit alongside noise, and triage decisions get made without the context needed to get them right. That's not a tooling problem. It's an intelligence problem.

The organizations handling this well have built a layer between discovery and action that automatically correlates every finding against real-world adversary activity, flags vulnerabilities tied to active campaigns, and tells the analyst what it means and what to do about it, not just what was found. Raw discovery tells you that you have a problem. Intelligence-led response tells you which one to solve first, then hunts it down autonomously at machine speed.

There's a second exposure worth naming, and it can produce an uncomfortable board conversation. Most enterprise security investment is concentrated on what enters the environment and what executes at the endpoint. AI-assisted discovery surfaces a different category of risk: exposures that already exist inside the environment, in software running on your infrastructure today, in third-party components that weren't fully inventoried, in vendor systems connected to yours in ways that aren't fully mapped.

Organizations that have concentrated their posture at the edge may find that some of their most consequential vulnerabilities sit somewhere else. That's a hard answer to give a board that just read about Mythos. It's better to surface it yourself than to have someone else surface it for you.

The programs that didn't panic had something in common

The CISOs I talk to who've been building intelligence-led programs for years have handled Mythos differently than organizations that haven't. They didn't need to rebuild anything from the ground up. They used the moment to sharpen programs they'd already been investing in.

But not every organization was already there when Mythos was announced, and that's the more important story for most security leaders reading this. The announcement was a forcing function. The organizations that treated it as one are already in a different position than the ones that didn't.

A financial services customer who came to us shortly after the Mythos announcement is a good example of what moving quickly actually produces. They rebuilt their vulnerability workflow around our automation capability and within two weeks their team had recovered over 20 hours a week that had previously gone to manual triage and research. Those aren't hours saved on busywork. They're hours now going toward work that actually reduces exposure. And when the next wave hits, they won't be caught flat-footed.

What made that possible wasn't just better tooling. It was an intelligence layer that automatically matches vulnerabilities to known threat actors, ties findings to active campaigns where relevant, and scores on real-world exploitation evidence rather than theoretical severity. Every finding arrives with the context an analyst needs to act, without hours of manual research standing between the signal and a response.

The practical outcome is coverage at scale without proportionally growing the team. That's what operating at machine speed means in practice, and it can hold up in a board conversation for a simple reason: it's not just a security answer, it's a business one.

What wins the board conversation

Boards are asking about AI-driven vulnerability discovery because it's broken into mainstream coverage in a way most threat developments haven't. That attention isn't going away. Security leaders who can walk into that conversation with a clear, specific answer about how they're managing the risk will come out with more credibility and more resource authority.

Mythos and Daybreak are the start of a longer trend. The right response isn't to treat each new model as a fresh crisis. It's to build the intelligence foundation that makes your program resilient regardless of what comes next. When you've done that, AI-assisted discovery stops being a source of anxiety and becomes what it should be: a faster path to finding and fixing what actually matters.

Ready to go deeper on the operational response? Recorded Future Chief Product Officer Jamie Zajac lays out the full playbook here.

โŒ