Vulnerability Report - May 2026
Introduction
This vulnerability report has been generated with the help of AI, using the VulnMCP tooling on top of Vulnerability-Lookup, with contributions from the platform’s community.
It highlights the most frequently mentioned vulnerabilities for May 2026, based on data aggregated from Vulnerability-Lookup, the CISA Known Exploited Vulnerabilities catalog, the CIRCL KEV catalog, the ENISA EUVD feed, and contributor comments and bundles. Sightings come from MISP, Exploit-DB, Bluesky, Mastodon, Telegram, GitHub Gists, The Shadowserver Foundation, Nuclei, SPLOITUS, Metasploit, and more. For further details, please visit this page.
The Month at a Glance
May 2026 was, once again, the month of the Linux kernel “Copy Fail” flaw. CVE-2026-31431 (algif_aead in-place operation regression) more than doubled its activity, drawing 574 sightings – up from 279 in April – and remaining the most observed vulnerability on the platform by a wide margin. Two further Linux kernel networking flaws in the same family of “shared skb fragment” issues, CVE-2026-43284 (xfrm/ESP) and CVE-2026-43500 (rxrpc), also entered the top ranking, underlining sustained scrutiny of the kernel crypto and networking paths.
Edge-security appliances dominated the exploited side of the month. Palo Alto Networks PAN-OS suffered two separate KEV-listed flaws: a critical unauthenticated buffer overflow in the User-ID Authentication Portal (CVE-2026-0300, CVSS 9.3) added to CISA KEV on May 6, and GlobalProtect authentication bypass CVE-2026-0257 added on May 29. Cisco’s Catalyst SD-WAN authentication bypass CVE-2026-20182 (CVSS 10.0) prompted CISA Emergency Directive ED 26-03. WebPros cPanel & WHM CVE-2026-41940 carried over from April as the second-most-sighted issue (320 sightings) and was confirmed in ransomware campaigns by the ENISA / EU CSIRTs Network.
A clear software supply-chain theme emerged: CISA added three “embedded malicious code” entries within a single week – TanStack (CVE-2026-45321), Nx Console (CVE-2026-48027, CWE-506) and Daemon Tools Lite (CVE-2026-8398) – all involving trojanised packages or extensions used to harvest credentials.
The AI stack continued to be a recurring exposure surface. CISA added the BerriAI LiteLLM SQL injection (CVE-2026-42208) and Langflow CVE-2025-34291 to its KEV catalog, while contributors documented an unauthenticated memory leak in Ollama (CVE-2026-7482, “Bleeding Llama”). The NGINX heap overflow CVE-2026-42945 and a long tail of WordPress/Freemius reflected XSS (CVE-2024-13362) rounded out the high-volume sightings.
The CISA Known Exploited Vulnerabilities catalog added 21 entries during May, spanning fresh edge-appliance and AI-stack RCEs, supply-chain malware, and a notable re-anchoring batch of legacy Microsoft and Adobe issues from 2008-2010 (CVE-2008-4250 / MS08-067, CVE-2010-0249, CVE-2009-3459). The CIRCL KEV catalog added the Linux kernel “Copy Fail” flaw on the basis of incident-response host-log evidence, and the ENISA EUVD KEV catalog surfaced three entries during May, including the cPanel & WHM authentication bypass flagged as ransomware-linked by CERT-PL.
By CWE, the month was characterised by memory corruption in the kernel and edge appliances (CWE-787, CWE-122), authentication bypass (CWE-565, CWE-287, CWE-306), SQL injection in AI/web tooling (CWE-89), cross-site scripting (CWE-79), and a distinct spike in embedded-malicious-code supply-chain entries (CWE-506).
Top 10 Vendors of the Month
Top 10 Assigners of the Month
Top 10 vulnerabilities of the Month
| Vulnerability | Sighting Count | Vendor | Product | VLAI Severity |
|---|---|---|---|---|
| CVE-2026-31431 | 574 | Linux | Kernel (algif_aead) | High (confidence: 0.9482) |
| CVE-2026-41940 | 320 | WebPros | cPanel & WHM | Critical (confidence: 0.8211) |
| CVE-2026-42945 | 180 | F5 | NGINX | High (confidence: 0.8166) |
| CVE-2026-43284 | 174 | Linux | Kernel (xfrm/ESP) | High (confidence: 0.9722) |
| CVE-2026-0300 | 172 | Palo Alto Networks | PAN-OS | Critical (confidence: 0.9876) |
| CVE-2026-42897 | 117 | Microsoft | Exchange Server | High (confidence: 0.4482) |
| CVE-2024-13362 | 112 | Freemius | Freemius SDK (WordPress) | Medium (confidence: 0.9807) |
| CVE-2026-43500 | 106 | Linux | Kernel (rxrpc) | High (confidence: 0.4832) |
| CVE-2026-0257 | 95 | Palo Alto Networks | PAN-OS (GlobalProtect) | Medium (confidence: 0.953) |
| CVE-2026-20182 | 86 | Cisco | Catalyst SD-WAN Manager | Critical (confidence: 0.995) |
Known Exploited Vulnerabilities
New entries have been added to major Known Exploited Vulnerabilities catalogs.
Exploited CVE ratio
CISA
| CVE ID | Date Added | Vendor | Product | VLAI Severity |
|---|---|---|---|---|
| CVE-2026-0257 | 2026-05-29 | Palo Alto Networks | PAN-OS (GlobalProtect) | Medium (confidence: 0.953) |
| CVE-2026-45321 | 2026-05-27 | TanStack | TanStack | High (confidence: 0.8857) |
| CVE-2026-48027 | 2026-05-27 | Nx | Nx Console | Critical (confidence: 0.7056) |
| CVE-2026-8398 | 2026-05-27 | Daemon | Daemon Tools Lite | High (confidence: 0.5318) |
| CVE-2026-48172 | 2026-05-26 | LiteSpeed | cPanel Plugin | High (confidence: 0.7521) |
| CVE-2026-9082 | 2026-05-22 | Drupal | Core | Critical (confidence: 0.621) |
| CVE-2026-34926 | 2026-05-21 | Trend Micro | Apex One | High (confidence: 0.9918) |
| CVE-2025-34291 | 2026-05-21 | Langflow | Langflow | High (confidence: 0.987) |
| CVE-2026-41091 | 2026-05-20 | Microsoft | Defender | High (confidence: 0.9057) |
| CVE-2026-45498 | 2026-05-20 | Microsoft | Defender | Medium (confidence: 0.9434) |
| CVE-2008-4250 | 2026-05-20 | Microsoft | Windows (Server Service) | Critical (confidence: 0.795) |
| CVE-2009-3459 | 2026-05-20 | Adobe | Acrobat and Reader | High (confidence: 0.8861) |
| CVE-2010-0249 | 2026-05-20 | Microsoft | Internet Explorer | High (confidence: 0.7062) |
| CVE-2010-0806 | 2026-05-20 | Microsoft | Internet Explorer | Medium (confidence: 0.7167) |
| CVE-2009-1537 | 2026-05-20 | Microsoft | DirectX | Medium (confidence: 0.4378) |
| CVE-2026-42897 | 2026-05-15 | Microsoft | Exchange Server | High (confidence: 0.4482) |
| CVE-2026-20182 | 2026-05-14 | Cisco | Catalyst SD-WAN Manager | Critical (confidence: 0.995) |
| CVE-2026-42208 | 2026-05-08 | BerriAI | LiteLLM | Critical (confidence: 0.851) |
| CVE-2026-6973 | 2026-05-07 | Ivanti | Endpoint Manager Mobile (EPMM) | High (confidence: 0.9765) |
| CVE-2026-0300 | 2026-05-06 | Palo Alto Networks | PAN-OS | Critical (confidence: 0.9876) |
| CVE-2026-31431 | 2026-05-01 | Linux | Kernel (algif_aead) | High (confidence: 0.9482) |
More KEV entries from the CISA Catalog.
CIRCL
| Vulnerability ID | Date Added | Vendor | Product | VLAI Severity |
|---|---|---|---|---|
| CVE-2026-31431 | 2026-05-04 | Linux | Kernel (algif_aead) | High (confidence: 0.9482) |
Added on the basis of incident-response host logs (“seen exploited on a system giving shell access to users”), confirming local privilege escalation in the wild.
More KEV entries from the CIRCL Catalog.
ENISA (EUVD)
The following entries from the ENISA / EU CSIRTs Network (CNW) KEV feed were surfaced in Vulnerability-Lookup during May. The cPanel & WHM authentication bypass is flagged as ransomware-linked by CERT-PL; the Roundcube XSS is attributed to APT activity (UNC1151).
| Vulnerability ID | Date Reported | Vendor | Product | VLAI Severity |
|---|---|---|---|---|
| CVE-2026-41940 | 2026-05-08 | WebPros | cPanel & WHM | Critical (confidence: 0.8211) |
| CVE-2024-42009 | 2026-04-27 | Roundcube | Webmail | Medium (confidence: 0.9215) |
| CVE-2026-20963 | 2026-03-12 | Microsoft | SharePoint | High (confidence: 0.9949) |
More KEV entries from the ENISA Catalog.
Top 10 Weaknesses of the Month
Insights from Contributors
Community contributions in May combined hands-on mitigation guidance for the “Copy Fail” kernel flaw with deep-dive analysis of emerging AI-stack risks.
- Deny alg_socket to Containers with SELinux to Mitigate CVE-2026-31431 – a detailed, tested walk-through of an SELinux deny rule (`alg_socket`) for container runtimes, plus `RestrictAddressFamilies=~AF_ALG` / `SystemCallArchitectures=native` per-service hardening and Red Hat’s `initcall_blacklist` boot-argument approach. The recurring theme: AF_ALG / `algif_aead` is rarely needed by user workloads, so denying it at the container or systemd-unit boundary is a pragmatic mitigation.
- Bleeding Llama: Critical Unauthenticated Memory Leak in Ollama (CVE-2026-7482) – a shared write-up of Cyera Research’s analysis of an out-of-bounds heap read in Ollama’s GGUF quantization path (`/api/create`), exfiltratable via `/api/push` to an attacker-controlled URI. With ~300,000 Ollama servers exposed (listening on `0.0.0.0` with no authentication by default), three unauthenticated API calls can leak user prompts, system prompts, and host environment variables.
- CVE-2026-0300 PAN-OS Authentication Portal buffer overflow – a pointer to the Palo Alto Networks advisory for the critical unauthenticated User-ID Authentication Portal overflow.
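An added example (not part of this report or of the linked contributor write-up): a Python check that reads a systemd unit's text and reports whether the `RestrictAddressFamilies=~AF_ALG` / `SystemCallArchitectures=native` hardening named above is actually in effect. The merge rules are modelled on systemd.exec(5) as an assumption, and the sample units are constructed.

```python
# Added example: audit systemd unit text for the AF_ALG hardening.
# Merge rules below are an assumption modelled on systemd.exec(5).

def directives(unit_text, key):
    """Yield every value assigned to `key`, in file order."""
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith(("#", ";")) or "=" not in line:
            continue
        name, value = line.split("=", 1)
        if name.strip() == key:
            yield value.strip()

def af_alg_blocked(unit_text):
    """True if the merged RestrictAddressFamilies= lines deny AF_ALG."""
    families, allow_list = None, False
    for value in directives(unit_text, "RestrictAddressFamilies"):
        if value in ("", "none"):   # "" lifts restrictions, "none" forbids all
            families, allow_list = None, value == "none"
            continue
        invert = value.startswith("~")
        if families is None:        # first list decides allow- vs deny-list
            families, allow_list = set(), not invert
        for name in value.lstrip("~").split():
            if (not invert) == allow_list:
                families.add(name)
            else:                   # opposite sign removes the entry
                families.discard(name)
    listed = "AF_ALG" in (families or set())
    return (not listed) if allow_list else listed

def native_abi_only(unit_text):
    """True if only the native syscall ABI is permitted, so the seccomp
    address-family filter cannot be sidestepped through another ABI."""
    archs = set()
    for value in directives(unit_text, "SystemCallArchitectures"):
        archs = set() if value == "" else archs | set(value.split())
    return archs == {"native"}

def audit_unit(unit_text):
    """Return a list of findings; an empty list means both settings hold."""
    findings = []
    if not af_alg_blocked(unit_text):
        findings.append("AF_ALG not denied (RestrictAddressFamilies)")
    if not native_abi_only(unit_text):
        findings.append("non-native ABIs allowed (SystemCallArchitectures)")
    return findings

# Constructed sample units (hypothetical service, not from the report).
HARDENED = "[Service]\nExecStart=/usr/bin/example\nRestrictAddressFamilies=~AF_ALG\nSystemCallArchitectures=native\n"
RESET = HARDENED + "RestrictAddressFamilies=\n"   # later drop-in undoes the deny
```

Pass it the unit file followed by its drop-ins in the order systemd applies them; the `RESET` sample shows why order matters, since a later empty assignment silently removes the deny rule.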
Contributors also curated a number of vendor advisories into bundles during May, helping group related fixes for triage:
- Unauthenticated Remote Code Execution in Samba printing subsystem and the corresponding Debian DSA 6297-1 samba security update (6 CVEs).
- Security content of iOS / iPadOS 26.5 (61 CVEs) and macOS Tahoe 26.5 (79 CVEs).
- rsync 3.4.3 (7 CVEs), dnsmasq May 2026 advisory (6 CVEs), Firefox 150.0.3 / MFSA 2026-45 (5 CVEs), Moodle May 2026 (7 CVEs), Exim 4.99.2 (4 CVEs), and ImageMagick DSA 6240-1 (15 CVEs).
Thank you
Thank you to all the contributors and our diverse sources!
If you want to contribute to the next report, you can create your account.
Feedback and Support
If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/
Funding

The main objective of the Federated European Team for Threat Analysis (FETTA) is the improvement of Cyber Threat Intelligence (CTI) products available to the public and private sector in Poland, Luxembourg, and the European Union as a whole.
Developing actionable CTI products (reports, indicators, etc) is a complex task and requires an in-depth understanding of the threat landscape and the ability to analyse and interpret large amounts of data. Many SOCs and CSIRTs build their capabilities in this area independently, leading to a fragmented approach and duplication of work.
The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. The organization brings to the table its extensive experience in cybersecurity incident management, threat intelligence, and proactive response strategies. With a strong background in developing innovative open source cybersecurity tools and solutions, CIRCL’s contribution to the FETTA project is instrumental in achieving enhanced collaboration and intelligence sharing across Europe.



