📰 Cybersecurity News Headlines
Top stories from leading cybersecurity publications as of May 8, 2026.
Canvas Breach Disrupts Schools & Colleges Nationwide
— Krebs on Security
An ongoing data extortion attack targeting the widely-used education technology platform Canvas disrupted classes and coursework at school d…

ISC Stormcast For Friday, May 8th, 2026 https://isc.sans.edu/podcastdetail/9924, (Fri, May 8th)
— SANS ISC
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Canvas login portals hacked in mass ShinyHunters extortion campaign
— Bleeping Computer
The ShinyHunters extortion gang has breached education technology giant Instructure again, this time exploiting another vulnerability to def…

New TCLBanker malware self-spreads over WhatsApp and Outlook
— Bleeping Computer
A new trojan named TCLBanker, which targets 59 banking, fintech, and cryptocurrency platforms, uses a trojanized MSI installer for Logitech …

After Replacing TeamPCP Malware, 'PCPJack' Steals Cloud Secrets
— Dark Reading
PCPJack makes innovative use of parquet files for stealthy, pre-validated target discovery as it canvasses multiple cloud environments.

Has CISA Finally Found Its New Leader in Tom Parker?
— Dark Reading
Dark Reading investigates rumors that Tom Parker, a board room "operator" and longtime cyber exec, could be next in line to take over CISA.

New PCPJack worm steals credentials, cleans TeamPCP infections
— Bleeping Computer
A new malware framework called PCPJack is stealing credentials from exposed cloud infrastructure while actively removing TeamPCP's access to…

Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access
— The Hacker News
Ivanti is warning that a new security flaw impacting Endpoint Manager Mobile (EPMM) has been explored in limited attacks in the wild. The hi…

PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems
— The Hacker News
Cybersecurity researchers have disclosed details of a new credential theft framework dubbed PCPJack that targets exposed cloud infrastructur…

One Click, Total Shutdown: The "Patient Zero" Webinar on Killing Stealth Breaches
— The Hacker News
The hardest part of cybersecurity isn't the technology, it’s the people. Every major breach you’ve read about lately usually starts the …

'TrustFall' Convention Exposes Claude Code Execution Risk
— Dark Reading
Malicious repositories can trigger code execution in Claude Code, Cursor CLI, Gemini CLI, and CoPilot CLI with minimal or no user interactio…

ISC Stormcast For Thursday, May 7th, 2026 https://isc.sans.edu/podcastdetail/9922, (Thu, May 7th)
— SANS ISC
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
🪲 NVD — Last 20 Scored Vulnerabilities
Latest scored CVEs from the National Vulnerability Database (5934 in last 30 days).
Critical: 1 · High: 12 · Medium: 6 · Low: 1.
CVE-2026-8138
— CVSS 8.8 (HIGH)
A vulnerability was found in Tenda CX12L 16.03.53.12. This issue affects the function formSetPPTPServer of the file /goform/SetPptpServerCfg. The manipulation results in stack-based buffer overflow. The attack can be …

CVE-2026-8137
— CVSS 8.8 (HIGH)
A vulnerability has been found in Totolink X5000R 9.1.0u.6369_B20230113. This vulnerability affects the function sub_458E40 of the file /boafrm/formDdns. The manipulation of the argument submit-url leads to buffer overfl…

CVE-2026-42279
— CVSS 5.8 (MEDIUM)
solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API accepts a route-bound timeEntry from another organization when the caller has ti…

CVE-2026-42277
— CVSS 6.5 (MEDIUM)
Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the GET /chat/file/{file_id} endpoint allows any authenticated user to download any other user's uploaded files by providing the file UUID. T…

CVE-2026-42276
— CVSS 4.3 (MEDIUM)
Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the POST /chat/stop-chat-session/{chat_session_id} endpoint lets any authenticated user stop any other user's active chat session. The endpoi…

CVE-2026-8136
— CVSS 2.4 (LOW)
A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects an unknown part of the file /index.php?page=users. Executing a manipulation of the argument Name can lead to cross site script…

CVE-2026-8133
— CVSS 7.3 (HIGH)
A security vulnerability has been detected in zyx0814 FilePress up to 2.2.0. Affected by this vulnerability is an unknown functionality of the file dzz/shares/admin.php of the component Shares Filelist API. Such manipula…

CVE-2026-8132
— CVSS 7.3 (HIGH)
A weakness has been identified in CodeAstro Leave Management System 1.0. Affected is an unknown function of the file /login.php. This manipulation of the argument txt_username causes sql injection. The attack can be init…

CVE-2026-8131
— CVSS 7.3 (HIGH)
A security flaw has been discovered in SourceCodester SUP Online Shopping 1.0. This impacts an unknown function of the file /admin/replymsg.php. The manipulation of the argument msgid results in sql injection. It is poss…

CVE-2026-8130
— CVSS 7.3 (HIGH)
A vulnerability was identified in SourceCodester SUP Online Shopping 1.0. This affects an unknown function of the file /admin/message.php. The manipulation of the argument seenid leads to sql injection. It is possible to…

CVE-2026-8129
— CVSS 7.3 (HIGH)
A vulnerability was determined in SourceCodester SUP Online Shopping 1.0. The impacted element is an unknown function of the file wishlist.php. Executing a manipulation of the argument delwlistid can lead to sql injectio…

CVE-2026-44298
— CVSS 4.1 (MEDIUM)
Kimai is an open-source time tracking application. From version 2.32.0 to before version 2.56.0, users with the role System-Admin (ROLE_SYSTE_ADMIN) and the permission upload_invoice_template can upload PDF invoice templ…

CVE-2026-43943
— CVSS 7.8 (HIGH)
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.9, a code execution (RCE) vulnerability exists in electerm's SFTP open with system editor or "Edit with custo…

CVE-2026-43942
— CVSS 5.5 (MEDIUM)
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, the getConstants() IPC handler in src/app/lib/ipc-sync.js serialises the entire process.env object a…

CVE-2026-43941
— CVSS 9.6 (CRITICAL)
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, Electerm's terminal hyperlink handler passes any URL clicked in the terminal directly to shell.openE…

CVE-2026-43940
— CVSS 8.4 (HIGH)
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.16, the runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating…

CVE-2026-42275
— CVSS 8.7 (HIGH)
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent s…

CVE-2026-42264
— CVSS 7.4 (HIGH)
Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, five config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapt…

CVE-2026-42261
— CVSS 7.1 (HIGH)
PromptHub is an all-in-one AI toolbox for prompt, skill, and agent management. From version 0.4.9 to before version 0.5.4, apps/web/src/routes/skills.ts exposes an authenticated endpoint POST /api/skills/fetch-remote tha…

CVE-2026-42150
— CVSS 5.1 (MEDIUM)
wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is r…
Source: NVD CVE API 2.0
Generated by CryptXNet.ai Threat Intelligence Platform · May 8, 2026 · Sources: The Hacker News, Bleeping Computer, Krebs on Security, Dark Reading, SANS ISC, THN Threat Intel, Unit 42, Security.com