📰 DAILY THREAT BRIEFING
Thursday, May 21, 2026
12 News Items
HN · BleepingComputer · Krebs · Dark Reading · SANS · THN Intel · Unit 42 · Security.com

📰 Cybersecurity News Headlines

Top stories from leading cybersecurity publications as of May 21, 2026.

  1. Ukraine identifies infostealer operator tied to 28,000 stolen accounts
    — Bleeping Computer

    The Ukrainian cyberpolice, working in conjunction with U.S. law enforcement, has identified an 18-year-old man from Odesa suspected of runni…
  2. Hackers bypass SonicWall VPN MFA due to incomplete patching
    — Bleeping Computer

    Threat actors brute-forced VPN credentials and bypassed multi-factor authentication (MFA) on SonicWall Gen6 SSL-VPN appliances to deploy too…
  3. Cyber Pros Can't Decide If AI Is a Good or a Bad Thing
    — Dark Reading

    There is nothing cybersecurity professionals are more excited about, and nothing they fear more, than AI.
  4. GitHub Confirms Breach, 4K Internal Repos Stolen
    — Dark Reading

    Open source software giant GitHub confirmed a data breach this week involving the theft of thousands of repos. One threat actor — TeamPCP …
  5. Fake Android Apps Commit Carrier Billing Fraud for Premium Svcs.
    — Dark Reading

    The disguised apps use WebView automation, JavaScript injection, and OTP interception to avoid detection and complete fraudulent subscriptio…
  6. The npm Threat Landscape: Attack Surface and Mitigations (Updated May 20)
    — Unit 42

    Unit 42 analyzes npm supply chain evolution post-Shai Hulud. Discover wormable malware, CI/CD persistence, multi-stage attacks and more. The…
  7. Microsoft Open-Sources RAMPART and Clarity to Secure AI Agents During Development
    — The Hacker News

    Microsoft has unveiled two new open-source tools called RAMPART and Clarity to assist developers in better testing the security of artificia…
  8. Grafana breach caused by missed token rotation after TanStack attack
    — Bleeping Computer

    The Grafana data breach was caused by a single GitHub workflow token that slipped through the rotation process following the TanStack npm su…
  9. Microsoft Takes Down Malware-Signing Service Behind Ransomware Attacks
    — The Hacker News

    Microsoft on Tuesday said it disrupted a malware-signing-as-a-service (MSaaS) operation that weaponized the company's Artifact Signing syste…
  10. Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API
    — The Hacker News

    Cybersecurity researchers have flagged fresh activity from a China-aligned threat actor known as Webworm in 2025, deploying custom backdoors…
  11. Tracking TamperedChef Clusters via Certificate and Code Reuse
    — Unit 42

    Unit 42 analyzes TamperedChef malware clusters that use trojanized productivity apps and malvertising to deliver stealthy payloads to target…
  12. ISC Stormcast For Wednesday, May 20th, 2026 https://isc.sans.edu/podcastdetail/9938, (Wed, May 20th)
    — SANS ISC

    (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

🪲 NVD — Last 20 Scored Vulnerabilities

Latest scored CVEs from the National Vulnerability Database (6476 in last 30 days).
Critical: 2 · High: 10 · Medium: 7 · Low: 1. View full dashboard →

  1. CVE-2026-9149
    — CVSS 6.5 (MEDIUM)

    A flaw was found in libsolv. This heap buffer overflow vulnerability occurs when a victim processes a specially crafted `.solv` file containing negative size values in the `repo_add_solv` function. This leads to an under…
  2. CVE-2026-40165
    — CVSS 8.7 (HIGH)

    authentik is an open-source identity provider. Versions 2025.12.4 and prior, and versions 2026.2.0-rc1 through 2026.2.2 were vulnerable to Authentication Bypass through SAML NameID XML Comment Injection. Due to how authe…
  3. CVE-2026-9150
    — CVSS 6.5 (MEDIUM)

    A flaw was found in libsolv. This stack-based buffer overflow vulnerability occurs in libsolv's Debian metadata parser when processing specially crafted Debian repository metadata. An attacker could exploit this by provi…
  4. CVE-2026-47782
    — CVSS 3.3 (LOW)

    Android App "RoboForm Password Manager" provided by Siber Systems, Inc. handles Android intents without sufficient URL validation, user confirmation nor notification. If a URL to some malicious web page is given through …
  5. CVE-2026-40102
    — CVSS 6.5 (MEDIUM)

    Plane is an open-source project management tool. In versions 1.3.0 and below, SavedAnalyticEndpoint passes the user-controlled segment query parameter directly to a Django F() expression without validation (unlike the re…
  6. CVE-2026-40094
    — CVSS 4.3 (MEDIUM)

    nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In versions 1.3.0 and prior, network-libp2p discovery accepts signed PeerContact updates from untrusted peers and stores them in a peer …
  7. CVE-2026-40092
    — CVSS 7.5 (HIGH)

    nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In versions 1.3.0 and below, a malicious network peer can crash any Nimiq full node by publishing a crafted Kademlia DHT record. The mal…
  8. CVE-2026-39960
    — CVSS 5.4 (MEDIUM)

    Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and below contain flawed logic that causes improper escaping of a textarea custom field's contents in the Update Issue page, (bug_update_page…
  9. CVE-2026-9144
    — CVSS 7.6 (HIGH)

    Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a stored cross-site scripting vulnerability in the embedded web configuration interface that allows authenticated attackers to execute persistent JavaScript b…
  10. CVE-2026-9141
    — CVSS 9.8 (CRITICAL)

    Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains an authentication bypass vulnerability in the embedded web configuration interface that allows unauthenticated attackers to access internal application pages …
  11. CVE-2026-9139
    — CVSS 9.8 (CRITICAL)

    Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a hard-coded credential vulnerability in the embedded web configuration interface where authentication is implemented entirely in client-side JavaScript in lo…
  12. CVE-2026-9133
    — CVSS 7.7 (HIGH)

    Active debug code exists in the ARN resolver of amazon-mq rabbitmq-aws before version 0.2.1. A debug ARN scheme (arn:aws-debug:file) accepted by the PUT /api/aws/arn/validate validation endpoint might allow remote authen…
  13. CVE-2026-9126
    — CVSS 8.8 (HIGH)

    Use after free in DOM in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
  14. CVE-2026-9124
    — CVSS 5.3 (MEDIUM)

    Insufficient validation of untrusted input in Input in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chrom…
  15. CVE-2026-9123
    — CVSS 7.5 (HIGH)

    Heap buffer overflow in Chromecast in Google Chrome on Android, Linux, ChromeOS prior to 148.0.7778.179 allowed a local attacker to execute arbitrary code inside a sandbox via malicious network traffic. (Chromium securit…
  16. CVE-2026-9122
    — CVSS 6.5 (MEDIUM)

    Out of bounds read in GPU in Google Chrome on Mac prior to 148.0.7778.179 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Me…
  17. CVE-2026-9121
    — CVSS 8.8 (HIGH)

    Out of bounds read in GPU in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
  18. CVE-2026-9120
    — CVSS 8.8 (HIGH)

    Use after free in WebRTC in Google Chrome prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
  19. CVE-2026-9119
    — CVSS 8.8 (HIGH)

    Heap buffer overflow in WebRTC in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
  20. CVE-2026-9118
    — CVSS 8.8 (HIGH)

    Use after free in XR in Google Chrome on Windows prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Source: NVD CVE API 2.0

Generated by CryptXNet.ai Threat Intelligence Platform · May 21, 2026 · Sources: The Hacker News, Bleeping Computer, Krebs on Security, Dark Reading, SANS ISC, THN Threat Intel, Unit 42, Security.com