VYPR
Latest stories
288 stories · 1,084 sources
trend · 1 source

Risky Business Soap Box: AI in Cloud Security

The latest Risky Business podcast episode explores the practical role of AI in cloud security, arguing that AI is augmenting rather than replacing traditional security tools.

May 15, 2026
trend · 1 source

Infosec Product Roundup: May 15, 2026

This week's infosec product roundup features updates from Alation, Apricorn, Versa Networks, and TrustCloud, with a focus on new AI-driven capabilities.

May 15, 2026
Top stories · 7d roundup
Synthesized by Vypr AI

Active Exploitation of cPanel Vulnerabilities

A critical vulnerability in cPanel is currently being leveraged by threat actors in active campaigns to deploy file manager backdoors on compromised servers. This poses a significant risk to web hosting environments, allowing unauthorized access and potential data exfiltration. Organizations using cPanel are urged to apply the latest security patches immediately to mitigate the risk of compromise. (CVE-2026-41940, CVE-2026-32199, CVE-2026-32200; www.helpnetsecurity.com)

Cisco SD-WAN Zero-Day Under Active Attack

Cisco has released patches for a critical SD-WAN vulnerability that has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog due to active exploitation in the wild. This marks the sixth zero-day affecting Cisco's SD-WAN products in 2026, highlighting a persistent threat to network infrastructure. Administrators must prioritize patching to prevent unauthorized administrative access to their systems. (CVE-2026-20182, CVE-2026-41586; www.helpnetsecurity.com)

Fragnesia Privilege Escalation in Linux Kernel

Researchers have detailed "Fragnesia," a new privilege escalation vulnerability within the Linux kernel's XFRM ESP-in-TCP implementation. This flaw allows local attackers to escalate privileges on affected systems, posing a serious risk to Linux-based environments. Users are advised to update their kernels to the latest patched versions to defend against potential exploitation. (CVE-2026-46300; www.tenable.com)

Most critical
Sorted by risk + recency
Critical · 2026
CVSS ≥ 9, ranked
  1. CVE-2026-41940 · KEV · 0.88
    CPanel/Cpanel

    cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

  2. CVE-2026-1340 · KEV · 0.84
    Ivanti/Endpoint Manager Mobile

    A code injection vulnerability in Ivanti Endpoint Manager Mobile allows attackers to achieve unauthenticated remote code execution.

  3. CVE-2026-20182 · KEV · 0.83

    May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show Control Connections guidance to help with system checks.  A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.

  4. CVE-2026-21643 · KEV · 0.81
    Fortinet/Forticlientems

    An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

  5. CVE-2026-42208 · KEV · 0.79
    Litellm/Litellm

    LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path. An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7.

  6. CVE-2026-35616 · KEV · 0.79
    Fortinet/Forticlientems

    An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

  7. CVE-2026-0300 · KEV · 0.77
    Paloaltonetworks/Pan Os

    A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail) by restricting access to only trusted internal IP addresses. Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.