What you need to know today.
CISA flags a critical Langflow AI RCE as actively exploited, while Ubiquiti, Microsoft, and LiteSpeed ship patches for max-severity flaws.

CISA adds a critical Langflow AI unauthenticated build endpoint flaw to KEV, as attackers weaponize it within 20 hours of disclosure. CVE-2026-33017 (CVSS 9.8, EPSS 0.44) affects Langflow versions prior to 1.9.0, allowing unauthenticated remote code execution via the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint. As The Hacker News reported, the vulnerability was quickly incorporated into attacker tooling, and Check Point Research documented active exploitation in the wild. Infosecurity Magazine noted that attackers moved from disclosure to exploitation in roughly 20 hours. With a risk score of 0.72 (high) and a KEV listing, organizations running Langflow should treat this as an emergency-patch priority — the public-facing nature of AI workflow builders makes them an attractive initial-access vector.
Ubiquiti discloses three max-severity CVSS 10.0 flaws in UniFi OS, all exploitable by an attacker with network access. CVE-2026-34910 (command injection), CVE-2026-34909 (path traversal leading to account access), and CVE-2026-34908 (improper access control enabling unauthorized system changes) each carry a CVSS 10.0 and a risk score of 0.65. As BleepingComputer reported, the vulnerabilities require network access but no authentication, making them especially dangerous for exposed UniFi consoles. Ubiquiti has released patches; given the trio of critical flaws and the widespread deployment of UniFi gear in enterprise and SMB environments, administrators should prioritize firmware updates immediately.
A LiteSpeed cPanel plugin privilege-escalation flaw is being exploited in the wild, with a detection signature already available. CVE-2026-48172 (CVSS 9.8, risk score 0.65) affects the LiteSpeed User-End cPanel Plugin before version 2.4.5 and allows privilege escalation, potentially all the way to root. The vulnerability is confirmed as actively exploited as of May 2026. Detection guidance recommends running grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs on affected systems. This is a straightforward, high-impact attack on a common web-hosting control panel component — hosting providers and cPanel administrators should patch immediately and scan logs for signs of compromise.
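As an added example, not code from the brief or from either vendor, the following routine applies the two request-level indicators named above (the Langflow build endpoint from CVE-2026-33017 and the cpanel_jsonapi_func=redisAble parameter from the CVE-2026-48172 grep signature) to web access log lines and tallies hits per source. The log lines and the cPanel plugin path are constructed, and the loose flow_id matching is an assumption, since the brief gives only the shape of the Langflow path.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Indicators taken from the brief: the Langflow public build endpoint
# (CVE-2026-33017) and the LiteSpeed cPanel plugin parameter that the
# published grep signature looks for (CVE-2026-48172). The flow_id segment is
# matched loosely (assumption): the brief gives only the path shape.
LANGFLOW_BUILD = re.compile(r'"POST /api/v1/build_public_tmp/([^/\s"]+)/flow[^"]*"')
LITESPEED_REDIS = re.compile(r"cpanel_jsonapi_func=redisAble")


@dataclass
class Hit:
    line_no: int
    cve: str
    client: str
    detail: str


def scan_lines(lines):
    """Return one Hit per access-log line that matches either indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        client = line.split(" ", 1)[0]  # first field of a combined-format line
        m = LANGFLOW_BUILD.search(line)
        if m:
            hits.append(Hit(n, "CVE-2026-33017", client, f"flow_id={m.group(1)}"))
        if LITESPEED_REDIS.search(line):
            hits.append(Hit(n, "CVE-2026-48172", client, "redisAble call"))
    return hits


def summarize(hits):
    """Count hits per (CVE, client) so repeated probing from one source stands out."""
    return dict(Counter((h.cve, h.client) for h in hits))


# Constructed sample lines in combined log format; the cPanel plugin path is a
# placeholder, only the query parameter comes from the published signature.
SAMPLE_LOGS = [
    '203.0.113.7 - - [12/Jun/2026:09:14:02 +0000] "POST /api/v1/build_public_tmp/1b2c3d4e/flow HTTP/1.1" 200 512',
    '198.51.100.3 - - [12/Jun/2026:09:14:05 +0000] "GET /api/v1/flows HTTP/1.1" 401 0',
    '203.0.113.7 - - [12/Jun/2026:09:15:10 +0000] "POST /api/v1/build_public_tmp/9f8e7d6c/flow HTTP/1.1" 200 640',
    '192.0.2.44 - - [20/May/2026:11:02:33 +0000] "GET /placeholder/plugin/index.php?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 88',
    '198.51.100.3 - - [20/May/2026:11:02:40 +0000] "GET /placeholder/plugin/index.php HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.cve} from {hit.client} ({hit.detail})")
    print(summarize(scan_lines(SAMPLE_LOGS)))
```

A match is a trigger for investigation, not proof of compromise: correlate the hit with response status, timing relative to the patch, and follow-on activity from the same client.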
Microsoft ships patches for a wave of critical Azure and identity flaws, including a CVSS 10.0 Azure Local authentication bypass. CVE-2026-42822 (CVSS 10.0) allows unauthenticated privilege escalation over the network in Azure Local Disconnected Operations. Additional critical Microsoft CVEs disclosed today include CVE-2026-41104 (deserialization RCE in Planetary Computer Pro), CVE-2026-42901 (origin validation bypass in Entra ID), CVE-2026-40412 (unrestricted file upload in Azure Orbital Spatio), CVE-2026-47280 (authentication bypass in Azure Resource Manager), and CVE-2026-40411 (input validation RCE in Azure Virtual Network Gateway). Each carries a risk score of 0.64–0.65. Azure tenants should review the June 2026 Patch Tuesday rollup and prioritize the Entra ID and ARM flaws given their potential for lateral movement across cloud resources.
Two critical ScadaBR vulnerabilities disclosed via a CISA ICS advisory expose industrial control systems to remote compromise. CVE-2026-8603 (CVSS 9.8) is an OS command injection flaw allowing root-level command execution, while CVE-2026-8605 (CVSS 9.8) leverages hard-coded credentials to grant admin access to the SCADA system. Both affect ScadaBR version 1.2.0. As CISA's advisory notes, these vulnerabilities are exploitable with low attack complexity and no user interaction. Given ScadaBR's use in critical infrastructure environments, asset owners in energy, water, and manufacturing should isolate affected systems from the internet and apply vendor mitigations immediately.
Additional critical vulnerabilities across the stack: HP Linux printing, Apache PyFory, Linux kernel, Ruby zlib, and PyTorch Lightning. CVE-2026-8631 (CVSS 9.8) in HP Linux Imaging and Printing could allow privilege escalation via integer overflow — The Hacker News included it in their ThreatsDay roundup. CVE-2026-48207 (CVSS 9.8) in Apache Fory PyFory enables deserialization bypass of validation hooks. CVE-2026-43402 (CVSS 9.8) is a Linux kernel use-after-free in kthread exit paths. CVE-2026-27820 (CVSS 9.8) is a buffer overflow in Ruby's Zlib::GzipReader. CVE-2026-44484 (CVSS 9.8) describes credential-harvesting functionality introduced in PyTorch Lightning 2.6.2. CVE-2026-6960 (CVSS 9.8) allows arbitrary file uploads in the BookingPress Pro WordPress plugin. CVE-2026-33816 is a memory-safety issue in the pgx PostgreSQL driver for Go. Each of these warrants attention based on organizational exposure, with the Linux kernel and Ruby zlib flaws having the broadest potential blast radius.