Supply-Chain Attacks Dominate KEV List
CISA flags two supply-chain attacks as actively exploited, while Fortinet, Microsoft Power Pages, and Gladinet ship critical RCE patches.

Two supply-chain attacks land on CISA's KEV list today, both involving malicious updates pushed through trusted distribution channels. CVE-2026-48027 targets the Nx Console VS Code extension (the IDE front end for the Nx and Lerna monorepo tools): a malicious version 18.95.0 was published to the Visual Studio Marketplace on May 19 for just 18 minutes before removal, but during that window it was downloaded by users who may have had access to GitHub repositories, CI/CD pipelines, and cloud credentials. As Infosecurity Magazine reported, this incident is linked to a broader GitHub breach. CISA's alert notes that the extension's broad IDE integration makes it a high-value pivot point for lateral movement into development environments. Separately, CVE-2026-8398 describes a compromise of DAEMON Tools Lite installer packages (versions 12.5.0.2421 through 12.5.0.2434) distributed from the legitimate daemon-tools.cc site between April 8 and May 27, 2026, a six-week supply-chain window that could have affected millions of users. Both CVEs carry a CVSS score of 9.8 and are now flagged as known exploited, as CISA confirmed.
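As an added defensive check, not taken from the bulletin or from CISA's tooling, the Python below audits a VS Code extension listing for the malicious Nx Console version and tests whether a DAEMON Tools Lite build falls inside the trojanized range; the marketplace ID `nrwl.angular-console` and the `code --list-extensions --show-versions` line format are assumptions.

```python
"""Inventory check for the two supply-chain KEV entries above.
Added example, not part of the bulletin or of CISA's tooling. Assumptions:
the Nx Console marketplace ID is "nrwl.angular-console" and the listing has
the `code --list-extensions --show-versions` shape (publisher.name@version)."""

# Versions named in the bulletin: an exact match for the extension, an
# inclusive build range for the trojanized DAEMON Tools Lite installers.
BAD_EXTENSION_VERSIONS = {"nrwl.angular-console": {"18.95.0"}}
DAEMON_TOOLS_RANGE = ((12, 5, 0, 2421), (12, 5, 0, 2434))


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.5.0.2421' into a tuple of ints so ranges compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def daemon_tools_affected(version: str) -> bool:
    """True if a DAEMON Tools Lite build falls inside the compromised range."""
    low, high = DAEMON_TOOLS_RANGE
    return low <= parse_version(version) <= high


def flag_extensions(listing: str) -> list[str]:
    """Return 'id@version' entries from an extension listing that match a
    known-malicious version; lines without '@' (CLI warnings) are skipped."""
    hits = []
    for line in listing.splitlines():
        line = line.strip()
        if "@" not in line:
            continue
        ext_id, _, version = line.rpartition("@")
        if version in BAD_EXTENSION_VERSIONS.get(ext_id.lower(), set()):
            hits.append(f"{ext_id}@{version}")
    return hits


# Constructed sample listing, not output captured from a real host.
SAMPLE_LISTING = """\
ms-python.python@2026.4.0
nrwl.angular-console@18.95.0
eamodio.gitlens@17.0.1
"""

if __name__ == "__main__":
    print(flag_extensions(SAMPLE_LISTING))
    for build in ("12.5.0.2420", "12.5.0.2421", "12.5.0.2434", "12.5.0.2435"):
        print(build, daemon_tools_affected(build))
```

On a real host, pipe the output of `code --list-extensions --show-versions` into `flag_extensions` and treat any hit as a credential-rotation trigger, since the download window is what matters, not whether the extension is still installed.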
Fortinet disclosed a critical improper-access-control vulnerability in FortiAuthenticator that allows unauthenticated remote code execution. CVE-2026-44277 (CVSS 9.8) affects FortiAuthenticator versions 8.0.0–8.0.2 and 6.5.0–6.6.8, and BleepingComputer reported that the flaw is already under active exploitation in the wild. The missing access control lets an attacker execute unauthorized code or commands without authenticating. SecurityWeek noted that Fortinet's advisory urges immediate patching, and The Hacker News included this in a broader roundup of critical patches from Ivanti, SAP, VMware, and n8n. Because FortiAuthenticator typically serves as a centralized authentication gateway in enterprise networks, a full compromise could enable lateral movement across VPN, firewall, and wireless infrastructure.
Microsoft Power Pages carries a critical pre-auth command-injection flaw that allows unauthenticated remote code execution. CVE-2026-23652 (CVSS 10.0) is a command-injection vulnerability in Microsoft Power Pages, the low-code web hosting platform formerly known as Power Apps Portals. The advisory states that an unauthorized attacker can execute code over the network by exploiting improper neutralization of special elements used in a command. With a perfect CVSS score and no authentication required, this represents a severe risk for any organization using Power Pages to host customer-facing or internal portals. No public PoC or exploitation reports have surfaced yet, and the EPSS score of 0.00 suggests it has not been widely weaponized, though that may change rapidly given the attack surface.
Two critical RCE chains hit Gladinet Triofox Cloud Server, spanning three CVEs rated CVSS 9.8 each. CVE-2026-8364 describes an unauthenticated remote code execution vulnerability in the GladServerAgentService.exe process, which listens on TCP port 7878 and processes HTTP messages with URL paths starting with /resources, /status, /sysinfo, /woshome, /Settings, /schedule, or /DavC. CVE-2026-8363 and CVE-2026-8362 are stack-based buffer overflows in WOSDeviceDropFolder.dll (triggered via long /resources paths) and WOSDefaultHttpModule.dll (triggered via long /woshome paths), respectively. Together, these give an unauthenticated remote attacker three paths to code execution on the Triofox appliance. Gladinet Triofox is used by enterprises for hybrid-cloud file sharing and remote access, making this a high-priority patch for organizations running the agent service.
Pi.Alert, the open-source network intrusion detector, disclosed two critical pre-auth RCE vulnerabilities in its web configuration interface. CVE-2026-44888 and CVE-2026-44887 (both CVSS 9.8) affect Pi.Alert versions prior to the May 7, 2026 release. The first allows injection of arbitrary values into pialert.conf via the SaveConfigFile() endpoint's numeric config fields (e.g., SMTP_PORT), while the second permits arbitrary Python code injection into the same configuration file. Since the background scan daemon loads pialert.conf with full Python evaluation, either vector leads to unauthenticated remote code execution. Pi.Alert is widely deployed on Raspberry Pi devices for home and small-office network monitoring, and the lack of authentication on the configuration endpoint makes these especially dangerous for exposed instances.
A wave of critical infrastructure flaws rounds out today's bulletin, including IBM WebSphere, Synology BeeStation, free5GC, and KubeVirt. CVE-2026-9170 (CVSS 9.8) affects IBM HTTP Server 8.5 and 9.0, while CVE-2026-8633 (CVSS 9.8) affects IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty, both enabling remote code execution. Synology's BeeStation OS before 1.3.2-65648 carries CVE-2025-12686 (CVSS 9.8), a classic buffer overflow in AdminCenter allowing unauthenticated RCE. In the 5G core space, CVE-2026-44330 (CVSS 10.0) affects free5GC's NEF component, which mounts the nnef-pfdmanagement route group without inbound OAuth2/bearer-token authorization, allowing any network attacker who can reach the NEF on the SBI to gain full access. Finally, CVE-2026-7374 (CVSS 9.9) in KubeVirt's virt-handler allows an authenticated OpenShift user with edit permissions in a single namespace to exploit improper symlink validation when connecting to VM console sessions, potentially escaping namespace isolation.