VYPR
AI Brief · 2026-05-31 · generated May 30, 2026

What you need to know today.

CISA flags a TanStack npm supply-chain worm as actively exploited, while Chrome 148 patches 151 bugs and multiple OT devices disclose critical RCEs.

TanStack npm supply-chain worm lands on CISA KEV after 84 malicious packages hit the registry. On May 11, 2026, an attacker published 84 malicious versions across 42 @tanstack/* npm packages over a six-minute window, authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding (CVE-2026-45321). This is the core of the "Mini Shai-Hulud" campaign, which The Hacker News reports also compromised Mistral AI, Guardrails AI, and other packages. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on May 27, as noted in CISA's alert. The Tenable Blog provides a detailed FAQ on the campaign, which used a worm-like mechanism to spread through the npm dependency graph. Organizations using TanStack packages should audit their lock files for any of the 42 affected packages and rotate any credentials or secrets that may have been exposed during the compromise window.
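The lockfile audit recommended above, as an added example that is not code from the brief, CISA or the TanStack project: it walks an npm `package-lock.json` (lockfileVersion 1 and 2/3 layouts), lists every `@tanstack/*` package it pins, and flags any whose version is in a denylist. The page gives neither the 42 package names nor the malicious version numbers, so `MALICIOUS_VERSIONS` and the sample lockfile are constructed placeholders to be replaced with the maintainers' published list.

```python
import json

# Constructed placeholder: the brief does not list the affected packages or
# versions, so this maps package name -> set of bad versions for illustration.
MALICIOUS_VERSIONS = {
    "@tanstack/example-core": {"9.9.9"},
}
SCOPE = "@tanstack/"


def iter_lock_packages(lock):
    """Yield (name, version) for every dependency pinned in an npm lockfile."""
    if "packages" in lock:  # lockfileVersion 2 or 3: flat map keyed by path
        for path, meta in lock["packages"].items():
            if not path:
                continue  # "" is the root project itself, not a dependency
            # nested installs look like node_modules/a/node_modules/@scope/b
            yield path.rsplit("node_modules/", 1)[-1], meta.get("version")
        return

    def walk(deps):  # lockfileVersion 1: nested "dependencies" tree
        for name, meta in deps.items():
            yield name, meta.get("version")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def audit_lockfile(lock_text, malicious=MALICIOUS_VERSIONS):
    """Return (all in-scope packages, denylisted hits) as sorted (name, version) lists."""
    lock = json.loads(lock_text)
    scoped, hits = [], []
    for name, version in sorted(set(iter_lock_packages(lock))):
        if not name.startswith(SCOPE):
            continue
        scoped.append((name, version))
        if version in malicious.get(name, ()):
            hits.append((name, version))
    return scoped, hits


# Constructed sample lockfile (lockfileVersion 3) with one denylisted pin.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@tanstack/example-core": {"version": "9.9.9"},
        "node_modules/left-pad/node_modules/@tanstack/example-router": {"version": "1.2.3"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

if __name__ == "__main__":
    present, flagged = audit_lockfile(SAMPLE_LOCK)
    print("in-scope:", present)
    print("flagged:", flagged)
```

Run it against each repository's committed lockfile rather than `node_modules`, since the lockfile records what CI will install; a non-empty `flagged` list means the secrets available to that build should be rotated.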

Google Chrome 148 patches 151 vulnerabilities, including a critical use-after-free in Dawn. CVE-2026-9874 is a use-after-free in Dawn, Chrome's WebGPU implementation, that could allow a remote attacker to escape the browser sandbox via a crafted HTML page. SecurityWeek reports that the Chrome 148 update addresses 151 total vulnerabilities, 22 of which are rated Critical. Cyber Security News adds that this is one of the largest single-update patch counts in Chrome's history. Given the sandbox-escape vector and the Critical severity, this update should be treated as an emergency deployment priority for all enterprise browser installations.

Three critical vulnerabilities in Gladinet Triofox Cloud Server Agent expose unauthenticated RCE. CVE-2026-8364 allows unauthenticated remote attackers to execute arbitrary code via crafted HTTP requests to TCP port 7878, while CVE-2026-8363 and CVE-2026-8362 are stack-based buffer overflows in WOSDeviceDropFolder.dll and WOSDefaultHttpModule.dll, respectively, triggered by long URL paths. All three carry a CVSS score of 9.8 and require no authentication. Gladinet Triofox is used for hybrid cloud file-sharing in enterprise environments; the service listens on a default port that may be exposed to the internet. Organizations should immediately restrict network access to port 7878 and apply any available vendor patches.

Dokploy patches two critical flaws allowing authenticated RCE and privilege escalation. CVE-2026-45629 is an authenticated OS command injection in the /listen-deployment WebSocket endpoint that lets any organization member execute arbitrary system commands on remote servers. CVE-2026-45632 is a missing authorization check in the schedule router that allows any authenticated user to create, update, run, or delete schedules belonging to any organization. Both affect Dokploy versions up to 0.28.8 and 0.26.7 respectively, and carry CVSS scores of 9.9. Dokploy is a self-hosted PaaS platform; organizations running it should upgrade immediately and audit existing schedules and deployments for signs of tampering.

Oracle E-Business Suite and Hospitality OPERA 5 hit by multiple critical pre-auth vulnerabilities. CVE-2026-46824 (CVSS 9.9) affects Oracle Universal Work Queue in E-Business Suite 12.2.3–12.2.15, allowing low-privileged attackers to take over the product. CVE-2026-46822 (CVSS 9.9) similarly impacts Oracle iAssets in the same EBS versions. CVE-2026-34311 (CVSS 9.8) affects Oracle Hospitality OPERA 5 Property Services across versions 5.6.19.24 through 5.6.28, enabling unauthenticated remote takeover. These are all easily exploitable over a network without user interaction. Given Oracle's prevalence in enterprise and hospitality environments, these should be prioritized in the next patch cycle.

Critical flaws in industrial IoT and OT devices: PUSR Wi-Fi converters and Delta Electronics DIAView. CVE-2026-7786 (CVSS 9.8) affects Jinan USR IOT's USR-W610 RS232/485 to Wi-Fi/Ethernet converters, with plaintext administrative credentials embedded in the firmware that can be extracted through analysis, as detailed in CISA's ICS advisory. CVE-2026-9642 (CVSS 9.8) is a mitigation bypass for CVE-2025-62582 in Delta Electronics DIAView, allowing unauthenticated remote database access. Both devices are commonly deployed in industrial control and IoT environments where patching is difficult. Organizations should isolate these devices behind firewalls and ensure they are not directly internet-facing.

Synthesized by Vypr AI
TanStack Supply-Chain Worm Hits CISA KEV · VYPR