SITREP - Independent OSINT Channel
AI, technology, mass surveillance, and intelligence — everything you need to know about tomorrow.
🔍 CISA flags exploited Drupal SQL injection flaw

CISA added CVE-2026-9082 to its Known Exploited Vulnerabilities catalog after active abuse of a highly critical Drupal Core SQL injection bug affecting PostgreSQL-backed deployments. The issue stems from improper sanitization in the EntityQuery condition handler, with exploitation observed less than 48 hours after disclosure. Reporting cites 15,000+ attack attempts against roughly 6,000 sites in 65 countries.

The exposure is notable because it is unauthenticated and remote, making public-facing Drupal sites on PostgreSQL the immediate risk set. MySQL, MariaDB, SQLite, and Drupal 7 are not affected; patched releases are available across supported branches, while older 8.9 and 9.5 installs require manual hotfixes.

🛰️ Open sources - closed narratives
@sitreports
🔍 Ghost CMS flaw used to hijack 700+ sites

Attackers are exploiting CVE-2026-26980 in Ghost CMS to compromise more than 700 websites and redirect visitors into ClickFix-style social engineering flows. The activity turns legitimate sites into delivery points for malicious prompts and user-driven execution.

The case shows how a single CMS vulnerability can be scaled into broad access for traffic hijacking and malware staging. For defenders, the key issue is not only patch latency but trust abuse: compromised publisher domains can make fake remediation prompts appear routine and lower user suspicion.

🤖 MuddyWater Uses DLL Side-Loading in Espionage Campaign Targeting 9 Countries

Threat group MuddyWater conducted an espionage campaign in Q1 2026, targeting nine organizations across nine countries. The actors relied on DLL side-loading to execute payloads, steal data, and evade detection.

Operationally, this highlights ongoing abuse of signed binaries and search-order hijacking. Defenders should monitor unsigned modules loaded by trusted processes, tighten application control around vulnerable loaders, and hunt for atypical DLL paths and child-process chains consistent with side-loaded execution.

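The hunting guidance in the MuddyWater item (unsigned modules in trusted processes, atypical DLL paths) as a scoring pass over image-load events. This is an added example, not code from the channel or from any vendor product; the directory lists, DLL names, weights and the sample events are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
# Constructed reference data (assumptions for this example, not a vendor list):
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TRUSTED_EXE_DIRS = SYSTEM_DIRS + ("c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_DLL_NAMES = {"version.dll", "cryptbase.dll", "wininet.dll", "dbghelp.dll"}
STAGING_HINTS = ("\\appdata\\", "\\temp\\", "\\public\\", "\\downloads\\")
ALERT_THRESHOLD = 3

@dataclass
class ImageLoad:
    process_path: str    # executable that loaded the module
    process_signed: bool
    image_path: str      # module (DLL) that was loaded
    image_signed: bool

def side_load_score(ev: ImageLoad):
    """Score one image-load event; returns (score, reasons)."""
    reasons = []
    proc, img = ev.process_path.lower(), ev.image_path.lower()
    dll_name = img.rsplit("\\", 1)[-1]
    if ev.process_signed and not ev.image_signed:
        reasons.append((2, "unsigned module loaded by signed process"))
    if dll_name in SYSTEM_DLL_NAMES and not img.startswith(SYSTEM_DIRS):
        reasons.append((3, f"{dll_name} loaded outside a system directory"))
    if any(h in img for h in STAGING_HINTS):
        reasons.append((1, "module loaded from user-writable staging path"))
    if ev.process_signed and not proc.startswith(TRUSTED_EXE_DIRS):
        reasons.append((1, "signed executable running from an atypical path"))
    return sum(w for w, _ in reasons), [r for _, r in reasons]

def triage(events):
    """Return (process_path, score, reasons) for events at or above threshold."""
    hits = []
    for ev in events:
        score, reasons = side_load_score(ev)
        if score >= ALERT_THRESHOLD:
            hits.append((ev.process_path, score, reasons))
    return hits

# Constructed sample events (not real telemetry): a benign system load, a vendor
# plugin worth a look but no alert, and a relocated signed binary side-loading.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe", True,
              r"C:\Windows\System32\version.dll", True),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", True,
              r"C:\Program Files\Vendor\plugin.dll", False),
    ImageLoad(r"C:\Users\bob\AppData\Local\Temp\upd\signed_tool.exe", True,
              r"C:\Users\bob\AppData\Local\Temp\upd\version.dll", False),
]
```

Feed it image-load events from your EDR or Sysmon export (event 7 carries the signature fields used here) and tune the weights against your own baseline before alerting.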
🔍 KnowledgeDeliver flaw exploited as a zero-day to install web shells

Attackers are leveraging a zero-day in the KnowledgeDeliver learning management system to deploy web shells on vulnerable servers, enabling unauthorized remote access and control.

Operationally, organizations with internet-facing LMS deployments should map exposed instances, retain and review logs, and inspect web roots for unfamiliar scripts while restricting external access (e.g., via WAF or VPN). Web shell footholds enable command execution, lateral movement, and data theft, making rapid containment, credential hygiene, and segmentation reviews priority actions until hardening is complete.

📡 Malware Found in Laravel-Lang Composer Packages After Git Tag Poisoning Attack

Attackers injected malware into four Laravel-Lang Composer packages by rewriting hundreds of Git tags, using a tag-poisoning technique. Numerous Laravel apps may be exposed.

This is a software supply-chain breach via version metadata. Prioritize audits for altered tag history, pin to commit hashes, verify signatures, and roll back affected builds. Review CI caches and watch for unexpected package updates.

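The audit the Laravel-Lang item calls for, comparing the commit each package was pinned to in composer.lock against where its tag points on the remote now. This is an added example, not code from the channel, Composer or the Laravel-Lang project; the package names are taken from the item, while the commit ids, lockfile excerpt and ls-remote output are constructed.

```python
import json
# Constructed 40-hex commit ids for this example (not real Laravel-Lang commits)
PINNED_COMMON = "a1b2c3d4" + "0" * 32
PINNED_ATTRS = "deadbeef" + "0" * 32
MOVED_ATTRS = "cafef00d" + "0" * 32      # where the rewritten tag points now
TAG_OBJECT = "11111111" + "0" * 32       # annotated tag object, not a commit

# Constructed composer.lock excerpt: each entry records the tag that was
# installed and the commit hash it resolved to at lock time.
COMPOSER_LOCK = json.dumps({"packages": [
    {"name": "laravel-lang/common", "version": "v6.4.0",
     "source": {"type": "git", "reference": PINNED_COMMON}},
    {"name": "laravel-lang/attributes", "version": "v2.9.1",
     "source": {"type": "git", "reference": PINNED_ATTRS}},
]})

# Constructed `git ls-remote --tags` output per package as the remote looks now;
# v2.9.1 is an annotated tag whose peeled (^{}) commit no longer matches the lock.
LS_REMOTE = {
    "laravel-lang/common": f"{PINNED_COMMON}\trefs/tags/v6.4.0\n",
    "laravel-lang/attributes": (f"{TAG_OBJECT}\trefs/tags/v2.9.1\n"
                                f"{MOVED_ATTRS}\trefs/tags/v2.9.1^{{}}\n"),
}

def parse_tag_commits(ls_remote_output):
    """Map tag name -> commit, preferring the peeled '^{}' entry for annotated tags."""
    tags = {}
    for line in ls_remote_output.splitlines():
        sha, _, ref = line.partition("\t")
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            tags[name[:-3]] = sha          # peeled: the commit the tag names
        else:
            tags.setdefault(name, sha)     # lightweight tag, or unpeeled annotated
    return tags

def audit_lock(lock_json, ls_remote_by_pkg):
    """Return (package, version, pinned, current, status) for every package."""
    findings = []
    for pkg in json.loads(lock_json)["packages"]:
        pinned = (pkg.get("source") or {}).get("reference")
        tags = parse_tag_commits(ls_remote_by_pkg.get(pkg["name"], ""))
        current = tags.get(pkg["version"])
        status = ("unverifiable" if None in (pinned, current)
                  else "ok" if pinned == current else "TAG MOVED")
        findings.append((pkg["name"], pkg["version"], pinned, current, status))
    return findings
```

In practice populate the ls-remote mapping by running `git ls-remote --tags <repo-url>` for each package's source URL from the lockfile, and treat any "TAG MOVED" result as a rebuild-from-known-good event rather than a routine update.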
Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions

Microsoft has released security updates for SharePoint Server, addressing a remote code execution vulnerability tracked as CVE-2026-45659 (CVSS 8.8). Fixes apply across supported server versions, closing a high-severity path to arbitrary code execution.

On-prem SharePoint admins should fast-track these patches, prioritizing internet-facing servers. Validate update success, review external access routes and service account scopes, and watch for anomalous activity to contain RCE exposure.

🔍 Critical Memcached SASL Flaw Lets Attackers Infer Usernames

A critical vulnerability in Memcached allows attackers to determine which usernames exist in SASL-enabled deployments. The flaw enables identification of valid accounts without verifying passwords.

Operationally, exposure of confirmed usernames lowers barriers for credential stuffing, brute-force attempts, and targeted phishing against services relying on SASL. Internet-exposed and multi-tenant environments are most at risk, as pre-validating accounts streamlines follow-on intrusion and complicates detection.

📡 Charter confirms data breach after ShinyHunters extortion threat

U.S. telecom Charter Communications has confirmed a data breach following an extortion threat by the ShinyHunters group to leak stolen data unless a ransom is paid.

Confirmation signals adversary access and a shift from intrusion to pressure operations. This raises risk of phishing using breach themes, credential reuse attempts, and closer regulatory attention. Organizations should review vendor exposure, tighten access controls, and prepare customer communications while monitoring for ShinyHunters-branded leak channels.

🤖 Microsoft Defender can now automatically isolate hacked endpoints

Microsoft is testing a Microsoft Defender for Endpoint feature that automatically isolates compromised devices to hinder lateral movement. It severs network access while keeping management channels live for investigation and recovery.

This compresses response time and shifts containment from manual playbooks to policy. Teams should validate coverage on critical assets, tune isolation thresholds, and define override paths to limit disruption.

📡 Air Force looks to accelerate F-15 EW upgrades at new ‘Speedline’

The Air Force Life Cycle Management Center has opened a dedicated facility, the Speedline, to accelerate installation of modern electronic warfare and survivability upgrades on F-15E Strike Eagles.

Accelerated retrofits cut depot time, raise availability, and field upgraded jets sooner. A single line standardizes configurations and training baselines, bolstering survivability and mission endurance in contested airspace.

🔍 Banned Russian Submunitions Found After Mali's Military Announces Airstrikes

Unexploded banned Russian submunitions were identified after Mali's military announced airstrikes, linking the discovery to the period immediately following declared operations.

Operationally, the find indicates cluster-type ordnance in the strike area, elevating contamination and casualty risks and requiring clearance. It also intensifies scrutiny of munition supply, strike records, and preserved evidence for attribution and compliance.

📡 Canada's Telesat eyes secure Italian satellite connectivity contract, sources say

Canada's Telesat is pursuing a contract to provide secure satellite connectivity for Italy, with discussions reported to be underway.

A deal would signal Italy’s intent to harden national communications and broaden procurement options via commercial satellite services, placing a Canadian operator in a sensitive European role and shaping interoperability, resilience, and supplier diversification in government networks.
