The Hacker News
⭐ Official THN Telegram Channel — A trusted, widely read, independent source for breaking news and tech coverage about cybersecurity and hacking.

📨 Contact: admin@thehackernews.com

🌐 Website: https://thehackernews.com

🛑 3rd Linux kernel LPE in just ~2 weeks: Fragnesia (CVE-2026-46300) just dropped.

Attackers can now gain root by corrupting the kernel page cache through a flaw in XFRM ESP-in-TCP.

PoC is public. Major distros have already issued advisories.

Details: https://thehackernews.com/2026/05/new-fragnesia-linux-kernel-lpe-grants.html

🔥 Two new Windows zero-days expose a BitLocker bypass in WinRE and a CTFMON privilege escalation issue.

YellowKey affects Windows 11 and Server 2022/2025; GreenPlasma could enable abuse of SYSTEM-writable paths.

Full story: https://thehackernews.com/2026/05/windows-zero-days-expose-bitlocker.html

⚠️ AI hallucinations just became a real cyber weapon.

2025 benchmark of 40 AI models: 36/40 were more likely to give confident wrong answers than correct ones on hard questions.

That’s not a glitch. That’s your new attack surface.

Read → https://thehackernews.com/2026/05/how-ai-hallucinations-are-creating-real.html

🚨 Threat actors targeted PraisonAI CVE-2026-44338, an authentication bypass vulnerability, within hours of disclosure.

The flaw affects versions 2.5.6–4.6.33 and can expose the /agents endpoint without authorization.

Read the full report: https://thehackernews.com/2026/05/praisonai-cve-2026-44338-auth-bypass.html

You've heard us say compliance should be part of how you operate, not a project.

On May 20, we're showing you exactly what that means.

Watch Rippling Automated Compliance for SOC 2 collect evidence continuously, catch issues the moment they happen, and resolve them, all without leaving the platform. No bouncing between tools. No quarterly scramble. No mystery about what your auditors will find.

This is the live demo. Come with questions.

🖥 Automated Compliance: From Manual Chaos to Continuous Control

📅 May 20 | Live Product Demo | Free

Save your spot → https://thn.news/compliance-automation-webinar

🚨 Belarus-aligned Ghostwriter has targeted Ukrainian government organizations since March 2026 with spear-phishing PDFs impersonating Ukrtelecom.

The campaign uses Ukraine IP geofencing, JavaScript PicassoLoader, 10-minute host fingerprinting, and Cobalt Strike after victim validation.

Full infection chain: https://thehackernews.com/2026/05/ghostwriter-targets-ukrainian.html

🔥 ThreatsDay Bulletin is out!

• PAN-OS root RCE actively exploited
• AI model hijacks
• GhostLock file lock trick
• Zero-auth defense leak
• OnlyFans ransomware
• ClickFix upgrade
+ 9 more stories.

Full read 👇 https://thehackernews.com/2026/05/threatsday-bulletin-pan-os-rce-mythos.html

🚨 ALERT - Three newly published node-ipc npm versions have been confirmed as malicious, with obfuscated stealer/backdoor behavior targeting developer and cloud secrets.

Full details on affected versions and how the payload triggers at runtime: https://thehackernews.com/2026/05/stealer-backdoor-found-in-3-node-ipc.html

🚨 Limited attacks are exploiting CVE-2026-20182, a CVSS 10.0 auth bypass in Cisco Catalyst SD-WAN Controller.

Unauthenticated remote attackers can gain admin privileges and manipulate SD-WAN configurations.

Affected: on-prem, cloud, government deployments.

Full details and mitigation steps: https://thehackernews.com/2026/05/cisco-catalyst-sd-wan-controller-auth.html

🚨 CISA added CVE-2026-20182, a CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN Controller, to its KEV catalog amid active exploitation.

Remote attackers can gain admin privileges. FCEB agencies must remediate by May 17, 2026.

Full details: https://thehackernews.com/2026/05/cisa-adds-cisco-sd-wan-cve-2026-20182.html

🚨 On-prem Microsoft Exchange Server CVE-2026-42897 is under active exploitation.

The CVSS 8.1 spoofing flaw stems from XSS and can allow arbitrary JavaScript execution when crafted emails are opened in Outlook Web Access under certain conditions.

Read: https://thehackernews.com/2026/05/on-prem-microsoft-exchange-server-cve.html

🚨 Two OpenAI employee devices were impacted in the Mini Shai-Hulud supply chain attack via TanStack.

Limited credentials were exfiltrated from internal code repos, prompting macOS certificate revocation and required app updates before June 12, 2026.

Read: https://thehackernews.com/2026/05/tanstack-supply-chain-attack-hits-two.html

Your biggest blind spot isn't malware. It's the trusted tools your team already uses every day.

PowerShell. Certutil. netsh.

Attackers love them too — and Bitdefender just proved it in 700,000+ incidents.

What happens when you watch your own tools for 45 days? Learn here → https://thehackernews.com/2026/05/what-45-days-of-watching-your-own-tools.html

🚨 Four OpenClaw vulnerabilities dubbed Claw Chain can be chained to steal sensitive data, escalate privileges, and establish persistence.

All four flaws are fixed in OpenClaw 2026.4.22.

Full technical breakdown of the attack chain and CVEs: https://thehackernews.com/2026/05/four-openclaw-flaws-enable-data-theft.html

⚠️ Turla has rebuilt Kazuar into a modular P2P botnet designed for stealth and persistent access.

The upgraded .NET backdoor uses Kernel, Bridge, and Worker modules to handle C2, tasking, collection, and exfiltration.

Learn more: https://thehackernews.com/2026/05/turla-turns-kazuar-backdoor-into.html