How real attackers operate, and what to do about it.
Built from data we observe across our customers and the public threat landscape. Each piece walks the attacker's decision tree end-to-end: what they're doing right now, why it works, and the concrete steps a defender takes this week to break it. Verifiable security.
CVE-2026-35273 turns an internet-reachable management endpoint on Oracle PeopleSoft PeopleTools into code execution with no credentials required. It is rated CVSS 9.8, it is in the CISA known-exploited catalog, and the fix is a version and an exposure decision. Here is the mechanism at defender altitude, how to spot it on your perimeter, and what closes it.
Broken Object Level Authorization is still the number one API risk, and the numbers say most of it is worse than a data leak. A taxonomy of 107 classified bug-bounty disclosures finds 78.5 percent were confirmed in-scope BOLA and 41.7 percent of those were state-changing actions on another user's object, not simple reads. Here is the evidence, the shape of the BOLA family, and the two-identity test harness that finds it before an attacker does.
Fast-moving 2026 CVEs are being exploited within hours of disclosure: LMDeploy inside about thirteen hours, NetScaler inside a day. You cannot win that race with a meeting. Here is a repeatable N-day triage runbook that turns a same-day advisory into a version fingerprint, a safe proof of exposure, an exact patched build, and a verified fix, run in order under a countdown.
A confused deputy is a privileged component tricked into using its authority on behalf of a caller who was never entitled to it. It is a 1988 idea, and in 2026 it still hands attackers someone else's cloud role. Here is the mechanism across AWS cross-account trust and a fresh Azure Monitor privilege-escalation CVE, why delegated trust without a per-tenant discriminator is the shared root cause, how to find it on your own tenancy, and how to close it.
A package manager that runs install scripts by default turns a passive download into remote code execution. In 2026, three npm and PyPI campaigns weaponized that one default to steal AWS, Azure, GCP, and Kubernetes credentials, and one of them shipped valid SLSA provenance while doing it. Here is how registry worms work, how to find the affected versions in your build, and the controls that break the loop.
Almost every AI server wants to fetch a URL for you, and in 2026 three separate CVEs turned that convenience into a straight line from an attacker-supplied link to cloud IAM credentials at 169.254.169.254. LMDeploy, mcp-atlassian, and Crawl4AI each forgot the instance metadata endpoint or validated one field while leaving the transport open, and one was exploited within roughly thirteen hours. Here is the shared mechanism, how to find it across your own AI services, and the controls that close the metadata path for good.
Adding a custom MCP server over the STDIO transport does not fill in a setting, it specifies a program to launch. When that config field is weakly sanitized and reachable by an ordinary user, the field is a shell. Flowise CVE-2026-40933 turns an authenticated MCP registration into OS code execution. Here is the mechanism, how to detect the exposure across your AI hosts, and what closes it.
The 9router npm package left one install route out of its dashboard auth middleware, then piped a request field straight into a root shell. Before 0.4.44, an unauthenticated POST could turn a JSON sudoPassword value into a command running as root. Here is the two-bug stack behind CVE-2026-59800, how to find it in your dependency tree, and what closes it.
CVE-2026-10520 is an unauthenticated OS command injection in Ivanti Sentry scored at the CVSS ceiling of 10.0. Because the service runs as root, one crafted request to an internet-facing mobility gateway becomes a root shell and a pivot into the enrolled-device trust boundary. Here is the mechanism, how to recognize your exposure, and what closes it.
A double quote in a Kubernetes Ingress annotation breaks out of the nginx configuration the ingress-nginx controller generates and injects arbitrary directives. Because directives can run code, the controller executes attacker input, and in a default install it can read every Secret in the cluster. Here is how CVE-2026-3288 works, why anyone who can create an Ingress can reach it, and what closes it.
CVE-2026-8451 is an out-of-bounds read in NetScaler ADC and NetScaler Gateway configured as a SAML identity provider. A crafted request makes the appliance read past an intended buffer and return adjacent heap memory, and repeated requests let an attacker harvest session tokens and authentication material from a box that is built to face the internet. Public reporting had exploitation underway within about a day of disclosure. Here is the mechanism, how to recognize the exposure, and why patching alone does not close it.
Everyone knows to parameterize SQL. Almost nobody thinks to parameterize Dgraph Query Language, so when Dgraph builds DQL text by string-formatting user input, the injection lands the same way it did in SQL twenty years ago. Three 2026 flaws show it: a login-path oracle (CVE-2026-44840, CVSS 7.5), and two pre-auth paths (CVE-2026-41327 and CVE-2026-41328, CVSS 9.1) that read the entire graph from a single unauthenticated request. Here is the shared mechanism, how to recognize the exposure, and what closes it.
Around 1.5 million cPanel and WHM control panels were reachable on the internet when a missing-authentication flaw let an unauthenticated attacker reach a fully authenticated control-panel session with no valid credentials. CVE-2026-41940 sat as a zero-day for roughly two months before the patch and landed in CISA KEV. Here is the class, the mechanism as scoped by NVD and detailed by Rapid7, how to recognize your exposure, and what closes it.
CVE-2026-21643 is an unauthenticated SQL injection in FortiClient EMS that escalates to command execution because the data tier runs with high privilege on the management host. The mechanism, why endpoint managers are a blind spot, how to detect exposure without weaponizing anything, and how a boolean or time-based differential proves the bug and confirms the fix in 7.4.5.
CVE-2026-20131 is a CVSS 10.0, pre-authentication Java deserialization bug in the web console of Cisco Secure Firewall Management Center, the box that manages your firewalls. A crafted object stream deserializes into arbitrary code running as root, with no login. It is in CISA KEV and tied to Interlock ransomware. Here is the mechanism, the exposure, and the fix.
Three of the most-exploited bug classes of 2026 share one trait: they turn a single unauthenticated request into code execution on the system you trust most. Deserialization of untrusted data, SQL injection, and OS command injection keep landing pre-auth on collaboration servers, security appliances, and remote-access gateways. Here is why they dominate the known-exploited list, how to recognize the exposure, and what closes it.
An endpoint management server is the one box on your network allowed to run code on every laptop and phone you own. When it is internet-facing and unauthenticated code execution lands on it, the attacker does not get one machine, they get the fleet. Here is why the management plane is the highest-value target on the perimeter, grounded in three 2026 known-exploited Ivanti CVEs, how to tell if you are exposed, and the controls that contain it.
Threat actors do not exploit one vulnerability. They compose a sequence: get in, read secrets, move sideways, take control. A defensive program that tests one CVE at a time will never see the chain. Here is how we turn each day's published threat intelligence into composed, multi-step detection chains, with this week's Cisco Catalyst SD-WAN Manager double-CVE controller takeover, CVE-2026-20182 and CVE-2026-20262, as the worked example.
An edge appliance ships with a self-signed certificate so it can boot before you provision it. If you never finish provisioning, that certificate stays on the public internet, and its private key is shared across every unit of the product line. Here is why a factory default certificate is a default-credential problem in disguise, grounded in CWE-1392 and CWE-295, how to spot it, and the one provisioning step that closes it.
On a shared host, the boundary between two tenants is the file system, and the file system trusts a symlink. A privileged plugin follows a link a low-privileged tenant planted, then acts on the other side of the jail. Grounded in CVE-2026-54420 (CVSS 8.5, CWE-61), the LiteSpeed cPanel plugin symlink-following flaw that escalates a web shell to root on CloudLinux and CageFS shared hosting. Here is the link-following decision tree and the contract that ends the class.
Most security tooling optimizes for recall: catch everything, sort it out later. We optimize for the opposite. A finding ships only if a human can reproduce the underlying fact off the wire at verification time. Here are the four tests every candidate must pass before we sign it, and why a scanner that calls everything critical is worse than no scanner at all.
A CVE is a backlog item until the moment it lands on the CISA Known Exploited Vulnerabilities catalog. Then it is an emergency with a deadline, sometimes measured in days. Mid-June 2026 put three edge-and-hosting CVEs on the KEV list inside one week, each with a short remediation window. Here is how the KEV clock should drive your prioritization, why version-banded exposure detection beats waiting for a pen test, and how to act inside the window.
The defining SaaS breach pattern of 2026 is not a cracked password and not a phish. It is a stolen third-party-integration OAuth token that skips your login, never triggers MFA, and pivots across your connected platforms. Here is how integration-token theft works, why your login alerts stay quiet, and how to audit your connected-app surface with evidence.
Your read endpoints are authorization-hardened. Your DELETE route is one line of code nobody tenant-scoped, and a single request erases every tenant's sources, agents, and assessments at once. Destructive operations are routinely under-gated relative to reads. Here is the decision tree from finding the destructive endpoint to platform-wide destruction, grounded in CVE-2026-53469, and the class test that covers every write and delete route.
The token's signature is valid. The agent verifies it and proceeds. But it never checks that the token's source_id claim matches the resource the caller asked for, so a tenant with a perfectly valid token of its own reads and rewrites another tenant's object. Here is the JWT claim-binding decision tree, grounded in CVE-2026-53471 against the kubev2v migration-planner, and the contract that ends the class.
The main application authenticates every request. A PostgreSQL helper process bundled alongside it listens on the network and authenticates nothing. Truncate the right file, a config, a license, an audit log, and a weird endpoint becomes an integrity and availability compromise. Grounded in CVE-2026-20253 (CVSS 9.8), the unauthenticated file create and truncate in Splunk's PostgreSQL sidecar. Here is the trust-boundary decision tree your front-door scanner never walks.
OWASP's State of Agentic AI names the lethal trifecta: untrusted input, access to private data, and the ability to act or exfiltrate. When one agent holds all three, no prompt filter saves you. Here is why the fix is an architecture boundary, not a smarter guardrail, and the controls that break the chain.
A migration agent installed to manage infrastructure hardcodes an insecure TLS configuration when it connects to vCenter. An adjacent-network attacker intercepts the session and harvests vCenter admin credentials. CVE-2026-53475 (CVSS 9.3, CWE-295) is the anchor. Here is the attacker decision tree, why version scanners miss it, and the fix that ends the class.
A serverless platform hands tenants a builder and a router so they can ship functions without touching the cluster. The moment either is reachable without authentication, or accepts an unvalidated pod spec, the convenience becomes the breach: deploy a pod, reach the node, lift the service-account token, own the cluster. Grounded in the Fission RCE pair CVE-2026-50545 and CVE-2026-50563 (CVSS 9.9) and the unauthenticated-router invocation CVE-2026-46614.
You run untrusted code inside a sandbox and trust the boundary. CI jobs, AI tool-execution, multi-tenant build runners: all of it leans on the assumption that the box holds. A sandbox or micro-VM escape collapses that assumption and the host runs the attacker's code. Here is the escape decision tree, grounded in CVE-2026-46695 (Boxlite, CVSS 10.0) and the runc and cgroups escapes before it, and the defense-in-depth that ends the class.
A team stands up a low-code LLM app builder for a prototype, leaves the UI and API reachable, and forgets it. That instance holds the model-provider keys, the database credentials, and the tools the agent can call. CVE-2026-46442 (CVSS 9.9) turns Flowise into authenticated remote code execution through the custom-function node. Here is the decision tree from a discovered builder to host compromise, and the boundary that ends it.
A WordPress plugin ships a frontend AJAX endpoint that skips the capability check and trusts the client-supplied Content-Type. An unauthenticated visitor uploads what they want, or self-registers as an administrator. CVE-2026-9067 and CVE-2025-6254 are this week's reminders that the per-plugin CVE churn never ends, but the underlying class is one repeatable test. Here is the decision tree, and the control that closes the whole family.
A framework's own templating is trusted as safe. Then attacker-influenced text reaches the template compiler and edit your profile bio becomes code execution on the app server. Server-side template injection recurs across every framework, from Jinja2 sandbox escapes to OGNL remote code execution to modern HEEx-style HTML templating. Here is the decision tree from a template-rendered sink to RCE, why a CVE-by-CVE scanner lags a class test, and the fix that ends the class.
Your ops and monitoring tooling holds every tenant's server inventory, configs, and the SSH credentials it uses to reach them. When its object-level authorization is the weakest link, a scoped guest account reads and rewrites another tenant's data with no exploit at all. Here is the cross-tenant BOLA decision tree in ops tooling, grounded in CVE-2026-45550, CVE-2026-45552, and CVE-2026-45563 against Roxy-WI, and the contract that ends the class.
A product ships with a fixed JWT signing key baked into its source, image, or binary. Anyone who pulls the artifact mints valid tokens and walks in as anyone. CVE-2026-48031 set the secret to the literal string random. Here is the attacker decision tree, why runtime scanners never see it, and the fix that ends the class.
A developer wraps untrusted input in a quoting helper they believe neutralizes the shell, then hands the result to a command. But the helper has a bypass, or was never applied to the path that re-parses the string back into argv. The input arrives at the shell as a flag or an operator, and a trusted dependency executes attacker commands. Atril (CVE-2026-46529), Dulwich (CVE-2026-42563), and Gogs (CVE-2026-52806) all shipped this class in 2026. Here is the attacker decision tree and the dependency-aware test that finds it.
A time-of-check to time-of-use window in a privileged service is a quiet primitive: win the race and a low-privilege account is handed SYSTEM. CVE-2026-47281 is the clean specimen. Here is the decision tree from a local foothold to full host control, why a banner-matching scanner misses it, and the fix that closes the window.
A record-setting Patch Tuesday buried the one fix that actually mattered: an Exchange zero-day already exploited in the wild. Here is how to read a giant patch batch for the vulnerabilities that change your risk this week, the decision tree behind the Exchange flaw, and the prioritization that beats patching by CVSS alone.
The remote-access gateway is the front door to the building, and CVE-2026-50751 lets an attacker walk through it without a password. An IKEv1 authentication bypass on a Check Point edge appliance is a pre-auth pivot into the internal network. Here is the attacker decision tree, and why a single-request probe misses it.
A misused pull_request_target workflow runs a fork's untrusted code with the repository's own secrets, and that single trust mistake poisoned 172 packages (CVE-2026-45321). Here is the decision tree from an opened pull request to credential theft and supply-chain compromise, and the workflow contract that ends the class.
The rug-pull was the symptom. The class behind it is an MCP server that invokes tools for a caller it never authenticated. CVE-2026-33032 is one CVE old. The official SDK ships DNS-rebinding protection off by default. Here is the decision tree from an exposed MCP server to unauthenticated tool execution, and the auth boundary that ends it.
Your IAM policy is correct. Your namespace RBAC is correct. And an attacker with a scoped foothold in one tenant still reads another tenant's data. Isolation fails at the runtime trust boundary your static cloud-posture scanner cannot see. Here is the cross-tenant read decision tree, grounded in CVE-2024-7646 and CVE-2024-9594, and the contract that ends the class.
The cyber-extortion economy runs on commodity tooling: TamperedChef's reused signing certs, ROADtools' Azure AD recon, the copy_file_range Linux LPE (CVE-2026-31431). None of it is exotic. All of it is instrumentable. Here is the detection decision tree defenders should wire up, signal by signal.
A cluster of PAN-OS and GlobalProtect CVEs landed this quarter, CVE-2026-0227 through CVE-2026-0265, with one captive-portal zero-day (CVE-2026-0300) already exploited in the wild. The common thread is an exposed management plane. Here is the attacker decision tree from an exposed mgmt interface to config and credential access, and the re-audit that closes it.
A SAML assertion is signed XML. The signature covers a digest of the document, but which bytes are the document? When the canonicalizer and the signature verifier disagree, an attacker injects a forged assertion the verifier validates and the application trusts. CVE-2024-45409 turned ruby-saml into exactly that. Here is the attacker decision tree from an altered assertion to any authenticated session, and the assertion-binding fix.
A developer accepts an extension auto-update. Buried in the bundle is a credential stealer that walks .npmrc, .git-credentials, the AWS profile and SSH keys, then phones home. CVE-2026-48027 turned the Nx Console extension into initial access for an entire CI estate. Here is the attacker decision tree from one malicious install to GitHub, cloud, and pipeline compromise.
CitrixBleed taught the world to read NetScaler memory. CVE-2026-4368 is the quieter sibling: a race-condition session mixup on the edge appliance that hands one user another user's authenticated session, and a probe that checks a banner or fires a single request misses it entirely. Here is the decision tree from an unauthenticated request to an internal pivot.
Commodity scanners stop at single-issue depth. Real operators don't. They cross a business-logic primitive into a cloud-admin primitive over five, six, seven steps. MOVEit (CVE-2023-34362) and Confluence (CVE-2023-22515) showed the world that the deep chain is the breach. Here is the attacker decision tree, and why your scanner never sees it.
Mandiant's M-Trends 2026 reports the median initial-access-to-handoff time has collapsed from eight hours to twenty-two seconds. The fastest observed lateral move took four minutes. If your detection pipeline runs on hourly batches, you are watching a movie of an attacker who already left.
Five new alg-confusion CVEs landed in Q1 2026 alone, rated CVSS 8.2 to 9.1, with working PoCs on day one. The pattern is fifteen years old. The libraries that ship with it are everywhere. Here is the attacker decision tree, and the one-line validation rule that ends the class.
OAuth's state parameter is the protocol's CSRF token. Most teams treat it as boilerplate, copy a sample value, and ship. Attackers know this. We walk the four-step exploit, the recent in-the-wild campaigns, and the validation contract that closes it permanently.
SSRF into the instance metadata service is the dominant 2025-2026 cloud-side initial-access pattern. We walk the attacker's decision tree from a benign-looking image upload to keys-of-the-kingdom IAM credentials, and the seven configuration changes that cut the class in one sprint.
Mandiant says mean time-to-exploit has gone negative: attackers now weaponise vulnerabilities before vendors patch. Quarterly pentests cannot keep up. Here is what a continuous, signed, replayable validation loop looks like at sixty-second cadence, and the operational changes it forces.
One piece every two weeks. Attacker-decision-first, defender-action-driven, sourced against public threat data. No vendor noise, no upsell letters. Proof beats promises.
One email every two weeks. Unsubscribe in one click. We do not share your address.