Belgium’s national cybersecurity authority warns threat actors are actively exploiting CVE-2026-41089, a critical Netlogon vulnerability patched in May 2026, to achieve remote code execution on domain controllers across all supported Windows Server versions; admins should patch immediately as exploitation is underway and advisories from Microsoft have not yet been updated.
Rapid7 reports a critical Gogs vulnerability (CVSS 9.4) that lets any authenticated user achieve remote code execution by crafting a pull request with a malicious branch name that injects a --exec command into git rebase during the Rebase before merging step; no admin rights are required and an attacker can trigger it simply by registering and creating a repository with rebase merging enabled. If unpatched (as of March 17, 2026), this could allow server compromise, access to all repos, credential dumps, cross-tenant data breaches, or further network access. Mitigations include disabling new registrations, restricting repository creation, and auditing rebase merge settings; a Metasploit module exists to automate the exploit. Estimates put internet-facing Gogs instances around 1,141, likely higher in internal deployments behind VPNs.
Security researchers say CVE-2026-42945, a heap buffer overflow in NGINX Open Source and NGINX Plus, is being actively exploited in the wild. The flaw can crash NGINX worker processes via crafted requests, with remote code execution possible only if ASLR is disabled and a specific rewrite configuration is present; despite ASLR generally enabled, estimates show up to 5.7 million internet-facing servers may be affected. Organizations should patch promptly, ensure ASLR remains enabled, and audit rewrite rules to mitigate risk while threat actors rapidly scan for vulnerable systems.
A critical remote code execution vulnerability in Anthropic’s Claude Code CLI allowed attackers to execute arbitrary commands through crafted deeplinks. The flaw came from a context-blind argument parser that treated --settings overrides found inside a deeplink’s q parameter as legitimate, enabling injection of a SessionStart hook at startup. Anthropic released a fix in Claude Code 2.1.118 and urged users to update; the issue highlights the risks of eager CLI parsing and deeplink handling.
A severe heap-buffer-overflow bug in NGINX’s ngx_http_rewrite_module (CVE-2026-42945, CVSS 9.2) allows unauthenticated remote code execution when rewrite and set directives are used together, affecting NGINX Open Source 0.6.27–1.30.0 and several F5/NGINX products; a working PoC is public. Patch guidance includes upgrading to NGINX 1.30.1 or 1.31.0 and auditing configurations that combine rewrite+set directives, with a recommendation to add a WAFlayer until patching is complete. Additional related CVEs include CVE-2026-42946 (high severity, memory corruption), CVE-2026-40701 (medium, use-after-free), and CVE-2026-42934 (medium, out-of-bounds read).
An 18-year-old heap buffer overflow in NGINX's rewrite_module (CVE-2026-42945) can cause denial of service and, under specific rewrite configurations, unauthenticated remote code execution. Patches are available in NGINX Open Source 1.31.0 and 1.30.1 and related F5 products; real-world exploitability is debated, but the DoS risk makes patching or applying mitigations urgent, especially where ASLR is disabled to enable RCE in PoC tests.
A rogue researcher, Nightmare-Eclipse, released a second Windows Defender privilege-escalation exploit (RedSun) after Microsoft patched the first CVE-2026-33825 vulnerability. The PoC allegedly lets unprivileged users gain SYSTEM privileges by abusing Defender to overwrite system files; the researcher warns of more remote code execution exploits to come. Microsoft patched the flaw on Patch Tuesday and credited Zen Dodd and Yuanpei Xu, while the researcher continues to air grievances and threaten further disclosures.
F5 Networks reclassified the BIG-IP APM vulnerability CVE-2025-53521 from a DoS issue to a critical remote code execution flaw, with attackers exploiting unpatched systems to deploy webshells. CISA has ordered federal agencies to patch, and F5 issued mitigations and indicators of compromise as online exposure of BIG-IP instances remains high. Patch now and review disks, logs, and terminal history for signs of intrusion.
Researchers analyze CVE-2026-32746, a pre-auth RCE in GNU inetutils Telnetd via a LINEMODE SLC buffer overflow. The issue stems from overflowing a small slcbuf when processing SLC triplets during LINEMODE negotiation, with exploitation heavily dependent on OS and architecture (64-bit vs 32-bit); while a reliable full RCE wasn't achieved across tested targets, a heap leak and an arbitrary-free primitive were demonstrated, potentially enabling code execution under favorable libc conditions. The vulnerability affects inetutils Telnetd and many forks across major distros (Ubuntu, Debian, FreeBSD, NetBSD, macOS, etc.), and patches have not been widely released at publication time. Detection strategies include probing for LINEMODE support and non-invasive overflow checks; watchTowr provides a detection artifact generator. Patch urgently, but note there is no universal fixed version yet; users should build from fixed commits or apply vendor mitigations.
Security researchers LayerX revealed a zero-click remote code execution flaw in Claude Desktop Extensions (DXT) that leverages the Model Context Protocol to chain untrusted data from Google Calendar into a privileged local executor. An attacker can trigger the payload via a malicious calendar event with no user interaction, potentially compromising the host with the user’s privileges. The issue affects over 10,000 active Claude users and more than 50 DXT extensions; Anthropic has reportedly not fixed it yet, citing the architecture of MCP autonomy. Mitigations include disconnecting high-privilege local extensions from untrusted data sources and awaiting a patch or architectural changes to MCP. This serves as a warning about the security risks of AI agents autonomously bridging data to local systems.
Researchers detail WT-2026-0001 in SmarterMail, a pre-authentication admin password-reset bypass that can be triggered by calling a force-reset-password API with IsSysAdmin set to true, enabling admin access without verifying OldPassword and potentially yielding remote code execution via the Volume Mount feature. A PoC shows a JSON payload including IsSysAdmin, Username, and NewPassword. SmarterTools released patch 9511 on Jan 15, 2026 to fix the flaw, but exploitation was observed shortly after the patch, highlighting urgent need to upgrade. The patched flow enforces admin verification and old-password checks, mitigating this bypass; the report also notes the ongoing risk and how attackers monitor patches to exploit high-value targets.
MongoDB has issued an urgent warning to patch a severe remote code execution vulnerability (CVE-2025-14847) affecting multiple versions of its database software. The flaw, due to improper handling of length parameters, allows unauthenticated attackers to execute arbitrary code. Admins are advised to upgrade to patched versions immediately or disable zlib compression to mitigate the risk. The vulnerability has been actively exploited in the past, emphasizing the need for prompt action.
Cisco has issued a warning about a high-severity, actively exploited vulnerability in IOS and IOS XE Software (CVE-2025-20352) that affects SNMP protocols, allowing remote attackers with certain credentials to execute arbitrary code or cause a denial-of-service. The flaw, rooted in a stack overflow, has been patched in Cisco IOS XE Software Release 17.15.4a, but mitigation involves restricting SNMP access to trusted users and monitoring SNMP activity.
Threat actors exploited a zero-day vulnerability in legacy Sitecore systems (CVE-2025-53690) involving a ViewState deserialization flaw caused by reused sample ASP.NET machine keys, leading to remote code execution and deployment of reconnaissance malware WeepSteel. The attack involved multi-stage exploits including privilege escalation and persistence techniques. Sitecore recommends immediate replacement and encryption of static machine keys to mitigate the vulnerability.
Cybersecurity researchers disclosed a high-severity vulnerability (CVE-2025-54136) in the AI code editor Cursor that allows remote code execution through malicious MCP file swaps, which has been addressed in version 1.3 by requiring repeated user approval for configuration changes. The flaw exposes significant risks in AI development environments, especially as AI tools become more integrated into workflows, and is part of broader concerns about AI security vulnerabilities and attack vectors.