Welcome to your weekly threat intelligence briefing. Between May 18 and May 24, 2026, security teams faced another relentless wave of cyber attacks. Threat actors also dug deep into the past, actively weaponizing vulnerabilities from over a decade ago. Defenders must therefore balance modern patching with legacy risk management.
Our sensors recorded 1,134 new vulnerabilities this week. At that volume, you need actionable intelligence to prioritize your incident response effectively.
The Week at a Glance
Triage requires clear and immediate context. Here is the severity breakdown for the latest vulnerability disclosures:
- Critical (CVSS 9.0–10.0): 114
- High (CVSS 7.0–8.9): 363
- Medium (CVSS 4.0–6.9): 419
- Low (CVSS 0.1–3.9): 51
- Unknown/Pending Analysis: 186
Additionally, we detected nine specific vulnerabilities currently experiencing active exploitation. You must prioritize these active threats immediately.
CISA KEV Additions: The Ghosts of Exploits Past
The Cybersecurity and Infrastructure Security Agency (CISA) added 10 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Surprisingly, half of these additions originated between 2008 and 2010. For instance, attackers are actively exploiting a critical Windows Server RPC flaw from 2008 (CVE-2008-4250).
They are also targeting ancient memory bugs in Adobe Reader and Internet Explorer 6. Organizations therefore cannot ignore legacy systems residing on their networks. You must isolate or decommission these outdated endpoints immediately.
Securing the Modern Web Perimeter
Beyond legacy systems, modern web infrastructure took a severe beating. Specifically, attackers weaponized a maximum-severity flaw in the LiteSpeed cPanel Plugin (CVE-2026-48172). This CVSS 10.0 vulnerability allows malicious actors to escalate privileges directly to the root user.
In addition, Drupal core suffered a critical SQL injection vulnerability (CVE-2026-9082). Attackers can effortlessly manipulate databases on unpatched Drupal installations.
Active Exploitation Radar
Our Watchtower telemetry flagged several other severe threats currently in the wild. First, the Ghost content management system contains a critical data exposure flaw (CVE-2026-26980). Unauthenticated attackers can read arbitrary database records without restriction.
Second, Four-Faith F3x36 routers contain hard-coded administrative credentials (CVE-2024-9643). Therefore, hackers can easily bypass authentication on these remote edge devices. Finally, NGINX Open Source and NGINX Plus harbor a high-severity vulnerability within the rewrite module (CVE-2026-42945).
The VM2 Sandbox Nightmare Continues
The cybersecurity community witnessed another catastrophic VM2 sandbox escape (CVE-2026-47208). This marks the third consecutive week of critical VM2 vulnerabilities. Attackers can easily break out of the JavaScript virtual machine.
From there, they can execute arbitrary commands directly on the host operating system. Developers must therefore completely stop relying on VM2 for secure code isolation.
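One way to find out where VM2 still sits in a Node.js project, as an added example that is not part of the original briefing: the script below walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3) and reports every installed copy of vm2 and every package that declares it. The sample lockfile, its package names and its versions are constructed for illustration.

```javascript
// Added example: find vm2 in an npm lockfile (lockfileVersion 2/3 "packages" map).
// SAMPLE_LOCK is constructed; its package names and versions are illustrative only.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "script-runner": "^2.0.0", "@acme/plugin-host": "^0.4.0" } },
    "node_modules/script-runner": { version: "2.1.0", dependencies: { vm2: "^3.9.0" } },
    "node_modules/vm2": { version: "3.9.19" },
    "node_modules/@acme/plugin-host": { version: "0.4.0", optionalDependencies: { vm2: "3.9.17" } },
    "node_modules/@acme/plugin-host/node_modules/vm2": { version: "3.9.17" },
  },
};

const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// "node_modules/a/node_modules/@s/b" -> "@s/b"; the root project key is "".
function nameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

function auditLock(lock, target = "vm2") {
  const installed = [];  // every copy of the target that npm would place on disk
  const requiredBy = []; // every package that declares the target as a dependency
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (nameFromKey(key) === target) installed.push({ path: key, version: meta.version });
    for (const field of DEP_FIELDS) {
      const range = meta[field] ? meta[field][target] : undefined;
      if (range !== undefined) {
        requiredBy.push({ from: key === "" ? "(root project)" : nameFromKey(key), field, range });
      }
    }
  }
  // direct === false means vm2 arrives only through other packages.
  const direct = requiredBy.some((r) => r.from === "(root project)");
  return { installed, requiredBy, direct };
}

const report = auditLock(SAMPLE_LOCK);
console.log(JSON.stringify(report, null, 2));
```

A lockfileVersion 1 file has no `packages` map, so the function returns empty results for it. When `direct` is false, the packages listed in `requiredBy` are the ones to replace or upgrade.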
Actionable Intelligence for Defenders
System administrators must act quickly to secure their perimeters. First, patch any servers running the LiteSpeed cPanel plugin immediately. Next, update your Drupal and Ghost CMS installations to block active web exploits.
Additionally, review your network for vulnerable Four-Faith routers and isolate them from the public internet. Finally, security directors must audit their environments for legacy Windows machines. Ultimately, proactive defense requires aggressive patching and ruthless legacy decommissioning.