Here are today’s top cybersecurity stories for Tuesday, May 19, 2026.
CISA Contractor Exposes AWS GovCloud Keys in Public GitHub Repository
A contractor for the Cybersecurity and Infrastructure Security Agency (CISA), linked to government services firm Nightwing, maintained a public GitHub repository named “Private-CISA” that contained plaintext credentials for three AWS GovCloud accounts, internal CISA system passwords, Kubernetes configuration files, and SAML certificates. The repository was created November 13, 2025, and remained public until May 18, 2026, when CISA pulled it offline after being notified by researcher Guillaume Valadon of GitGuardian and security consultant Philippe Caturegli. The exposed AWS keys remained valid for 48 hours after takedown. CISA stated it found no evidence of active exploitation but confirmed it is investigating.
Krebs on Security
DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability
Researchers at Zellic and V12 Security published proof-of-concept exploit code today for CVE-2026-31635 (CVSS 7.5), dubbed DirtyDecrypt, a local privilege escalation flaw in the Linux kernel’s rxgk_decrypt_skb() function. The bug stems from a missing copy-on-write guard, which allows writes to reach privileged files such as /etc/shadow or SUID binaries and grants unprivileged local users root access. The vulnerability affects distributions with CONFIG_RXGK enabled, including Fedora, Arch Linux, and openSUSE Tumbleweed, and presents a pod-escape risk in containerized environments. It is a variant in the growing Copy Fail / Dirty Frag / Fragnesia family of Linux kernel page-cache write bugs.
The Hacker News
Threat Actor Claims Adobe Breach, Lists 832GB Dataset on Hacker Forum
A threat actor is advertising an 832GB dataset allegedly stolen from Adobe’s business and enterprise marketing infrastructure on a well-known hacker forum. The dataset reportedly includes sensitive corporate contact information and customer engagement data. The claim follows a separate alleged breach in April 2026 in which a threat actor going by “Mr. Raccoon” claimed to have stolen 13 million Adobe support tickets and 15,000 employee records. Adobe has not publicly confirmed or denied the latest claim.
Cybernews
Avada Builder Plugin Flaws Expose One Million WordPress Sites to Credential Theft and SQL Injection
Two vulnerabilities in the Avada Builder WordPress plugin affect approximately one million active installations. CVE-2026-4782 (CVSS 6.5) lets authenticated users with subscriber-level access read any file on the server. CVE-2026-4798 (CVSS 7.5) allows unauthenticated SQL injection when WooCommerce has been installed and then deactivated. A partial fix was released April 13 in version 3.15.2; the fully patched version 3.15.3 was released May 12. Site owners are urged to update immediately.
BleepingComputer
Ivanti, Fortinet, SAP, VMware, and n8n Release Critical Security Patches
Multiple major vendors shipped security updates on May 18, 2026, addressing remote code execution, SQL injection, and privilege escalation flaws. Ivanti patched CVE-2026-8043 (CVSS 9.6) in Xtraction, a flaw that allows remote authenticated attackers to read sensitive files and write arbitrary HTML. Fortinet addressed critical vulnerabilities in FortiAuthenticator and FortiSandbox that could result in code execution. SAP, VMware, and workflow automation platform n8n also issued fixes for high-severity flaws in their respective products.
The Hacker News
PraisonAI CVE-2026-44338 Auth Bypass Exploited Within Four Hours of Disclosure
Attackers began probing internet-exposed PraisonAI deployments within three hours and 44 minutes of CVE-2026-44338 being published on May 11, 2026. The flaw is a missing authentication control in PraisonAI’s legacy Flask API server, which hard-codes AUTH_ENABLED = False and exposes the /agents and /chat endpoints without credentials. Sysdig observed automated scanner activity executing targeted requests against the exact vulnerable endpoint. The vulnerability affects versions 2.5.6 through 4.6.33 and is patched in version 4.6.34.
The Hacker News
Apache HTTP/2 CVE-2026-23918 Critical Flaw Enables DoS and Potential RCE
A critical double-free vulnerability in Apache HTTP Server’s HTTP/2 module, tracked as CVE-2026-23918, allows unauthenticated remote attackers to trigger denial-of-service conditions and potentially achieve remote code execution. The flaw affects Apache 2.4.66. Organizations running Apache web infrastructure are urged to apply available patches without delay, as HTTP/2 is widely enabled in modern web server deployments.
The Hacker News
Silver Fox Deploys ABCDoor Backdoor via Tax-Themed Phishing
The China-linked cybercrime group Silver Fox has been observed targeting organizations in India and Russia with a new Python-based backdoor called ABCDoor, delivered through phishing emails mimicking tax authority correspondence. ABCDoor contacts an external server via HTTPS and supports persistence, screenshot capture, remote keyboard and mouse control, process management, and clipboard exfiltration. The campaign has impacted industrial, consulting, retail, and transportation sector organizations.
The Hacker News
Microsoft Exchange CVE-2026-42897 Added to CISA KEV With May 29 Patch Deadline
CISA added CVE-2026-42897, a spoofing vulnerability in on-premises Microsoft Exchange Server, to its Known Exploited Vulnerabilities catalog on May 15, 2026, setting a May 29 federal remediation deadline. The flaw allows attackers to execute arbitrary JavaScript in a victim’s browser by sending a crafted email opened in Outlook Web Access. Affected versions include Exchange Server 2016, 2019, and the Subscription Edition. Microsoft has released an emergency mitigation via the Exchange Emergency Mitigation Service while preparing a permanent patch.
The Hacker News
MiniPlasma Windows Zero-Day PoC Grants SYSTEM Privileges on Fully Patched Systems
A proof-of-concept exploit for a Windows privilege escalation zero-day dubbed MiniPlasma has been released publicly, reliably granting a SYSTEM-level command prompt on Windows 11 systems running the latest May 2026 updates. The flaw is a regression in cldflt.sys introduced during recent patching. Microsoft has not yet issued a fix. The release follows a pattern of recent Windows kernel zero-days including the BitLocker-bypassing YellowKey and GreenPlasma variants disclosed earlier this month.
BleepingComputer
Stay tuned for today’s in-depth analysis posts.






