Here are today’s top cybersecurity stories for Monday, May 18, 2026.
New Windows ‘MiniPlasma’ Zero-Day Gives SYSTEM Access on Fully Patched Systems — PoC Released
A researcher known as Nightmare-Eclipse published a working proof-of-concept exploit on GitHub for a Windows local privilege escalation flaw dubbed MiniPlasma. The exploit abuses the cldflt.sys Cloud Filter driver to elevate a standard user to SYSTEM on fully patched Windows 11 systems, including those updated with the May 2026 Patch Tuesday. Microsoft has not issued a patch or advisory as of publication.
BleepingComputer
NGINX CVE-2026-42945 ‘NGINX Rift’: 18-Year-Old Critical Heap Overflow Now Actively Exploited
A critical heap buffer overflow in NGINX’s ngx_http_rewrite_module, present since 2008 and tracked as CVE-2026-42945 (CVSS 9.2), is under active exploitation after a public PoC dropped on May 13. Unauthenticated attackers can crash NGINX worker processes and, under certain conditions, achieve remote code execution. The flaw affects NGINX Open Source 0.6.27 through 1.30.0 and NGINX Plus R32 through R36. F5’s NGINX Ingress Controller and F5 WAF for NGINX are also affected.
The Hacker News
Microsoft Exchange Server CVE-2026-42897 Zero-Day Exploited in the Wild — CISA KEV Added
Microsoft confirmed active exploitation of CVE-2026-42897 (CVSS 8.1), a spoofing flaw rooted in a cross-site scripting vulnerability in Outlook Web Access affecting on-premises Exchange Server 2016, 2019, and Subscription Edition. Attackers send a crafted email; opening it in OWA executes arbitrary JavaScript in the victim’s browser. CISA added the flaw to its Known Exploited Vulnerabilities catalog on May 15 with a federal remediation deadline. Exchange Online is not affected.
The Hacker News
Mini Shai-Hulud: TeamPCP Compromises TanStack and 160+ npm Packages — Two OpenAI Devices Hit
The TeamPCP extortion group launched a coordinated supply chain attack on May 11, publishing 84 malicious artifacts across 42 packages in the @tanstack npm namespace — including @tanstack/react-router with roughly 12 million weekly downloads. The malware harvests password vault contents, cloud credentials, SSH keys, and developer tool configurations. OpenAI confirmed two employee devices were compromised, requiring certificate rotations; no customer data or production systems were affected.
The Hacker News
node-ipc npm Package With 822K Weekly Downloads Hit by Credential-Stealing Supply Chain Attack
Three malicious versions of the node-ipc Node.js library were published on May 14 carrying an obfuscated payload that harvests over 90 credential categories including AWS, Azure, GCP, SSH keys, Kubernetes tokens, GitHub CLI configurations, and database passwords. The attacker regained publish access by re-registering an expired maintainer domain and resetting the npm account password. Compromised versions were live for approximately two hours before removal.
The Hacker News
Fragnesia CVE-2026-46300: Third Linux Kernel LPE in Two Weeks — Patches Now Available
Researcher William Bowling disclosed Fragnesia (CVE-2026-46300), a high-severity local privilege escalation flaw in the Linux kernel’s XFRM ESP-in-TCP subsystem, in the Dirty Frag vulnerability family. The flaw affects all major distributions — Ubuntu, Debian, Red Hat, SUSE, and Amazon Linux — allowing any unprivileged local user to gain root in a single command. Patched kernels rolled out to production repositories on May 16.
Help Net Security
Pwn2Own Berlin 2026: Researchers Earn $1.298 Million for 47 Zero-Days Including Exchange and VMware ESXi
The Pwn2Own Berlin 2026 competition held at OffensiveCon from May 14 to 16 paid out $1,298,250 for 47 unique zero-day vulnerabilities. DEVCORE took Master of Pwn with $505,000, including $200,000 for a SYSTEM-level RCE in Microsoft Exchange. STARLabs SG earned $200,000 for a VMware ESXi exploit with cross-tenant code execution. All findings have been submitted to vendors under responsible disclosure.
BleepingComputer
Iran-Linked Hackers Suspected in Breaches of US Gas Station Fuel Tank Monitors
US officials suspect Iranian-linked threat actors breached automatic tank gauge (ATG) systems at gas stations across multiple states on May 15. The attackers gained access through internet-exposed systems lacking password protection and manipulated display readings on fuel tank monitors. Actual fuel levels were not altered and no physical damage occurred. The incident highlights persistent warnings about unprotected OT and ICS devices connected to the internet.
SecurityWeek
Critical n8n Vulnerabilities Disclosed With Public Exploits — Over 100,000 Servers at Risk
Researchers at Endor Labs disclosed CVE-2026-25049, a set of sanitization bypasses in the n8n workflow automation platform that enable any authenticated user to achieve unrestricted remote code execution. A working proof-of-concept accompanies the disclosure. More than 100,000 n8n instances are estimated to be vulnerable. Users should update to version 1.123.17 or 2.5.2.
BleepingComputer
Stay tuned for today’s in-depth analysis posts.