Palo Alto Networks disclosed CVE-2026-0257, a high-severity (CVSS 9.1) authentication bypass vulnerability affecting PAN-OS and Prisma Access. Reported by Palo Alto Networks and Rapid7 on May 17, 2026, the flaw allows attackers to establish unauthorized VPN connections via forged authentication override cookies in GlobalProtect portals or gateways configured with specific certificates. By May 29, 2026, CISA KEV had added this vulnerability due to active exploitation.
Attackers exploit this by using forged authentication override cookies to bypass security restrictions and gain unauthorized access to internal networks through VPN connections. This capability allows them to potentially compromise sensitive data and disrupt operations within affected organizations. The rapid timeline of exploitation underscores the critical need for immediate patching and configuration adjustments, reflecting a broader trend in network management platforms being targeted due to their extensive attack surface, as seen with previous issues like Ivanti and cPanel vulnerabilities (Issue 68).
- Upgrade PAN-OS to version 12.1.7 or later via Palo Alto Networks' management console.
- Upgrade Prisma Access to version 10.2.10-h36 or later following vendor instructions.
- Review and adjust GlobalProtect portal configurations to disable authentication override cookies.
On May 27, 2026, attackers exploited CVE-2026-48172 in the LiteSpeed cPanel plugin using a download pumping technique. This method involved inflating npm package download counts with automated bot traffic to make malicious payloads appear legitimate. The Silent Ransom Group (SRG) was identified as the threat actor behind this attack.
Attackers gained unauthorized access to sensitive endpoints and executed arbitrary scripts with root privileges by exploiting this vulnerability. More than 700 versions of the malicious 'ambar-src' package were uploaded, exacerbating the risk.
The FBI, Tenable, and X41 D-Sec reported this actively exploited flaw, prompting CISA to issue a KEV deadline on May 29, 2026. The attack demonstrates the urgent requirement for organizations to update their LiteSpeed cPanel plugins immediately.
- Update LiteSpeed cPanel plugin to version 1.2.3 as per advisory from Tenable Research.
- Monitor npm package download patterns using tools like Sonatype Nexus for unusual spikes indicative of download pumping techniques.
- Review and audit access logs on sensitive endpoints for unauthorized activities following May 27, 2026.
PraisonAI Platform is affected by CVE-2026-47416, which allows any workspace member to promote themselves or others to owner via PATCH /workspaces/{id}/members/{user_id}. The vulnerability has a CVSS score of 9.3, indicating critical severity. Reported on May 30, 2026, this issue was disclosed by GitHub Security Advisories and Cisco Talos.
The attack works by exploiting insufficient authorization checks in the PATCH endpoint, enabling unauthorized users to escalate their privileges within the workspace. This allows attackers to gain administrative control over the platform, potentially leading to data breaches or operational disruptions.
This vulnerability is part of a broader pattern of security issues affecting PraisonAI Platform, as seen in Issue 74. The critical severity score and potential for significant impact necessitate that organizations apply patches and review their access controls.
- Upgrade PraisonAI Platform to the latest version that addresses CVE-2026-47416 per GitHub Security Advisories.
- Review and update workspace member permissions immediately to prevent unauthorized escalations.
- Conduct a security audit of all workspaces using PraisonAI Platform to identify and mitigate potential vulnerabilities.