May 2026 CVE Landscape
In May 2026, Insikt Group® identified 41 high-impact vulnerabilities that should be prioritized for remediation, all of which had a Very Critical Recorded Future Risk Score. This represents an 11% increase from last month.
These vulnerabilities affected products from 20 vendors. 21 of the 41 vulnerabilities were included in the US Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) catalog, 19 were surfaced through honeypot data, and one was reported by a cybersecurity vendor.
Vercel accounted for approximately 27% of the vulnerabilities, driven by honeypot-sourced Next.js activity. The remaining exposure was concentrated across a range of enterprise software, security, networking, developer tooling, and cloud-related products.
Quick Reference: May 2026 Vulnerability Table
All 22 vulnerabilities below were actively exploited in May 2026. This table does not include the 19 CVEs associated with honeypot activity, which are available to Recorded Future customers via the CVE Monthly Report. The table below also provides examples of public PoCs identified by Insikt Group®. These PoCs were not tested for accuracy or efficacy. Vulnerability management teams should exercise caution and verify the validity of PoCs before testing.
Table 1: List of vulnerabilities that were actively exploited in May, 2026 based on Recorded Future data (excluding honeypot-sourced CVEs).
Key Trends: May 2026
- In May 2026, threat actors exploited a Ghost CMS vulnerability in large-scale ClickFix and FakeCaptcha poisoning campaigns.
- The campaigns used compromised Ghost CMS websites to inject malicious JavaScript, redirect victims through social engineering lures, and stage dropper and loader payloads from attacker-controlled infrastructure.
- 12 of the 41 vulnerabilities enabled remote code execution (RCE), affecting products from 8 vendors: Microsoft, Adobe, Langflow, Palo Alto Networks, Apache, openDCIM, Fortinet, and Ivanti.
- Insikt Group identified public proof-of-concept (PoC) exploits for 32 of the 41 vulnerabilities in this report.
- The most commonly observed flaws this month were CWE-79 (Cross-site Scripting), CWE-506 (Embedded Malicious Code), and CWE-89 (SQL Injection), with three CVEs each.
- 5 of the 41 vulnerabilities in this month’s prominent vulnerabilities table were first disclosed between 2008 and 2010, making them at least 15 years old, with the oldest vulnerability being approximately 18 years old.
- This reinforces our finding that attackers continue to exploit long-known weaknesses in environments where patching has lagged.
- Additionally, the fastest observed time from a vulnerability’s public disclosure to exploitation was less than one day.
Exploitation Analysis
This section highlights some of the highest-impact, actively exploited vulnerabilities this month, specifically those linked to known threat actor campaigns or that have public PoC exploits available. Vulnerabilities with no meaningful public technical detail are summarized in the disclosures table only.
Threat Actors Exploit CVE-2026-26980 in Ghost CMS To Conduct Large-Scale ClickFix Poisoning Campaigns, Sample Available From Recorded Future Malware Intelligence
On May 21, 2026, cybersecurity firm XLab published a technical analysis detailing large-scale ClickFix poisoning campaigns targeting vulnerable Ghost Content Management System (CMS) instances by exploiting CVE-2026-26980. Ghost CMS allows users to create, manage, and publish content for blogs, media sites, newsletters, and subscription-based websites through a Node.js-based publishing platform.
CVE-2026-26980 is a critical SQL injection vulnerability in Ghost CMS that allows unauthenticated threat actors to extract Ghost Admin API Keys and modify website content through the Ghost Admin API.
As previously reported by Insikt Group®, at least two threat groups exploited CVE-2026-26980 to inject malicious JavaScript into more than 700 compromised Ghost CMS websites across industries, including blockchain, artificial intelligence (AI), and financial technology (fintech). According to XLab, the threat actors used the compromised websites to deliver ClickFix and FakeCaptcha social engineering attacks that tricked victims into executing malicious commands and malware payloads on their systems.
Insikt Group® obtained one of the malicious samples, UtilifySetup.exe, from Recorded Future Malware Intelligence. The sample matched the sandbox YARA rule for detecting Inno Setup packaging. Based on sandbox and static code analysis, the sample performs the following actions on a victim’s machine:
- Conducts DLL injection
- Retrieves the system language and geolocation using the Windows registry
- Drops files named UtilifySetup.tmp (SHA256: 7790fd1035266000ed6d6cc35822f7683f5271663af8a5b5effadff85316df6d) and Grape.exe
- Enumerates files and directories
- Retrieves system information
- Delays execution using the Sleep API function for evasion
- Detects debuggers using the GetTickCount API function to compare timing and the IsDebuggerPresent API function
- Creates a file inside the C:\Users\user\AppData\Local\SuperMaxionQuickMaxlite directory, corroborating XLab’s analysis
- Terminates running processes
Sandbox analysis categorized UtilifySetup.tmp as malicious due to the sample exhibiting discovery capabilities. Based on sandbox and static code analysis, the sample performs the following actions on a victim’s machine:
- Conducts DLL injection
- Retrieves the system language and geolocation using the Windows registry
- Executes the UtilifySetup.exe installer from the %Temp% directory using internal Inno Setup /SL5 launch parameters
- Executes a file named Grape.exe inside the C:\Users\user\AppData\Local\SuperMaxionQuickMaxlite directory
Once executed, Grape.exe performs the following actions on a victim’s machine:
- Adds a Windows registry Run key entry named electron.app.Grape set to execute itself when the victim logs in
- Enumerates running processes
- Sends a DNS request to web-telegram[.]ug
Further technical details associated with this activity, including sample analysis, MITRE ATT&CK techniques, and IoCs, are available to Recorded Future customers via Insikt Group® reporting.
Recorded Future customers can also access Malware Intelligence queries that surface samples communicating with campaign-associated URLs, domains, and IP addresses.
Technical Blog and Alleged PoC for Actively Exploited Critical SQL Injection Vulnerability Affecting BerriAI LiteLLM (CVE-2026-42208)
On April 27, 2026, Michael Clark published a technical report on Sysdig detailing CVE-2026-42208. The Sysdig Threat Research Team observed the first exploitation attempt 36 hours and seven minutes after the publication of GitHub advisory GHSA-r75f-5x8p-qvmc, which was later assigned CVE-2026-42208.
On May 5, 2026, GitHub user Ashraf Zaryouh (0xBlackash on GitHub) shared an alleged PoC exploit for CVE-2026-42208. On May 8, 2026, CISA added CVE-2026-42208 to its KEV catalog. CVE-2026-42208 is a critical Structured Query Language (SQL) Injection vulnerability affecting BerriAI LiteLLM versions 1.81.16 to 1.83.6.
BerriAI LiteLLM is a proxy server and an AI gateway used to call large language model (LLM) application programming interfaces (APIs) in OpenAI-compatible or native formats, helping route requests and manage model access and credentials across providers.
Exploiting CVE-2026-42208 allows unauthenticated remote threat actors to read and potentially modify LiteLLM proxy database data, resulting in unauthorized access to the proxy and the credentials it manages. On April 21, 2026, LiteLLM released version 1.83.7, which fixes CVE-2026-42208; this and later versions are not affected. If upgrading immediately is not possible, administrators can set disable_error_logs: true under general_settings to remove the code path through which unauthenticated input reaches the vulnerable query.
The vulnerability resides in the LiteLLM proxy application programming interface (API) key verification logic, where affected versions insert the caller-supplied Bearer token into an SQL query against the LiteLLM_VerificationToken table rather than passing the value through parameter binding. This unsafe query construction allows a threat actor to manipulate the database query before authentication completes.
The vulnerable code path runs during the pre-authentication API key validation process for reachable OpenAI-compatible API routes, including POST /chat/completions, and processes unauthenticated HTTP requests before identity-based access controls can apply. The affected verification path also exposes access to high-value LiteLLM data stores, including virtual API keys, provider credentials, and proxy configuration values. As a result, an unauthenticated remote threat actor with network access to the proxy could read data from the backend database and modify database records, exposing LiteLLM-managed API keys, provider credentials, and proxy configuration values. This exposure could lead to unauthorized access to the LiteLLM proxy and the credentials it manages.
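As an added illustration of the bug class described above (constructed example code, not LiteLLM's own implementation or schema), the following contrasts a token lookup that formats the Bearer value into the SQL text with the parameter-bound lookup that the fix relies on; the in-memory table, its column names and the stored key are assumptions for the demo:

```python
import sqlite3

# Constructed in-memory stand-in for the proxy's key table; the column names are
# assumed for illustration and are not LiteLLM's actual schema.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE LiteLLM_VerificationToken (token TEXT, user_id TEXT)")
    conn.execute("INSERT INTO LiteLLM_VerificationToken VALUES ('sk-real-key-1', 'alice')")
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, bearer: str) -> list:
    # The bug class: the caller-supplied Bearer value is formatted straight into
    # the statement text, so quote characters in it change the query's logic.
    sql = f"SELECT token, user_id FROM LiteLLM_VerificationToken WHERE token = '{bearer}'"
    return conn.execute(sql).fetchall()

def lookup_fixed(conn: sqlite3.Connection, bearer: str) -> list:
    # Parameter binding: the driver passes the token as data, never as SQL text,
    # so the same input simply matches no row.
    sql = "SELECT token, user_id FROM LiteLLM_VerificationToken WHERE token = ?"
    return conn.execute(sql, (bearer,)).fetchall()

# The PoC's default boolean payload quoted on this page, prefixed with sk- as
# the PoC does so that it resembles a LiteLLM key.
PAYLOAD = "sk-1' OR '1'='1"

def demo() -> dict:
    conn = make_db()
    return {
        "valid_vuln": lookup_vulnerable(conn, "sk-real-key-1"),   # 1 row: legitimate key
        "valid_fixed": lookup_fixed(conn, "sk-real-key-1"),       # 1 row
        "inject_vuln": lookup_vulnerable(conn, PAYLOAD),          # 1 row: check bypassed
        "inject_fixed": lookup_fixed(conn, PAYLOAD),              # 0 rows
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```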
According to the Sysdig report, the observed exploitation required network access to a LiteLLM proxy reachable by the threat actor and a request path that triggered proxy key verification, such as POST /chat/completions or /v1/chat/completions. The observed activity occurred in two phases, which Sysdig attributed to the same operator using two adjacent egress IP addresses, followed by a short unauthenticated probe of key-management endpoints.
For Phase 1, the threat actor used 65[.]111[.]27[.]132 to conduct schema enumeration against a reachable LiteLLM proxy. The threat actor sent POST /chat/completions requests with the Python/3.12 aiohttp/3.9.1 user agent and an Authorization header beginning with Bearer sk-litellm, using a single quote to terminate the expected key string and inject UNION-based SQL queries. The threat actor targeted LiteLLM tables containing virtual API keys, stored provider credentials, and proxy environment configuration, including a retry that switched from the lowercase litellm_verificationtoken table name to the quoted PascalCase LiteLLM_VerificationToken table name.
Sysdig assessed this retry as evidence of LiteLLM schema awareness rather than generic scanning. After a ten-minute pause, the same IP performed column-count enumeration by varying the number of NULL placeholders in UNION payloads to identify the expected query shape and return leaked data in the response body.
For Phase 2, the threat actor shifted to a second adjacent egress IP address, 65[.]111[.]25[.]67, after a 21-minute pause. The second IP belonged to the same /22 and AS200373 network context as the Phase 1 source and used the same Python/3.12 aiohttp/3.9.1 user agent. The threat actor replayed and refined the prior UNION-based SQL injection payloads, performed additional column-count discovery by varying NULL placeholders, and focused on LiteLLM tables associated with verification tokens, stored credentials, and proxy environment configuration. The threat actor also probed /key/generate and /key/info without authentication and ended with a terminal sk-litellm OR 1=1-- payload, which Sysdig assessed as consistent with an automation harness exhausting its payload list. Sysdig reporting did not identify confirmed follow-through, such as authenticated key reuse, new virtual-key creation, or chained provider credential reuse.
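As an added detection example (not Sysdig's or LiteLLM's code), the following scores the request-level indicators described in the two phases above against constructed proxy request records in an assumed JSON-lines format; the field names and the 203.0.113.10 address are assumptions for the sample, not indicators from the report:

```python
import json
import re

# Indicators drawn from the activity described above; the regexes are this
# example's own and are applied only to the Bearer value.
INDICATORS = {
    "quote_break": re.compile(r"^sk-[^']*'"),                      # key string ended early
    "union_select": re.compile(r"\bUNION\b.*\bSELECT\b", re.I),
    "null_probe": re.compile(r"\bNULL\b(\s*,\s*NULL\b){2,}", re.I),  # column-count probing
    "tautology": re.compile(r"\bOR\b\s*'?1'?\s*=\s*'?1", re.I),
    "schema_ref": re.compile(r"litellm_verificationtoken", re.I),
}
# Key-management routes that should never be hit without a Bearer token.
KEY_ENDPOINTS = ("/key/generate", "/key/info")

def bearer_of(rec: dict) -> str:
    auth = rec.get("authorization", "")
    return auth[len("Bearer "):] if auth.startswith("Bearer ") else ""

def classify(rec: dict) -> list:
    """Names of the indicators one request record matches (empty if benign)."""
    token = bearer_of(rec)
    hits = [name for name, rx in INDICATORS.items() if rx.search(token)]
    if rec.get("path") in KEY_ENDPOINTS and not token:
        hits.append("unauth_key_probe")
    return hits

def alerts(lines) -> dict:
    """Aggregate matched indicators per source IP across JSON-lines records."""
    per_ip = {}
    for line in lines:
        rec = json.loads(line)
        for hit in classify(rec):
            per_ip.setdefault(rec["client_ip"], set()).add(hit)
    return {ip: sorted(hits) for ip, hits in per_ip.items()}

# Constructed sample records in an assumed JSON-lines format (the IP is a
# documentation address, not an indicator from the report).
UA = "Python/3.12 aiohttp/3.9.1"
SAMPLE_LOG = [json.dumps(r) for r in [
    {"client_ip": "10.0.0.5", "path": "/chat/completions", "user_agent": "curl/8.4",
     "authorization": "Bearer sk-abc123"},
    {"client_ip": "203.0.113.10", "path": "/chat/completions", "user_agent": UA,
     "authorization": "Bearer sk-litellm' UNION SELECT NULL,NULL,NULL FROM \"LiteLLM_VerificationToken\"--"},
    {"client_ip": "203.0.113.10", "path": "/key/info", "user_agent": UA, "authorization": ""},
    {"client_ip": "203.0.113.10", "path": "/chat/completions", "user_agent": UA,
     "authorization": "Bearer sk-litellm' OR 1=1--"},
]]

if __name__ == "__main__":
    print(alerts(SAMPLE_LOG))
```

Corroborate any hit with the proxy's own error logs: a spike in database errors from the key-verification path on the same source is the stronger signal, and a patched proxy (1.83.7 or later) turns these requests into ordinary authentication failures.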
Based on Ashraf Zaryouh’s repository, the PoC requires a target LiteLLM server URL and, optionally, a custom SQL payload and endpoint path. If the operator does not provide a custom payload, the PoC uses the default boolean-based payload 1' OR '1'='1. If the operator does not provide a custom endpoint path, the PoC targets /chat/completions.
Once the threat actor provides the target URL, the PoC removes trailing slashes, combines it with the selected endpoint path, prepends the payload with sk- to resemble a LiteLLM API key, and places the crafted value in the Authorization: Bearer header. It then prepares a normal-looking chat completion request body with a model name and a simple user message.
The PoC sends an HTTP POST request with the crafted authorization header and JSON body, unconditionally disables TLS certificate verification, suppresses the related warning, and uses a ten-second timeout. After receiving a response, it prints the HTTP status code, response length, and first 500 characters of the response for manual review. The PoC treats 200, 400, 401, and 500 responses as possible indicators that the request reached the relevant backend code path, but these status codes do not confirm successful SQL injection.
It also checks the response body for error or sql as indicators of a potential error path. If the request fails due to a timeout, connection issue, DNS failure, or similar error, the PoC catches the exception and prints the failure message instead of unexpectedly terminating. After the request completes or an exception occurs, the PoC prints a reminder message stating that the PoC serves demonstration purposes only and recommends upgrading LiteLLM to version 1.83.7 or later.
Insikt Group® has not tested this PoC for accuracy or efficacy. At the time of writing, the alleged PoC has been forked once on GitHub. Further technical details associated with this activity, including MITRE ATT&CK techniques and IoCs, are available to Recorded Future customers via Insikt Group® reporting.
Take Action
Timely and relevant information on vulnerabilities in your environment and that of your vendors and suppliers is critical for reducing risk. Find out how Recorded Future can support your team by increasing visibility, improving efficiency, and enabling confident decisions.
Vulnerability Intelligence – Prioritize vulnerabilities based on the likelihood of exploitation, not just severity. Easily understand the risk of exploitation alongside severity, with real-time contextualized intelligence to help you quickly make confident decisions, patch what matters, and prevent attacks.
Attack Surface Intelligence – Identify internet-facing assets vulnerable to a specific CVE. Attack Surface Intelligence provides an outside-in view of your organization to help you actively discover, prioritize, and respond to unknown, vulnerable, or misconfigured assets.
Third-Party Intelligence – Gain an external view of the security posture of your vendors and partners. Eliminate time-consuming research and vendor communication cycles with the ability to promptly assess vulnerabilities in their internet-facing systems.
Insikt Group® – Receive access to exclusive reports on new vulnerabilities and trends from Recorded Future’s team of experts, the Insikt Group®. Download Nuclei templates created by Insikt Group® for select CVEs to test potentially vulnerable instances.
Recorded Future Professional Services – Work with our Professional Services team on a Vulnerability Analysis Engagement. Designed to equip your team with advanced strategies for identifying, prioritizing, and mitigating threats effectively, this program delves into technologies and operations essential for a successful vulnerability management program. (Learn more about how our Professional Services team can help elevate your team by watching our recent Vulnerability Prioritization Workshop.)
About Insikt Group®
Recorded Future’s Insikt Group®, the company’s threat research division, comprises analysts and security researchers with deep government, law enforcement, military, and intelligence agency experience. Their mission is to produce intelligence that reduces risk for customers, enables tangible outcomes, and prevents business disruption.