Oracle released its May 2026 Critical Security Patch Update on May 28, addressing 77 vulnerabilities including CVE-2026-46817 in Oracle E-Business Suite. The vulnerability is in the File Transmission component of Oracle Payments and is caused by improper privilege management, improper authentication, and missing authentication for a critical function. Oracle describes it as easily exploitable by an unauthenticated attacker with network access via HTTP, with successful exploitation resulting in complete takeover of Oracle Payments.
On June 27, 2026, Defused Cyber’s Oracle EBS honeypots recorded the first in-the-wild exploitation of CVE-2026-46817. Defused described it as a single source running an unauthenticated file-read against the Payments component, consistent with targeted proof-of-concept testing by an attacker validating a privately built exploit rather than automated broad scanning. No public proof-of-concept existed at that time, meaning whoever performed the exploitation derived their exploit from the Oracle patch diff independently.
This follows a well-established pattern in Oracle enterprise software targeting. CVE-2025-61882, a previous Oracle EBS critical flaw, was exploited by Cl0p ransomware operators. CVE-2026-35273 in Oracle PeopleSoft was exploited by ShinyHunters in a campaign that confirmed Nissan as a victim. Shadowserver tracked over 450 internet-exposed Oracle EBS instances as of the time of reporting. Organizations should assume that any unpatched internet-accessible EBS instance may have been subject to exploitation attempts since June 27.
- Apply Oracle’s May 2026 Critical Security Patch Update to all Oracle E-Business Suite instances immediately, regardless of whether they are internet-facing, as internal networks are reachable from compromised perimeter systems.
- Treat any internet-facing Oracle EBS instance that was unpatched between May 28 and today as potentially compromised. Review Oracle Payments logs for POST requests to /OA_HTML/ibytransmit and for unexpected file access in the File Transmission working directories.
- Restrict Oracle EBS web interfaces to internal networks and VPN-protected access rather than allowing direct internet exposure. Oracle has repeatedly recommended this as a standing mitigation across multiple EBS vulnerability advisories.
Progress published a security advisory on June 4, 2026 describing a command injection remote code execution vulnerability in Kemp LoadMaster’s API, CVE-2026-8037. The advisory affected GA release v7.2.63.1 and earlier and LTSF release v7.2.54.17 and earlier. On June 29, watchTowr Labs published a full technical breakdown of the vulnerability with a working exploit chain, marking the first public detailed analysis of the flaw.
The vulnerability lives in a function called escape_quotes() that is supposed to sanitize user input before it is passed to a shell command via the /accessv2 API endpoint. The function has two implementation defects. It uses malloc() to allocate a new buffer for the escaped output, leaving the buffer uninitialized, and it neglects to write a null terminator after generating the escaped string. When the escaped pointer is subsequently used in a sprintf and system() call chain to build a command line, the missing null terminator allows sprintf to read past the intended buffer into adjacent heap memory. Because malloc can return previously freed chunks that still hold controlled data, an attacker can position command fragments in adjacent heap memory that get incorporated into the executed command, achieving injection despite the attempted sanitization.
Progress reported no exploitation of CVE-2026-8037 as of its advisory date. No exploitation has been confirmed in the wild as of today. However, CVE-2024-1212, a previous LoadMaster critical command injection flaw, was added to CISA’s Known Exploited Vulnerabilities catalog in November 2024 after confirmed exploitation. The public watchTowr exploit significantly reduces the time and capability required for any attacker to weaponize CVE-2026-8037.
- Update Kemp LoadMaster to the patched versions resolving CVE-2026-8037. Affects GA v7.2.63.1 and earlier, LTSF v7.2.54.17 and earlier.
- Restrict the LoadMaster API to internal management networks. If the API does not need to be internet-accessible, removing that exposure eliminates the attack surface for this and future API-targeted flaws entirely.
- Apply the fix for CVE-2026-33691 from the same advisory, a high-severity WAF bypass via whitespace padding in uploaded filenames that was patched concurrently.
GitHub and npm announced today that a security overhaul for the npm registry will begin rolling out in July 2026. The changes were developed in response to a series of supply chain attacks against the npm ecosystem, including the Mastra framework compromise attributed to North Korean Sapphire Sleet in Issue 66 and the earlier Axios attack in April.
The first change is mandatory two-factor authentication for any npm account that holds publish access to a package. The requirement will be enforced at publish time, meaning an account without a registered second factor will be unable to publish package versions regardless of whether the package previously had no MFA requirement. npm will support hardware security keys, passkeys, and time-based one-time password authenticators. SMS-based verification will not satisfy the requirement given documented SIM-swapping risks.
The second change is automated provenance attestation verification for packages classified as high-impact based on download volume and dependency depth. Provenance attestation is a mechanism introduced by GitHub Actions and Sigstore that cryptographically links a specific package version to the exact build pipeline run that produced it. When a package is published with a provenance attestation, consumers and the registry can verify that the package was built by a known, trusted CI/CD workflow rather than published directly from an arbitrary machine. Packages that cannot produce attestations for new versions will be flagged in the registry interface.
The third change is enhanced account takeover detection using behavioral signals including publishing location, timing, and package content changes that deviate from a maintainer’s historical patterns.
- For any team maintaining npm packages: audit all accounts with publish access to your organization’s packages and ensure each has phishing-resistant MFA enrolled before the July enforcement deadline. Hardware security keys or passkeys are recommended over authenticator apps given that the Mastra attack compromised the device running the authenticator.
- Review whether any accounts with publish access to your packages belong to former contributors or prototype integrations that are no longer actively maintained. Revoke publish access for any account that does not have a current, active reason to hold it.
- For organizations consuming npm packages: use npm audit signatures and check for provenance attestations on high-value dependencies once the registry-wide enforcement is active in July.