🚨 CRITICAL ALERT: Active Zero-Day Exploits

Two CVSS 9.8 vulnerabilities are currently in CISA KEV and require immediate action: CVE-2026-9082 in Drupal core, which is actively exploited and affects multiple supported branches, and CVE-2026-48172 in the LiteSpeed User-End cPanel Plugin, which has been exploited in the wild and may allow privilege escalation to root. Treat affected systems as high-risk until patched and verified.

Critical Vulnerabilities (CVSS >= 8.0)

  • CVE-2026-9082 (CVSS: 9.8): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Drupal core. Affects Drupal core from 8.9.0 before 10.4.10, 10.5.0 before 10.5.10, 10.6.0 before 10.6.9, 11.0.0 before 11.1.10, 11.2.0 before 11.2.12, and 11.3.0 before 11.3.10; this vulnerability is in CISA KEV and is under active exploitation.
  • CVE-2026-48172 (CVSS: 9.8): LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation, possibly to root, due to mishandling of Redis enable/disable features; it has been exploited in the wild and is included in CISA KEV.

⚡ Immediate Actions Required

Patch Drupal core immediately to the fixed release for your branch: 10.4.10+, 10.5.10+, 10.6.9+, 11.1.10+, 11.2.12+, or 11.3.10+. If your deployment uses PostgreSQL and exposes JSON:API or related endpoints, prioritize containment and review for suspicious database-related requests and unexpected data access.

Upgrade the LiteSpeed User-End cPanel Plugin to 2.4.7 or later immediately. Run the recommended detection command against cPanel logs: grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null; any output indicates likely exploitation and requires investigation of the listed IP addresses and associated system activity.
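An added triage example (not part of the advisory or any vendor tooling): it applies the same cpanel_jsonapi_func=redisAble match as the grep above and tallies hits per source IP, and it also reads .gz files, which plain grep -r does not decompress. The sample lines, the function names, and the assumption that the client IP appears as a standalone token in each log line are constructed for illustration.

```python
import gzip, ipaddress, os, re
from collections import Counter

MARKER = re.compile(r"cpanel_jsonapi_func=redisAble")       # string from the advisory's grep
LOG_ROOTS = ["/var/cpanel/logs", "/usr/local/cpanel/logs"]  # paths from the advisory's grep

# Constructed sample lines (not real log data); the field layout is an assumption.
SAMPLE = [
    '203.0.113.7 - user1 [01/Jan/2026:10:00:00 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200',
    '203.0.113.7 - user1 [01/Jan/2026:10:00:05 +0000] "POST /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200',
    '198.51.100.9 - user2 [01/Jan/2026:10:01:00 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=listfiles HTTP/1.1" 200',
    '2001:db8::5 - user3 [01/Jan/2026:10:02:00 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200',
]

def first_ip(line):
    """Return the first token that parses as an IPv4/IPv6 address, else None."""
    for token in line.split():
        try:
            return str(ipaddress.ip_address(token.strip('[](),"')))
        except ValueError:
            continue
    return None

def count_hits(lines):
    """Count lines containing the marker, grouped by source IP."""
    hits = Counter()
    for line in lines:
        if MARKER.search(line):
            hits[first_ip(line) or "unknown"] += 1
    return hits

def read_logs(roots=LOG_ROOTS):
    """Yield lines from every file under roots, decompressing .gz files."""
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                opener = gzip.open if name.endswith(".gz") else open
                try:
                    with opener(path, "rt", errors="replace") as fh:
                        yield from fh
                except (OSError, EOFError):
                    continue  # unreadable or truncated file: skip, like 2>/dev/null

if __name__ == "__main__":
    for ip, n in count_hits(read_logs()).most_common():
        print(f"{n:6d}  {ip}")
```

An empty result means only that the marker was not found in the logs still present on disk; it does not cover logs that were rotated out or removed.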

Until remediation is complete, restrict external exposure where possible, monitor authentication and administration logs, block suspicious source IPs, and assume any unpatched internet-facing host may already be compromised. Perform forensic review of affected systems, validate privilege changes, and rotate credentials if abuse is suspected.