Critical vulnerabilities 2026 - Resolved

An Unprecedented Wave of Vulnerabilities in April–May 2026


A Hectic Spring on the Cybersecurity Front

The past few weeks have been particularly busy in the world of information security. Between late April and mid-May 2026, more than twenty critical vulnerabilities were publicly disclosed, affecting the essential components that run virtually every web server on the planet: the Linux kernel, cPanel/WHM, the Exim mail server, as well as the Apache and NGINX web servers.

Several of these flaws are rated critical, with severity scores reaching 9.8 out of 10. A few were even being actively exploited by attackers at the time of their public disclosure.

If you follow tech news, you may have seen terms like Copy Fail, Dirty Frag, Fragnesia, or NGINX Rift go by. No need to panic: we’ll explain everything, and most importantly, we’ll explain why your sites hosted with us are protected.


✅ Your Servers Are Up to Date and Secured

Most important first: as soon as each of these vulnerabilities was disclosed, our team applied the necessary measures to protect our entire infrastructure.

Specifically, here’s what was done:

  • Applied official patches as soon as they were released by the vendors;
  • Put temporary mitigation measures in place when patches were not yet available (notably in the case of Dirty Frag, whose exploit code was disclosed before the patches);
  • Updated cPanel/WHM servers within hours of the patched versions being released;
  • Updated mail servers to Exim 4.99.2;
  • Applied Apache 2.4.67 and NGINX 1.30.1/1.31.0 patches;
  • Updated the Linux kernel and scheduled reboots on the affected servers.

As you read these lines, our servers are protected against all the vulnerabilities described in this article.


⚠️ But Beware: Bots Are More Active Than Ever

A predictable side effect of this wave of disclosures: malicious bot networks (botnets) have been intensely active for several weeks. They’re scanning the Internet 24/7, looking for servers, admin panels, and websites that haven’t been updated yet.

Every newly disclosed vulnerability triggers a wave of automated intrusion attempts within the hours that follow. And with so many flaws published in such a short time, malicious traffic is at levels we haven’t seen in a long while.

This is exactly why updates to your websites have never been more important. More on that below.


🤔 Why So Many Vulnerabilities at Once?

That’s the question many people are asking. The answer comes down to two letters: AI.

Artificial intelligence (like Claude.ai, ChatGPT, and their counterparts) has made huge leaps in recent months. These tools are extraordinary at helping programmers code faster, better understand complex code, and uncover problems.

But here’s the flip side: the same tools that help a developer find bugs in their own code also help a malicious person dig up flaws in everyone else’s code. And security researchers are now using AI to systematically scan the source code of software that’s been around for 20 years.

A few concrete examples among the recent vulnerabilities:

  • NGINX Rift: a flaw that had been sleeping in the NGINX codebase since 2008 (18 years!) was discovered in a few hours by an automated analysis system.
  • Copy Fail: according to the researchers who disclosed it, their AI-powered analysis tool identified this critical flaw in the Linux kernel in roughly one hour of scanning.
  • Fragnesia and Dirty Frag: three similar vulnerabilities in the Linux kernel discovered within a two-week span, all tied to the same kind of problem.

In short, flaws that would have taken years to find using traditional methods are now being uncovered in a matter of hours. That’s good news when vendors and “ethical” researchers find them first. It’s much less good when malicious actors do.

Our prediction: this accelerated pace of disclosures is likely the new normal. Expect to see more flaws, disclosed more quickly, in the months and years ahead.


🔑 What You Need to Do: Update Your Websites

Our job is to secure the operating system, the web server, the admin panel, and the mail server. That’s done.

Your job is to keep your website itself up to date. That means:

  • WordPress, Joomla, Drupal, or any other CMS: update to the latest version as soon as it’s released.
  • Themes and plugins: these are often the entry points for attacks. Uninstall any you’re not using.
  • Admin passwords: if you’re still using a password you’ve had since 2020, now is the time to change it.
  • Two-factor authentication (2FA): enable it wherever possible (website admin, email, cPanel).
  • Backups: make sure you have recent copies of your site, ideally stored in multiple locations.

The bots scanning the Internet right now aren’t only going after the flaws described in this article. They’re also testing every weak password, every outdated WordPress version, and every vulnerable plugin they can find. A website that’s been abandoned for six months is an easy target.


📋 The Complete List of Vulnerabilities Addressed

For the more technically inclined among you (or those who like to know what’s happening behind the scenes), here’s a complete overview of the vulnerabilities we’ve dealt with in recent weeks.

Linux (Kernel) Vulnerabilities

| CVE | Date | Official Link | Brief Description | Why It’s Dangerous |
|---|---|---|---|---|
| CVE-2026-46300 (Fragnesia) | May 13, 2026 | NVD | Flaw in the Linux kernel (ESP-in-TCP network subsystem) that allows an ordinary user to modify normally protected files in memory. | A user with no privileges who simply has local access to the server can become “root” (all-powerful administrator). Especially risky for shared servers, containers, and cloud environments. Public exploit code already exists. |
| CVE-2026-43284 & CVE-2026-43500 (Dirty Frag) | May 7, 2026 | NVD 43284, NVD 43500 | Two chained flaws in the kernel’s networking modules (IPsec ESP and RxRPC). Combined, they let a local attacker gain administrator rights. | Exploit code was publicly disclosed before the patches were ready (broken embargo). Microsoft has observed real exploitation attempts. Works with a single command on most Linux distributions. |
| CVE-2026-31431 (Copy Fail) | April 29, 2026 | NVD | Flaw in the kernel’s cryptography module (algif_aead). A Python script of only 732 bytes is enough to become administrator. | Affects all Linux distributions since 2017 (Ubuntu, Red Hat, Debian, SUSE, etc.). Added to the CISA catalogue of actively exploited vulnerabilities. Very simple to use, no advanced skills required. |

cPanel & WHM Vulnerabilities

| CVE | Date | Official Link | Brief Description | Why It’s Dangerous |
|---|---|---|---|---|
| CVE-2026-32993 | May 13, 2026 | cPanel | An unprotected endpoint in the cpsrvd service allows injection of arbitrary HTTP headers (versions 132+). | Can be used to manipulate communications between the server and the browser, opening the door to session theft or attacks against visitors. |
| CVE-2026-32992 | May 13, 2026 | cPanel | SSL verification was not enforced in the DNS cluster system (versions 126+). | An attacker positioned between servers can intercept encrypted communications and steal administrator credentials. |
| CVE-2026-32991 | May 13, 2026 | NVD | A team user with minimal privileges can access the full powers of the owner account via certain UAPI modules (versions 110+). | Allows an employee or collaborator with limited access to take full control of the hosting account. |
| CVE-2026-29206 | May 13, 2026 | cPanel | SQL injection possible via the sqloptimizer script (all versions). | Allows manipulation of the database: reading sensitive information, modifying or deleting data, even taking control. |
| CVE-2026-29205 | May 13, 2026 | cPanel | Poor privilege handling and insufficient path filtering in cpdavd (versions 120+). | Allows reading of arbitrary files on the server, including potentially configuration files containing passwords. |
| CVE-2026-29203 | May 8, 2026 | cPanel | Unsafe handling of symbolic links lets a user modify the permissions of an arbitrary file. | Can cause a denial of service (system out of commission) or privilege escalation to the administrator account. |
| CVE-2026-29202 | May 8, 2026 | cPanel | Perl code injection in the create_user API call via the plugin parameter. | Allows arbitrary code execution on the server as soon as a user is created — full compromise possible. |
| CVE-2026-29201 | May 8, 2026 | cPanel | The LOADFEATUREFILE call doesn’t properly validate the file name, allowing a relative path. | Makes an arbitrary file readable by everyone on the server — possible leak of sensitive configurations. |
| CVE-2026-41940 | April 28, 2026 | NVD | Critical authentication bypass: an unauthenticated attacker can inject CRLF data to become administrator without a password (all versions after 11.40). | CVSS score 9.8/10 (critical). About 1.5 million cPanel instances exposed on the Internet. Actively exploited “in the wild” since February 23, 2026 (two months before the patch). Added to the CISA KEV catalogue. Hosting providers like Namecheap and KnownHost had to emergency-block ports. |

Exim (Mail Server) Vulnerabilities

| CVE | Date | Official Link | Brief Description | Why It’s Dangerous |
|---|---|---|---|---|
| CVE-2026-40684 | April 29, 2026 | Exim | Server crash caused by malformed DNS PTR records (systems using the musl C library, such as Alpine Linux). | A remote attacker can crash the mail service simply by sending a message — email outage for the entire organization. |
| CVE-2026-40685 | April 29, 2026 | Exim | Out-of-bounds read/write in the handling of external JSON configurations — can corrupt memory. | Memory corruption in a mail server opens the door to more serious attacks: crashes or execution of malicious code. |
| CVE-2026-40686 | April 29, 2026 | Exim | Out-of-bounds read via UTF-8 characters in malformed email headers. | Can leak sensitive data from server memory. An ideal tool for reconnaissance before a larger attack. |
| CVE-2026-40687 | April 29, 2026 | Exim | Flaw in SPA/NTLM authentication — connecting to a malicious external server can crash Exim or leak memory. | Particularly targets enterprise environments connected to Microsoft. Service crash or memory leak (potentially including passwords). |

Key takeaway: All fixed in Exim 4.99.2.

Apache HTTP Server Vulnerabilities

| CVE | Date | Official Link | Brief Description | Why It’s Dangerous |
|---|---|---|---|---|
| CVE-2026-23918 | May 4, 2026 | Apache | “Double free” bug in the HTTP/2 module of Apache 2.4.66 (memory corruption caused by an “early reset” of a connection). | CVSS 8.8 (high). No authentication required. Can cause a server crash or, in the worst case, remote code execution — the attacker takes control of the web server. Affects roughly a quarter of the world’s web. |
| CVE-2026-24072 | May 4, 2026 | Apache | Privilege escalation bug in several Apache 2.4.66 modules and earlier: an author of a .htaccess file can read files with the web server’s privileges. | On shared hosting where multiple clients share a server, a user can read other clients’ files (passwords, databases, source code). |

Both fixed in Apache HTTP Server 2.4.67.

NGINX Vulnerabilities

| CVE | Date | Official Link | Brief Description | Why It’s Dangerous |
|---|---|---|---|---|
| CVE-2026-42945 (NGINX Rift) | May 13, 2026 | NGINX | Memory overflow in the URL rewrite module (ngx_http_rewrite_module). Bug present for 18 years (since 2008). | CVSS 9.2 (critical). No authentication required. Can lead to remote code execution or a server crash. NGINX serves roughly 34% of the world’s websites. Public exploit code is available on GitHub. |
| CVE-2026-42946 | May 13, 2026 | NGINX | Out-of-bounds read in the SCGI and uWSGI modules when an attacker can control responses from the upstream server. | CVSS 8.3. Can leak server memory contents (potentially sensitive data) or crash the process. |
| CVE-2026-42926 | May 13, 2026 | NGINX | HTTP/2 request injection in the proxy module when the proxy_set_body directive is used. | Allows an attacker to inject data into requests sent to the backend server — can bypass access controls or poison responses. |
| CVE-2026-42934 | May 13, 2026 | NGINX | Out-of-bounds read in the character set handling module (ngx_http_charset_module). | CVSS 6.3. May reveal a limited portion of server memory contents or cause a process restart. |
| CVE-2026-40460 | May 13, 2026 | NGINX | HTTP/3 address spoofing vulnerability (during a connection migration, the new stream may receive a new client address without validation). | Lets an attacker impersonate another IP address — can bypass filtering rules based on source address. |
| CVE-2026-40701 | May 13, 2026 | NGINX | Use-after-free during OCSP requests to the DNS resolver. | CVSS 6.3. Can cause memory corruption in the worker process, leading to a server crash or potentially unpredictable behaviour. |

All fixed in NGINX 1.30.1 and NGINX 1.31.0.
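
If you run your own server, the following added example (not part of the original article or any vendor tooling) checks version banners against the fixed releases named above: Exim 4.99.2, Apache 2.4.67 and NGINX 1.30.1. The function names are hypothetical and the banners are constructed samples of what `nginx -v`, `httpd -v` and `exim -bV` print.

```sh
#!/bin/sh
# Added example: compare service banners with the fixed releases from the article.

# Minimum fixed versions, as stated in the article.
fixed_version() {
    case "$1" in
        exim)   echo "4.99.2" ;;
        apache) echo "2.4.67" ;;
        nginx)  echo "1.30.1" ;;   # 1.31.0 also compares >= 1.30.1
        *)      return 1 ;;
    esac
}

# Pull the first dotted version out of a banner like "nginx version: nginx/1.30.1".
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+(\.[0-9]+)+' | head -n 1
}

# version_ge A B: succeed when A >= B, comparing each field as an integer.
# A plain string comparison would wrongly rank 2.4.9 above 2.4.67.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# check_banner PRODUCT BANNER: print "fixed", "outdated" or "unknown".
check_banner() {
    min=$(fixed_version "$1") || { echo unknown; return 0; }
    ver=$(extract_version "$2")
    if [ -z "$ver" ]; then echo unknown
    elif version_ge "$ver" "$min"; then echo fixed
    else echo outdated
    fi
}

# Constructed sample banners; replace with real command output on your host.
for row in \
    "nginx|nginx version: nginx/1.29.4" \
    "apache|Server version: Apache/2.4.9 (Unix)" \
    "exim|Exim version 4.99.2 #2 built 01-May-2026"
do
    printf '%-7s %s\n' "${row%%|*}" "$(check_banner "${row%%|*}" "${row#*|}")"
done
```

Distribution packages often backport security fixes without changing the upstream version number, so confirm an "outdated" result on a distro build against the vendor's own advisory.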


In Summary

  • An exceptional wave of critical vulnerabilities hit the Linux/web ecosystem between late April and mid-May 2026.
  • Artificial intelligence plays a major role in this acceleration — for defenders as much as for attackers.
  • Our servers are up to date and protected against all these vulnerabilities at the time of publication.
  • Malicious bots are scanning the Internet more than ever in search of vulnerable targets.
  • Your part: keep your website (CMS, themes, plugins, passwords) up to date. It’s the best defence against automated attacks.

Have questions about your site’s security or need a hand updating it? Don’t hesitate to contact us — our team is here to help.

