The first twelve days of May 2026 have produced more critical security incidents affecting hosting and web infrastructure than most entire years. From zero-day exploits weaponized within hours to supply chain breaches compromising hundreds of millions of users — and now ransom payments, repeat breaches, and security vendors getting hacked themselves — the pattern is unmistakable: the attack surface for web hosting is expanding faster than anyone can defend it.
Here are the eleven incidents that defined what is now officially the worst stretch in hosting security history.
1. cPanel Authentication Bypass (CVE-2026-41940)
CVSS: 9.8 | Actively exploited | Ransomware deployed
The most impactful incident of the month. CVE-2026-41940 is a critical authentication bypass in cPanel — the control panel running on millions of shared hosting servers worldwide. Attackers exploited this zero-day as early as February 2026, two months before cPanel published a patch on April 28.
Within 24 hours of disclosure, exploitation went industrial. Over 44,000 IP addresses were targeted. By May 2, threat actors were deploying a Go-based Linux ransomware (appending the .sorry extension) against government agencies, military domains, and managed service providers across at least five countries including the Philippines and Laos.
This is the scenario every hosting provider fears: a control panel vulnerability that gives attackers root-level access to every site on the server. If you run cPanel, patch immediately. If you rely on a host that runs cPanel, ask them when they patched.
2. Palo Alto PAN-OS Root RCE (CVE-2026-0300)
CVSS: 9.3 | State-sponsored exploitation | CISA KEV listed
A buffer overflow in the User-ID Authentication Portal of Palo Alto firewalls allows unauthenticated attackers to execute arbitrary code with root privileges. Palo Alto believes these attacks are the work of state-sponsored threat actors, with exploitation attempts starting April 9 and successful RCE achieved a week later via shellcode injection.
CISA added this to the Known Exploited Vulnerabilities catalog on May 6, requiring federal agencies to apply mitigations by May 9 — a three-day window. Patches for some versions are not available until late May, leaving organizations in a difficult position: disable the portal or accept the risk.
3. Microsoft SharePoint Zero-Day (CVE-2026-32201)
CVSS: 6.5 | Zero-day exploited before patch | 1,300+ servers unpatched
A spoofing vulnerability in SharePoint Server that requires no authentication, no user interaction, and no special conditions to exploit. Microsoft confirmed it was exploited in the wild before patches were available. CISA added it to the KEV catalog with an April 28 remediation deadline.
Over 1,300 SharePoint servers remained exposed online after patches were released, with fewer than 200 patched in the initial window. This vulnerability affects SharePoint Enterprise Server 2016, 2019, and Subscription Edition.
4. Next.js Vulnerability Dump — 6+ CVEs in One Release
Multiple CVEs | XSS, middleware bypass, cache poisoning, SSRF, DoS
On May 6-7, Next.js and React Server Components received patches for six or more security vulnerabilities simultaneously:
- CVE-2026-44573 — Middleware authorization bypass via locale-less requests in Pages Router
- CVE-2026-44581 — Cross-site scripting through CSP nonces (the security mechanism itself becomes the attack vector)
- CVE-2026-23870 — Denial of service via crafted HTTP requests against React Server Components
- CVE-2026-44578 — SSRF through WebSocket upgrade request handling
- Cache poisoning in React Server Component responses (two separate advisories)
These flaws affect Next.js versions 13.x through 16.x using the App Router. Vercel has started blocking deployments of vulnerable versions by default — an aggressive but necessary move given the breadth of the attack surface.
5. Vercel Context AI Supply Chain Breach
Supply chain attack | ShinyHunters involvement | Customer credentials exposed
On April 19, Vercel disclosed a breach originating from Context.ai, a third-party AI tool used by a Vercel employee. The attack chain: Lumma Stealer malware compromised a Context.ai employee, which gave attackers access to a Vercel employee's Google Workspace, which led to their Vercel account.
Non-sensitive customer environment variables stored on Vercel were compromised. A threat actor associated with ShinyHunters posted on BreachForums claiming to have internal Vercel data. The incident demonstrates how AI tool adoption creates new attack surfaces that traditional security models do not cover.
6. Medtronic Data Breach — 9 Million Records
ShinyHunters | 9M records | Multiple lawsuits filed
ShinyHunters claimed access to terabytes of internal Medtronic data on April 18, with Medtronic confirming the breach on April 24. The group claims to have exfiltrated over 9 million records containing personal information. Multiple law firms have launched investigations, and Medtronic has not yet reported the breach to state attorney general offices.
7. Canvas/Instructure Breach — 275 Million Users
ShinyHunters again | 275M users | 9,000 schools affected | RESOLVED — Ransom paid
ShinyHunters struck again on May 3, claiming a massive breach of Instructure's Canvas learning management system. The numbers: 275 million individuals across 9,000 school districts, universities, and education platforms. Stolen data allegedly includes names, email addresses, student IDs, and billions of private messages exchanged between users.
Harvard's Canvas site went down. North Carolina schools lost access during end-of-year testing. This is the same group behind the Vercel and Medtronic incidents — a single threat actor responsible for multiple entries on this list.
Update (May 12): This incident has been resolved — see entry #11 below for the full ransom payment story.
8. ConnectWise ScreenConnect Path Traversal (CVE-2024-1708)
CVSS: 8.4 | CISA KEV listed | Ransomware campaigns
A path traversal vulnerability in ConnectWise ScreenConnect that allows unauthenticated attackers to traverse directories and execute payloads outside the web root. CISA added it to the KEV catalog on April 28 with a May 12 remediation deadline. This vulnerability has been linked to North Korea-affiliated campaigns and ransomware attacks by China-linked threat actors.
9. ADT Breached for the Third Time — 5.5 Million Accounts
5.5M accounts | Okta SSO misconfiguration | Third breach in pattern
ADT, the home security giant trusted by millions of households, has been breached for the third time. Attackers compromised 5.5 million customer accounts by exploiting an Okta SSO misconfiguration, then pivoted into ADT's Salesforce CRM to extract customer data at scale.
The attack vector is a textbook case of identity infrastructure failure: a misconfigured single sign-on provider became the skeleton key to the entire customer database. What makes this particularly damning is that this is ADT's third significant breach — establishing a pattern of systemic security failures rather than isolated incidents.
For hosting providers and their customers, ADT's story is a warning: enterprise security products and brand recognition do not equal actual security. Companies that get breached repeatedly have structural problems — inadequate access controls, poor configuration management, insufficient post-incident hardening — that no amount of marketing can fix. When evaluating any vendor's security claims, ask about their breach history. Repeat breaches reveal more about an organization's security culture than any certification or compliance badge.
10. Trellix Source Code Breached via Exposed GitLab
Full source code exfiltration | Security company breached | GitLab misconfiguration
In perhaps the most ironic entry on this list, Trellix — the security company formed from the merger of McAfee Enterprise and FireEye — had its full source code exfiltrated through an exposed GitLab instance.
Trellix sells endpoint detection, threat intelligence, and security operations platforms to enterprises worldwide. Their products are deployed to protect other companies from exactly the kind of breach they just suffered. An exposed, likely misconfigured GitLab instance gave attackers access to the proprietary source code that powers their security products.
The implications extend beyond embarrassment. With source code in hand, threat actors can identify vulnerabilities in Trellix products deployed across thousands of enterprise environments. Every organization running Trellix software now has a heightened risk profile — not because of anything they did wrong, but because their security vendor could not secure its own code repository.
This follows a pattern of security companies getting breached in recent years (SolarWinds, LastPass, Okta). The vendors organizations trust to defend their infrastructure are themselves becoming the attack surface.
11. Canvas Breach Resolution — Instructure Pays the Ransom
Ransom paid to ShinyHunters | 275M records at stake | Data allegedly destroyed
The Canvas/Instructure saga that started on May 2 has reached its conclusion — and it is a controversial one. Instructure, Canvas's parent company, confirmed that they paid ShinyHunters' ransom demand. In exchange, ShinyHunters claims the stolen data — 275 million records spanning 9,000 schools — has been "destroyed."
This is now the largest education data breach in history, resolved not through incident response, law enforcement, or technical recovery, but through a wire transfer to the attackers. Whether the data was actually destroyed is, of course, unprovable. ShinyHunters' claim rests entirely on trust — trust in a criminal organization that has breached at least three major platforms (Vercel, Medtronic, Canvas) in the span of three weeks.
The decision to pay is understandable but sets a dangerous precedent. Instructure was facing potential exposure of billions of private messages between students and teachers — data with real safeguarding implications. But every ransom payment funds the next attack. ShinyHunters now has confirmation that targeting education platforms yields payouts, making every other LMS and EdTech platform a more attractive target.
No public leak has occurred as of this writing. The FBI and CISA have consistently advised against paying ransoms, noting that payment does not guarantee data deletion and directly finances criminal operations.
The Pattern
Four patterns emerge from these twelve days:
- Control panels and identity infrastructure are the biggest risks. cPanel's authentication bypass gave attackers root access to every site on affected servers. ADT's Okta SSO misconfiguration unlocked their entire CRM. If your hosting provider uses a shared control panel or relies on misconfigurable SSO, that infrastructure is your largest attack surface.
- Supply chain attacks are accelerating. The Vercel breach started with an AI tool. The Canvas breach affected 9,000 schools through one platform. Trellix's source code exposure puts every customer running their products at risk. A single compromised dependency cascades to millions of users.
- ShinyHunters is on a historic spree. One threat group claimed four major actions in three weeks: Vercel, Medtronic, Canvas breach, and the Canvas ransom payment. They are targeting infrastructure and platform providers, maximizing blast radius per attack — and now they have confirmed that their targets will pay.
- Security companies are not immune. Trellix, the company formed from McAfee Enterprise and FireEye, could not secure its own GitLab. ADT, the company whose entire brand is security, has been breached three times. The organizations we trust to defend infrastructure are themselves becoming the weakest links.
What You Can Do
- Patch immediately. Every vulnerability on this list has patches or mitigations available. The cPanel and PAN-OS flaws were exploited within hours of disclosure.
- Audit your control panel exposure. If you use cPanel, WHM, Plesk, or any web-based hosting panel, verify it is patched and consider whether you need it exposed to the internet at all.
- Update Next.js. If you deploy Next.js applications, update to the latest patched version immediately. The middleware bypass and CSP nonce XSS are particularly dangerous for applications that rely on middleware for authentication.
- Review third-party AI tool access. The Vercel breach originated from an AI tool with OAuth access. Audit what third-party tools your team has connected to your infrastructure accounts.
- Audit your SSO and identity infrastructure. ADT was breached through an Okta misconfiguration. Review your SSO provider settings, enforce least-privilege access, and enable conditional access policies. Identity infrastructure misconfigurations are the new open ports.
- Assess your security vendor risk. If you run Trellix, SolarWinds, or any security product from a vendor that has been breached, evaluate whether their source code exposure creates downstream risk for your environment.
- Consider panel-free hosting. Platforms like DeployBase deploy applications via Git and CLI without exposing a web-based control panel. No panel means no panel-level attack surface — one less category of vulnerability to worry about.
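The audit steps above (patch level, control panel exposure, Next.js version line, PAN-OS portal) can be checked mechanically against an inventory you already keep. The script below is an added example, not code from this post or from any vendor it names; the host names, versions and the minimum fixed versions in it are constructed placeholders, because the post does not state fixed version numbers, so replace them with the values from each vendor's advisory before use.

```python
"""Asset-exposure audit for the remediation checklist above.

Added example, not code from the post or from any vendor named in it.
Input is an inventory you already keep: host, product, version, and whether
the service is reachable from the internet. Three of the checklist's rules
are applied:
  * a web control panel (cPanel/WHM/Plesk) reachable from the internet,
  * a product version below the vendor's minimum fixed version,
  * a Next.js app on an affected major line (13.x-16.x per the post), or a
    PAN-OS device, with no fixed version configured (i.e. no patch yet).
Fixed-version numbers are NOT in the post: the values below are constructed
placeholders; take the real numbers from each vendor's advisory.
"""
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class Asset:
    host: str
    product: str          # lower-case product name: "cpanel", "whm", "plesk", "nextjs", "pan-os"
    version: str          # version string as the vendor reports it
    internet_exposed: bool

@dataclass(frozen=True)
class Finding:
    host: str
    severity: str         # "critical" or "high"
    issue: str

CONTROL_PANELS = {"cpanel", "whm", "plesk"}
VULNERABLE_NEXTJS_MAJORS = range(13, 17)      # 13.x through 16.x, as stated in the post
SEVERITY_RANK = {"critical": 0, "high": 1}

def parse_version(text: str) -> tuple:
    """'15.2.1-canary.3' -> (15, 2, 1). Pre-release suffixes after '-' are ignored."""
    nums = re.findall(r"\d+", text.split("-", 1)[0])
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(n) for n in nums)

def is_patched(version: str, minimum_fixed: str) -> bool:
    """Numeric comparison, so '100.0.1' >= '99.9.9' (string comparison gets this wrong)."""
    return parse_version(version) >= parse_version(minimum_fixed)

def minimum_fixed_for(product: str, version: str, fixed_versions: dict):
    """Return the fixed version that applies to `version`, or None if none is configured.

    A str value is one threshold for every line of the product; a list value
    holds one threshold per major line (products that patch each line separately).
    """
    spec = fixed_versions.get(product)
    if spec is None:
        return None
    if isinstance(spec, str):
        return spec
    major = parse_version(version)[0]
    return next((c for c in spec if parse_version(c)[0] == major), None)

def audit(assets, fixed_versions: dict) -> list:
    """Apply the checklist rules to every asset; critical findings sort first."""
    findings = []
    for a in assets:
        if a.product in CONTROL_PANELS and a.internet_exposed:
            findings.append(Finding(a.host, "high",
                f"{a.product} reachable from the internet; restrict to admin networks or VPN"))
        fixed = minimum_fixed_for(a.product, a.version, fixed_versions)
        if fixed is not None:
            if not is_patched(a.version, fixed):
                findings.append(Finding(a.host, "critical",
                    f"{a.product} {a.version} is below minimum fixed version {fixed}"))
        elif a.product == "nextjs" and parse_version(a.version)[0] in VULNERABLE_NEXTJS_MAJORS:
            findings.append(Finding(a.host, "high",
                f"nextjs {a.version} is on an affected major line and no fixed version is configured"))
        elif a.product == "pan-os":
            findings.append(Finding(a.host, "high",
                f"pan-os {a.version} has no fixed version configured; disable the User-ID portal or accept the risk"))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.host))
    return findings

# Constructed sample data. All version numbers are placeholders, not advisory values.
SAMPLE_FIXED = {
    "cpanel": "100.0.0",                        # single threshold for all cPanel builds
    "nextjs": ["13.9.0", "14.9.0", "15.9.0"],   # per major line; no 16.x entry on purpose
}
SAMPLE_ASSETS = [
    Asset("web-01", "cpanel", "99.0.5", True),
    Asset("web-02", "cpanel", "100.0.1", False),
    Asset("app-01", "nextjs", "15.1.0", True),
    Asset("app-02", "nextjs", "16.0.2", True),
    Asset("app-03", "nextjs", "12.3.4", True),
    Asset("fw-01", "pan-os", "11.1.2", True),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ASSETS, SAMPLE_FIXED):
        print(f"[{f.severity.upper():8}] {f.host}: {f.issue}")
```

On the sample inventory this reports two critical findings (web-01 below the cPanel threshold, app-01 below the 15.x Next.js threshold) and three high ones (web-01's panel reachable from the internet, app-02 on 16.x with no fixed version configured, fw-01 with no PAN-OS patch configured); web-02 and app-03 produce nothing. Keeping the fixed-version map separate from the rules is deliberate: it is the part that changes every time a vendor ships, and the part you should source from advisories rather than from a blog post.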
May 2026 is not over. Eleven incidents in twelve days — including a ransom payment to a criminal group, a security company getting its own source code stolen, and a home security giant breached for the third time. The rest of the month will test every hosting provider's security posture. Stay patched, stay vigilant, and question every assumption about what is "secure" in your stack.