The first fifteen days of May 2026 have produced more critical security incidents affecting hosting and web infrastructure than most entire years. From zero-day exploits weaponized within hours to supply chain breaches compromising hundreds of millions of users — and now a ransomware attack stealing confidential files from Apple, Nvidia, and Google through a manufacturing partner, plus a critical remote code execution flaw in Nginx that has existed since 2008 — the pattern is unmistakable: the attack surface for web hosting is expanding faster than anyone can defend it.
Here are the thirteen incidents that defined what is now officially the worst stretch in hosting security history.
1. cPanel Authentication Bypass (CVE-2026-41940)
CVSS: 9.8 | Actively exploited | Ransomware deployed
The most impactful incident of the month. CVE-2026-41940 is a critical authentication bypass in cPanel — the control panel running on millions of shared hosting servers worldwide. Attackers exploited this zero-day as early as February 2026, two months before cPanel published a patch on April 28.
Within 24 hours of disclosure, exploitation went industrial. Over 44,000 IP addresses were targeted. By May 2, threat actors were deploying a Go-based Linux ransomware (appending the .sorry extension) against government agencies, military domains, and managed service providers across at least five countries including the Philippines and Laos.
This is the scenario every hosting provider fears: a control panel vulnerability that gives attackers root-level access to every site on the server. If you run cPanel, patch immediately. If you rely on a host that runs cPanel, ask them when they patched.
2. Palo Alto PAN-OS Root RCE (CVE-2026-0300)
CVSS: 9.3 | State-sponsored exploitation | CISA KEV listed
A buffer overflow in the User-ID Authentication Portal of Palo Alto firewalls allows unauthenticated attackers to execute arbitrary code with root privileges. Palo Alto believes these attacks are the work of state-sponsored threat actors, with exploitation attempts starting April 9 and successful RCE achieved a week later via shellcode injection.
CISA added this to the Known Exploited Vulnerabilities catalog on May 6, requiring federal agencies to apply mitigations by May 9 — a three-day window. Patches for some versions are not available until late May, leaving organizations in a difficult position: disable the portal or accept the risk.
3. Microsoft SharePoint Zero-Day (CVE-2026-32201)
CVSS: 6.5 | Zero-day exploited before patch | 1,300+ servers unpatched
A spoofing vulnerability in SharePoint Server that requires no authentication, no user interaction, and no special conditions to exploit. Microsoft confirmed it was exploited in the wild before patches were available. CISA added it to the KEV catalog with an April 28 remediation deadline.
Over 1,300 SharePoint servers remained exposed online after patches were released, with fewer than 200 patched in the initial window. This vulnerability affects SharePoint Enterprise Server 2016, 2019, and Subscription Edition.
4. Next.js Vulnerability Dump — 6+ CVEs in One Release
Multiple CVEs | XSS, middleware bypass, cache poisoning, SSRF, DoS
On May 6-7, Next.js and React Server Components received patches for six or more security vulnerabilities simultaneously:
- CVE-2026-44573 — Middleware authorization bypass via locale-less requests in Pages Router
- CVE-2026-44581 — Cross-site scripting through CSP nonces (the security mechanism itself becomes the attack vector)
- CVE-2026-23870 — Denial of service via crafted HTTP requests against React Server Components
- CVE-2026-44578 — SSRF through WebSocket upgrade request handling
- Cache poisoning in React Server Component responses (two separate advisories)
These flaws affect Next.js versions 13.x through 16.x using the App Router. Vercel has started blocking deployments of vulnerable versions by default — an aggressive but necessary move given the breadth of the attack surface.
5. Vercel Context AI Supply Chain Breach
Supply chain attack | ShinyHunters involvement | Customer credentials exposed
On April 19, Vercel disclosed a breach originating from Context.ai, a third-party AI tool used by a Vercel employee. The attack chain: Lumma Stealer malware compromised a Context.ai employee, which gave attackers access to a Vercel employee's Google Workspace, which led to their Vercel account.
Non-sensitive customer environment variables stored on Vercel were compromised. A threat actor associated with ShinyHunters posted on BreachForums claiming to have internal Vercel data. The incident demonstrates how AI tool adoption creates new attack surfaces that traditional security models do not cover.
6. Medtronic Data Breach — 9 Million Records
ShinyHunters | 9M records | Multiple lawsuits filed
ShinyHunters claimed access to terabytes of internal Medtronic data on April 18, with Medtronic confirming the breach on April 24. The group claims to have exfiltrated over 9 million records containing personal information. Multiple law firms have launched investigations, and Medtronic has not yet reported the breach to state attorney general offices.
7. Canvas/Instructure Breach — 275 Million Users
ShinyHunters again | 275M users | 9,000 schools affected | RESOLVED — Ransom paid
ShinyHunters struck again on May 3, claiming a massive breach of Instructure's Canvas learning management system. The numbers: 275 million individuals across 9,000 school districts, universities, and education platforms. Stolen data allegedly includes names, email addresses, student IDs, and billions of private messages exchanged between users.
Harvard's Canvas site went down. North Carolina schools lost access during end-of-year testing. This is the same group behind the Vercel and Medtronic incidents — a single threat actor responsible for multiple entries on this list.
Update (May 12): This incident has been resolved — see entry #11 below for the full ransom payment story.
8. ConnectWise ScreenConnect Path Traversal (CVE-2024-1708)
CVSS: 8.4 | CISA KEV listed | Ransomware campaigns
A path traversal vulnerability in ConnectWise ScreenConnect that allows unauthenticated attackers to traverse directories and execute payloads outside the web root. CISA added it to the KEV catalog on April 28 with a May 12 remediation deadline. This vulnerability has been linked to North Korea-affiliated campaigns and ransomware attacks by China-linked threat actors.
9. ADT Breached for the Third Time — 5.5 Million Accounts
5.5M accounts | Okta SSO misconfiguration | Third breach in pattern
ADT, the home security giant trusted by millions of households, has been breached for the third time. Attackers compromised 5.5 million customer accounts by exploiting an Okta SSO misconfiguration, then pivoted into ADT's Salesforce CRM to extract customer data at scale.
The attack vector is a textbook case of identity infrastructure failure: a misconfigured single sign-on provider became the skeleton key to the entire customer database. What makes this particularly damning is that this is ADT's third significant breach — establishing a pattern of systemic security failures rather than isolated incidents.
For hosting providers and their customers, ADT's story is a warning: enterprise security products and brand recognition do not equal actual security. Companies that get breached repeatedly have structural problems — inadequate access controls, poor configuration management, insufficient post-incident hardening — that no amount of marketing can fix. When evaluating any vendor's security claims, ask about their breach history. Repeat breaches reveal more about an organization's security culture than any certification or compliance badge.
10. Trellix Source Code Breached via Exposed GitLab
Full source code exfiltration | Security company breached | GitLab misconfiguration
In perhaps the most ironic entry on this list, Trellix — the security company formed from the merger of McAfee Enterprise and FireEye — had its full source code exfiltrated through an exposed GitLab instance.
Trellix sells endpoint detection, threat intelligence, and security operations platforms to enterprises worldwide. Their products are deployed to protect other companies from exactly the kind of breach they just suffered. An exposed, likely misconfigured GitLab instance gave attackers access to the proprietary source code that powers their security products.
The implications extend beyond embarrassment. With source code in hand, threat actors can identify vulnerabilities in Trellix products deployed across thousands of enterprise environments. Every organization running Trellix software now has a heightened risk profile — not because of anything they did wrong, but because their security vendor could not secure its own code repository.
This follows a pattern of security companies getting breached in recent years (SolarWinds, LastPass, Okta). The vendors organizations trust to defend their infrastructure are themselves becoming the attack surface.
11. Canvas Breach Resolution — Instructure Pays the Ransom
Ransom paid to ShinyHunters | 275M records at stake | Data allegedly destroyed
The Canvas/Instructure saga that started on May 2 has reached its conclusion — and it is a controversial one. Instructure, Canvas's parent company, confirmed that they paid ShinyHunters' ransom demand. In exchange, ShinyHunters claims the stolen data — 275 million records spanning 9,000 schools — has been "destroyed."
This is now the largest education data breach in history, resolved not through incident response, law enforcement, or technical recovery, but through a wire transfer to the attackers. Whether the data was actually destroyed is, of course, unprovable. ShinyHunters' claim rests entirely on trust — trust in a criminal organization that has breached at least three major platforms (Vercel, Medtronic, Canvas) in the span of three weeks.
The decision to pay is understandable but sets a dangerous precedent. Instructure was facing potential exposure of billions of private messages between students and teachers — data with real safeguarding implications. But every ransom payment funds the next attack. ShinyHunters now has confirmation that targeting education platforms yields payouts, making every other LMS and EdTech platform a more attractive target.
No public leak has occurred as of this writing. The FBI and CISA have consistently advised against paying ransoms, noting that payment does not guarantee data deletion and directly finances criminal operations.
12. Foxconn Ransomware — Nitrogen Gang Steals 8TB from Apple, Nvidia, Intel, Google
8TB exfiltrated | 11M+ files | Apple/Nvidia/Intel/Google data exposed | Supply chain breach
The Nitrogen ransomware group breached Foxconn's North American manufacturing operations on May 1, causing a full network collapse at the Mount Pleasant, Wisconsin campus. The scope of the theft is staggering: 8 terabytes of data comprising over 11 million files.
What makes this breach exceptional is not Foxconn itself — it is what Foxconn manufactures and for whom. The stolen files include confidential project documentation, technical drawings, and internal communications from Apple, Nvidia, Intel, Google, and Dell. Foxconn is the world's largest electronics manufacturer, assembling devices for nearly every major tech company. A breach of Foxconn is a breach of its entire client roster.
This is the most significant supply chain breach since SolarWinds. While SolarWinds compromised software update channels, Foxconn's breach exposes hardware-level intellectual property — product designs, manufacturing specifications, and engineering documents that competitors and nation-state actors would pay dearly to obtain. The stolen technical drawings alone could reveal unreleased product specifications across multiple companies.
Foxconn has confirmed the attack and says factories are resuming production, but the data exfiltration cannot be undone. For hosting and infrastructure providers, this incident underscores that supply chain risk extends far beyond software dependencies — it includes the physical hardware your servers run on, the manufacturers who build your networking equipment, and every vendor in between.
13. Nginx-Rift — Critical RCE in Nginx (CVE-2026-42945)
CVSS: Critical | Remote code execution | 18-year-old bug | ~30% of web servers affected
Security researchers at DepthFirst Disclosures published a proof-of-concept exploit for CVE-2026-42945, a critical remote code execution vulnerability in Nginx's rewrite module that has existed since 2008 — hiding in plain sight for nearly two decades.
The vulnerability is a heap buffer overflow triggered by a two-pass processing flaw: during the length-calculation phase, Nginx miscalculates the buffer size, but the copy phase expands data through URI escaping, causing an overflow with attacker-controlled data. The exploit uses heap manipulation across requests to corrupt memory structures and achieve arbitrary command execution — no authentication required.
Affected versions span nearly the entire Nginx ecosystem: Nginx Open Source 0.6.27 through 1.30.0 and Nginx Plus R32 through R36. Given that Nginx powers approximately 30% of all web servers worldwide, the blast radius of this vulnerability is enormous.
The critical caveat: the vulnerability only manifests on servers configured with rewrite and set directives in their Nginx configuration. Default installations without rewrite rules are not vulnerable. However, rewrite rules are extremely common in production configurations — URL normalization, HTTPS redirects, and reverse proxy setups frequently use them.
DepthFirst also discovered three additional memory corruption bugs in Nginx alongside this CVE. If you run Nginx in any production capacity, audit your configurations for rewrite rules and update immediately when patches are available.
The Pattern
Five patterns emerge from these fifteen days:
- Supply chain attacks are the defining threat of 2026. The Foxconn breach is the most significant supply chain incident since SolarWinds — but instead of software updates, attackers now have hardware-level intellectual property from Apple, Nvidia, Intel, and Google. The Vercel breach started with an AI tool. The Canvas breach affected 9,000 schools through one platform. Trellix's source code exposure puts every customer running their products at risk. A single compromised link in the supply chain cascades to millions of users.
- Ancient code hides critical vulnerabilities. The Nginx-Rift RCE existed for 18 years before discovery. cPanel's bypass was exploited for months before disclosure. The longer code runs without scrutiny, the more dangerous the eventual discovery becomes — especially when that code runs on 30% of all web servers.
- Control panels and identity infrastructure are the biggest risks. cPanel's authentication bypass gave attackers root access to every site on affected servers. ADT's Okta SSO misconfiguration unlocked their entire CRM. If your hosting provider uses a shared control panel or relies on misconfigurable SSO, that infrastructure is your largest attack surface.
- ShinyHunters is on a historic spree. One threat group claimed four major actions in three weeks: Vercel, Medtronic, Canvas breach, and the Canvas ransom payment. They are targeting infrastructure and platform providers, maximizing blast radius per attack — and now they have confirmed that their targets will pay.
- Security companies are not immune. Trellix, the company formed from McAfee Enterprise and FireEye, could not secure its own GitLab. ADT, the company whose entire brand is security, has been breached three times. The organizations we trust to defend infrastructure are themselves becoming the weakest links.
What You Can Do
- Patch immediately. Every vulnerability on this list has patches or mitigations available. The cPanel and PAN-OS flaws were exploited within hours of disclosure.
- Audit your Nginx configurations. If you run Nginx with rewrite and set directives, you are potentially vulnerable to CVE-2026-42945. Update to patched versions as soon as they are available, and consider WAF rules to mitigate in the interim.
- Audit your control panel exposure. If you use cPanel, WHM, Plesk, or any web-based hosting panel, verify it is patched and consider whether you need it exposed to the internet at all.
- Update Next.js. If you deploy Next.js applications, update to the latest patched version immediately. The middleware bypass and CSP nonce XSS are particularly dangerous for applications that rely on middleware for authentication.
- Review third-party AI tool access. The Vercel breach originated from an AI tool with OAuth access. Audit what third-party tools your team has connected to your infrastructure accounts.
- Audit your SSO and identity infrastructure. ADT was breached through an Okta misconfiguration. Review your SSO provider settings, enforce least-privilege access, and enable conditional access policies. Identity infrastructure misconfigurations are the new open ports.
- Assess your supply chain risk. The Foxconn breach proves that hardware supply chains are targets too. If your infrastructure depends on components from major manufacturers, understand that their security posture directly affects yours.
- Consider panel-free hosting. Platforms like DeployBase deploy applications via Git and CLI without exposing a web-based control panel. No panel means no panel-level attack surface — one less category of vulnerability to worry about.
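The Nginx-Rift entry (#13) and the "Audit your Nginx configurations" step above both come down to one question: does this host run an affected Nginx version with rewrite and set directives in its effective configuration? The script below is an added example written for this post, not code from the article, from DepthFirst, or from the Nginx project. It does not detect or test the vulnerability itself; it only classifies a host into the affected configuration class and version range so you know where to prioritise patching or WAF mitigation. The directive regexes, the version-range arithmetic and the sample configuration are all constructed for the example; `nginx -T` (full effective config dump) and `nginx -v` (version banner on stderr) are real Nginx flags.

```shell
#!/bin/sh
# Added example (not from the article or the Nginx project): audit helper for
# the configuration class CVE-2026-42945 is reported to require, i.e. Nginx
# configurations containing "rewrite" and "set" directives, plus a check of
# the installed version against the open-source range the advisory lists.
# All regexes, the version arithmetic and the sample config are constructed.

# Count rewrite and set directives in a config file (for a live host, feed it
# the output of `nginx -T`, which dumps the full effective configuration).
# Comments are stripped first, and a directive is only counted at statement
# start (line start, after ';' or after '{') so that look-alikes such as
# proxy_set_header and rewrite_log are ignored. Prints "<rewrites> <sets>".
count_rewrite_set() {
    conf="$1"
    rw=$(sed 's/#.*$//' "$conf" | grep -cE '(^|;|[{])[[:space:]]*rewrite[[:space:]]' || true)
    st=$(sed 's/#.*$//' "$conf" | grep -cE '(^|;|[{])[[:space:]]*set[[:space:]]+[$]' || true)
    echo "$rw $st"
}

# Human-readable verdict for the configuration class.
config_verdict() {
    counts=$(count_rewrite_set "$1")
    rw=${counts% *}
    st=${counts#* }
    if [ "$rw" -gt 0 ] || [ "$st" -gt 0 ]; then
        echo "REVIEW: $rw rewrite and $st set directive(s) found"
    else
        echo "OK: no rewrite or set directives found"
    fi
}

# Success (exit 0) when a version such as "1.24.0" lies in the open-source
# range the advisory lists, 0.6.27 through 1.30.0 inclusive. Nginx Plus
# releases (R32 through R36) use a different scheme and are not handled here.
version_affected() {
    echo "$1" | awk -F. '{
        v  = $1 * 1000000 + $2 * 1000 + $3
        lo = 0 * 1000000 + 6 * 1000 + 27
        hi = 1 * 1000000 + 30 * 1000 + 0
        exit !(v >= lo && v <= hi)
    }'
}

# Extract the version from the `nginx -v` banner, which is printed to stderr
# as "nginx version: nginx/1.24.0". Prints nothing when nginx is not installed.
installed_nginx_version() {
    command -v nginx >/dev/null 2>&1 || return 0
    nginx -v 2>&1 | sed -n 's#.*nginx/\([0-9][0-9.]*\).*#\1#p'
}

# Constructed sample configuration: one set directive, two rewrite directives
# (one on its own line, one inline after a brace) and two look-alike lines
# (rewrite_log, proxy_set_header) that must not be counted.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
server {
    listen 80;
    rewrite_log on;
    set $backend "app";                 # counted
    proxy_set_header Host $host;        # not a set directive
    location /old {
        rewrite ^/old/(.*)$ /new/$1 permanent;   # counted
    }
    location / { rewrite ^ /index.html last; }  # counted (inline)
}
EOF

echo "sample config: $(config_verdict "$SAMPLE_CONF")"
v=$(installed_nginx_version)
if [ -n "$v" ]; then
    if version_affected "$v"; then
        echo "installed nginx $v: inside the listed affected range"
    else
        echo "installed nginx $v: outside the listed affected range"
    fi
fi
```

On a real host, replace the sample file with `nginx -T > /tmp/effective.conf` and run `config_verdict /tmp/effective.conf`; this captures directives pulled in through `include`, which a grep over `/etc/nginx/nginx.conf` alone would miss. A REVIEW verdict means the host is in the configuration class the advisory describes and should be patched or fronted with WAF rules first, not that it has been exploited.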
May 2026 is not over. Thirteen incidents in fifteen days — including the largest supply chain hardware breach since SolarWinds, a critical RCE in the web server that powers a third of the internet, a ransom payment to a criminal group, and a security company getting its own source code stolen. The rest of the month will test every hosting provider's security posture. Stay patched, stay vigilant, and question every assumption about what is "secure" in your stack.