May 2026 has produced more critical security incidents affecting hosting and web infrastructure than most entire years. From zero-day exploits weaponized within hours, to three separate supply chain attacks across npm, VS Code, and Composer poisoning hundreds of millions of packages, to a ransomware attack stealing 8TB from Apple and Nvidia through a manufacturing partner — the pattern is unmistakable: the hosting industry's attack surface is expanding faster than its defenses.
Here are the thirteen incidents that defined what is now officially the worst stretch in hosting security history.
1. cPanel Authentication Bypass (CVE-2026-41940)
CVSS: 9.8 | Actively exploited | Ransomware deployed
The most impactful incident of the month. CVE-2026-41940 is a critical authentication bypass in cPanel — the control panel running on millions of shared hosting servers worldwide. Attackers exploited this zero-day as early as February 2026, two months before cPanel published a patch on April 28.
Within 24 hours of disclosure, exploitation went industrial. Over 44,000 IP addresses were targeted. By May 2, threat actors were deploying a Go-based Linux ransomware (appending the .sorry extension) against government agencies, military domains, and managed service providers across at least five countries including the Philippines and Laos.
This is the scenario every hosting provider fears: a control panel vulnerability that gives attackers root-level access to every site on the server. If you run cPanel, patch immediately. If you rely on a host that runs cPanel, ask them when they patched.
2. Palo Alto PAN-OS Root RCE (CVE-2026-0300)
CVSS: 9.3 | State-sponsored exploitation | CISA KEV listed
A buffer overflow in the User-ID Authentication Portal of Palo Alto firewalls allows unauthenticated attackers to execute arbitrary code with root privileges. Palo Alto believes these attacks are the work of state-sponsored threat actors, with exploitation attempts starting April 9 and successful RCE achieved a week later via shellcode injection.
CISA added this to the Known Exploited Vulnerabilities catalog on May 6, requiring federal agencies to apply mitigations by May 9 — a three-day window. Patches for some versions are not available until late May, leaving organizations in a difficult position: disable the portal or accept the risk.
3. Microsoft SharePoint Zero-Day (CVE-2026-32201)
CVSS: 6.5 | Zero-day exploited before patch | 1,300+ servers unpatched
A spoofing vulnerability in SharePoint Server that requires no authentication, no user interaction, and no special conditions to exploit. Microsoft confirmed it was exploited in the wild before patches were available. CISA added it to the KEV catalog with an April 28 remediation deadline.
Over 1,300 SharePoint servers remained exposed online after patches were released, with fewer than 200 patched in the initial window. This vulnerability affects SharePoint Enterprise Server 2016, 2019, and Subscription Edition.
4. Next.js Vulnerability Dump — 6+ CVEs in One Release
Multiple CVEs | XSS, middleware bypass, cache poisoning, SSRF, DoS
On May 6-7, Next.js and React Server Components received patches for six or more security vulnerabilities simultaneously:
- CVE-2026-44573 — Middleware authorization bypass via locale-less requests in Pages Router
- CVE-2026-44581 — Cross-site scripting through CSP nonces (the security mechanism itself becomes the attack vector)
- CVE-2026-23870 — Denial of service via crafted HTTP requests against React Server Components
- CVE-2026-44578 — SSRF through WebSocket upgrade request handling
- Cache poisoning in React Server Component responses (two separate advisories)
These flaws affect Next.js versions 13.x through 16.x using the App Router. Vercel has started blocking deployments of vulnerable versions by default — an aggressive but necessary move given the breadth of the attack surface.
5. Vercel Context AI Supply Chain Breach
Supply chain attack | ShinyHunters involvement | Customer credentials exposed
On April 19, Vercel disclosed a breach originating from Context.ai, a third-party AI tool used by a Vercel employee. The attack chain: Lumma Stealer malware compromised a Context.ai employee, which gave attackers access to a Vercel employee's Google Workspace, which led to their Vercel account.
Non-sensitive customer environment variables stored on Vercel were compromised. A threat actor associated with ShinyHunters posted on BreachForums claiming to have internal Vercel data. The incident demonstrates how AI tool adoption creates new attack surfaces that traditional security models do not cover.
6. Medtronic Data Breach — 9 Million Records
ShinyHunters | 9M records | Multiple lawsuits filed
ShinyHunters claimed access to terabytes of internal Medtronic data on April 18, with Medtronic confirming the breach on April 24. The group claims to have exfiltrated over 9 million records containing personal information. Multiple law firms have launched investigations, and Medtronic has not yet reported the breach to state attorney general offices.
7. Canvas/Instructure Breach — 275 Million Users
ShinyHunters again | 275M users | 9,000 schools affected | RESOLVED — Ransom paid
ShinyHunters struck again on May 3, claiming a massive breach of Instructure's Canvas learning management system. The numbers: 275 million individuals across 9,000 school districts, universities, and education platforms. Stolen data allegedly includes names, email addresses, student IDs, and billions of private messages exchanged between users.
Harvard's Canvas site went down. North Carolina schools lost access during end-of-year testing. This is the same group behind the Vercel and Medtronic incidents — a single threat actor responsible for multiple entries on this list.
Update (May 12): This incident has been resolved — see entry #11 below for the full ransom payment story.
8. ConnectWise ScreenConnect Path Traversal (CVE-2024-1708)
CVSS: 8.4 | CISA KEV listed | Ransomware campaigns
A path traversal vulnerability in ConnectWise ScreenConnect that allows unauthenticated attackers to traverse directories and execute payloads outside the web root. CISA added it to the KEV catalog on April 28 with a May 12 remediation deadline. This vulnerability has been linked to North Korea-affiliated campaigns and ransomware attacks by China-linked threat actors.
9. ADT Breached for the Third Time — 5.5 Million Accounts
5.5M accounts | Okta SSO misconfiguration | Third breach in pattern
ADT, the home security giant trusted by millions of households, has been breached for the third time. Attackers compromised 5.5 million customer accounts by exploiting an Okta SSO misconfiguration, then pivoted into ADT's Salesforce CRM to extract customer data at scale.
The attack vector is a textbook case of identity infrastructure failure: a misconfigured single sign-on provider became the skeleton key to the entire customer database. What makes this particularly damning is that this is ADT's third significant breach — establishing a pattern of systemic security failures rather than isolated incidents.
For hosting providers and their customers, ADT's story is a warning: enterprise security products and brand recognition do not equal actual security. Companies that get breached repeatedly have structural problems — inadequate access controls, poor configuration management, insufficient post-incident hardening — that no amount of marketing can fix. When evaluating any vendor's security claims, ask about their breach history. Repeat breaches reveal more about an organization's security culture than any certification or compliance badge.
10. Trellix Source Code Breached via Exposed GitLab
Full source code exfiltration | Security company breached | GitLab misconfiguration
In perhaps the most ironic entry on this list, Trellix — the security company formed from the merger of McAfee Enterprise and FireEye — had its full source code exfiltrated through an exposed GitLab instance.
Trellix sells endpoint detection, threat intelligence, and security operations platforms to enterprises worldwide. Their products are deployed to protect other companies from exactly the kind of breach they just suffered. An exposed, likely misconfigured GitLab instance gave attackers access to the proprietary source code that powers their security products.
The implications extend beyond embarrassment. With source code in hand, threat actors can identify vulnerabilities in Trellix products deployed across thousands of enterprise environments. Every organization running Trellix software now has a heightened risk profile — not because of anything they did wrong, but because their security vendor could not secure its own code repository.
This follows a pattern of security companies getting breached in recent years (SolarWinds, LastPass, Okta). The vendors organizations trust to defend their infrastructure are themselves becoming the attack surface.
11. Canvas Breach Resolution — Instructure Pays the Ransom
Ransom paid to ShinyHunters | 275M records at stake | Data allegedly destroyed
The Canvas/Instructure saga that started on May 2 has reached its conclusion — and it is a controversial one. Instructure, Canvas's parent company, confirmed that they paid ShinyHunters' ransom demand. In exchange, ShinyHunters claims the stolen data — 275 million records spanning 9,000 schools — has been "destroyed."
This is now the largest education data breach in history, resolved not through incident response, law enforcement, or technical recovery, but through a wire transfer to the attackers. Whether the data was actually destroyed is, of course, unprovable. ShinyHunters' claim rests entirely on trust — trust in a criminal organization that has breached at least three major platforms (Vercel, Medtronic, Canvas) in the span of three weeks.
The decision to pay is understandable but sets a dangerous precedent. Instructure was facing potential exposure of billions of private messages between students and teachers — data with real safeguarding implications. But every ransom payment funds the next attack. ShinyHunters now has confirmation that targeting education platforms yields payouts, making every other LMS and EdTech platform a more attractive target.
No public leak has occurred as of this writing. The FBI and CISA have consistently advised against paying ransoms, noting that payment does not guarantee data deletion and directly finances criminal operations.
12. Foxconn Ransomware — Nitrogen Gang Steals 8TB from Apple, Nvidia, Intel, Google
8TB exfiltrated | 11M+ files | Apple/Nvidia/Intel/Google data exposed | Supply chain breach
The Nitrogen ransomware group breached Foxconn's North American manufacturing operations on May 1, causing a full network collapse at the Mount Pleasant, Wisconsin campus. The scope of the theft is staggering: 8 terabytes of data comprising over 11 million files.
What makes this breach exceptional is not Foxconn itself — it is what Foxconn manufactures and for whom. The stolen files include confidential project documentation, technical drawings, and internal communications from Apple, Nvidia, Intel, Google, and Dell. Foxconn is the world's largest electronics manufacturer, assembling devices for nearly every major tech company. A breach of Foxconn is a breach of its entire client roster.
This is the most significant supply chain breach since SolarWinds. While SolarWinds compromised software update channels, Foxconn's breach exposes hardware-level intellectual property — product designs, manufacturing specifications, and engineering documents that competitors and nation-state actors would pay dearly to obtain. The stolen technical drawings alone could reveal unreleased product specifications across multiple companies.
Foxconn has confirmed the attack and says factories are resuming production, but the data exfiltration cannot be undone. For hosting and infrastructure providers, this incident underscores that supply chain risk extends far beyond software dependencies — it includes the physical hardware your servers run on, the manufacturers who build your networking equipment, and every vendor in between.
13. Nginx-Rift — Critical RCE in Nginx (CVE-2026-42945)
CVSS: Critical | Remote code execution | 18-year-old bug | ~30% of web servers affected
Security researchers at DepthFirst Disclosures published a proof-of-concept exploit for CVE-2026-42945, a critical remote code execution vulnerability in Nginx's rewrite module that has existed since 2008 — hiding in plain sight for nearly two decades.
The vulnerability is a heap buffer overflow triggered by a two-pass processing flaw: during the length-calculation phase, Nginx miscalculates the buffer size, but the copy phase expands data through URI escaping, causing an overflow with attacker-controlled data. The exploit uses heap manipulation across requests to corrupt memory structures and achieve arbitrary command execution — no authentication required.
Affected versions span nearly the entire Nginx ecosystem: Nginx Open Source 0.6.27 through 1.30.0 and Nginx Plus R32 through R36. Given that Nginx powers approximately 30% of all web servers worldwide, the blast radius of this vulnerability is enormous.
The critical caveat: the vulnerability only manifests on servers configured with rewrite and set directives in their Nginx configuration. Default installations without rewrite rules are not vulnerable. However, rewrite rules are extremely common in production configurations — URL normalization, HTTPS redirects, and reverse proxy setups frequently use them.
DepthFirst also discovered three additional memory corruption bugs in Nginx alongside this CVE. If you run Nginx in any production capacity, audit your configurations for rewrite rules and update immediately when patches are available.
14. Microsoft Exchange OWA XSS (CVE-2026-42897)
When: May 14, 2026
Severity: CVSS 8.1 — Actively exploited
Microsoft disclosed CVE-2026-42897, a cross-site scripting vulnerability in Exchange Server's Outlook Web Access that allows arbitrary JavaScript execution via specially crafted emails. The vulnerability affects on-premises Exchange Server 2016, 2019, and Subscription Edition — Exchange Online is not impacted.
The attack is elegant in its simplicity: send a crafted email, and when the target opens it in OWA, JavaScript executes in their browser context with full access to their email session. CISA added it to the Known Exploited Vulnerabilities catalog on May 15 with a remediation deadline of May 29, confirming active exploitation in the wild.
Why it matters for hosting: On-premises Exchange deployments remain a soft target. Organizations that haven't migrated to Exchange Online or cloud email continue to face zero-day exploitation windows, and this vulnerability requires no user interaction beyond opening an email — the most basic action in any workflow.
15. Drupal Core SQL Injection (CVE-2026-9082)
When: May 20, 2026
Severity: Highly Critical — CISA KEV listed May 22
A critical SQL injection vulnerability in Drupal Core's database abstraction API allows attackers to execute arbitrary SQL statements on PostgreSQL-backed sites via specially crafted HTTP requests. The vulnerability resides in how the PostgreSQL database driver handles array structures passed from HTTP requests, allowing attackers to control array keys and inject SQL.
Successful exploitation enables data extraction, record modification, privilege escalation to administrator level, and in some configurations, full remote code execution. Since disclosure, security researchers observed over 15,000 attack attempts targeting nearly 6,000 individual sites across 65 countries, primarily hitting gaming and financial services sites. All Drupal versions from 8.9.0 through 11.3.9 are affected.
Why it matters for hosting: Drupal powers an estimated 1.3 million websites globally. Any shared hosting or managed hosting provider with Drupal sites on PostgreSQL backends faces exposure. The attack requires no authentication — just a crafted HTTP request — making it trivially exploitable at scale.
16. Laravel-Lang Supply Chain Attack — 700+ PHP Package Versions Backdoored
When: May 22-23, 2026
Severity: Critical — Credential stealer targeting hosting platforms
Over 700 versions across four popular Laravel localization packages (laravel-lang/lang, laravel-lang/attributes, laravel-lang/http-statuses, laravel-lang/actions) were compromised with a 5,900-line cross-platform credential stealer. The laravel-lang/lang package alone has 7,800 GitHub stars.
The attack exploited GitHub's tag-from-fork feature — a mechanism that allows version tags to point to commits from a fork of the same repository. The attacker created tags pointing to commits in a malicious fork they controlled. No malicious code was ever committed to the official repositories, making this invisible to standard code review.
The credential stealer is the most comprehensive yet seen in a supply chain attack, targeting:
- Hosting platforms: DigitalOcean, Heroku, Vercel, Netlify, Railway, Fly.io
- Cloud providers: AWS, GCP, Azure credentials and configurations
- Infrastructure: Kubernetes profiles, Docker auth tokens, HashiCorp Vault secrets
- Developer tools: SSH private keys, Git credentials, shell history, .env files, CI/CD tokens
- Password managers: 1Password, Bitwarden, LastPass databases
- Crypto wallets: Ledger, Trezor, MetaMask keystores
Stolen data was AES-256 encrypted and exfiltrated to flipboxstudio.info. Packagist responded by taking down the malicious versions and temporarily unlisting the packages.
Why it matters for hosting: This is the third major supply chain attack in May 2026 — after TanStack/npm and the Nx Console/VS Code extension cascade. The credential stealer's target list reads like a directory of hosting competitors. Every major hosting platform's API tokens are explicitly targeted, meaning any developer who installed the compromised packages may have had their hosting credentials stolen. The PHP/Composer ecosystem is now confirmed as a supply chain target alongside npm and PyPI.
17. LiteSpeed cPanel Plugin Root Privilege Escalation (CVE-2026-48172)
When: May 19, 2026 (actively exploited as zero-day before discovery)
Severity: CVSS 10.0 — Maximum severity, actively exploited
CVE-2026-48172 is the highest-rated vulnerability of the entire month — a perfect CVSS 10.0. A critical flaw in the LiteSpeed User-End cPanel Plugin (versions 2.3 through 2.4.4) allows any cPanel user to execute arbitrary scripts with root-level permissions via the lsws.redisAble function.
The vulnerability was discovered by security researcher David Strydom and was confirmed by LiteSpeed to be actively exploited in the wild before its discovery — making it a true zero-day. The attack requires only a valid cPanel account (or a compromised one), meaning any shared hosting user on an affected server could escalate to full root access.
LiteSpeed patched the issue in plugin version 2.4.5, with additional hardening in version 2.4.7 bundled with WHM Plugin 5.3.1.0. Administrators can detect exploitation attempts by checking logs:
grep -rE "cpanelplugin_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/
Why it matters for hosting: This is the second critical cPanel vulnerability in May 2026 — following the authentication bypass earlier in the month. cPanel manages millions of hosting accounts worldwide. A CVSS 10.0 that gives any user root access is an existential threat to the shared hosting model. Any hosting provider running LiteSpeed with cPanel must patch immediately or face complete server compromise from any tenant account.
18. Ghost CMS Mass Compromise via SQL Injection (CVE-2026-26980)
When: May 7, 2026 (mass exploitation discovered)
Severity: CVSS 9.4 — 700+ domains compromised
CVE-2026-26980 is an unauthenticated SQL injection in Ghost CMSâs Content API that allows attackers to read arbitrary data from the database without any authentication. Affected versions span Ghost v3.24.0 through v6.19.0 â covering years of releases.
Attackers exploited the vulnerability to extract Admin API keys, admin credentials (bcrypt hashes), session secrets, and site configuration data. With the Admin API keys in hand, they used Ghostâs own Admin API to bulk-inject malicious JavaScript loaders into published articles. The injected scripts used the Adspect cloaking service to evade security scanners and supported 19 different commands for remote control.
Visitors to compromised sites were served fake CAPTCHA pages (ClickFix attacks) that tricked them into executing Base64-encoded commands via the Windows Run dialog, distributing malware including trojanized PuTTY clients and Electron applications. Over 700 domains were compromised, including Harvard University, Oxford University, Auburn University, and DuckDuckGo. At least two distinct threat actor clusters were identified operating the campaign.
Why it matters for hosting: Ghost CMS is a popular self-hosted blogging platform running on Node.js. The attack demonstrates how a single unauthenticated API vulnerability can cascade into mass website defacement and malware distribution. For hosting providers, this is another CMS platform â alongside Drupal and WordPress â that requires proactive patching and monitoring. The 700+ domain compromise shows the scale that automated exploitation achieves when hosting providers and site owners delay updates.
The Pattern
Eighteen incidents. Six patterns:
- Supply chains are the primary attack surface. Three separate supply chain attacks in one month (TanStack/npm, Nx Console/VS Code, Laravel-Lang/Composer) across three different ecosystems. The Laravel-Lang attack introduced a new technique — tag-from-fork — that leaves zero trace in official repositories. Attackers are systematically working through every package manager.
- Ancient code hides critical vulnerabilities. The Nginx-Rift CVE existed for 18 years. Drupal's SQL injection affects every version back to 8.9.0. Exchange's XSS targets on-premises infrastructure that organizations have been running for a decade. Legacy systems are not just technical debt — they are ticking time bombs.
- AI compresses exploitation timelines. The gap between disclosure and exploitation has shrunk from months to hours. Every vulnerability on this list was actively exploited within days of disclosure — some within hours.
- Identity infrastructure is the new perimeter. Multiple breaches originated from SSO misconfigurations, stolen OAuth tokens, and compromised developer credentials. The hosting credential stealer in the Laravel-Lang attack targets every major platform's API tokens.
- Hosting panels and web-based management interfaces are the weakest links. Two cPanel critical CVEs (authentication bypass AND a CVSS 10.0 root privilege escalation), Exchange's OWA XSS, and Drupal's SQL injection all target web-accessible management interfaces. The attack surface of "managing your infrastructure" is now larger than the infrastructure itself.
- CMS platforms are being mass-compromised at scale. Ghost CMS (700+ domains including Harvard and Oxford), Drupal (15,000+ attacks on 6,000 sites), and two cPanel critical CVEs â three different web platforms suffered mass exploitation in a single month. The common thread: unauthenticated vulnerabilities in web-facing APIs that require zero user interaction to exploit.
What You Can Do
- Update Ghost CMS immediately. If you run Ghost, upgrade to version 6.19.1 or higher. Rotate your Admin API keys, reset all admin passwords, and audit your published articles for injected JavaScript. Check for ClickFix/FakeCaptcha script injections at the bottom of your posts.
- Patch LiteSpeed cPanel Plugin immediately. If you run LiteSpeed Web Server with cPanel, update the user-end plugin to version 2.4.5 or higher (ideally 2.4.7 with WHM Plugin 5.3.1.0). Check for exploitation:
grep -rE "cpanelplugin_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/. If unpatched, consider removing the plugin entirely with/usr/local/lsws/admin/misc/lscmctl cpanelplugin --uninstall. - Lock your Composer dependencies. If you use PHP/Composer, verify your
composer.lockfile hasn't changed unexpectedly. Runcomposer auditto check for known vulnerabilities. If you used any laravel-lang packages between May 22-23, rotate ALL credentials immediately — especially hosting platform API tokens, cloud credentials, and SSH keys. - Patch Drupal immediately. If you run Drupal on PostgreSQL, update to the latest patched version (10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, or 11.3.10). Over 15,000 attacks have been observed since disclosure.
- Patch Exchange Server. Apply the May 2026 security update for CVE-2026-42897. If you run Exchange EM Service, the mitigation is applied automatically. Otherwise, use the Exchange On-Premises Mitigation Tool (EOMT).
- Patch immediately. Every vulnerability on this list has patches or mitigations available. The cPanel and PAN-OS flaws were exploited within hours of disclosure.
- Audit your Nginx configurations. If you run Nginx with
rewriteandsetdirectives, you are potentially vulnerable to CVE-2026-42945. Update to patched versions as soon as they are available, and consider WAF rules to mitigate in the interim. - Audit your control panel exposure. If you use cPanel, WHM, Plesk, or any web-based hosting panel, verify it is patched and consider whether you need it exposed to the internet at all.
- Update Next.js. If you deploy Next.js applications, update to the latest patched version immediately. The middleware bypass and CSP nonce XSS are particularly dangerous for applications that rely on middleware for authentication.
- Review third-party AI tool access. The Vercel breach originated from an AI tool with OAuth access. Audit what third-party tools your team has connected to your infrastructure accounts.
- Audit your SSO and identity infrastructure. ADT was breached through an Okta misconfiguration. Review your SSO provider settings, enforce least-privilege access, and enable conditional access policies. Identity infrastructure misconfigurations are the new open ports.
- Assess your supply chain risk. The Foxconn breach proves that hardware supply chains are targets too. If your infrastructure depends on components from major manufacturers, understand that their security posture directly affects yours.
- Consider panel-free hosting. Platforms like DeployBase deploy applications via Git and CLI without exposing a web-based control panel. No panel means no panel-level attack surface — one less category of vulnerability to worry about.
May 2026 is not over. Eighteen incidents across the full month — including three separate supply chain attacks across npm, Composer, and VS Code extensions, a critical RCE in the web server that powers a third of the internet, SQL injection in Drupal hitting 6,000 sites, and a credential stealer specifically targeting every major hosting platform. The rest of the month will test every hosting provider's security posture. Stay patched, stay vigilant, and question every assumption about what is "secure" in your stack.



