The first ten days of May 2026 have produced more critical security incidents affecting hosting and web infrastructure than most full years see. From zero-day exploits weaponized within hours to supply chain breaches compromising hundreds of millions of users, the pattern is clear: the attack surface for web hosting is expanding faster than most organizations can defend it.
Here are the eight incidents that defined what may be the worst ten-day stretch in hosting security history.
1. cPanel Authentication Bypass (CVE-2026-41940)
CVSS: 9.8 | Actively exploited | Ransomware deployed
The most impactful incident of the month. CVE-2026-41940 is a critical authentication bypass in cPanel — the control panel running on millions of shared hosting servers worldwide. Attackers exploited this zero-day as early as February 2026, two months before cPanel published a patch on April 28.
Within 24 hours of disclosure, exploitation went industrial. Over 44,000 IP addresses were targeted. By May 2, threat actors were deploying a Go-based Linux ransomware (appending the .sorry extension) against government agencies, military domains, and managed service providers across at least five countries including the Philippines and Laos.
This is the scenario every hosting provider fears: a control panel vulnerability that gives attackers root-level access to every site on the server. If you run cPanel, patch immediately. If you rely on a host that runs cPanel, ask them when they patched.
2. Palo Alto PAN-OS Root RCE (CVE-2026-0300)
CVSS: 9.3 | State-sponsored exploitation | CISA KEV listed
A buffer overflow in the User-ID Authentication Portal of Palo Alto firewalls allows unauthenticated attackers to execute arbitrary code with root privileges. Palo Alto believes these attacks are the work of state-sponsored threat actors, with exploitation attempts starting April 9 and successful RCE achieved a week later via shellcode injection.
CISA added this to the Known Exploited Vulnerabilities catalog on May 6, requiring federal agencies to apply mitigations by May 9 — a three-day window. Patches for some versions are not available until late May, leaving organizations in a difficult position: disable the portal or accept the risk.
3. Microsoft SharePoint Zero-Day (CVE-2026-32201)
CVSS: 6.5 | Zero-day exploited before patch | 1,300+ servers unpatched
CVE-2026-32201 is a spoofing vulnerability in SharePoint Server that requires no authentication, no user interaction, and no special conditions to exploit. Microsoft confirmed it was exploited in the wild before patches were available. CISA added it to the KEV catalog with an April 28 remediation deadline.
Over 1,300 SharePoint servers remained exposed online after patches were released, with fewer than 200 patched in the initial window. This vulnerability affects SharePoint Enterprise Server 2016, 2019, and Subscription Edition.
4. Next.js Vulnerability Dump — 6+ CVEs in One Release
Multiple CVEs | XSS, middleware bypass, cache poisoning, SSRF, DoS
On May 6-7, Next.js and React Server Components received patches for six or more security vulnerabilities simultaneously:
- CVE-2026-44573 — Middleware authorization bypass via locale-less requests in Pages Router
- CVE-2026-44581 — Cross-site scripting through CSP nonces (the security mechanism itself becomes the attack vector)
- CVE-2026-23870 — Denial of service via crafted HTTP requests against React Server Components
- CVE-2026-44578 — SSRF through WebSocket upgrade request handling
- Cache poisoning in React Server Component responses (two separate advisories)
These flaws affect Next.js versions 13.x through 16.x using the App Router. Vercel has started blocking deployments of vulnerable versions by default — an aggressive but necessary move given the breadth of the attack surface.
5. Vercel Context AI Supply Chain Breach
Supply chain attack | ShinyHunters involvement | Customer credentials exposed
On April 19, Vercel disclosed a breach originating from Context.ai, a third-party AI tool used by a Vercel employee. The attack chain: Lumma Stealer malware compromised a Context.ai employee, which gave attackers access to a Vercel employee’s Google Workspace, which led to their Vercel account.
Non-sensitive customer environment variables stored on Vercel were compromised. A threat actor associated with ShinyHunters posted on BreachForums claiming to have internal Vercel data. The incident demonstrates how AI tool adoption creates new attack surfaces that traditional security models do not cover.
6. Medtronic Data Breach — 9 Million Records
ShinyHunters | 9M records | Multiple lawsuits filed
ShinyHunters claimed access to terabytes of internal Medtronic data on April 18, with Medtronic confirming the breach on April 24. The group claims to have exfiltrated over 9 million records containing personal information. Multiple law firms have launched investigations, and Medtronic has not yet reported the breach to state attorney general offices.
7. Canvas/Instructure Breach — 275 Million Users
ShinyHunters again | 275M users | 9,000 schools affected
ShinyHunters struck again on May 3, claiming a massive breach of Instructure’s Canvas learning management system. The numbers: 275 million individuals across 9,000 school districts, universities, and education platforms. Stolen data allegedly includes names, email addresses, student IDs, and billions of private messages exchanged between users.
Harvard’s Canvas site went down. North Carolina schools lost access during end-of-year testing. This is the same group behind the Vercel and Medtronic incidents — a single threat actor responsible for three of the eight incidents on this list.
8. ConnectWise ScreenConnect Path Traversal (CVE-2024-1708)
CVSS: 8.4 | CISA KEV listed | Ransomware campaigns
CVE-2024-1708 is a path traversal vulnerability in ConnectWise ScreenConnect that allows unauthenticated attackers to traverse directories and execute payloads outside the web root. CISA added it to the KEV catalog on April 28 with a May 12 remediation deadline. This vulnerability has been linked to North Korea-affiliated campaigns and ransomware attacks by China-linked threat actors.
The Pattern
Three patterns emerge from these ten days:
- Control panels are the biggest risk. cPanel’s authentication bypass gave attackers root access to every site on affected servers. If your hosting provider uses a shared control panel as its primary management interface, that control panel is your largest attack surface.
- Supply chain attacks are accelerating. The Vercel breach started with an AI tool. The Canvas breach affected 9,000 schools through one platform. A single compromised dependency can cascade to millions of users.
- ShinyHunters is on a spree. One threat group claimed three major breaches in three weeks: Vercel, Medtronic, and Canvas/Instructure. They are targeting infrastructure and platform providers, not individual companies — maximizing blast radius per attack.
What You Can Do
- Patch immediately. Every vulnerability on this list has patches or mitigations available. The cPanel and PAN-OS flaws were exploited within hours of disclosure.
- Audit your control panel exposure. If you use cPanel, WHM, Plesk, or any web-based hosting panel, verify it is patched and consider whether you need it exposed to the internet at all.
- Update Next.js. If you deploy Next.js applications, update to the latest patched version immediately. The middleware bypass and CSP nonce XSS are particularly dangerous for applications that rely on middleware for authentication.
- Review third-party AI tool access. The Vercel breach originated from an AI tool with OAuth access. Audit what third-party tools your team has connected to your infrastructure accounts.
- Consider panel-free hosting. Platforms like DeployBase deploy applications via Git and CLI without exposing a web-based control panel. No panel means no panel-level attack surface — one less category of vulnerability to worry about.
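An added example, not from the original article: one way to run the control panel exposure audit recommended above against servers you operate. The port numbers are the panels' well-known defaults (an assumption, since the article lists none), and the inventory in the `__main__` block is a constructed placeholder.

```python
import socket

# Well-known default listener ports for common hosting panels. A host may
# have moved them, so a clean result is a hint, not proof of non-exposure.
PANEL_PORTS = {
    2082: "cPanel (HTTP)",
    2083: "cPanel (HTTPS)",
    2086: "WHM (HTTP)",
    2087: "WHM (HTTPS)",
    2095: "cPanel Webmail (HTTP)",
    2096: "cPanel Webmail (HTTPS)",
    8443: "Plesk (HTTPS)",
    8880: "Plesk (HTTP)",
}


def is_reachable(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unroutable, or DNS failure
        return False


def audit_panel_exposure(hosts, ports=PANEL_PORTS, timeout=2.0):
    """Map each host to the panel listeners reachable from this vantage point."""
    findings = {}
    for host in hosts:
        open_ports = [(port, name) for port, name in sorted(ports.items())
                      if is_reachable(host, port, timeout)]
        if open_ports:
            findings[host] = open_ports
    return findings


if __name__ == "__main__":
    # Constructed inventory: replace with servers you operate, and run this
    # from outside your network so the result reflects internet exposure.
    inventory = ["127.0.0.1"]
    for host, hits in audit_panel_exposure(inventory, timeout=0.5).items():
        for port, name in hits:
            print(f"{host}:{port} reachable -> {name}; restrict to VPN or allowlist")
```

Any host that appears in the result has a panel login reachable from where the script ran; the usual fix is a firewall rule limiting those ports to a VPN or a fixed set of admin addresses.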
May 2026 is not over. If the first ten days are any indication, the rest of the month will test every hosting provider’s security posture. Stay patched, stay vigilant, and question every assumption about what is secure in your stack.


