Nogosee Intelligence - Page 6 of 9 - See the no-go signals before they become incidents.

AI Security, Cloud Security, Incidents & Breaches, Vulnerability Intelligence

Microsoft May 2026 Patch Tuesday: 137 Microsoft CVEs disclosed; 13 flagged as likely exploitation targets

May 13, 2026

Microsoft’s May 12, 2026 Patch Tuesday release disclosed 137 CVEs across Microsoft products (down from 165 the prior month, per iThome). Including third‑party component fixes Microsoft shipped, the total reaches 265 vulnerabilities. iThome highlights 13 vulnerabilities Microsoft assessed as more likely to be targeted by attackers; most are elevation-of-privilege issues across Windows components, plus two Word remote code execution bugs. Four of the 13 are rated Critical, and the highest CVSS score called out is 9.1 for a Microsoft Single Sign-On (SSO) plugin used with Jira and Confluence.

Claude Chrome Extension Vulnerability Permits Unauthorized AI Hijacking

May 13, 2026May 13, 2026

Security researchers at LayerX have identified a design flaw dubbed ‘ClaudeBleed’ in the Claude in Chrome extension. The vulnerability allows malicious extensions with zero permissions to inject commands and hijack the Claude AI agent, potentially leading to unauthorized data exfiltration and sensitive cross-site operations.

Dual High-Severity Vulnerabilities Identified in SunNet Corporate Training and Performance Management Systems

May 13, 2026May 13, 2026

Taiwan’s TWCERT/CC has disclosed two high-severity security vulnerabilities affecting SunNet’s Corporate Training Management System (CTMS) and Corporate Appraisal Performance System (CAPS). These flaws include a SQL injection vulnerability and an arbitrary file upload weakness that could lead to full system compromise.

Taiwan CERT warns of two high-severity flaws in Galaxia Info’s Vitals ESP (≤ 6.3)

May 13, 2026

TWCERT/CC published a Taiwan Vulnerability Note (TVN-202603007) describing two high-severity vulnerabilities affecting Galaxia Information’s Vitals ESP up to and including version 6.3. One issue could allow an authenticated remote attacker to perform some admin functions and escalate privileges (CVE-2026-4639, CVSS 8.8). The other could allow an unauthenticated remote attacker to access some functions and obtain sensitive information (CVE-2026-4640, CVSS 7.5). TWCERT/CC advises customers to contact the vendor for a patch.

Adobe Issues May Security Updates for 52 Vulnerabilities, Prioritizes Commerce Platforms

May 13, 2026May 13, 2026

Adobe released its May routine security updates addressing 52 vulnerabilities across 10 application systems, with a particular emphasis on critical patches for the Adobe Commerce (Magento) e-commerce platform and high-risk flaws in Adobe Connect.

DMTF SPDM Protocol Integrated into FIPS 140-3 Standard for Hardware Security Validation

May 13, 2026May 13, 2026

The Distributed Management Task Force (DMTF) announced that its Security Protocol and Data Model (SPDM) has been officially incorporated into the U.S. FIPS 140-3 Implementation Guidance, establishing a new federal reference for hardware and firmware authentication.

IDOR Vulnerability in Sun Rise School Management App Exposes Student and User Data

May 13, 2026May 13, 2026

A high-severity Insecure Direct Object Reference (IDOR) vulnerability has been identified in the ‘App好校通’ (App School Link) mobile application developed by Sun Rise Technology, potentially allowing authenticated users to access and modify unauthorized records.

Taiwan CERT warns of two medium-severity a+HRD flaws enabling authenticated database read via SQL injection and missing authorization

May 13, 2026

TWCERT/CC published a Taiwan Vulnerability Note (TVN-202604004) for two vulnerabilities affecting Yuqi Digital Technology’s a+HRD product in versions 7.1 and earlier. The issues—SQL injection (CVE-2026-6833) and missing authorization (CVE-2026-6834)—could allow an authenticated remote attacker to read database contents. TWCERT/CC advises upgrading to a patched release referenced by the vendor’s security notice.

Taiwan CERT warns of high-severity arbitrary file write in Gigabyte Control Center (CVE-2026-4415)

May 13, 2026

TWCERT/CC published a Taiwan Vulnerability Note for a high-severity arbitrary file write flaw in Gigabyte Control Center. The advisory says that when the product’s pairing function is enabled, an unauthenticated remote attacker could write arbitrary files to any OS path, potentially enabling code execution or privilege escalation. Gigabyte Control Center versions up to 25.07.21.01 are listed as affected, and upgrading to 25.12.10.01 or later is recommended.

Taiwan CERT warns of arbitrary file upload flaw in a+HCM (CVE-2026-6835) enabling unauthenticated uploads

May 13, 2026

TWCERT/CC published a vulnerability note for an arbitrary file upload issue in Digiwin (育碁數位科技) a+HCM affecting versions up to and including 8.1. The note states an unauthenticated remote attacker could upload arbitrary files to arbitrary paths, including HTML files that could produce XSS-like effects. TWCERT/CC rates the issue CVSS 6.1 (Medium) and points users to the vendor’s security notice and patches.