
Critical Palo Alto PAN-OS Zero-Day Exploited

🏷️ Cybersecurity | 🌍 United States | 🔥 Trending | 🔗 6 sources | Digest Score: 29

Palo Alto Networks on May 6-7 warned of an actively exploited critical PAN-OS vulnerability, tracked as CVE-2026-0300, that enables unauthenticated remote code execution via a buffer overflow in the User-ID Authentication Portal (captive portal). The flaw can give attackers root privileges on PA-Series and VM-Series firewalls when the portal is exposed to untrusted or public IP addresses; Palo Alto assigned a CVSS score of 9.3 for internet-facing configurations. The vendor said exploitation observed so far is limited and has not attributed attacks to any group. Patches are pending, with initial fixes scheduled from May 13 and additional releases on May 28 for other versions. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the defect to its Known Exploited Vulnerabilities catalog and ordered federal agencies to remediate by May 9. Palo Alto said Cloud NGFW, Prisma Access and Panorama are not affected. Security researchers and scanners have found thousands of PAN-OS instances publicly reachable; until updates are available, customers are advised to restrict or disable the Authentication Portal and follow other mitigation guidance.

Google reCAPTCHA QR checks lock out de-Googled phones

🏷️ Cybersecurity | 🔗 4 sources | Digest Score: 26

Google has rolled out a QR-code based reCAPTCHA challenge as part of its Cloud Fraud Defense platform first announced on April 22, 2026, that requires users to scan a code with a “compatible” mobile device to prove they are human. The verification flow accepts iOS devices and Android handsets running Google Play Services (reportedly version 25.41.30 or higher), but blocks or repeatedly challenges devices running privacy-focused, de‑Googled operating systems such as GrapheneOS, CalyxOS and other custom ROMs. The change, which Google has been migrating to sites since late 2025, leverages hardware-backed attestation to verify device integrity and is designed to counter increasingly capable AI-driven bots. Critics — including GrapheneOS developers, privacy advocates and parts of the security community — argue the move effectively ties basic web access to Google’s proprietary ecosystem, can exclude secure alternative OSes, and may have been rolled out automatically for many websites. Workarounds for affected users include using a separate certified device or selecting fallback audio challenges, while some experts urge web administrators to consider alternative verification services to avoid locking out privacy‑focused users.

ShinyHunters breach disrupts Canvas, steals student data

🏷️ Cybersecurity | 🌍 United States | 🔗 9 sources | Digest Score: 14

A cybercriminal group known as ShinyHunters breached Instructure’s Canvas learning-management system in late April and again in early May, exploiting its Free‑For‑Teacher feature to access and publish student and staff records. The group claimed it had stolen terabytes of data from roughly 8,000–9,000 institutions and set a ransom deadline for public release; reported figures vary and remain unverified. Instructure disclosed unauthorized activity detected April 29, took Canvas offline to contain the incident and temporarily suspended Free‑For‑Teacher accounts. The platform was restored for most users within days, though some services remained in maintenance mode while external forensics and U.S. federal investigators — including the FBI and CISA — were notified. Affected data reportedly includes names, email addresses, student ID numbers and private messages between users; the company said it found no evidence of exposed passwords, dates of birth, government identifiers or financial information. The disruption hit thousands of schools during U.S. finals week, forcing exam delays and alternative submission arrangements as institutions and vendors assess exposure and response.

Palo Alto PAN-OS critical zero-day exploited

🏷️ Cybersecurity | 🔗 3 sources | Digest Score: 7

Palo Alto Networks disclosed a critical buffer overflow zero-day in its PAN-OS User-ID Authentication Portal (Captive Portal), tracked as CVE-2026-0300, that allows unauthenticated remote code execution with root privileges on PA-Series and VM-Series firewalls. The company warned of "limited exploitation" and attributed activity to a likely state-sponsored cluster tracked as CL-STA-1132. Evidence shows unsuccessful attempts from April 9 and successful exploitation and follow-on activity in April, including AD enumeration, use of tunneling tools (EarthWorm, ReverseSocks5), credential collection and log deletion. Affected PAN-OS branches include versions in the 10.x, 11.x and 12.1 lines when the portal is exposed to untrusted networks. Palo Alto plans staged software fixes beginning May 13, 2026, with further patches on May 28. The U.S. CISA added CVE-2026-0300 to its Known Exploited Vulnerabilities catalog, directing federal agencies to apply mitigations. Until patches are issued, Palo Alto and researchers advise restricting or disabling the User-ID Authentication Portal, disabling response pages on L3 interfaces, and enabling available threat signatures for detection.

CallPhantom scam: 28 fake Android apps

🏷️ Cybersecurity | 🌍 India | 🔗 3 sources | Digest Score: 4

Security firm ESET uncovered a sprawling campaign of 28 fraudulent Android apps — dubbed “CallPhantom” — that falsely claimed to provide call, SMS and WhatsApp histories for any phone number and collectively racked up more than 7.3 million downloads. The apps generated hardcoded, fake records and prompted users to subscribe to plans costing roughly $6–$80. The campaign appears to have been active since late 2025; ESET flagged the apps to Google in December 2025 and the apps were removed from the Play Store after public disclosure in May 2026. Most victims were in India: many apps defaulted to the +91 country code and supported UPI payment methods popular there. Some subscriptions used Google Play billing (eligible for Play refunds); others routed payments through third-party UPI providers or in-app card forms, complicating reimbursement. The apps employed deceptive tactics — including fake notifications and misleading developer names such as “Indian gov.in” — to build trust and pressure users into paying. The removals followed ESET’s report; affected users are advised to check Play billing for cancellations and contact payment providers for third-party charges.

Anthropic’s Mythos sparks global cybersecurity alarm

🏷️ Cybersecurity | 🌍 United States | 🔗 6 sources | Digest Score: 4

In early May 2026 Anthropic disclosed Claude Mythos Preview, an internal AI model that in controlled testing identified thousands of previously unknown zero-day vulnerabilities across major operating systems and web browsers. Anthropic restricted access under “Project Glasswing” to roughly 40 firms — including large tech and financial firms — to give defenders a head start. Mozilla, a Mythos partner, said it shipped 423 Firefox security fixes in April, 271 of them tied to Mythos findings. US regulators responded: Federal Reserve Chair Jerome Powell and Treasury officials convened major bank CEOs to assess risk. Anthropic warned of a six-to-twelve month window before adversaries could replicate the capability. Cybersecurity researchers, however, say many of Mythos’s headline feats can be reproduced today by orchestration of existing models and cheaper toolchains; OpenAI has offered vetted access to cyber-focused models. Reports also document practical risks — from unauthorized access attempts against Mythos to a sharp surge in AI-enabled attacks — underscoring both the defensive value of these tools and the danger that equivalent offensive capabilities will proliferate globally.