ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories
https://thehackernews.com/2026/05/threatsday-bulletin-pan-os-rce-mythos.html
Publish Date: 2026-05-14 12:07:00
Source Domain: thehackernews.com
Everything is still on fire.
This week feels dumb in the worst way — bad links, weak checks, fake help desks, shady forum posts, and people turning supply chain attacks into some cursed little game for clout and cash. Half of it feels new. Half of it feels like crap we should have fixed years ago.
The mess keeps getting louder: users get tricked, boxes get popped, tools meant for normal work get used for bad stuff, and nobody seems shocked anymore. Great. Love that for us.
Anyway. Let’s get into it.
-
Exploited PAN-OS RCE
Palo Alto Networks has released the first round of fixes to address CVE-2026-0300, a critical buffer overflow vulnerability in the User-ID Authentication Portal service of PAN-OS software that could allow an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted packets. The company said it has observed the flaw being exploited in limited attacks since at least last month, with unknown threat actors leveraging it to drop payloads like EarthWorm and ReverseSocks5.
-
Private AI chats
Meta has announced Incognito Chat with Meta AI in its namesake app and WhatsApp. Incognito Chat is “a completely private way to interact with AI, similar to how end-to-end encryption means no one can read your conversations, even Meta or WhatsApp,” CEO Mark Zuckerberg said. “Incognito Chat handles all AI inference in a Trusted Execution Environment that ensures your messages are not accessible to us. The conversations on your phone also disappear when you exit the session.” The feature is powered by Private Processing, which already underlies its message summarization and composition tools.
-
Zero-auth data leak
A defense technology company with Department of Defense contracts exposed user records and military training materials through API…