{"vulnerability": "CVE-2026-6722", "sightings": [{"uuid": "b7508df6-c018-439e-a961-cfc546c0a3be", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-6722", "type": "seen", "source": "https://gist.github.com/ichintu/ea04ce0b76eacb84d613fca74acd1b81", "content": "**Key Takeaways \u2013\u202fMay\u202f11\u202f2026 Update**\n\n| Area | Highlights |\n|------|------------|\n| **Purple\u2011Team / Night\u2011time Defense** | \u2022 Manual, ad\u2011hoc actions (hash copy\u2011paste, script tweaks, slow patching) block automated night\u2011time response.\u2022 Problem is system design, not individual skill. |\n| **New CVEs** | \u2022 **CVE\u20112025\u201110470** \u2013 WSO2 Identity Server DoS via unlimited \u201cMagic Link\u201d auth requests.\u2022 **CVE\u20112026\u201140636** \u2013 Dell ECS hard\u2011coded creds (severity\u202f9.8), local attacker CRUD file system.\u2022 **CVE\u20112026\u201132658** \u2013 Dell Automation Platform missing auth \u2192 privilege escalation (severity\u202f8.0).\u2022 **CVE\u20112026\u20116909** \u2013 ATutor\u202f2.2.4 Improper Input Validation.\u2022 **CVE\u20112026\u201142208** \u2013 LiteLLM SQL\u2011Injection (actively exploited). Patch on .\u2022 **CVE\u20112026\u20116722** \u2013 PHP SOAP RCE (severity\u202f9.5) \u2013 see . |\n| **LLM\u2011Steganography Research** | \u2022 arXiv\u202f2510.20075 shows LLMs can embed/translate hidden data in natural language without detectable distortion.\u2022 Demonstrates dual\u2011use: secure covert comms vs. malicious exfiltration. 
|\n| **AI\u2011Enabled SOC Trends** | \u2022 Shift from signature\u2011based AV to behavior\u2011driven monitoring of AI agents.\u2022 Agentic SOCs (DXC, Accenture, Virgin Atlantic) use AI as analyst assistants, not replacements.\u2022 \u201cAgentic Trust Framework\u201d (ATF) and zero\u2011trust modular control plane proposed: integrity verification, semantic anomaly detection, tool\u2011metadata checks, fine\u2011grained policy enforcement. |\n| **Operational Exposure Hotspots** | \u2022 1,862 publicly reachable MCP servers (2024\u201122\u201123\u202f% of 8,500); many lack auth, exposing finance/CRM data.\u2022 High\u2011risk CVEs (EchoLeak\u202fCVE\u20112025\u201132711, mcp\u2011remote\u202fCVE\u20112025\u20116514) allow zero\u2011click remote code execution via office files or JFrog packages.\u2022 Recommended mitigations: patch, enforce auth, micro\u2011segmentation, run agents in read\u2011only containers, implement continuous audit. |\n| **Malware on Hugging Face** | \u2022 \u201cOpen\u2011OSS/privacy\u2011filter\u201d repo (prime trending, 244\u202fk downloads) mimics OpenAI model but contains Rust malware that steals Windows credentials. |\n| **Action Items** | 1. Update all affected products (WSO2, Dell ECS/Automation, ATutor, LiteLLM, PHP).2. Move to zero\u2011trust architecture with continuous AI\u2011behavior monitoring.3. Vet third\u2011party ML models and repos rigorously.4. Treat AI as an analyst aid, not a replacement; give teams sandbox access, audit trails, and override rights.5. Harden all exposed MCP servers: enforce MFA, sign\u2011builds, isolate, and require human approval for sensitive actions. 
|\n\n*Bottom line*: Night\u2011time defense fails because of procedural gaps; a new wave of CVEs, LLM\u2011based covert channels, and exposed MCP servers demand a zero\u2011trust, behavior\u2011centric approach that treats AI agents as first\u2011line analysts while keeping human oversight and robust governance.", "creation_timestamp": "2026-05-11T12:00:59.000000Z"}, {"uuid": "04b817f5-48c6-4135-b5d5-535cc2b420a7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-6722", "type": "seen", "source": "https://bsky.app/profile/remirepo.net/post/3mlczxuq7ac2w", "content": "\ud83d\udee1\ufe0f Security updates:\n\n- php-8.1.34-2 (in the php:remi-8.1 module)\n- php80-php-8.1.34-2 (in the php81 Software Collection)\n\nWith security fixes backported from 8.2.31 (CVE-2026-6735, CVE-2026-7259, CVE-2025-14179, CVE-2026-6722, CVE-2026-7261, CVE-2026-7262, CVE-2026-7568, CVE-2026-7258)", "creation_timestamp": "2026-05-08T05:51:09.146911Z"}, {"uuid": "e5ac919b-8f14-45fa-9d38-c66063740872", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-6722", "type": "seen", "source": "https://bsky.app/profile/slackers.it/post/3mldbcb5xiz22", "content": "8/18\n\nhttps://www.cve.org/CVERecord?id=CVE-2026-6104\n    https://www.cve.org/CVERecord?id=CVE-2025-14179\n    https://www.cve.org/CVERecord?id=CVE-2026-6722\n    https://www.cve.org/CVERecord?id=CVE-2026-7261\n    https://www.cve.org/CVERecord?id=CVE-2026-7262", "creation_timestamp": "2026-05-08T08:02:14.944679Z"}, {"uuid": "6eb4bd7c-c868-48ae-99d3-4e4370aa5fea", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-6722", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116548752322459359", "content": "\ud83d\udea9 CRITICAL: 
CVE-2026-6722 in PHP SOAP (8.2 \u2013 8.5) allows unauthenticated RCE via use-after-free. No patch confirmed \u2014 restrict SOAP access or disable if not needed. Details: https://radar.offseq.com/threat/cve-2026-6722-cwe-416-use-after-free-in-php-group--8d881999 #OffSeq #PHP #Vuln #RCE #InfoSec", "creation_timestamp": "2026-05-10T06:00:29.363548Z"}, {"uuid": "ee71fc46-059d-49db-afa7-9fa5914a7965", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-6722", "type": "seen", "source": "https://bsky.app/profile/offseq.bsky.social/post/3mli3ghb3if2v", "content": "PHP SOAP CRITICAL vuln (CVE-2026-6722): RCE risk in PHP 8.2 \u2013 8.5. Patch unconfirmed \u2014 restrict or disable SOAP endpoints ASAP. Full details: https://radar.offseq.com/threat/cve-2026-6722-cwe-416-use-after-free-in-php-group--8d881999 #OffSeq #PHP #AppSec", "creation_timestamp": "2026-05-10T06:00:30.504359Z"}, {"uuid": "a2dd20d1-3a74-479c-8713-7bf97fe191d9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-6722", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mlibo63qs32e", "content": "CVE-2026-6722 - Use-After-Free in SOAP using Apache map\nCVE ID : CVE-2026-6722\n \n Published : May 10, 2026, 5:16 a.m. 
| 1\u00a0hour, 12\u00a0minutes ago\n \n Description : In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP exten...", "creation_timestamp": "2026-05-10T07:52:10.829433Z"}, {"uuid": "6b63bb5a-7612-4334-9cc0-65a306f12d85", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-6722", "type": "seen", "source": "https://bsky.app/profile/remirepo.net/post/3mlkr672pc225", "content": "\ud83d\udee1\ufe0f Security updates:\n\n- php-8.0.30-16 (in the php:remi-8.0 module)\n- php80-php-8.0.30-16 (in the php80 Software Collection)\n\nWith security fixes backported from 8.1.34 (CVE-2026-6735, CVE-2026-7259, CVE-2025-14179, CVE-2026-6722, CVE-2026-7261, CVE-2026-7262, CVE-2026-7568, CVE-2026-7258)", "creation_timestamp": "2026-05-11T07:34:54.964256Z"}, {"uuid": "e08b9f7b-6fe8-41b9-83b5-1040878c1a33", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-6722", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3mllakdpahl2k", "content": "\ud83d\udd17 CVE : CVE-2025-14179, CVE-2026-42371, CVE-2026-6104, CVE-2026-6722, CVE-2026-6735, CVE-2026-7258, CVE-2026-7259, CVE-2026-7261, CVE-2026-7262, CVE-2026-7263, CVE-2026-7568", "creation_timestamp": "2026-05-11T12:10:08.848769Z"}, {"uuid": "8b6fd223-913c-4ec6-81eb-7ec2ad75c3b9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-6722", "type": "seen", "source": "https://bsky.app/profile/remirepo.net/post/3mlnbxdu4qk2i", "content": "\ud83d\udee1\ufe0f Security updates:\n\n- php-7.4.33-26 (in the php:remi-7.4 module)\n- php74-php-7.4.33-26 (in the php74 Software Collection)\n\nWith security fixes backported from 8.1.34 (CVE-2026-6735, CVE-2026-6722, CVE-2026-7261, 
CVE-2026-7262, CVE-2026-7568, CVE-2026-7258)", "creation_timestamp": "2026-05-12T07:40:38.104312Z"}, {"uuid": "2e33b673-defc-4909-89e3-38e219316ad1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-6722", "type": "published-proof-of-concept", "source": "https://t.me/bdufstecru/3157", "content": "A vulnerability in the soap_add_xml_ref() function of the PHP programming language interpreter is caused by a use-after-free. Exploitation of the vulnerability may allow a remote attacker to execute arbitrary code\n\nBDU:2026-06622\nCVE-2026-6722\n\nUse the recommendations:\nhttps://github.com/php/php-src/releases", "creation_timestamp": "2026-05-13T14:44:49.000000Z"}]}