Attackers began actively exploiting a critical unauthenticated server-side request forgery flaw in Cisco Unified Communications Manager, tracked as CVE-2026-20230, using the WebDialer service to write files and drop JSP webshells on enterprise telephony servers.
Ivanti patched a maximum-severity unauthenticated command-injection flaw in its Sentry mobile gateway that gives attackers root-level remote code execution, and within days real-world exploitation followed a public proof-of-concept, prompting CISA to add it to its Known Exploited Vulnerabilities catalog.
ServiceNow disclosed that a misconfigured, unauthenticated REST API endpoint allowed actors to query data from hosted customer instances, an issue the company patched on 5 June but did not publish a (login-gated) advisory for until days later.
Attackers abused a verification flaw in Meta's AI-assisted Instagram account-recovery tool, High Touch Support, to trigger password resets and hijack 20,225 accounts before Meta detected and disabled the tool.
Disclosed around 22 May 2026, the Haute-Garonne departmental media library network (Mรฉdia31) was breached via exploited website vulnerabilities, exposing data on roughly 765 users including names, emails, dates of birth, cities and login details.
Victim
Haute-Garonne Departmental Council digital media library
In May 2026, Maeva โ the holiday-rental brand of Pierre & Vacances-Center Parcs โ disclosed a breach in which an attacker scraped up to ten years of booking data, exposing names, dates of birth, phone numbers and stay details for around 4.5 million customers across 1.6 million reservations.
On 9 May 2026, the threat actor AplaGroup claimed an intrusion into Mรฉdia31, the online media-library platform of the Haute-Garonne departmental libraries (France), exposing data on roughly 765 users; the breach was confirmed on 21 May 2026.
French domain registrar BookMyName detected a security incident on 5 May 2026 in which an attacker exploited a vulnerability to fraudulently alter domain contact data, exposing logins, names, emails, phone numbers and postal addresses of some customers.
A global automated campaign exploiting an unauthenticated file-upload weakness in Magento defaced 7,500+ e-commerce sites across 15,000+ hostnames, dropping malicious files on stores tied to brands including Toyota, Fiat, Asus and FedEx.
In April 2026 a threat actor known as HexDex advertised the sale of a database stolen from France's university sport federation (FFSU), exposing the identities, contact details and registration data of roughly 1.1 million students, licensees and staff.
I-Cad, France's national dog, cat and ferret identification registry, disclosed in March 2026 that a September 2025 software vulnerability had allowed automated querying of its database, exposing users' email addresses and fuelling phishing campaigns against pet owners.
In mid-2025, Sorbonne Universitรฉ (Paris) suffered a breach of its HR/payroll system that exposed personal data of roughly 32,000 current and former staff, including contact details, identity information and family members' names.
In late March 2025, a threat actor known as 'rose87168' claimed to have stolen roughly 6 million authentication records from an Oracle Cloud SSO/LDAP endpoint, potentially affecting over 140,000 tenants; Oracle initially denied any breach before privately confirming a compromise to customers.
An attacker exploited an unpatched vulnerability in a remote access server to breach the City of Helsinki's Education Division, exposing personal data of tens of thousands of students, guardians, and staff, plus sensitive welfare records.
Chinese state-linked hackers exploited unpatched Microsoft Exchange ProxyShell flaws to dwell undetected in the UK Electoral Commission's systems for over a year, accessing electoral-register data on roughly 40 million voters.
Attackers exploited an Ivanti Endpoint Manager Mobile zero-day (CVE-2023-35078, CVSS 10.0) to breach a shared ICT platform used by 12 Norwegian government ministries, with exploitation traced back to at least April 2023.
In May 2023, coordinated waves of attacks exploited Zyxel firewall vulnerabilities to breach 22 Danish energy companies, forcing some operators into island mode in what SektorCERT called Denmark's largest critical-infrastructure cyber incident to date.
An unauthenticated API endpoint exposed personal data of 9.8 million current and former Optus customers โ names, dates of birth, passport and driver's licence numbers โ to a single anonymous attacker.
Attackers compromised the data centre of Pakistan's Federal Board of Revenue by exploiting a pirated copy of Microsoft Hyper-V, taking down all tax-authority websites and putting network access for 360 virtual machines up for sale on a Russian dark-web forum.
Attackers exploited a zero-day in the legacy Accellion File Transfer Appliance to breach New Zealand's central bank, accessing commercially and personally sensitive files; the cleanup cost the Reserve Bank around NZ$3.5 million.
An unauthorised party exploited a flaw in Virgin Mobile Polska's prepaid-registration application to access the personal data of over 114,000 subscribers, including PESEL identity numbers and ID-card details. Poland's data-protection authority fined the operator nearly PLN 2 million for inadequate security testing.
Former AWS engineer Paige Thompson exploited a misconfigured Web Application Firewall to extract personal data on roughly 106 million Capital One credit-card applicants and customers from S3.
A single SQL injection against a rarely-used VAT service let an attacker exfiltrate tax, income, health and pension records on more than 6 million people โ almost the entire adult population of Bulgaria.
An insecure direct object reference (IDOR) flaw on First American Financial's website exposed roughly 885 million title-insurance and mortgage documents โ including Social Security numbers, bank account details, and driver's-license images โ dating back to 2003, accessible to anyone without authentication.
Attackers exploited third-party software connecting Mexican banks to SPEI, the central bank's interbank payment system, injecting phantom transfers and draining roughly 300-400 million pesos (~$15-20 million) via cash withdrawals by money mules.
Victim
Banco de Mรฉxico (Banxico) / SPEI participant banks
An unpatched Apache Struts vulnerability let attackers exfiltrate Social Security numbers, dates of birth, addresses, and driver's license numbers for 147 million U.S., U.K., and Canadian consumers.
A flaw in Infineon's RSA key-generation library (ROCA, CVE-2017-15361) made it theoretically possible to forge digital identities for some 750,000 Estonian ID-cards, forcing a nationwide certificate suspension and emergency remote re-keying.
Victim
Republic of Estonia (national ID-card / e-residency)
A buffer-overflow bug in Cloudflare's edge servers caused them to leak adjacent chunks of memory โ including passwords, cookies, and private messages from other customers โ into web pages, where some were cached by search engines. The flaw was active for months before Google's Project Zero discovered it.
A local file inclusion flaw let attackers steal 412 million accounts across FriendFinder Networks' adult and dating sites, including AdultFriendFinder. Most passwords were stored in plain text or as unsalted SHA-1, and 'deleted' accounts were never actually removed.
A SQL-injection attack against Hong Kong toymaker VTech's Learning Lodge service exposed the personal data of 6.4 million children and nearly 5 million parent accounts, becoming the first major breach to focus on data about minors.
An SQL injection attack โ committed primarily by four British teenagers โ exposed personal data on roughly 157,000 TalkTalk customers including bank account details. Triggered a record ยฃ400,000 UK ICO fine.
An intruder gained total control of Dutch certificate authority DigiNotar, issuing more than 500 fraudulent SSL certificates โ including a wildcard for *.google.com used to wiretap some 300,000 Iranian Gmail users โ and triggering the company's collapse.