The Top 10 External Attack Surface Exposures of 2026
Adversarial Exposure Validation (AEV) / CTEM — Proving What's Actually Exploitable
Joomla JCE CVE-2026-48907 — Unauthenticated PHP Code Execution
FortiBleed - The Mass Fortinet Credential-Harvesting Campaign
Hiding in Plain Sight: How a China-Nexus Group Lived in the Linux Login Layer for Nearly a Decade
Atomic Arch: How 400+ Hijacked Linux Packages Turned Developer Machines Into an Open Door
LangGraph RCE — the AI-agent attack surface
The Login That Bypasses Your Passkeys: How Device-Code Phishing Went From Spy Tool to Off-the-Shelf Kit
13,000 Fake FIFAs: What the World Cup Scam Wave Teaches Every Brand About Its Real Attack Surface
No Patch, No Workaround, Already Exploited: The Cisco SD-WAN Zero-Day That Proves NCSC's Point
India Just Made Patching a 12-Hour Job — and the Rest of the World Will Follow
The Page Is the Payload: How ChatGPhish Turns Every Web Summary You Ask For Into a Phishing Attack
17 Million Routers, One Dutch Raid, and the Quiet Economy of Disguising Cybercrime as Your Neighbour's Wi-Fi
Forged Cookies on the Front Door: Why CVE-2026-0257 Is the Worst Possible Bug in Your VPN Right Now
npm Finally Slammed the Door - But TrapDoor Walked Through Your AI Assistant Instead
48 Hours From Patch to Exploit: Why CVE-2026-9082 Is Hunting Your Drupal Sites Right Now
Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation
Most Remediation Programs Never Confirm the Fix Actually Worked
What 45 Days of Watching Your Own Tools Will Tell You About Your Real Attack Surface
From Phishing to Smishing: Addressing Mobile Threats with EASM
