The mean time from CVE publication to working exploit has collapsed to approximately 10 hours in 2026 — down from 56 days in 2024 and 23 days in 2025, across 3,532 CVE-exploit pairs. Google's Threat Intelligence Group confirmed it thwarted a hacker group using AI to discover a zero-day and plan a mass vulnerability exploitation operation — the first confirmed case of AI-powered coordinated mass exploitation planning. Ivanti EPMM CVE-2026-6973 was exploited as a zero-day. Palo Alto PAN-OS CVE-2026-0300 allows unauthenticated root-level RCE on firewalls through the authentication portal — active exploitation, no patch available. Dirty Frag, an unpatched Linux kernel flaw, enables root privilege escalation with public PoC. cPanel CVE-2026-41940 (max severity auth bypass) is under mass exploitation from 2,000+ attacker IPs. 84 TanStack npm package artifacts were compromised in a supply chain attack.

Links & Resources

• https://www.cnbc.com/2026/05/11/google-thwarts-effort-hacker-group-use-ai-mass-exploitation-event.html
• https://thehackernews.com/2026/05/ivanti-epmm-palo-alto-pan-os-zero-day.html
• https://research.checkpoint.com/2026/11th-may-threat-intelligence-report/
• https://thehackernews.com/2026/05/cpanel-cve-2026-41940-mass-exploitation.html
• https://thehackernews.com/2026/05/dirty-frag-linux-kernel-privilege-escalation.html
• https://cybersecuritynews.com/tanstack-npm-supply-chain-compromise/
• https://thehackernews.com/2026/05/exploitation-window-10-hours-2026.html
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog