Trend Micro, LiteSpeed fix actively exploited bugs; Ghost CMS flaw abused in ClickFix campaign

 


Japanese cybersecurity firm Trend Micro has released security updates to fix a zero-day vulnerability in its Apex One endpoint protection platform that has been actively exploited in attacks targeting Windows systems.

The flaw, tracked as CVE-2026-34926, affects Apex One on-premises servers and allows local attackers with administrator privileges to inject malicious code through a directory traversal issue. Successful exploitation could enable attackers to compromise enterprise environments and deploy additional malware or ransomware payloads. The US Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2026-34926 to its catalog of actively exploited vulnerabilities.

Besides CVE-2026-34926, Trend Micro has patched multiple privilege escalation vulnerabilities. At present, there is no evidence that these additional vulnerabilities are being actively exploited.

Separately, LiteSpeed has issued patches for a security flaw in its user-end plugin for cPanel that is reportedly being actively exploited in the wild. Tracked as CVE-2026-48172, the vulnerability stems from incorrect privilege assignment, allowing attackers to execute arbitrary scripts with elevated permissions. The issue affects plugin versions 2.3 through 2.4.4; LiteSpeed’s WHM plugin remains unaffected. The company confirmed active exploitation but has yet to disclose further technical details about the attacks.

In an unrelated campaign, threat actors have been exploiting an SQL injection flaw in Ghost CMS (CVE-2026-26980) to inject malicious JavaScript that launches ClickFix attack chains. Researchers at Qianxin discovered over 700 affected websites, including university portals, AI/SaaS platforms, media sites, fintech services, security websites, and personal blogs. Compromised organizations reportedly include Harvard University, University of Oxford, Auburn University, and DuckDuckGo's official blog.

The vulnerability affects Ghost versions 3.24.0 through 6.19.0. It allows attackers to access sensitive database information, including admin API keys, without authentication. Threat actors then use stolen credentials to gain elevated access and insert malicious JavaScript into website articles.
