THU 02 JUL 2026 · GMT EDITION A WHITESTONE INTELLIGENCE PUBLICATION
MARKETS · CYBER · MEMOS · MODELS
DAILY ISSUES26 MAY27 MAY28 MAY29 MAY30 MAY31 MAY01 JUN02 JUN03 JUN04 JUN05 JUN06 JUN07 JUN08 JUN09 JUN10 JUN11 JUN12 JUN13 JUN14 JUN15 JUN16 JUN17 JUN18 JUN19 JUN21 JUN22 JUN23 JUN24 JUN25 JUN26 JUN27 JUN28 JUN29 JUN30 JUN01 JUN02 JUNALL ›
FRONT PAGE / CYBER / CYB-30D-013
CYBER · cves zero days · 2026-05-13SCOOP 52

Microsoft's May 2026 Patch Tuesday Fixes ~120+ Flaws With No Zero-Days — First Since June 2024

Microsoft's May 13, 2026 Patch Tuesday addressed a large batch of vulnerabilities with no actively exploited or publicly disclosed zero-days—the first such cycle since June 2024.

·FILED 2026-05-13·1 MIN READ·RE-VERIFIED 2026-07-02 UTC·✓ RE-VERIFIED 2026-07-02

VERDICT — CONFIRMED

QA-reviewed confidence · primary + corroborating sources verified · re-verified 2026-07-02 UTC
Microsoft's May 2026 Patch Tuesday Fixes ~120+ Flaws With No Zero-Days — First Since June
Malwarebytes / Microsoft

Microsoft's May 13, 2026 Patch Tuesday addressed a large batch of vulnerabilities with no actively exploited or publicly disclosed zero-days—the first such cycle since June 2024. Tallies varied slightly by source: BleepingComputer and several outlets reported approximately 120 CVEs including 17 critical (with 14 remote-code-execution flaws, two elevation-of-privilege and one information-disclosure), while Malwarebytes counted 137 vulnerabilities including 31 marked critical.

Notable fixes included CVE-2026-42898, a remote-code-execution flaw in on-premises Microsoft Dynamics 365 rated CVSS 9.9 that requires no user interaction; CVE-2026-40361 (CVSS 8.4), a use-after-free flaw in Microsoft Word allowing local code execution when a malicious document is opened; and CVE-2026-35421 (CVSS 7.8), a heap-based buffer-overflow in Windows GDI triggered by processing a specially crafted Enhanced Metafile via Microsoft Paint. Outlets stressed that despite the absence of zero-days, the cycle remained significant because many critical bugs enabled RCE across Windows services, Office, Azure, SharePoint and graphics components, and they urged prompt patching.

The zero-day-free month was framed as a notable, if temporary, reprieve following an extended run of monthly in-the-wild exploitation, and stands in contrast to the same period's out-of-band Defender and Exchange fixes, which addressed separately disclosed actively exploited flaws.

Share
Filed by the Cyber desk · verified by the verification desk · re-verified 2026-07-02 · Our standards: the two-source rule ›
CITE THIS FILE — The Dossier Wire · cyb-30d-013 · filed 2026-05-13 · https://thedwire.com/wire/cyb-30d-013-microsoft-s-may-2026-patch-tuesday-fixes-120-flaws-with-no.html · Primary and corroborating sources listed above; archived at publication. Republishing & licensing: hello@thedwire.com.
More from Cyber FULL DESK ›
Instructure Pays Ransom After ShinyHunters Breaches Canvas Twice, Claiming 275 M
Inside Higher Ed
CYBER · SCOOP 84

Instructure Pays Ransom After ShinyHunters Breaches Canvas Twice, Claiming 275 Million Records From ~8,800 Schools

Instructure, operator of the Canvas learning-management system, paid a ransom to the extortion group ShinyHunters after two breaches of Canvas within roughly ten days, in what reporting describes as the largest education-sector data incident on record. ShinyHunters claimed to have stolen 3.65 TB of data on approximately 275 million users

✓ verified
READ THE FILE ›
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · SCOOP 55

Fortinet: FortiClient Windows flaw lets local attacker decrypt a logged-in user's saved VPN password (CVSSv3 2.1)

Fortinet advisory FG-IR-26-129, revised May 12, describes a missing-authorization weakness (CWE-862) in FortiClient for Windows that may allow an authenticated local attacker to decrypt a currently logged-in user's VPN password via an unprotected DLL function. The advisory title ties the issue to a hardcoded encryption key used for saved

✓ verifiednewSOURCE ↗
READ THE FILE ›
SAP May 2026 Patch Day Fixes Critical S/4HANA SQL Injection (CVE-2026-34260, CVS
Onapsis
CYBER · SCOOP 50

SAP May 2026 Patch Day Fixes Critical S/4HANA SQL Injection (CVE-2026-34260, CVSS 9.6) and NetWeaver XSS

SAP released its May 2026 Security Patch Day on May 12, 2026, publishing 17 new and updated Security Notes, including three HotNews notes and one High Priority note. The most severe issue, CVE-2026-34260, is a SQL-injection vulnerability in the SAP Enterprise Search component for ABAP (relevant to S/4HANA), rated CVSS 9.6: an authenticate

✓ verified
READ THE FILE ›

The morning wire in your inbox — every brief, primary sources linked, no noise.

Free tier. The Wire — continuous desk briefs · Records archive · Bureau alerts.

Stored to the wire's subscriber list. No spam, unsubscribe any time.