Microsoft's May Patch Tuesday included 16 vulnerabilities found by MDASH, their new AI system that orchestrates over 100 specialized agents. Four of those were critical RCEs in the Windows kernel. Palo Alto Networks doubled its typical monthly advisories and said most findings came from AI models scanning their code. Mozilla found 271 bugs in Firefox using Mythos last month, then used the same approach again. At the same time, bug bounty programs are collapsing under the weight of AI-generated reports. cURL suspended its bug bounty program. Nextcloud suspended theirs. Bugcrowd vulnerability reports quadrupled in March, but the majority were invalid. HackerOne saw a 76% jump in submissions, but only 25% were genuine flaws. Linus Torvalds called the Linux security mailing list "unmanageable." And honestly, I side with Linus on this. The majority of vendors are now running AI against their own code, and the patches are coming in waves. Buckle up and prepare for a ride. 😑

Have you embraced AI for security checks? How is your team handling the volume of critical vulns?

Top CVEs to patch

  • Microsoft Defender PrivEsc (CVE-2026-41091)
  • DoS flaw in Exchange Server (CVE-2026-42897)
  • Cisco SD-WAN auth bypass (CVE-2026-20182)
  • Linux kernel 9-year-old flaw, reads SSH keys and the shadow file (CVE-2026-4633)
  • PAN-OS urgent vuln (CVE-2026-0300)
  • NGINX RCE (CVE-2026-42945)
  • Worker crashes and possible RCE in Drupal Core (PSA-2026-05-18)
  • Ivanti EPMM RCE (CVE-2026-6973)
  • GitLab path validation issue (CVE-2026-45571)
  • PostgreSQL (CVE-2026-6472 and others)
  • valkey-io/valkey (CVE-2026-23479)

Follow me

Join my Telegram channel and LinkedIn for updates.