Threat Radar

Today’s AI & cyber tracking.

A sanitized public view of the AI and cyber threats SAI is watching this morning — mapped to NIST AI RMF, NIST 800-53, ISO 27001/27002, and ITSG-33. The full internal briefing carries operator notes and action items; this page is the shareable outside view.

As of Tuesday, May 26, 2026 · 08:00 UTC · 18 items tracked · refreshed each weekday morning
Critical: 4 · High: 8 · Medium: 5 · Low: 1 · Total tracked: 18
What you’re looking at. Each card is one item from today’s briefing — severity, CVSS where applicable, title, a one-line summary, the source, and the controls it maps to in the major frameworks. Internal action items and operator notes are kept off this public view.

Critical

4 items · act today
Critical · CVSS 9.8 · 2026-0526-001

CVE-2026-42208 — LiteLLM SQL injection (CISA KEV)

Authenticated SQL injection in the LiteLLM AI proxy, with in-the-wild exploitation reported.

Source: CISA Known Exploited Vulnerabilities
NIST AI RMF Measure 2.7 · NIST AI RMF Manage 2.3 · 800-53 SI-10 / SC-8 / AC-3 · ISO 27001 A.8.2 · ISO 27002 8.26 / 8.28 · ITSG-33 SI-10 / AC-3
Critical · Systemic · 2026-0526-002

Anthropic MCP by-design RCE

Architectural remote-code-execution issue in the official MCP SDK — ~200K exposed instances, 150M+ downloads of affected components.

Source: OX Security research
NIST AI RMF Govern 1.5 · NIST AI RMF Map 4.1 · 800-53 SA-12 / CM-7 / SI-7 · ISO 27001 A.5.19 · ISO 27002 5.19 / 5.21 / 8.30 · ITSG-33 SA-12 / CM-7
Critical · CVSS 9.0–9.6 · 2026-0526-003

Microsoft class advisory — RCE in AI agent frameworks

Retrieved content reaches tool calls and bypasses prompt-level guardrails — a category-level advisory, not a single CVE.

Source: Microsoft MSRC
NIST AI RMF Measure 2.6 · NIST AI RMF Manage 2.4 · 800-53 SI-3 / SC-44 / SI-10 · ISO 27001 A.8.7 · ISO 27002 8.7 / 8.26 · ITSG-33 SI-3 / SC-44
Critical · CVSS 9.6 · 2026-0526-004

CVE-2026-26030 — Semantic Kernel RCE via tool-call hijack

A single adversarial RAG document triggers arbitrary tool calls and code execution through Microsoft Semantic Kernel.

Source: Microsoft MSRC
NIST AI RMF Map 5.1 · NIST AI RMF Measure 2.6 · 800-53 SI-10 / AC-4 / SC-7 · ISO 27001 A.8.26 · ISO 27002 8.26 / 8.28 / 8.7 · ITSG-33 SI-10 / AC-4

High

8 items · plan this week
High · CVSS 8.7 · 2026-0526-005

CVE-2026-26118 — Microsoft MCP server tool hijacking

Tool-description override re-routes agent actions to attacker-chosen tools.

Source: PointGuard AI
NIST AI RMF Measure 3.1 · NIST AI RMF Manage 4.1 · 800-53 CM-7 / AC-6 / AU-12 · ISO 27001 A.5.15 · ISO 27002 5.15 / 8.2 / 8.16 · ITSG-33 CM-7 / AC-6
High · CVSS 8.8 · 2026-0526-006

CVE-2026-32207 — Azure ML Notebook XSS spoofing

Stored XSS in Azure ML Notebook UI enabling session spoofing.

Source: Microsoft Patch Tuesday
NIST AI RMF Measure 2.5 · 800-53 SI-10 / AC-4 / AU-2 · ISO 27001 A.8.26 · ISO 27002 8.26 / 8.27 · ITSG-33 SI-10 / AC-4
High · CVSS 8.6 · 2026-0526-007

CVE-2026-35435 — Azure AI Foundry privilege escalation

Improper access control in Foundry M365-published agents.

Source: Microsoft Patch Tuesday
NIST AI RMF Govern 1.4 · 800-53 AC-2 / AC-3 / AC-6 · ISO 27001 A.5.15 · ISO 27002 5.15 / 5.18 / 8.2 · ITSG-33 AC-2 / AC-3 / AC-6
High · High · 2026-0526-008

Hugging Face fake-OpenAI infostealer supply chain

Typosquatted Hugging Face repository drops an infostealer that harvests developer tokens.

Source: Rescana / Acronis TRU
NIST AI RMF Govern 6.1 · NIST AI RMF Map 4.1 · 800-53 SA-12 / SR-3 / SR-11 · ISO 27001 A.5.19 · ISO 27002 5.19 / 5.21 / 5.23 · ITSG-33 SA-12 / SR-3
High · Trend · 2026-0526-009

Google — 32% surge in indirect prompt-injection payloads

Web-embedded indirect prompt-injection payloads up 32% between November 2025 and February 2026.

Source: Google research
NIST AI RMF Measure 2.6 · 800-53 SC-44 / SI-3 / SI-10 · ISO 27001 A.8.23 · ISO 27002 8.7 / 8.23 / 8.26 · ITSG-33 SI-3 / SC-44
High · High · 2026-0526-010

MCP tool-poisoning enterprise campaign

Malicious-but-valid MCP servers reshape allow-listed behavior inside enterprise agent stacks.

Source: ITECS / DevSecOps
NIST AI RMF Measure 3.1 · 800-53 CM-7 / CM-10 / AC-6 · ISO 27001 A.8.19 · ISO 27002 8.19 / 8.30 / 5.21 · ITSG-33 CM-7 / CM-10
High · High · 2026-0526-011

RAG single-document knowledge-base poisoning

One optimized adversarial document is enough to dominate retrieval results in a RAG corpus.

Source: Vectra AI
NIST AI RMF Measure 2.7 · 800-53 SI-10 / SI-7 / AC-4 · ISO 27001 A.8.12 · ISO 27002 8.12 / 8.26 / 5.34 · ITSG-33 SI-7 / SI-10
High · CVSS 9.6 · 2026-0526-012

CVE-2025-53773 — GitHub Copilot hidden PR prompt injection

Hidden prompt injection inside a PR description drives RCE via GitHub Copilot.

Source: Cycode / Vectra
NIST AI RMF Measure 2.6 · 800-53 SI-3 / SI-10 / SC-44 · ISO 27001 A.8.7 · ISO 27002 8.7 / 8.26 · ITSG-33 SI-3 / SI-10

Medium

5 items · trend & context
Medium · Trend · 2026-0526-013

Iranian APTs pivot to destructive critical-infrastructure operations

Shift observed from data-leak campaigns to destructive intrusions in Western OT environments.

Source: Industrial Cyber
NIST AI RMF Govern 4.1 · 800-53 IR-4 / IR-8 / RA-3 · ISO 27001 A.5.24 · ISO 27002 5.7 / 5.24 / 5.30 · ITSG-33 IR-4 / RA-3
Medium · Patch · 2026-0526-014

Microsoft May 2026 Patch Tuesday — 130 CVEs (30 critical)

Includes AI-relevant CVE-2026-32207, -35435, and -41103 among others.

Source: Tenable / CrowdStrike
NIST AI RMF Manage 1.3 · 800-53 SI-2 / CM-3 / CM-8 · ISO 27001 A.8.8 · ISO 27002 8.8 / 8.9 / 8.32 · ITSG-33 SI-2 / CM-3
Medium · Supply chain · 2026-0526-015

Hugging Face typosquatting model campaigns

Pickle-deserialization payloads on typosquatted model names; Hugging Face hosts 1.2M+ models.

Source: Acronis TRU
NIST AI RMF Govern 6.1 · 800-53 SA-12 / SR-3 / SR-11 · ISO 27001 A.5.19 · ISO 27002 5.19 / 5.21 / 5.23 · ITSG-33 SA-12 / SR-3
Medium · CVSS 9.8 (2025) · 2026-0526-016

Cursor IDE production prompt-injection exploit resurfaces

Malicious-extension prompt injection combined with MCP allow-list bypass.

Source: Cycode
NIST AI RMF Measure 2.6 · 800-53 CM-7 / SI-3 / SC-44 · ISO 27001 A.8.19 · ISO 27002 8.19 / 8.26 / 8.30 · ITSG-33 CM-7 / SC-44
Medium · Trend · 2026-0526-017

Encryptionless extortion becomes the dominant ransomware mode

Q1 2026: 1,138 publicly-claimed incidents, mostly data-theft and leak-site pressure rather than encrypt-and-demand.

Source: BlackFog / Securelist
NIST AI RMF Govern 4.1 · 800-53 IR-4 / MP-6 / CP-9 · ISO 27001 A.5.24 · ISO 27002 5.24 / 5.30 / 8.13 · ITSG-33 IR-4 / CP-9

Low

1 item · awareness
Low · Trend · 2026-0526-018

AI-generated voice-clone phishing targets finance functions

Cloned executive voices drive wire-fraud and MFA-approval attacks against finance teams.

Source: VikingCloud
NIST AI RMF Govern 4.1 · 800-53 AT-2 / IA-2(13) / IR-6 · ISO 27001 A.6.3 · ISO 27002 6.3 / 5.34 · ITSG-33 AT-2 / IA-2

Want the narrative version?

Today’s daily briefing reads the radar and tells you what to do about it — the pattern, the action items, the trend behind the numbers.