Security Breaches and Vulnerabilities Reported in May 2026

OpenAI confirmed a security breach in May 2026, though specific details about the scope or data compromised were not disclosed. An 18-year-old remote code execution (RCE) vulnerability was identified in NGINX, affecting versions prior to 1.25.3, with no CVE assigned yet. Microsoft disclosed two new unpatched Windows zero-day vulnerabilities, though technical specifics and exploitation details remain undisclosed. The NGINX flaw stems from improper input validation in HTTP/3 QUIC handling, potentially allowing attackers to execute arbitrary code on affected servers. The Windows zero-days were reported as actively exploited in limited attacks, but no mitigation guidance was provided. The incidents were reported on May 15, 2026.