Cybersecurity Brief – May 16, 2026

Microsoft's May 2026 Patch Tuesday addresses a significant security load with fixes for over 120 vulnerabilities, including 17 rated critical and 14 remote code execution flaws. Notably absent are zero-day exploits, though one Exchange Server vulnerability (CVE-2026-42897) is already under active attack. The cross-site scripting flaw in Exchange Outlook Web Access requires immediate attention from organizations running on-premises Exchange deployments. Separately, a missing authentication vulnerability in PraisonAI's legacy API server (CVE-2026-44338) was exploited within hours of public disclosure, underscoring the compressed window defenders face between vulnerability announcement and active exploitation.

The education sector faces disruption as Instructure's Canvas learning management system suffered a nationwide cybersecurity incident, with the threat actor ShinyHunters claiming responsibility. The breach affects institutions relying on the widely-deployed platform, though impact details remain limited. Meanwhile, Comcast has agreed to a $117.5 million settlement over a 2023 Xfinity data breach that exposed usernames, passwords, and personal information of millions of customers—a reminder that breach consequences extend well beyond the initial compromise. On the regulatory front, NIST is finalizing enhanced security requirements for federal contractors handling Controlled Unclassified Information, particularly for high-value assets and critical programs, signaling stricter baseline controls ahead.

Sources: Bleeping Computer · Microsoft Tech Community · Cryptika · Cybersecurity Dive · Yahoo Finance · Wiley Law