may 22, 2026
5 links from the engineering internet.
authentik ships 2026.5.0 with interactive oauth2 in scim provider
authentik 2026.5.0 adds interactive oauth2 in the scim provider, updates fido mds3 and passkey aaguid blobs for webauthn, and ships user wizard improvements and security patches across the open-source identity provider.
outlook classic breaks embedded image rendering in build 19929.20164
a bug in outlook classic version 2604 build 19929.20164 replaces images that use the top-and-bottom text wrap style with broken placeholders. microsoft's interim fix is to avoid that wrap style until a patch ships.
trump mobile site exposes 27,000 customer records via unauthenticated api
trump mobile's launch website exposed over 27,000 customer records via an unauthenticated http post endpoint. names, addresses, and order data were accessible without credentials. the exposure was discovered as devices began shipping.
ubiquiti patches three cvss 10 unifi os flaws including command injection
ubiquiti fixed cve-2026-34908 (improper access control), cve-2026-34909 (path traversal), and cve-2026-34910 (command injection) in unifi os, all cvss 10 and remotely exploitable without credentials. fixed in unifi os 5.0.8.
megalodon malware backdoors 5,561 github repos via fake ci/cd workflow commits
an automated campaign pushed 5,718 malicious commits to 5,561 github repositories in six hours, using forged automated-commit messages to evade review. the commits inject github actions workflows that exfiltrate secrets and credentials to a c2 server.