Your Vendor’s Breach Is Your Breach

It’s Paper Trail for the week ending May 2, 2026, and we’ll cover what happened last week in the Information Security space.

The Bottom Line

AI is fundamentally changing the speed of cyberattacks. The window between a vulnerability being discovered and it being weaponized is now measured in hours, not days. Simultaneously, security teams are underpaid, understaffed, and leaving. Together these two forces represent a material shift in organizational risk that requires attention, not just a patch cycle.

Last Week, in Review

  • Fortinet released its 2026 Global Threat Landscape Report, drawing on telemetry from millions of sensors deployed worldwide. The headline numbers are stark: ransomware victims surged 389% year-over-year. More significant for every organization than that count, however, is what’s happening to timing. As AI accelerates reconnaissance, weaponization, and execution, FortiGuard Intelligence shows time-to-exploit has dropped to 24–48 hours for critical outbreaks, a sharp drop from the 4.76 days reported in earlier editions. [Fortinet]
  • Google announced a significant restructuring of its Vulnerability Reward Programs for Chrome and Android as AI tools enter the vulnerability research pipeline. Google is now prioritizing flaw categories that are harder for AI tools to find, while reducing some lower-tier Chrome awards. For organizations running their own bug bounty programs, the future may hold a growing volume of low-quality AI-generated submissions that will swamp triage capacity unless programs are redesigned around it. [SecurityWeek]
  • A Harvey Nash Global Tech Talent & Salary Report, based on a survey of over 3,600 technology professionals across 53 countries, found that cybersecurity staff are among the most financially overlooked workers in tech. Globally, 71% of security professionals received no salary increase in 2025. Only 40% of security staff expect a pay rise in 2026. Almost half (49%) are actively looking to move jobs in the next twelve months, well above the global average of 39% across all tech roles. [The Register, InfoSecurity Magazine]

Pulse

LayerX disclosed a high-severity vulnerability (CVSS 8.2) in Cursor – one of the most widely used AI-powered code editors for developers – that allows installed extensions to access sensitive credentials, exposing API keys and session tokens without any user interaction. The issue stems from how Cursor stores secrets in plaintext in a local SQLite database, leaving them readable by any extension regardless of its permissions. Cursor enforces no OS-level protected storage and no access-control boundary between installed extensions and this database. Cursor was notified in February, responded that extensions are within the user’s trust boundary, and as of April 28 had not issued a fix. [LayerX, InfoSecurity]

Vimeo published a security notice confirming that an unauthorized actor accessed customer and user data – not by breaking into Vimeo itself, but by compromising Anodot, a third-party analytics platform Vimeo uses. Exposed data primarily includes technical data, video titles, metadata, and in some cases customer email addresses; video content, login credentials, and payment data were not accessed. This is third-party risk in its purest form: a vendor’s security posture is part of an organization’s own attack surface. [Vimeo, Bleeping Computer, SecurityWeek]

Fix-it Frank

A CRLF injection in cPanel’s pre-authentication session handling allows an unauthenticated remote adversary to inject arbitrary values directly into a session file that is written to disk before any credential check occurs. The result is a fully authenticated root WHM session, bypassing both the password gate and two-factor authentication with no valid credentials required. The flaw affects all supported versions of cPanel & WHM after v11.40 and WP Squared prior to v136.1.7, spanning an estimated 650,000+ internet-exposed instances. Confirm with the hosting provider or sysadmin that cPanel is patched to a fixed version, then audit WHM session logs and server-side accounts for unauthorized root-level changes going back to February 23, 2026. [cPanel, Rapid7, watchTowr Labs, Help Net Security]
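As an added illustration, not code from cPanel or from any of the linked write-ups: a toy line-oriented session file shows why writing unvalidated input to disk before authentication is dangerous, and what the hardened writer looks like. The `key=value` format and the field names are assumptions for the demo, not cPanel’s real session layout.

```python
"""Toy model of CRLF injection into a line-oriented session file.

Constructed example: the format (one ``key=value`` per line) and the field
names are assumptions for illustration, not cPanel's actual session format.
"""
import re

# Anything that can start a new line in the file must never appear in a value.
_LINE_BREAK = re.compile(r"[\r\n]")


def serialize_session_vulnerable(fields: dict) -> str:
    """Writes fields verbatim: a value containing CR/LF becomes a new line."""
    return "".join(f"{k}={v}\n" for k, v in fields.items())


def serialize_session_hardened(fields: dict) -> str:
    """Rejects any key or value containing a line break before serialising."""
    for k, v in fields.items():
        if _LINE_BREAK.search(str(k)) or _LINE_BREAK.search(str(v)):
            raise ValueError(f"line break in session field {k!r}")
    return "".join(f"{k}={v}\n" for k, v in fields.items())


def parse_session(text: str) -> dict:
    """Reads the file back the way a naive consumer would: split on newlines,
    then on the first '='; a later duplicate key overwrites an earlier one."""
    session = {}
    for line in text.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            session[k.strip()] = v.strip()
    return session


def demo():
    """Constructed pre-auth input: the untrusted 'user' field carries an
    embedded CRLF followed by a second key the server never meant to set.
    Returns (what the naive reader sees, whether the hardened writer refused)."""
    untrusted = "guest\r\nprivilege=elevated"
    fields = {"privilege": "none", "user": untrusted}  # server sets privilege first
    leaked = parse_session(serialize_session_vulnerable(fields))
    try:
        serialize_session_hardened(fields)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked
```

The same check belongs at every point where untrusted bytes are interpolated into a line- or header-delimited format; rejecting the input is safer than trying to escape it after the fact.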

The Jenkins project – one of the most widely deployed CI/CD platforms – published a security advisory addressing seven vulnerabilities across multiple widely deployed Jenkins plugins, including high-severity path traversal flaws and stored cross-site scripting (XSS) vulnerabilities. Organizations should review and update all flagged plugins immediately via the Jenkins Plugin Manager. Additionally, Jenkins UI access should be limited to internal networks or VPN, and the Jenkins controller should never be directly reachable from the internet. [Jenkins Project]

Paper Trail is a weekly briefing, not professional advice. Consult qualified professionals before acting on anything we report.

Thanks for tuning in to this edition of Paper Trail. You can read it, hear it, or bookmark it – find every format at hackwithheart.com.