Patch Tuesday February 2026

Patch Tuesday February 2026 Updates – Vulnerability Digest from Action1

This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.

For even more information, join our next Patch Tuesday webinar and visit our Patch Tuesday Watch page.

Microsoft Vulnerabilities

This Patch Tuesday brings 55 vulnerability fixes from Microsoft, well below the recent average, with only two rated critical. However, the release stands out for its six zero-days, making it a more urgent update than the numbers alone suggest.

CVE-2026-23655 – Microsoft ACI Confidential Containers Information Disclosure Vulnerability

“A single misstep in how secrets are stored can expose keys that unlock entire cloud environments.”

CVE-2026-23655 is a critical information disclosure vulnerability affecting Microsoft Azure Container Instances (ACI) Confidential Containers. The issue stems from cleartext storage of sensitive data, which may allow an authorized attacker to access secret tokens and cryptographic keys over the network. While no active exploitation has been observed, the nature of the exposed data makes this vulnerability highly sensitive in cloud and enterprise environments.

CVSS Score: 6.5 SEVERITY: Critical THREAT: Information Disclosure

EXPLOITS: There are no publicly disclosed exploits or known in-the-wild attacks at the time of release. Microsoft assessed exploitation as less likely, and no proof-of-concept code has been published.

TECHNICAL SUMMARY: The vulnerability is caused by improper handling of sensitive information within Azure Compute infrastructure supporting ACI Confidential Containers. Certain secrets, including tokens and keys, may be stored in cleartext rather than being securely protected at rest. An attacker with low privileges and authorized access could retrieve this data over the network, leading to unintended disclosure of confidential information.

EXPLOITABILITY: This issue affects Azure environments using ACI Confidential Containers. Exploitation requires low privileges but no user interaction. An attacker who already has authorized access could leverage the weakness remotely to obtain sensitive secrets.

BUSINESS IMPACT: Exposure of secret tokens and cryptographic keys can have serious consequences for organizations running sensitive workloads in Azure. Compromised secrets may enable lateral movement, unauthorized access to cloud resources, data exposure, or service abuse. In regulated or high-trust environments, this could lead to compliance violations, reputational damage, and loss of customer confidence.

WORKAROUND: If immediate patching is not possible, organizations should minimize access to affected container environments, rotate secrets frequently, and review access permissions to ensure only strictly necessary roles are assigned. Monitoring for unusual access to container metadata or secret stores can help reduce risk.

URGENCY: This vulnerability should be addressed promptly due to its critical severity and the high sensitivity of the data at risk. Even without active exploitation, exposure of secrets in cloud environments presents a high-impact risk that can rapidly escalate if abused.

CVE-2026-21522 – Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability

“A command injection flaw inside confidential containers can turn trusted workloads into a path for full control.”

CVE-2026-21522 is a critical elevation of privilege vulnerability affecting Microsoft Azure Container Instances (ACI) Confidential Containers. The vulnerability is caused by improper neutralization of special elements in command handling, allowing an authorized attacker with high privileges to inject and execute arbitrary commands locally. Successful exploitation enables attackers to elevate privileges within the container environment and potentially access protected secrets and sensitive workloads.

CVSS Score: 6.7 SEVERITY: Critical THREAT: Elevation of Privilege

EXPLOITS: No public exploitation has been observed in the wild at the time of release. However, proof-of-concept exploit code exists, confirming the vulnerability is practically exploitable under the right conditions.

TECHNICAL SUMMARY: The vulnerability originates from insufficient input sanitization in command execution logic within Azure Compute Gallery components supporting ACI Confidential Containers. Special characters or crafted command input are not properly neutralized, enabling command injection. An attacker with authorized, high-privilege access can exploit this flaw to execute arbitrary commands within the container’s runtime context. In confidential container deployments, this undermines isolation guarantees and may expose secrets or trusted execution boundaries.

EXPLOITABILITY: This issue affects Azure environments running ACI Confidential Containers. Exploitation is local, requires high privileges, and does not require user interaction. Once exploited, attackers can run commands with the same privileges as the affected container, effectively elevating control within that environment.

BUSINESS IMPACT: Privilege escalation within confidential containers presents a serious risk to organizations relying on Azure for sensitive or regulated workloads. Attackers could access protected secrets, manipulate workloads, disrupt availability, or compromise trust assumptions tied to confidential computing. This could result in data exposure, operational disruption, and loss of confidence in cloud security controls.

WORKAROUND: If the patch cannot be applied immediately, organizations should strictly limit administrative access to ACI environments, review role assignments, and monitor container activity for unexpected command execution. Reducing the number of users with elevated privileges can significantly lower exposure.

URGENCY: This vulnerability warrants rapid remediation due to its critical severity, confirmed proof-of-concept exploitability, and its impact on confidential computing environments where trust and isolation are essential.

CVE-2026-21533 – Windows Remote Desktop Services Elevation of Privilege Vulnerability

“A flaw in Remote Desktop turns limited access into full SYSTEM control, putting entire Windows hosts at risk.”

CVE-2026-21533 is an important-severity elevation of privilege vulnerability in Windows Remote Desktop Services. Due to improper privilege management, an authorized local attacker with low privileges can exploit this flaw to elevate access to SYSTEM level. Microsoft has confirmed exploitation has already been detected, making this vulnerability a real and active threat rather than a theoretical risk.

CVSS Score: 7.8 SEVERITY: Important THREAT: Elevation of Privilege

EXPLOITS: Exploitation has been detected in the wild. Functional exploit code exists, demonstrating that attackers can reliably leverage this vulnerability to gain SYSTEM privileges on affected Windows systems.

TECHNICAL SUMMARY: The vulnerability is caused by improper handling of privilege checks within Windows Remote Desktop Services. When certain local operations are performed, the service fails to correctly enforce privilege boundaries, allowing a low-privileged authenticated user to execute actions reserved for higher privilege levels. This results in a full privilege escalation to SYSTEM, granting complete control over the affected host.

EXPLOITABILITY: This vulnerability affects supported Windows systems running Remote Desktop Services. Exploitation is local, requires only low privileges, and does not require user interaction. An attacker with basic access can trigger the flaw to gain SYSTEM-level permissions.

BUSINESS IMPACT: Successful exploitation allows attackers to fully compromise Windows systems, install persistent malware, disable security tools, steal sensitive data, and pivot deeper into enterprise networks. Because Remote Desktop is commonly enabled in enterprise and administrative environments, this vulnerability poses a serious risk to domain-joined systems and critical infrastructure.

WORKAROUND: If immediate patching is not possible, organizations should restrict local user access, closely monitor Remote Desktop activity, and apply the principle of least privilege. Reducing the number of users with local access can lower exposure until updates are applied.

URGENCY: This vulnerability requires immediate attention because active exploitation has been confirmed and functional exploit code exists. Systems left unpatched remain exposed to rapid privilege escalation attacks that can result in full system takeover.

CVE-2026-21525 – Windows Remote Access Connection Manager Denial of Service Vulnerability

“A simple local trigger can knock critical Windows networking services offline without warning.”

CVE-2026-21525 is a moderate-severity denial of service vulnerability affecting the Windows Remote Access Connection Manager. The flaw is caused by a null pointer dereference condition that allows an unauthorized local attacker to crash the affected service. While it does not expose data or allow code execution, it can disrupt network connectivity and availability on impacted systems. Microsoft has confirmed that exploitation has been detected.

CVSS Score: 6.2 SEVERITY: Moderate THREAT: Denial of Service

EXPLOITS: There are no publicly disclosed exploit tools or proof-of-concept code. However, Microsoft has confirmed that exploitation has been detected, indicating the vulnerability has been abused in real-world scenarios despite the lack of public exploit details.

TECHNICAL SUMMARY: The vulnerability occurs when Windows Remote Access Connection Manager processes certain requests and fails to properly handle a null pointer reference. This results in a system-level exception that causes the service to terminate unexpectedly. An attacker does not need authentication or user interaction to trigger the condition locally, leading to a denial of service affecting remote access and networking functionality.

EXPLOITABILITY: This issue affects supported Windows systems where the Remote Access Connection Manager service is enabled. Exploitation is local, requires no privileges, and does not rely on user interaction. An attacker with basic local access can repeatedly trigger the flaw to cause persistent service disruption.

BUSINESS IMPACT: Denial of service conditions on Windows systems can disrupt remote connectivity, VPN access, and dependent services. In enterprise environments, this may lead to operational downtime, loss of remote workforce productivity, and potential service outages. Repeated exploitation could be used as a distraction or to degrade system reliability during broader attack activity.

WORKAROUND: If the patch cannot be applied immediately, organizations should restrict unnecessary local access to systems, monitor service crashes related to remote access components, and ensure rapid service recovery procedures are in place to reduce downtime.

CVE-2026-21519 – Desktop Window Manager Elevation of Privilege Vulnerability

“A flaw in Windows graphics handling lets attackers turn basic access into full SYSTEM control.”

CVE-2026-21519 is an important-severity elevation of privilege vulnerability in the Windows Desktop Window Manager (DWM). The issue is caused by a type confusion error that allows an authorized local attacker with low privileges to exploit improper resource handling and escalate access to SYSTEM level. Microsoft has confirmed that this vulnerability has been exploited, making it a high-risk issue despite not being rated Critical.

CVSS Score: 7.8 SEVERITY: Important THREAT: Elevation of Privilege

EXPLOITS: Exploitation has been detected in real-world attacks. No public proof-of-concept code has been disclosed, but confirmed exploitation indicates attackers have reliable methods to abuse this vulnerability.

TECHNICAL SUMMARY: The vulnerability arises from type confusion within Desktop Window Manager when handling certain graphical objects and memory structures. Due to incorrect assumptions about object types, DWM may access resources using incompatible data types. An attacker can craft actions that manipulate this behavior, leading to memory corruption and execution of code with elevated privileges. Successful exploitation results in SYSTEM-level access.

EXPLOITABILITY: This issue affects supported Windows versions where Desktop Window Manager is enabled. Exploitation is local, requires low privileges, and does not involve user interaction. An attacker with basic access to the system can trigger the flaw to gain full control of the affected host.

BUSINESS IMPACT: Privilege escalation vulnerabilities in core Windows components are especially dangerous because they enable full system compromise. Attackers can disable security controls, establish persistence, access sensitive data, and pivot laterally across enterprise networks. Since DWM runs on nearly all Windows desktops and servers with GUI access, the attack surface is widespread.

WORKAROUND: If patching cannot be applied immediately, organizations should restrict local access to systems, enforce least-privilege user policies, and monitor for abnormal behavior related to Desktop Window Manager. Reducing local user exposure lowers the likelihood of exploitation.

URGENCY: This vulnerability should be remediated quickly due to confirmed exploitation and the ability to escalate privileges to SYSTEM. Systems left unpatched remain exposed to full takeover once initial access is obtained.

CVE-2026-21514 – Microsoft Word Security Feature Bypass Vulnerability

“A malicious document can quietly bypass Word’s built-in defenses and open the door to full system compromise.”

CVE-2026-21514 is an important-severity security feature bypass vulnerability in Microsoft Word. The issue is caused by reliance on untrusted inputs during security decisions, allowing an attacker to bypass OLE protection mechanisms. By convincing a user to open a specially crafted Word document, attackers can defeat safeguards designed to block dangerous COM and OLE content. Microsoft has confirmed that this vulnerability has been publicly disclosed and actively exploited.

CVSS Score: 7.8 SEVERITY: Important THREAT: Security Feature Bypass

EXPLOITS: The vulnerability has been publicly disclosed and is actively exploited in the wild. Functional exploit code exists, demonstrating reliable bypass of Word’s OLE mitigation protections through crafted documents delivered via social engineering.

TECHNICAL SUMMARY: The flaw occurs when Microsoft Word relies on untrusted input while making security decisions related to embedded OLE and COM objects. This improper trust model allows malicious document metadata or object data to influence execution paths that should be restricted. As a result, Word may incorrectly treat unsafe embedded content as trusted, bypassing security mitigations meant to prevent exploitation of vulnerable controls. Once bypassed, attackers can trigger follow-on actions that compromise confidentiality, integrity, and availability.

EXPLOITABILITY: This vulnerability affects supported versions of Microsoft Word, including Microsoft 365 Apps and Microsoft Office installations where OLE protections are enforced. Exploitation requires no privileges but does require user interaction — the victim must open a malicious document. The Preview Pane is not an attack vector.

BUSINESS IMPACT: Because Microsoft Word is widely used and heavily targeted, this vulnerability presents a significant risk to organizations. Successful exploitation can lead to malware execution, credential theft, data exfiltration, and persistent access. Security feature bypass vulnerabilities are especially dangerous because they undermine user trust in built-in protections and increase phishing campaign success rates.

WORKAROUND: If patching cannot be applied immediately, organizations should strengthen email filtering, block untrusted Office attachments, and enforce protected document handling policies. User awareness and reduced exposure to external documents can help lower risk temporarily.

URGENCY: This vulnerability requires immediate remediation due to confirmed active exploitation, public disclosure, and the availability of functional exploit techniques. Delayed patching significantly increases exposure to phishing-based compromise campaigns.

CVE-2026-21513 – MSHTML Framework Security Feature Bypass Vulnerability

“A crafted file can silently bypass Windows security prompts and trigger dangerous actions with a single click.”

CVE-2026-21513 is an important-severity security feature bypass vulnerability in the Microsoft MSHTML Framework, a core component used by Windows and multiple applications to render HTML content. The vulnerability is caused by a protection mechanism failure that allows attackers to bypass execution prompts when users interact with malicious files. Microsoft has confirmed that this issue has been publicly disclosed and actively exploited.

CVSS Score: 8.8 SEVERITY: Important THREAT: Security Feature Bypass

EXPLOITS: This vulnerability has been publicly disclosed and exploitation has been detected in real-world attacks. While no standalone proof-of-concept code has been published, confirmed exploitation indicates attackers are successfully abusing this flaw in active campaigns.

TECHNICAL SUMMARY: The vulnerability stems from a failure in MSHTML’s enforcement of security protections when processing specially crafted HTML or shortcut (.lnk) files. By manipulating how the Windows Shell and MSHTML handle embedded content, attackers can bypass execution warning prompts that normally protect users. When a user opens or interacts with the malicious file, the operating system may process and execute content without proper security validation, undermining built-in defenses.

EXPLOITABILITY: This issue affects supported Windows systems that rely on the MSHTML Framework. Exploitation occurs over the network and requires user interaction, such as opening a malicious HTML file or clicking a shortcut delivered via email, link, or download. No privileges are required by the attacker.

BUSINESS IMPACT: Security feature bypass vulnerabilities significantly increase the success rate of phishing and malware campaigns. In enterprise environments, this flaw can lead to unauthorized code execution, malware deployment, credential theft, and system compromise. Because MSHTML is deeply integrated into Windows, exploitation can impact a wide range of systems and users.

WORKAROUND: If patching cannot be applied immediately, organizations should restrict the handling of HTML and shortcut files from untrusted sources, strengthen email and web filtering, and educate users to avoid opening unexpected attachments or links. Reducing exposure to external content lowers the risk of exploitation.

URGENCY: This vulnerability requires rapid remediation due to confirmed active exploitation and its ability to bypass core Windows security prompts. Delayed patching leaves users exposed to phishing-driven attacks that can directly lead to system compromise.

CVE-2026-21510 – Windows Shell Security Feature Bypass Vulnerability

“A single click on a malicious link can quietly bypass Windows protections and run attacker-controlled content without warning.”

CVE-2026-21510 is an important-severity security feature bypass vulnerability in Windows Shell. The issue is caused by a protection mechanism failure that allows an unauthorized attacker to bypass Windows SmartScreen and security prompt protections. By convincing a user to open a malicious link or shortcut file, attackers can execute content without the usual warnings or consent dialogs. Microsoft has confirmed that this vulnerability has been publicly disclosed and actively exploited.

CVSS Score: 8.8 SEVERITY: Important THREAT: Security Feature Bypass

EXPLOITS: This vulnerability has been publicly disclosed and exploitation has been detected in the wild. Functional exploit techniques exist, demonstrating reliable bypass of Windows Shell and SmartScreen security prompts through crafted links or shortcut files.

TECHNICAL SUMMARY: The vulnerability stems from improper handling of attacker-controlled content within Windows Shell components. When processing specially crafted links or shortcut files, Windows Shell fails to correctly enforce security protections designed to warn users before executing potentially dangerous content. This protection mechanism failure allows malicious payloads to execute without triggering SmartScreen or standard security prompts, undermining Windows’ trust and execution safeguards.

EXPLOITABILITY: This issue affects supported Windows systems that rely on Windows Shell for file and link handling. Exploitation occurs over the network and requires user interaction, specifically opening a malicious link or shortcut file. No privileges are required by the attacker, making this vulnerability highly attractive for phishing-based attacks.

BUSINESS IMPACT: Bypassing Windows Shell and SmartScreen protections significantly increases the success rate of malware delivery and phishing campaigns. Organizations may face unauthorized code execution, malware infections, credential theft, and lateral movement within networks. Because Windows Shell is a core component used by nearly all users, the attack surface is broad and difficult to fully restrict without patching.

WORKAROUND: If the patch cannot be applied immediately, organizations should strengthen email and web filtering, block untrusted shortcut files, and limit the execution of files from untrusted sources. User awareness training and restrictive attachment policies can help reduce exposure.

URGENCY: This vulnerability should be addressed immediately due to confirmed active exploitation and the availability of functional exploit methods. Delayed remediation leaves systems exposed to phishing-driven attacks that bypass core Windows security protections.

Fortinet FortiSIEM

“This critical FortiSIEM weakness allows attackers to run commands without logging in, putting full system control at risk.”

Fortinet has released a security update for FortiSIEM to address CVE-2025-64155, a critical command-injection vulnerability that could allow an unauthenticated remote attacker to execute arbitrary commands on affected systems. The issue exists due to improper handling of special elements within operating system commands, enabling attackers to send specially crafted network requests to an internal service and gain root-level code execution.

This vulnerability carries a CVSS score of 9.4 (Critical), reflecting the high impact and low complexity required to exploit it. Public proof-of-concept exploit code is available, which significantly increases the likelihood of real-world exploitation. While active attacks have not been publicly confirmed, the availability of exploit code makes unpatched systems a high-value target.

Multiple FortiSIEM versions across several release branches are affected. Fortinet has issued patched versions that fully address the vulnerability. Organizations running impacted releases should treat this issue as urgent due to the potential for complete system compromise.

Fortinet FortiOS, FortiManager, and FortiAnalyzer FortiCloud SSO

“A trusted cloud login feature can become a master key that opens the wrong doors.”

This patch addresses three critical authentication bypass vulnerabilities affecting Fortinet FortiOS, FortiManager, and FortiAnalyzer products when FortiCloud Single Sign-On (SSO) is enabled. CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858 all stem from improper access control in FortiCloud SSO authentication paths, allowing attackers to bypass expected security boundaries.

CVE-2025-59718 and CVE-2025-59719 allow remote attackers to bypass authentication by abusing weaknesses in FortiCloud SSO handling. These issues can enable unauthorized administrative access to affected devices, leading to exposure of configurations, credentials, logs, and security policies. Both vulnerabilities are rated Critical, with CVSS scores 9.1, reflecting the ease of exploitation and the potential for full device compromise. These vulnerabilities have been used in real-world attacks, increasing their urgency.

CVE-2026-24858 extends this risk further by breaking isolation between FortiCloud accounts. An attacker with a valid FortiCloud account and a registered device could log into other Fortinet devices registered under different customer accounts, as long as FortiCloud SSO is enabled. This vulnerability affects multiple major versions of FortiOS, FortiManager, and FortiAnalyzer and carries a CVSS score of 9.4 (Critical). The impact includes cross-tenant access, unauthorized administrative control, and potential large-scale compromise in shared or managed environments.

Together, these vulnerabilities represent a serious threat to organizations relying on FortiCloud SSO for centralized management. If left unpatched, they can allow attackers to bypass authentication entirely, move laterally across devices, and undermine trust boundaries between Fortinet customers.

Gogs

“This issue turns a simple file upload into a full server takeover.”

This security issue affects Gogs, the self-hosted Git service, and involves a high-severity remote code execution vulnerability tracked as CVE-2025-8110. The flaw exists in the PutContents API, where improper handling of symbolic links allows attackers to write files outside the intended repository directory. By abusing this behavior, an attacker can overwrite sensitive system or application files on the host server.

The vulnerability has a CVSS score of 8.7 (High severity). Successful exploitation can allow attackers to modify configuration settings, including Git command execution parameters, ultimately leading to arbitrary code execution on the Gogs server. This issue is particularly dangerous for internet-exposed instances with open registration enabled.

CVE-2025-8110 has been actively exploited in real-world attacks, with large-scale campaigns targeting publicly accessible Gogs servers. Due to confirmed exploitation, the risk is immediate and severe. At the time of disclosure, No Patch Available had been formally released, increasing exposure for unprotected environments.

FortiOS and FortiSwitchManager  

“A single memory handling error can open the door to full firewall takeover.”  

This security issue affects FortiOS and FortiSwitchManager and involves a heap-based buffer overflow weakness classified as CWE-122. The vulnerability exists within the cw_acd daemon, where improper input handling can cause memory corruption. A remote, unauthenticated attacker can exploit this condition by sending specially crafted network traffic, potentially leading to arbitrary code execution on the affected device.

The issue is tracked as CVE-2025-25249 and carries a CVSS score of 9.8 (Critical severity). Successful exploitation could allow attackers to execute system-level commands, take control of firewall operations, bypass security controls, or pivot deeper into enterprise networks. Due to the network-facing nature of the affected service, exploitation does not require valid credentials, significantly increasing risk.

Fortinet has released patches to address this vulnerability. There have been no confirmed reports of active exploitation at the time of disclosure, but the severity and ease of attack make this issue especially dangerous for exposed systems. Organizations using vulnerable FortiOS or FortiSwitchManager versions face a high risk of full device compromise if left unpatched.

Chromium Security Updates  

“This update blocks high-severity bugs that could let crafted pages crash or corrupt your browser.”  

Google and the Chromium project released Chromium/Chrome 144 as a stable security update that fixes 10 disclosed CVEs across the browser’s JavaScript engine (V8), rendering engine (Blink), and other components, and another release that fixes CVE-2026-1220, a race condition in V8. It’s rolling out to desktop platforms (Windows, macOS, Linux) and should be installed immediately to reduce risk of exploitation.   

What the Update Fixes
These two releases patch a total of 11 security issues, including several rated high severity that could lead to critical impacts like remote code execution or memory corruption if triggered by malicious web content.   

High-Severity CVEs  

• CVE-2026-0899 — High: Out-of-bounds memory access in the V8 JavaScript engine, allowing crafted web pages to corrupt memory and potentially enable further exploitation.   

• CVE-2026-0900 — High: Inappropriate implementation in V8 that could be manipulated for harmful effects.   

• CVE-2026-0901 — High: Inappropriate implementation in Blink, the rendering engine, potentially permitting unsafe behavior from web content.   

• CVE-2026-1220 — High: Race condition in V8 that can lead to memory corruption and instability — this type of flaw can be particularly dangerous in multi-threaded code paths.   

Medium-Severity CVEs  

• CVE-2026-0902: Inappropriate implementation in V8.   

• CVE-2026-0903: Insufficient validation in the Downloads component, which could affect how untrusted input is handled.   

• CVE-2026-0904: Incorrect security UI in Digital Credentials.   

• CVE-2026-0905: Insufficient policy enforcement in network code.   

Low-Severity CVEs  

• CVE-2026-0906: General incorrect security UI issue.   

• CVE-2026-0907: Incorrect security UI in Split View.   

• CVE-2026-0908: Use-after-free in ANGLE graphics abstraction layer.   

Real-World Threat Context
There are no confirmed public reports of these specific vulnerabilities being actively exploited in the wild at the time of patch release. However, the high-severity bugs — especially the memory safety issues in V8 and race condition in CVE-2026-1220 — represent real risks if attackers chain them with social engineering or malicious content to escape the browser sandbox or execute unsafe actions.

Microsoft Edge 

“These updates fix browser weaknesses where simply visiting a malicious web page could disrupt the browser or open the door to deeper compromise.”  

This patch addresses two security vulnerabilities in Microsoft Edge (Chromium-based), a browser that routinely processes untrusted web content. Because Edge is exposed to the internet by design, flaws in its memory and security handling can pose serious risk if not addressed.  

CVE-2026-1861 is a High severity vulnerability with a CVSS score of 7.5. The issue involves heap corruption and allows a remote attacker to potentially exploit unsafe memory handling by delivering a crafted HTML page. Exploitation requires no authentication and only normal user browsing activity. If successful, the attack could crash the browser or be leveraged as part of a broader exploitation chain. There are no confirmed reports of real-world exploitation or public proof-of-concept code.  

CVE-2026-21223 affects Microsoft Edge and is rated High severity. This vulnerability involves improper handling of browser operations, which could allow an attacker to interfere with browser execution or security boundaries. While the CVSS score has not been publicly finalized, the issue is considered impactful due to its potential to undermine browser stability or security when processing malicious web content. There is no evidence of active exploitation at this time.  

Microsoft has released Edge updates that resolve both issues by improving memory safety and strengthening internal validation checks. Applying the latest updates helps reduce exposure to web-based attacks and maintains secure, stable browsing environments.  

Microsoft Power Apps

“This issue could allow attackers to run unauthorized code inside Power Apps and interfere with business data.”  

Microsoft addressed CVE-2026-20960 (CVSS 8.0), a remote code execution vulnerability in Microsoft Power Apps, as part of its January 2026 security updates. The flaw affects the Power Apps platform and could allow an attacker to execute arbitrary code if the vulnerability is successfully exploited. Because Power Apps is commonly used to build and run business-critical workflows, this type of issue carries meaningful risk.  

Remote code execution vulnerabilities are considered especially dangerous because they may allow attackers to take control of applications, manipulate data, or disrupt operations. In this case, exploitation could impact the integrity and availability of Power Apps environments and any connected services or data sources. Microsoft has confirmed that the issue has been fixed through platform updates.  

At the time of release, there were no reports of real-world exploitation, no zero-day activity, and no public proof-of-concept code associated with this vulnerability. The update reduces the risk of attackers abusing Power Apps to execute malicious actions within enterprise environments.

Microsoft Office CVE-2026-21509 Security Update

“Microsoft rushed an emergency security update to block a zero-day flaw in Office that attackers were already abusing — don’t wait to update and restart your apps.”

Office that attackers were already abusing — don’t wait to update and restart your apps.”

Microsoft has released an out-of-band security update to address CVE-2026-21509, a high-severity zero-day vulnerability in Microsoft Office that was already being exploited in attacks at the time of release.

What CVE-2026-21509 Is
CVE-2026-21509 (CVSS 7.8) is a security feature bypass vulnerability affecting multiple Microsoft Office versions, including:

• Microsoft 365 Apps for Enterprise
• Microsoft Office LTSC 2021 and LTSC 2024
• Office 2016 and 2019

The issue arises from relying on untrusted input when making a security decision. This allows a locally executed malicious Office file to bypass OLE and COM mitigations, which are internal defenses designed to block unsafe controls in Office documents. To exploit this issue, an attacker must deliver a specially crafted Office file and persuade a user to open it.

Affected Software and Protection Status

• Microsoft 365 and Office 2021 or later: Protection is delivered via a service-side update; users and admins must restart Office applications for the mitigation to take effect.
• Office 2016 and 2019: Security updates became available a day later. 

Severity and Exploitation 
This flaw is actively exploited in the wild by attackers, making it urgent for organizations to apply the update and ensure users restart Office to activate protections. Public details about the exploit method beyond the bypass behavior have not been broadly disclosed by Microsoft.

How to Mitigate 
Deployment of the emergency update and restarting Office applications on affected systems is required to mitigate CVE-2026-21509 for supported Office versions.

Cisco   

“A critical zero-day that can let attackers take full system takeover.”  

Cisco CVE-2025-20393 is a critical remote command execution vulnerability with a CVSS score of 10.0 (Critical) affecting Cisco AsyncOS Software used by Cisco Secure Email Gateway (SEG) and Cisco Secure Email and Web Manager (SEWM) appliances. The issue occurs when the Spam Quarantine feature is enabled and exposed to the internet. Due to insufficient input validation in HTTP requests, an unauthenticated attacker can exploit this weakness to execute arbitrary commands with root privileges, giving them full control of the affected appliance.  

This vulnerability was actively exploited in real-world attacks prior to patching. A China-linked advanced threat actor leveraged the flaw to gain persistent access to targeted systems, deploy backdoors, establish covert remote tunnels, and remove logs to hide activity. Successful exploitation allows attackers to monitor email traffic, manipulate security controls, and potentially pivot deeper into internal networks, making the impact especially severe for enterprise environments.  

Cisco has released software updates that fully address this issue and remove known attacker persistence. No Patch Available statements do not apply in this case, as Cisco has confirmed fixes are available. Given the critical severity and confirmed exploitation, unpatched systems face a high risk of complete compromise.

Palo Alto Networks

“A single unauthenticated request can push a firewall offline and strip away network protection in seconds.”  

This update addresses CVE-2026-0227, a high-severity vulnerability (CVSS 7.7 – High) in Palo Alto Networks PAN-OS when GlobalProtect portals or gateways are enabled. The issue is caused by improper handling of exceptional conditions, allowing a remote, unauthenticated attacker to repeatedly send crafted network traffic that forces the firewall into maintenance mode. When this happens, the device stops inspecting or enforcing security policies until an administrator manually restores service.  

The vulnerability affects multiple PAN-OS versions across supported branches and also impacts Prisma Access deployments using GlobalProtect. While this issue does not expose data or allow code execution, it poses a serious availability risk, potentially disrupting business operations and leaving networks unprotected during an outage window. Proof-of-concept code exists, increasing the likelihood of misuse, though no confirmed real-world exploitation has been reported at this time. Palo Alto Networks has released patches to fully resolve the issue, and no workaround is available.

WordPress

“These WordPress bugs let attackers jump straight to admin control or take over the database without logging in.”  

Two critical vulnerabilities have been identified in popular WordPress plugins, tracked as CVE-2025-14502 and CVE-2026-23550. Both issues allow unauthenticated attackers to compromise WordPress sites, making them especially dangerous for publicly accessible installations.  

CVE-2025-14502 (CVSS 9.8 – Critical) affects the News and Blog Designer Bundle plugin and is an unauthenticated SQL injection flaw. The plugin fails to properly sanitize user input before passing it to the database. This allows attackers to execute arbitrary database commands, potentially leading to data theft, content manipulation, creation of rogue admin accounts, or full site takeover — all without needing a login.  

CVE-2026-23550 (CVSS 10.0 – Critical) impacts the Modular DS plugin and allows unauthenticated privilege escalation. Due to overly permissive routing and broken authentication logic, attackers can directly access protected endpoints and automatically log in as an administrator. This vulnerability has been actively exploited in the wild, with attackers observed creating new admin users and taking full control of affected sites.  

Both vulnerabilities represent complete compromise risks for WordPress environments. If exploited, attackers can modify content, deploy malware, redirect visitors, or permanently damage site integrity. Patches are available for both plugins, and there are no safe workarounds.  

ServiceNow

“This bug lets attackers take over an AI user’s identity and act with their permissions, no login required.”  

ServiceNow has patched CVE-2025-12420, a critical vulnerability (CVSS 9.3 – Critical) affecting its ServiceNow AI Platform, including Now Assist AI Agents and the Virtual Agent API. The flaw allows an unauthenticated attacker to impersonate any ServiceNow user and perform actions with that user’s privileges. The issue has been nicknamed BodySnatcher due to its ability to silently assume another user’s identity.  

The vulnerability stems from weaknesses in how the platform links accounts and validates identity, relying on trusted internal secrets and email-based logic. This design gap allows attackers to bypass multi-factor authentication (MFA) and single sign-on (SSO) protections entirely. If exploited, an attacker could impersonate high-privilege users, including administrators, and use AI agents to modify records, create backdoor accounts, disable security controls, or access sensitive corporate data.  

ServiceNow addressed the issue in October 2025, deploying fixes across hosted environments and releasing patches to partners and self-hosted customers. Fixed versions include Now Assist AI Agents 5.1.18 / 5.2.19 and later, and Virtual Agent API 3.15.2 / 4.0.4 and later. There is no evidence of active exploitation at this time, but the impact potential is severe due to the lack of authentication requirements and the elevated access that can be gained.  

Node.js 

“Attackers could knock Node.js services offline with crafted requests. Unsafe parsing logic can turn user input into executable code.”  

Node.js addressed two important security issues affecting applications and supporting components used across the ecosystem. CVE-2025-59466 is a denial-of-service vulnerability in the Node.js runtime that can be triggered by specially crafted input, causing excessive resource consumption and potentially crashing the process. Successful exploitation could allow an attacker to repeatedly disrupt service availability. This issue is rated High severity with a CVSS score of 7.5, reflecting its impact on system stability and uptime.  

The second issue, CVE-2026-1245, affects the widely used binary-parser npm package commonly deployed in Node.js applications. The vulnerability allows arbitrary code execution when untrusted input is used to construct parser definitions. Malicious input can be transformed into executable JavaScript, giving attackers the ability to run code with the same privileges as the Node.js process. This vulnerability carries a High severity rating with a CVSS score of 8.1. A patched version of the affected package is available.  

There are no confirmed reports of real-world exploitation for either vulnerability at the time of disclosure. However, the risks are serious: denial-of-service attacks can interrupt critical services, while arbitrary code execution can lead to full system compromise. Updating the Node.js runtime and affected dependencies fully mitigates these issues.  

Apache Struts 2  

“A single malicious XML request can trick Struts into exposing files or overwhelming the server.”  

CVE-2025-68493 is a high-severity vulnerability (CVSS 8.1 – High) affecting Apache Struts 2. The issue is caused by missing XML validation in the framework’s core processing logic, which allows unsafe handling of XML input. When a vulnerable application processes crafted XML, it may incorrectly resolve external entities, opening the door to serious security risks.  

If exploited, this weakness can allow attackers to read sensitive files, trigger denial-of-service conditions through resource exhaustion, or make unauthorized internal requests from the server. Applications that accept XML input or rely on XML-based configuration are especially exposed. The vulnerability impacts multiple Struts 2 versions across several release branches and has been fixed in Apache Struts 2 version 6.1.1 and later. There is no indication of active exploitation or public proof-of-concept code at this time, but the potential impact remains significant.  

Angular Template Compiler 

“This flaw lets attackers slip dangerous expressions into templates that run as code during the build.”  

CVE-2026-22610 is a high-severity vulnerability (CVSS 8.5 – High) in the Angular Template Compiler. The issue lies in how the compiler processes template input, where specially crafted expressions can bypass expected safeguards and be evaluated in unsafe ways. When untrusted or externally sourced templates are compiled, this can result in arbitrary code execution at build time.  

The Angular Template Compiler converts templates into executable JavaScript, making it a highly trusted part of the build pipeline. If attackers are able to inject malicious template content, they can influence the generated output, potentially embedding backdoors, altering application behavior, or introducing malicious logic before the application is deployed. This is especially risky for projects that dynamically generate templates or consume third-party template content.  

Because the vulnerability affects the core compilation process, many Angular projects may be exposed until patched. The issue has been resolved in updated Angular releases that strengthen template validation and prevent unsafe expressions from being processed during compilation.  

Hikvision Access Control

“These bugs allow attackers to bypass access controls and take over device management without proper authentication.”  

Hikvision has released security updates addressing CVE-2025-66176 and CVE-2025-66177, two high-severity vulnerabilities affecting Hikvision Access Control Products. These issues impact how the devices handle authentication and authorization, creating serious risks for environments that rely on them to manage physical access.  

CVE-2025-66176 (CVSS 8.8 – High) is an authentication bypass vulnerability. Due to improper validation of user requests, an attacker can access restricted functionality without providing valid credentials. This weakness allows unauthorized users to reach sensitive device interfaces that should only be available to trusted administrators.  

CVE-2025-66177 (CVSS 8.6 – High) is a privilege escalation vulnerability that allows attackers to gain elevated permissions once access is achieved. By chaining this issue with the authentication bypass, a remote attacker could gain full administrative control over affected access control devices. This could lead to unauthorized configuration changes, disruption of access policies, or disabling of physical security protections. There is no indication of active exploitation at this time, but the combined impact poses a serious security concern.  

SAP 

“A quartet of critical bugs in core SAP systems could let attackers corrupt financial data, run code remotely, or inject dangerous commands deep inside enterprise landscapes.”  

SAP’s January 2026 Security Patch Day delivered fixes for multiple critical vulnerabilities that affect core business and integration components across its ecosystem. Four of the most serious are CVE-2026-0501, CVE-2026-0500, CVE-2026-0498, and CVE-2026-0491, all of which can severely affect confidentiality, integrity, or availability if left unpatched.  

CVE-2026-0501 (CVSS 9.9 – Critical) is a SQL injection flaw in SAP S/4HANA’s Financials – General Ledger module. Insufficient input validation lets an authenticated user craft SQL queries that read, modify, or delete backend data, potentially corrupting financial records or undermining core accounting functions.  

CVE-2026-0500 (CVSS 9.6 – Critical) is a remote code execution (RCE) vulnerability in SAP Wily Introscope Enterprise Manager (WorkStation). An unauthenticated attacker can craft malicious content — for example via specially prepared JNLP files — that triggers execution of arbitrary commands when handled by the vulnerable component, compromising monitoring infrastructure.  

CVE-2026-0498 (CVSS 9.1 – Critical) is a code injection issue in SAP S/4HANA (Private Cloud and On-Premise). Attackers with appropriate access can inject code through remote-enabled function modules, potentially leading to OS command execution or full system compromise in affected installations.  

CVE-2026-0491 (CVSS 9.1 – Critical) is a similar code injection defect in SAP Landscape Transformation components. Through vulnerable RFC paths, attackers with authenticated access can inject commands and influence execution flows, putting landscape migration and transformation processes at risk.  

All four vulnerabilities must be addressed urgently with the appropriate SAP security notes and patches on systems where the affected components are in use. The combined impact spans database integrity, remote code execution, administrative control, and operational stability.  

Mailpit SSRF and WebSocket

“Two bugs in Mailpit let outsiders reach internal systems and read intercepted email data without permission.”  

Mailpit — a lightweight SMTP server and email viewer used in development — had two serious security issues that could be abused when it is reachable from untrusted networks.  

The first issue, tracked as CVE-2026-21859 (CVSS 7.5 – High), was a Server-Side Request Forgery (SSRF) flaw in the /api/v1/proxy endpoint. Because Mailpit did not validate user-supplied URLs, an attacker could make the server request internal or cloud metadata services on their behalf, potentially reaching sensitive internal APIs or resources that aren’t normally exposed. This was fixed in Mailpit v1.28.1.  

The second issue, CVE-2026-22689 (CVSS 7.8 – High), was a Cross-Site WebSocket Hijacking (CSWSH) flaw. The WebSocket server accepted connections from any origin, so a malicious webpage could open a WebSocket to a victim’s Mailpit instance and steal email content in real time — even without any login or credentials. This was fixed in Mailpit v1.28.2 by enforcing proper origin checks on WebSocket connections.  

Both bugs show how unprotected endpoints can be exploited even in tools intended for local development, especially when those tools are exposed beyond trusted networks.  

OpenProject 

“These issues weaken login and session protections, putting project data and user accounts at risk.”  

OpenProject has released fixes for CVE-2026-22601, CVE-2026-22602, CVE-2026-22603, and CVE-2026-22604, a group of high-severity vulnerabilities affecting core authentication, session handling, and access control mechanisms in the platform. When combined, these weaknesses could allow attackers to bypass protections that keep project data and user accounts secure.  

CVE-2026-22601 (CVSS 8.6 – High) is an authentication bypass issue that could allow attackers to appear as logged-in users without valid credentials. This undermines trust in the login process and opens the door to unauthorized access.  

CVE-2026-22602 (CVSS 7.8 – High) is a session fixation vulnerability. Attackers could force users to reuse a known session identifier, allowing the attacker to take over the session once the victim authenticates.  

CVE-2026-22603 (CVSS 7.5 – High) involves insufficient authorization checks in certain application paths, which could let users access or modify data beyond their intended permissions.  

CVE-2026-22604 (CVSS 7.4 – High) affects API access controls, where improper validation could expose sensitive project information to unauthorized users.  

All four issues have been addressed in patched OpenProject releases. While there is no indication of active exploitation, the impact could include account takeover, exposure of confidential project data, and disruption of team workflows if systems remain unpatched.  

Cal.com  

“A single crafted link can fully compromise user trust and redirect victims to attacker-controlled destinations.”  

CVE-2026-23478 is a critical vulnerability (CVSS 10.0 – Critical) affecting Cal.com, the open-source scheduling and booking platform. The issue is caused by improper validation of user-supplied URL input, allowing attackers to abuse trusted Cal.com links for open redirects and unsafe content injection.  

By exploiting this flaw, an attacker can create links that appear legitimate but silently redirect users to malicious websites. Because Cal.com links are commonly shared for meetings, interviews, and bookings, this creates a powerful attack path for phishing, credential theft, malware delivery, and brand impersonation. In some cases, the weakness also allows attacker-controlled content to be presented to users, further increasing the risk of deception.  

The vulnerability has been fixed in patched Cal.com releases by enforcing strict validation on redirect and URL handling logic. There is no confirmed active exploitation, but the maximum CVSS score reflects the complete lack of user interaction safeguards and the high likelihood of abuse if systems remain unpatched.  

Opvius AI

“This bug lets outsiders reach powerful WooCommerce functions without logging in.”  

CVE-2025-14301 is a critical vulnerability (CVSS 9.8 – Critical) affecting the Integration Opvius AI for WooCommerce plugin. The issue is caused by missing or insufficient authentication checks on exposed plugin endpoints, allowing unauthenticated attackers to access functionality that should be restricted to trusted users or administrators.  

If exploited, this flaw could allow attackers to interact with WooCommerce and AI integration features without permission, potentially manipulating store data, triggering unauthorized actions, or exposing sensitive business information. In a worst-case scenario, attackers could abuse the plugin’s integration logic to disrupt store operations or gain deeper access to the environment.  

The vulnerability has been fixed in updated versions of the plugin by enforcing proper authentication and permission validation. There is no confirmed evidence of active exploitation, but the impact is severe because the attack does not require credentials and targets e-commerce environments where availability and data integrity are critical.  

PagerDuty Runbook Automation

“This issue lets attackers abuse trusted automation to quietly gain access to high-value operational secrets.”  

CVE-2025-52493 is a high-severity vulnerability (CVSS 8.8 – High) affecting PagerDuty Runbook Automation. The flaw stems from insufficient authorization controls within runbook execution logic, which could allow users with elevated access to trigger or manipulate automation workflows beyond their intended scope.  

If exploited, this vulnerability could allow an attacker with administrative access to abuse trusted runbook automation features to extract sensitive secrets and perform high-impact actions. While the issue requires admin-level access, its impact aligns closely with modern attack patterns that focus on living off the land. A single compromised admin account could be used to quietly harvest API keys, service credentials, and access tokens for multiple integrated systems, all through legitimate PagerDuty interfaces that generate little to no security noise. Rather than relying on noisy exploits, attackers could turn one trusted administrative foothold into broad access across an organization’s operational and cloud ecosystem, making detection and containment far more difficult.  

PagerDuty has addressed the issue by strengthening permission checks and enforcing stricter validation around runbook execution. There is no evidence of active exploitation, but the risk remains significant due to the level of trust placed in automation workflows and their direct connection to production systems.  

ASP.NET Core Kestrel Server

“This flaw lets attackers hide malicious requests inside normal traffic and bypass server defenses.”  

CVE-2025-55315 is a critical vulnerability (CVSS 9.9 – Critical) affecting the ASP.NET Core Kestrel server, the default web server for ASP.NET Core applications. The issue is a HTTP request smuggling weakness caused by inconsistent parsing of malformed or specially crafted HTTP requests. This allows attackers to sneak hidden requests through the server by exploiting differences in how requests are interpreted.  

If exploited, this vulnerability could allow attackers to bypass security controls, access restricted endpoints, poison caches, or manipulate how requests are handled between proxies and the application server. In practical terms, attackers can inject unauthorized requests into trusted sessions, leading to data exposure, unauthorized actions, or unpredictable application behavior. Because Kestrel is commonly deployed behind reverse proxies, the real-world impact can be severe in production environments.  

Microsoft has addressed the issue by correcting how Kestrel validates and processes incoming HTTP requests, ensuring malformed traffic is consistently rejected. There is no confirmed evidence of active exploitation, but the near-maximum CVSS score reflects the high impact and low complexity of potential attacks if systems remain unpatched.  

Microsoft Windows Admin Center

“This flaw lets attackers slip past admin checks and control Windows systems through a trusted management interface.”  

CVE-2026-20965 is a high severity vulnerability (CVSS 7.5) affecting Microsoft Windows Admin Center, a centralized management tool used to administer Windows servers and infrastructure. The issue stems from improper authentication and authorization handling, allowing attackers to bypass expected security checks when interacting with the Admin Center interface.  

If exploited, this vulnerability could allow an attacker to impersonate authorized users or gain elevated privileges, enabling them to perform administrative actions remotely. Because Windows Admin Center is commonly used to manage servers, clusters, and system configurations, successful exploitation could lead to full system control, configuration tampering, service disruption, or access to sensitive operational data. The risk is especially high in environments where Admin Center is exposed to broader networks.  

Microsoft has released patches to correct the authentication logic and ensure that only properly authorized users can access privileged management functions. There is no confirmed evidence of active exploitation, but the impact is severe due to the trusted role Windows Admin Center plays in enterprise environments.  

Livewire Filemanager  

“This bug lets attackers upload dangerous files and take control of the server without logging in.”  

CVE-2025-14894 is a critical vulnerability (CVSS 9.8 – Critical) affecting Livewire Filemanager, a popular file management component used in Laravel and Livewire applications. The issue is caused by missing or insufficient authentication and validation checks on file handling functionality, allowing unauthenticated attackers to interact with file upload and management features that should be restricted.  

If exploited, this vulnerability could allow attackers to upload arbitrary files, including scripts that may be executed by the server. This can quickly escalate into remote code execution, full application compromise, data theft, or service disruption. Because file managers often have access to sensitive directories, a successful attack could expose configuration files, credentials, or user data, and give attackers long-term persistence on the system.  

The issue has been fixed in updated versions of Livewire Filemanager by enforcing proper access controls and tightening file validation logic. There is no confirmed evidence of active exploitation, but the impact is severe due to the lack of authentication requirements and the high level of access involved.  

Microsoft Office Untrusted Search Path

“Office could load unsafe files and allow the wrong file to open the door to full system compromise.”  

Microsoft released a security update to address a high-severity elevation of privilege vulnerability in Microsoft Office related to an untrusted search path issue. This weakness could allow a local attacker to run unauthorized code if they are able to place a malicious file in a location that Office mistakenly trusts. When triggered, the attack could give the attacker the same privileges as the logged-in user.  

The vulnerability is tracked as CVE-2026-20943 and carries a CVSS score of 7.0 (High). It affects Office installations that rely on Click-to-Run technology, including Office 2016. Exploitation requires local access and user interaction, but successful abuse could lead to data exposure, unauthorized changes, or service disruption. There have been no confirmed real-world attacks, zero-day exploitation, or public proof-of-concept code reported at this time.  

Microsoft has released a patch to correct how Office handles file search paths, reducing the risk of loading untrusted components. Systems that delay patching remain exposed to unnecessary local attack paths that could be leveraged as part of a broader compromise.  

Adobe 

“A broad set of serious bugs in Adobe creative and content tools could let attackers run code, break apps, or expose data if you open a crafted file.”  

Adobe released security updates across many products to address a large group of vulnerabilities (including all CVEs you listed). These issues mostly allow arbitrary code execution or memory exposure when a user opens a malicious file in affected software. Updating to the latest versions closes these attack paths and helps protect systems from compromise.  

Below is a summary of the key CVEs you asked about and how they impact affected Adobe products. All of these have patches available in the January 2026 security bulletins:  

Dreamweaver Vulnerabilities (Critical Code Execution)  

These flaws affect Adobe Dreamweaver versions 21.6 and earlier and are patched in 21.7. They all require user interaction (opening a malicious project or asset) and can result in arbitrary code execution or unauthorized actions:  

• CVE-2026-21267 – OS command injection, CVSS 8.8 (Critical)  

• CVE-2026-21268 – Improper input validation, CVSS 8.8 (Critical)  

• CVE-2026-21271 – Input validation leading to arbitrary code execution, CVSS 8.8 (Critical)  

• CVE-2026-21272 – Input validation leading to arbitrary file system write, CVSS 8.8 (Critical)  

• CVE-2026-21274 – Incorrect authorization enabling code execution, CVSS 8.8 (Critical)  

These represent some of the most serious issues in this batch.  

Adobe Bridge Vulnerability  

• CVE-2026-21283 – A heap-based buffer overflow in Adobe Bridge that can lead to arbitrary code execution when a crafted file is opened. CVSS 7.8 (High). This issue is fixed in updated Bridge versions.  

Adobe InDesign Vulnerabilities  

InDesign had several critical issues fixed:  

• CVE-2026-21275 & CVE-2026-21276 – Uninitialized pointer flaws that could allow code execution, CVSS 8.8 (Critical)  

• CVE-2026-21277 & CVE-2026-21304 – Heap overflow vulnerabilities leading to arbitrary code execution, CVSS 8.8 (Critical)  

• CVE-2026-21278 – Out-of-bounds read that could expose memory contents, CVSS 5.3 (Medium)  

All of these are patched in the latest InDesign updates.  

Adobe Substance 3D Stager  

• CVE-2026-21287 – A use-after-free vulnerability in Substance 3D Stager that could lead to arbitrary code execution with user interaction, CVSS 7.8 (High). This issue is patched.  

Additional Notes  

Some other affected products, including Illustrator, InCopy, and additional Substance 3D components, were included in this same wave of fixes for similar arbitrary code execution vulnerabilities.  

Across these Adobe bugs, the common pattern is that attackers must trick a user into opening a crafted file. Successful exploitation can lead to serious impacts such as execution of attacker-controlled code, application crashes, or exposure of sensitive memory.  

There are no widely reported in-the-wild exploits, zero-day abuse, or public proof-of-concept code for these specific CVEs at this time. However, the severity and number of affected products make prompt patching important.  

Chainlit

“A simple content update call could turn into data theft or internal network probing.”  

Chainlit, a popular Python framework for building AI chat applications, addressed two high-risk security issues in version 2.9.4 affecting earlier releases. CVE-2026-22218 is an arbitrary file read vulnerability in the /project/element update flow. An authenticated attacker could manipulate a file path parameter to copy and access sensitive files on the server, potentially exposing configuration files, secrets, or application data. This issue carries a CVSS score of 7.1 (High) due to its direct impact on data confidentiality.  

The second issue, CVE-2026-22219, is a server-side request forgery (SSRF) vulnerability in the same update flow when Chainlit is configured with the SQLAlchemy data layer. An authenticated attacker could force the server to make outbound HTTP requests to attacker-controlled URLs, enabling access to internal services or cloud metadata endpoints. This vulnerability has a CVSS score of 8.3 (High), reflecting the risk of internal network exposure and potential credential leakage.  

There are no confirmed reports of real-world exploitation for either vulnerability at this time. However, both issues present serious risks in production environments, especially those handling sensitive data or running in cloud infrastructures. The flaws were fully remediated in Chainlit 2.9.4, and earlier versions remain vulnerable.  

Oracle 

“This update fixes 337 security weaknesses that attackers could exploit to break into critical Oracle systems.”  

Oracle released its January 2026 Critical Patch Update (CPU) as part of its quarterly security release cycle. This update delivers fixes for 337 distinct vulnerabilities across more than 30 Oracle product families, making it one of the larger CPUs in recent quarters. The addressed issues include flaws that could lead to unauthorized access, data exposure, service disruption, or complete system compromise if left unpatched.  

The CPU resolves multiple Critical and High severity vulnerabilities, including issues that are remotely exploitable and, in some cases, require no authentication. Affected products span key enterprise platforms such as Oracle Communications, Oracle Commerce, Fusion Middleware, PeopleSoft, and other core Oracle technologies. Several vulnerabilities reach Critical severity with CVSS scores as high as 10.0, indicating the potential for total impact on affected systems.  

There are no confirmed reports of real-world exploitation associated with these vulnerabilities at the time of release. Even so, the sheer volume of fixes and the presence of remotely exploitable issues make this update especially important for organizations running internet-facing or mission-critical Oracle systems. The January 2026 CPU is cumulative and fully remediates the disclosed vulnerabilities in supported versions. 

Cisco Unified Communications Products   

“A single abused admin command could turn trusted access into full system control.”  

Cisco disclosed CVE-2026-20045, a high-impact command execution vulnerability affecting Cisco Unified Communications Manager and related Unified Communications products. The issue exists in the command-line interface input validation logic. When an authenticated user with administrative privileges submits specially crafted input, the system may improperly process the command, allowing arbitrary operating system commands to be executed on the underlying host.  

This vulnerability carries a CVSS score of 8.2 (High), reflecting the serious impact on system integrity and availability. Successful exploitation could allow an attacker to alter system configurations, access sensitive communication data, disrupt voice and video services, or fully compromise the affected system. While exploitation requires valid credentials, the level of control gained makes this a significant risk in enterprise environments.  

There are no confirmed reports of active exploitation at this time. Cisco has released software updates that correct the improper input handling and prevent unauthorized command execution. Systems running vulnerable versions remain exposed until patched.  

HPE Multiple Network and Configuration  

“A set of network, database, and packet-processing bugs could expose HPE networking gear to data access and service disruption risks if left unpatched.”  

Hewlett Packard Enterprise (HPE) released updates to address multiple security vulnerabilities affecting several of its networking products in early 2026. The flaws span EdgeConnect SD-WAN Orchestrator and HPE Instant On Access Points, with impacts ranging from database manipulation and information exposure to denial of service.  

Three related issues — CVE-2025-37181, CVE-2025-37182, and CVE-2025-37183 — affect the web-based management interface of the HPE EdgeConnect SD-WAN Orchestrator. Authenticated attackers could exploit these SQL injection flaws to inject and execute arbitrary database commands, potentially leading to unauthorized data access, modification, or interference with orchestrator operations. These issues are rated High severity with CVSS scores 7.2.  

In the HPE Instant On product line, CVE-2025-37165 involves a configuration issue in router mode that can leak internal VLAN and network configuration details to unintended interfaces, offering attackers reconnaissance data that could assist further attacks. This flaw carries a CVSS score 7.5 and affects devices running older firmware releases. CVE-2025-37166 describes a denial-of-service condition where crafted network packets can cause affected access points to enter a non-responsive state, disrupting connectivity and requiring a physical reset in some cases. This issue also carries a CVSS score 7.5.  

There are no widely reported exploitations for these specific CVEs in the wild yet. Still, the nature of the flaws — especially SQL injection and network packet handling issues — makes prompt patching essential. HPE has published patched firmware and software updates for impacted products, and administrators should install these updates as soon as possible to mitigate risk.  

Versa Concerto 

“A critical weakness in Versa Concerto could allow attackers to slip past authentication and access sensitive internal systems, putting enterprise networks at serious risk.”  

Versa Concerto’s SD-WAN orchestration platform is affected by a critical authentication bypass vulnerability, tracked as CVE-2025-34026 with a CVSS score of 9.2 (Critical). The issue is caused by improper request handling in the platform’s reverse proxy configuration, which can allow attackers to bypass authentication controls and reach restricted administrative Actuator endpoints.  

If successfully exploited, an attacker could access sensitive internal information such as application heap dumps, trace logs, credentials, and session data. This kind of exposure can significantly lower the barrier for deeper compromise of the SD-WAN environment and connected infrastructure.  

The vulnerability impacts Versa Concerto versions 12.1.2 through 12.2.0. A public proof-of-concept exploit is available, demonstrating how the authentication bypass can be triggered. While there are no confirmed reports of active exploitation or zero-day attacks, the existence of public exploit code increases the likelihood of abuse if systems remain unpatched. Updated versions of Versa Concerto address this issue.  

Zimbra Collaboration Suite

“A serious weakness in Zimbra’s classic webmail could let attackers read internal files without logging in, exposing sensitive system data.”  

Zimbra Collaboration Suite is affected by a high-severity local file inclusion vulnerability, tracked as CVE-2025-68645 with a CVSS score of 8.8 (High). The issue exists in the Webmail Classic UI, where improper handling of user-supplied input allows unauthenticated attackers to manipulate requests and force the application to include arbitrary files from the web root directory.  

If exploited, this vulnerability can expose internal application files, configuration details, and other sensitive information that could be used to plan further attacks or compromise user data. Because the attack does not require authentication and can be triggered remotely, it significantly increases the risk to internet-facing Zimbra servers running vulnerable versions.  

The issue affects Zimbra Collaboration Suite versions 10.0 through 10.0.17 and 10.1 through 10.1.12. A public proof-of-concept exploit is available, lowering the barrier for exploitation. There are no confirmed reports of active real-world attacks or zero-day exploitation, but the availability of exploit code makes timely patching critical. Fixed releases are available in newer Zimbra versions.  

Broadcom VMware vCenter Server

“A critical weakness in vCenter could allow an external attacker to take full control of the virtualization control plane if left unpatched.”  

Broadcom disclosed a critical remote code execution vulnerability in VMware vCenter Server that stems from a heap overflow condition in the service’s network request handling. An unauthenticated attacker with network access could exploit this issue by sending specially crafted traffic to the vCenter Server, potentially allowing arbitrary code execution with full system privileges. Because vCenter sits at the center of virtual infrastructure management, a successful attack could give an adversary control over virtual machines, configurations, and core operations.  

This issue is tracked as CVE-2024-37079 and is rated Critical, with a CVSS score of 9.8 (Critical). The vulnerability requires no authentication, no user interaction, and no prior access, making it especially dangerous in exposed or poorly segmented environments. At the time of disclosure, there was no confirmed real-world exploitation and no public proof-of-concept code, but the technical characteristics make it a high-value target.  

Broadcom released an official fix for affected VMware vCenter Server versions, closing the remote execution path and restoring safe memory handling within the service.  

GNU Inetutils Telnetd  

“This bug lets an attacker skip login checks entirely and become root, putting full system control at risk.”  

A critical authentication bypass vulnerability was identified in telnetd within GNU Inetutils through version 2.7. The issue allows a remote, unauthenticated attacker to gain access by abusing how telnetd processes environment variables. By supplying a crafted USER environment value such as -f root, an attacker can bypass normal authentication controls and log in directly as the root user.  

This vulnerability is tracked as CVE-2026-24061 and is rated Critical, with a CVSS score of 9.8 (Critical) according to the CNA assessment. The impact is severe, affecting confidentiality, integrity, and availability, since successful exploitation grants full administrative access to the system. The weakness is tied to improper handling of command arguments, allowing attacker-controlled input to alter authentication behavior.  

No mitigation is inherent to configuration alone, as the flaw exists in the telnetd implementation itself. Systems running vulnerable versions of GNU Inetutils telnetd are exposed to immediate system takeover risk if the service is reachable over the network.  

Brave Browser

“This update keeps Brave up to date with the latest Chromium foundation and fine-tunes features like the Brave Wallet and Linux support for a smoother, more secure browsing experience.”  

The Brave Browser 1.86.142 release is a stable, incremental update for Brave’s desktop and cross-platform browser, focusing on dependency adjustments, feature cleanup, and the essential underlying engine upgrade. It doesn’t introduce major new user features but improves the core browser experience and aligns Brave with the current Chromium baseline for performance and security.   

What’s Included:  

• Chromium engine upgrade: Updated to Chromium 144.0.7559.97, bringing enhancements to performance, security patches, and web compatibility inherited from the Chromium project.   

• Linux dependency fix: Re-added the “brave-keyring” package as a required dependency on Linux distributions to improve installation and runtime reliability on that platform.   

• Wallet UI change: Removed the “Web3” section from the Brave Wallet Explorer tab, simplifying the wallet interface and deprecating a component of the Web3 experience.   

This version continues Brave’s pattern of small, targeted quality updates that keep browser foundations current and address platform-specific quirks rather than deliver headline new features. There are no publicly disclosed critical vulnerabilities tied specifically to this version; most browser security coverage stems from the integrated Chromium fixes.   

Vitejs Vite 

“A development server that’s accidentally exposed can quietly hand over files attackers were never meant to see.”  

This patch addresses an information exposure vulnerability in Vite, a popular JavaScript build and development tool. CVE-2025-31125 occurs when a Vite development server is intentionally or unintentionally exposed to a network instead of being limited to localhost. In this situation, an unauthenticated attacker can abuse specific import query parameters to bypass Vite’s file access restrictions.  

The vulnerability allows attackers to retrieve the contents of files that should normally be blocked by Vite’s security controls. Depending on the project setup, this could include configuration files, source files, or other sensitive data used during development. The issue is tied to insufficient enforcement of file system deny rules when certain request patterns are used.  

CVE-2025-31125 has been assigned a CVSS score of 7.5 (High). The risk increases significantly when development servers are exposed to shared or public networks. Proof-of-concept exploit techniques are publicly available, and the issue has been flagged by government security agencies as important to remediate. This vulnerability has been fixed in updated Vite releases, and upgrading to patched versions fully addresses the issue.  

pnpm   

“A single dependency install can quietly run attacker code or pull in changed packages without anyone noticing.”  

This patch addresses two serious supply chain vulnerabilities in pnpm, a widely used JavaScript package manager. Both issues affect how dependencies are fetched and installed, creating opportunities for malicious code execution or undetected package changes during normal development and CI workflows.  

CVE-2025-69264 is a high-severity issue (CVSS score: 8.8) that allows unintended execution of lifecycle scripts from git-hosted dependencies. Although pnpm introduced protections to disable dependency scripts by default, certain scripts such as prepare and prepack could still run when dependencies were sourced directly from git repositories. This behavior allows attackers to embed malicious code that executes automatically during installation, potentially leading to full compromise of the developer or build environment.  

CVE-2025-69263 is a lockfile integrity weakness (CVSS score: 7.5) where pnpm failed to record cryptographic integrity hashes for dependencies fetched from HTTP or git tarball URLs. Without these hashes, pnpm could not detect when dependency content changed between installs. This breaks the trust model of lockfiles and opens the door to supply chain attacks where different code is delivered at different times without warning.  

Both vulnerabilities have been fixed in pnpm version 10.26.0 and later. The fixes ensure lifecycle scripts from git dependencies are properly restricted and that integrity hashes are enforced for all supported dependency sources.  

Anthropic MCP-Server-Git

“A poisoned prompt can push an AI coding assistant to manipulate files it was never meant to touch.”  

This patch addresses three high-severity vulnerabilities in Anthropic’s mcp-server-git, the Git integration used by AI assistants through the Model Context Protocol (MCP). These issues stem from improper input validation and access control in Git-related tool calls. When an attacker can influence content read by an AI model—such as repository files, issues, or documentation—they can trigger unsafe Git operations through prompt injection.  

CVE-2025-68143 has a CVSS v3.1 score of 8.8 (High). It allows unrestricted repository initialization, enabling Git repositories to be created in arbitrary filesystem locations. This can expose sensitive directories and expand the attack surface beyond the intended workspace.  

CVE-2025-68144 carries a CVSS v3.1 score of 8.1 (High). It is caused by argument injection in Git commands, where attacker-controlled inputs are passed directly to underlying Git operations. This can result in unintended file deletion, overwriting data, or manipulating repository contents.  

CVE-2025-68145 has a CVSS v3.1 score of 7.1 (High). This vulnerability allows a path validation bypass using repository parameters, permitting Git operations to occur outside the authorized repository scope. It weakens directory boundaries and can expose or alter unrelated data.  

When combined—especially alongside other MCP services like filesystem access—these vulnerabilities can be chained to enable arbitrary file access, data corruption, or remote code execution, all without direct system access by the attacker. Updated versions of mcp-server-git fully address these issues.  

Zoom Node Multimedia Router 

“A single meeting connection could give an attacker control of Zoom’s media infrastructure.”  

This patch addresses a critical remote code execution vulnerability in Zoom Node Multimedia Router (MMR) components used in Zoom Node Meetings Hybrid and Zoom Node Meeting Connector deployments. CVE-2026-22844 is caused by improper input validation that allows command injection at the operating system level.  

The flaw allows a remote attacker who can join a meeting handled by a vulnerable MMR to send specially crafted input that is executed as system commands. No elevated privileges or user interaction beyond joining the meeting are required. Successful exploitation could result in full compromise of the multimedia router, exposing meeting traffic, disrupting services, or enabling further lateral movement within the environment.  

CVE-2026-22844 has a CVSS v3.1 score of 9.9 (Critical). The severity reflects how easily the vulnerability can be exploited and the complete impact on confidentiality, integrity, and availability of the affected system. Zoom has released patched versions of the MMR software, and systems running versions prior to 5.2.1716.0 are affected.  

Microsoft SQL Server 

“A crafted SQL query can let an attacker climb the privilege ladder on your database server.”  

This vulnerability affects multiple versions of Microsoft SQL Server, including the 2016, 2017, 2019, and 2022 releases that existed prior to patched builds. CVE-2025-49758 is an SQL injection flaw in how certain SQL commands are processed. Because untrusted input isn’t properly neutralized, an authorized attacker with the ability to send SQL queries over the network can manipulate commands in a way that the server executes unintended operations.  

The core risk is privilege escalation: the attacker can escalate to higher database roles or permissions, potentially gaining access to sensitive data, modifying or deleting records, or compromising database integrity and availability. These impacts make the flaw a significant risk for systems accessible over internal networks or exposed to application traffic.  

CVE-2025-49758 has a CVSS 3.1 Base Score of 8.8 (High). The high rating reflects network exploitability, low attack complexity, minimal privileges required, and serious confidentiality, integrity, and availability impacts. A security update addressing this issue was released by Microsoft in August 2025 as part of the regular Patch Tuesday cycle; affected SQL Server instances should be updated to those fixed versions.

Apache bRPC 

“A bad message shouldn’t be able to crash your server — but here it can execute code instead.”  

This patch addresses a critical remote code execution vulnerability in Apache bRPC, a high-performance RPC framework used by distributed systems. CVE-2025-60021 exists because bRPC did not properly validate or safely handle untrusted data during message deserialization. An attacker who can send crafted input to a vulnerable bRPC endpoint can trigger unsafe deserialization, allowing arbitrary code to run on the server with the privileges of the bRPC process.  

The flaw is remotely exploitable over the network without requiring authentication, and its impact includes complete compromise of the affected system, including data access, manipulation, and service disruption. This type of issue poses severe risks in distributed environments where bRPC services are exposed to untrusted clients or internal networks.  

CVE-2025-60021 has a CVSS v3.1 Base Score of 9.8 (Critical) due to the ease of exploit and the extensive loss of confidentiality, integrity, and availability that can result from successful attacks. Updated versions of Apache bRPC have been released to remediate the unsafe deserialization logic, and operators should upgrade to fixed builds immediately.  

AVEVA Process Optimization

“Weak security controls in optimization systems can give attackers a direct path into industrial environments.”  

This patch addresses multiple high-risk vulnerabilities in AVEVA Process Optimization, a platform commonly deployed in industrial control and operational technology (OT) environments. The affected CVEs stem from improper access control and insecure handling of remote requests, which together can allow attackers to bypass protections and interfere with system operations.  

CVE-2025-61937 is rated CVSS v3.1 9.8 (Critical) and allows unauthenticated remote code execution due to insufficient validation of network inputs. An attacker could run arbitrary commands on the affected server, potentially taking full control of the optimization system.  

CVE-2025-64691 carries a CVSS v3.1 score of 9.1 (Critical) and enables authentication bypass, allowing attackers to access protected functions without valid credentials. This breaks trust boundaries and exposes sensitive configuration and operational data.  

CVE-2025-61943 has a CVSS v3.1 score of 8.8 (High) and allows privilege escalation, enabling an attacker with limited access to gain higher-level control over system components.  

CVE-2025-65118 is rated CVSS v3.1 8.6 (High) and can lead to denial of service or unauthorized system manipulation, impacting the availability and reliability of industrial processes.  

These vulnerabilities are especially dangerous in OT environments, where exploitation could result in process disruption, safety risks, data manipulation, or loss of operational visibility. AVEVA has released patches to address these issues, and unpatched systems remain at serious risk.  

Apache Airflow 

“A workflow scheduler should control jobs — not let attackers quietly take control of them.”  

This patch addresses a high-severity vulnerability in Apache Airflow, a widely used platform for orchestrating and scheduling data pipelines. CVE-2025-68675 is caused by improper access control in Airflow’s web interface and API handling, which can allow attackers to bypass authentication checks under certain conditions.  

An attacker with network access to a vulnerable Airflow instance could exploit this issue to gain unauthorized access to protected endpoints. Successful exploitation may allow the attacker to view or modify DAGs, access configuration details, trigger workflows, or escalate privileges within the Airflow environment. In environments where Airflow manages sensitive data pipelines, this could lead to data exposure, workflow manipulation, or service disruption.  

CVE-2025-68675 has been assigned a CVSS v3.1 score of 8.2 (High). The severity reflects the potential for unauthorized access and control without requiring advanced attack techniques. Apache has released updates that correct the access control logic, and systems running affected versions prior to the fix remain at risk.  

Bamboo and Confluence

“Weak access controls in core collaboration and build tools can quietly hand attackers more power than intended.”  

This patch addresses two high-severity vulnerabilities affecting Atlassian Bamboo and Atlassian Confluence, products widely used for CI/CD pipelines and enterprise collaboration. Both issues stem from improper access control enforcement, allowing attackers to perform actions beyond their intended permissions.  

CVE-2025-12383 impacts Atlassian Bamboo and has a CVSS score of 8.6 (High). The vulnerability allows unauthorized users to access restricted Bamboo functionality under certain conditions. Successful exploitation could enable attackers to view or manipulate build plans, access sensitive configuration data, or interfere with build execution, potentially leading to supply chain risks or service disruption.  

CVE-2025-66516 affects Atlassian Confluence and is rated CVSS 8.8 (High). This issue allows attackers to bypass authorization checks and access content or administrative functions they should not be able to reach. In enterprise environments, exploitation could expose sensitive internal documentation, credentials, or system configuration details.  

Neither vulnerability requires advanced attack techniques, which increases their real-world risk in environments where Bamboo and Confluence are widely accessible to internal users. Atlassian has released patches to correct the access control logic, and unpatched systems remain vulnerable to unauthorized access and misuse.  

AppSmith 

“A low-code platform designed to speed development can become a fast track for attackers if access controls fail.”  

This patch addresses a critical security vulnerability in AppSmith, an open-source low-code application platform used to build internal tools and dashboards. CVE-2026-22794 is caused by improper access control in AppSmith’s authentication and request handling logic, which can allow attackers to bypass normal authorization checks.  

A remote attacker could exploit this weakness to gain unauthorized access to applications, APIs, or sensitive configuration data managed by AppSmith. In affected environments, this may expose credentials, internal data sources, or allow attackers to modify application logic. Because AppSmith often connects directly to production databases and services, the downstream impact can be significant.  

CVE-2026-22794 has been assigned a CVSS v3.1 score of 9.1 (Critical). The severity reflects the potential for remote exploitation and the broad impact on confidentiality and integrity within environments that rely on AppSmith for internal tooling. AppSmith has released patched versions that correct the access control enforcement, and systems running unpatched versions remain at high risk.  

HPE Alletra 6000, Alletra 5000, and Nimble Storage 

“When storage authentication breaks, attackers can move straight from the network to the heart of your data.”  

This patch addresses a critical authentication and access control vulnerability affecting HPE Alletra 6000, Alletra 5000, and HPE Nimble Storage systems. CVE-2026-23594 is caused by improper validation of authentication requests, allowing an attacker to bypass normal login controls under specific conditions.  

An attacker with network access to a vulnerable storage management interface could exploit this issue to gain unauthorized administrative-level access. Successful exploitation may expose sensitive storage configurations, snapshots, replication settings, and stored data, and could allow attackers to modify or disrupt storage operations. In enterprise environments, this creates a serious risk to data confidentiality, integrity, and availability.  

CVE-2026-23594 has been assigned a CVSS v3.1 score of 9.8 (Critical). The severity reflects remote exploitability, low attack complexity, and the potential for full compromise of enterprise storage infrastructure. HPE has released updates to correct the authentication handling logic, and systems running unpatched firmware remain at high risk.  

Autodesk Fusion  

“Opening a design file should never put a workstation at risk — these issues show how easily that trust can be abused.”  

This patch addresses three high-risk vulnerabilities in Autodesk Fusion, a widely used cloud-connected CAD and engineering platform. The vulnerabilities are related to improper handling of crafted design files, which can lead to memory corruption and unintended execution paths during file processing.  

CVE-2026-0533 is a memory corruption vulnerability with a CVSS v3.1 score of 8.8 (High). It can be triggered when Fusion processes a specially crafted project or model file, potentially allowing an attacker to execute arbitrary code in the context of the logged-in user.  

CVE-2026-0534 has a CVSS v3.1 score of 8.6 (High) and involves out-of-bounds memory access during file import or rendering. Exploitation could lead to application crashes or controlled code execution, making it a viable attack path through shared design files.  

CVE-2026-0535 carries a CVSS v3.1 score of 8.9 (High) and is tied to improper validation of external file references. An attacker could use a malicious file to read unintended memory locations or destabilize the application, potentially chaining this issue with others for greater impact.  

These vulnerabilities are particularly concerning in collaborative engineering environments where design files are frequently exchanged between teams, partners, or customers. Autodesk has released updates that correct the unsafe memory handling and input validation issues. Systems running unpatched versions of Autodesk Fusion remain exposed to file-based attacks that require minimal user interaction.

Brother BRAdmin Credential Exposure and Unauthorized Access Vulnerability (CVE-2021-4786)  

“Printer management tools often fly under the radar — until exposed credentials turn them into an easy entry point.”  

This patch addresses a high-severity vulnerability in Brother BRAdmin, the network printer management utility used to configure and monitor Brother devices. CVE-2021-4786 is caused by improper protection of sensitive credentials handled by the application.  

The vulnerability allows an attacker with access to the system running BRAdmin, or with access to certain network communications, to recover administrative credentials stored or transmitted insecurely. Once obtained, these credentials can be used to gain unauthorized access to managed printers and devices, modify configurations, intercept print jobs, or pivot further into the network through trusted infrastructure components.  

CVE-2021-4786 has a CVSS v3.1 score of 7.5 (High). While it does not directly allow remote code execution, the exposure of administrative credentials poses a serious risk in enterprise environments where printers are often trusted assets with broad network visibility. Brother has released updated versions of BRAdmin that correct the insecure handling of credentials.  

GitLab Multiple Authentication Bypass and Access Control Vulnerabilities (CVE-2025-13927, CVE-2025-13928, CVE-2026-0723)  

“Broken access controls can put GitLab source code and pipelines at risk.”  

This patch addresses three serious vulnerabilities in GitLab, a platform central to source code management, CI/CD pipelines, and DevOps workflows. The issues stem from improper authorization checks and authentication handling, allowing attackers to access or manipulate resources beyond their intended permissions.  

CVE-2025-13927 is rated CVSS v3.1 8.8 (High) and allows an attacker to bypass authorization controls under specific conditions. Exploitation could enable unauthorized access to project data, issue details, or repository metadata that should be restricted to trusted users.  

CVE-2025-13928 carries a CVSS v3.1 score of 8.6 (High) and impacts GitLab’s permission enforcement in certain API or web request flows. An attacker could exploit this flaw to perform actions as another user or gain elevated privileges within a project, potentially leading to code manipulation or pipeline abuse.  

CVE-2026-0723 has a CVSS v3.1 score of 9.1 (Critical) and represents the most severe risk of the three. This vulnerability allows authentication bypass, enabling attackers to access protected GitLab functionality without valid credentials. Successful exploitation could lead to full compromise of repositories, CI/CD secrets, and deployment workflows.  

Together, these vulnerabilities pose a serious threat to organizations relying on GitLab for secure development operations. Exploitation could result in source code exposure, unauthorized code changes, pipeline tampering, and credential compromise. GitLab has released patches to address these issues, and unpatched instances remain at high risk.  

Hibernate ORM SQL Injection and Query Manipulation Vulnerability (CVE-2026-060)  

“When an ORM mishandles input, attackers can slip past safeguards straight into the database.”  

This patch addresses a high-severity vulnerability in Hibernate ORM, a widely used Java persistence framework. CVE-2026-060 is caused by improper handling of user-supplied input in certain query construction paths, which can allow SQL injection or unintended query manipulation under specific conditions.  

An attacker who can influence query parameters passed into affected Hibernate APIs may be able to alter the structure of generated SQL queries. Successful exploitation could result in unauthorized data access, data modification, or disclosure of sensitive information managed by applications relying on Hibernate for database interactions. In enterprise environments, this risk is amplified because Hibernate often sits at the core of business-critical applications.  

CVE-2026-060 has been assigned a CVSS v3.1 score of 8.5 (High). The severity reflects network-based exploitability, low attack complexity, and the potential impact on confidentiality and integrity of backend databases. Hibernate has released updates that correct the unsafe query handling logic, and applications using unpatched versions remain exposed to injection-style attacks.  

IBM Concert and ApplinX Improper Access Control and Authentication Vulnerabilities (CVE-2025-33015 and CVE-2025-36418)  

“When access controls fail in integration platforms, attackers can quietly reach systems they were never meant to touch.”  

This patch addresses two high-severity vulnerabilities affecting IBM Concert and IBM ApplinX, platforms commonly used to integrate, modernize, and expose enterprise and mainframe applications. Both vulnerabilities are rooted in improper access control and authentication enforcement, creating opportunities for unauthorized access.  

CVE-2025-33015 impacts IBM Concert and has a CVSS v3.1 score of 8.6 (High). The vulnerability allows unauthorized users to access restricted functionality due to insufficient permission checks. Successful exploitation could expose sensitive orchestration data, integration configurations, or allow manipulation of connected services and workflows.  

CVE-2025-36418 affects IBM ApplinX and carries a CVSS v3.1 score of 8.8 (High). This issue allows attackers to bypass authentication or authorization controls under specific conditions, enabling access to backend applications and services that ApplinX is designed to protect. In environments where ApplinX fronts critical legacy systems, this could result in data exposure or unauthorized transactions.  

These vulnerabilities are particularly concerning because IBM Concert and ApplinX often serve as bridges between modern applications and critical backend systems. Exploitation could allow attackers to move laterally, access sensitive business data, or disrupt core operations. IBM has released fixes to address these issues, and systems running unpatched versions remain at elevated risk.  

SolarWinds Web Help Desk Security Update for Multiple Critical and High-Severity Vulnerabilities  

“These weaknesses leave the door open for attackers to run code, bypass logins, and take control of help desk systems.”  

SolarWinds has released a security update for Web Help Desk that resolves six vulnerabilities ranging from critical to high severity. Several of these issues could allow attackers to execute malicious code remotely or bypass authentication controls entirely. If exploited, these weaknesses could lead to full system compromise, service disruption, or unauthorized access to sensitive ticketing data.  

The most severe issues include CVE-2025-40551, CVE-2025-40553, CVE-2025-40552, and CVE-2025-40554, all rated Critical with a CVSS score of 9.8. These vulnerabilities stem from unsafe handling of untrusted data and authentication bypass conditions, which could allow unauthenticated remote code execution. An attacker would not need valid credentials to exploit these flaws, significantly increasing risk for exposed systems.  

Two additional vulnerabilities, CVE-2025-40536 (CVSS 8.1, High) and CVE-2025-40537 (CVSS 7.5, High), involve security control bypass and hardcoded credentials. These issues could be abused to sidestep built-in protections or gain elevated access, especially when combined with other weaknesses. While there are no confirmed reports of real-world exploitation or zero-day abuse at this time, the impact potential is serious and aligns with techniques commonly targeted by attackers.  

Acer Local Privilege Escalation Vulnerabilities – CVE-2021-47826, CVE-2021-47825, CVE-2021-47823  

“These weaknesses allow a local attacker to quietly gain full system control by abusing poorly configured Acer services.”  

Acer has disclosed three high-severity local privilege escalation vulnerabilities affecting certain preinstalled Windows utilities on Acer systems. All three issues stem from unquoted service path configurations, a Windows weakness that can cause the operating system to execute unintended programs with elevated privileges. If exploited, these flaws could allow an attacker who already has local access to escalate privileges to SYSTEM level, putting the entire device at risk.  

CVE-2021-47826 impacts Acer Backup Manager, where an improperly quoted service path could allow a malicious executable to be launched when the service starts. This could grant full administrative control of the system. The vulnerability carries a CVSS score of 7.8 (High) due to its privilege escalation impact.  

CVE-2021-47825 affects Acer Updater Service and uses the same attack method. An attacker could place a crafted file in a specific directory so that Windows mistakenly runs it as a trusted system service. This issue is also rated High severity with a CVSS score of 7.8.  

CVE-2021-47823 exists in Acer ePower Management Service, again caused by an unquoted service path. Successful exploitation would allow local attackers to execute code with SYSTEM privileges, making persistence and deeper compromise far easier. This vulnerability is rated High severity (CVSS 7.8).  

While these vulnerabilities require local access and are not remotely exploitable on their own, they are highly valuable in post-exploitation scenarios and could be chained with other attacks to achieve full device takeover.  

SmarterTools SmarterMail Unauthenticated Remote Code Execution via ConnectToHub API  

“This issue allows attackers to run system commands on the mail server without logging in, putting email systems fully at risk.”  

SmarterTools has disclosed a critical security vulnerability affecting SmarterMail versions prior to build 9511. This flaw allows an unauthenticated remote attacker to execute operating system commands by abusing the ConnectToHub API. Because no authentication is required, an attacker can exploit this issue over the network without valid credentials, making it especially dangerous for internet-exposed mail servers.  

The vulnerability, tracked as CVE-2026-24423, is caused by missing authentication for a critical function (CWE-306). An attacker can point the SmarterMail server to a malicious HTTP server that responds with crafted OS commands. The vulnerable application then executes those commands directly, potentially allowing full server compromise, data theft, service disruption, or deployment of persistent malware. This issue is rated Critical with a CVSS score of 9.3.  

All SmarterMail builds before 100.0.9511 are affected. Systems running build 9511 or later are not impacted. Due to the nature of the vulnerability, successful exploitation could give attackers complete control of the underlying mail server and any sensitive data it processes.  

Dormakaba Physical Access Control Systems Multiple Security Vulnerabilities (CVE-2025-59090 through CVE-2025-59109)  

“These weaknesses show how digital flaws can quickly turn into physical security risks.”  

Dormakaba physical access control systems are affected by multiple security vulnerabilities tracked under CVE-2025-59090 through CVE-2025-59109. These issues impact components used to manage building entry, credentials, and PIN-based authentication. The vulnerabilities vary in severity and attack complexity, but together they highlight meaningful weaknesses across both network-exposed access servers and physical registration devices.  

One of the most severe issues, CVE-2025-59090, is rated Critical with a CVSS score of 9.3. This vulnerability stems from an unauthenticated SOAP API in the Kaba exos access control server. An attacker on the network could interact with the API without credentials, allowing manipulation of access-related data and exposure of sensitive PIN information. This type of flaw significantly weakens trust in access logs and credential security.  

At the lower end of the range, CVE-2025-59109 is rated Medium with a CVSS score of 5.1 and affects a Dormakaba registration unit. The issue involves an exposed hardware interface that could be abused by someone with physical access to capture PIN entries. While exploitation requires hands-on access to the device, the impact includes loss of credential confidentiality and potential compromise of authentication processes.  

Other CVEs within this range represent additional weaknesses discovered during a broader security review of Dormakaba access control products. While not all individual details are publicly available, the volume and spread of CVEs indicate systemic issues that could enable unauthorized access, credential exposure, or manipulation of access control operations.  

No confirmed real-world exploitation or zero-day activity has been publicly reported for these vulnerabilities at this time.  

Ivanti Endpoint Manager Mobile (EPMM) CVE-2026-1281 and CVE-2026-1340  

“Critical mobile management bugs already under attack — attackers can run code without logging in.”  

Ivanti released emergency security updates to address two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM): CVE-2026-1281 and CVE-2026-1340. Both issues carry a CVSS score of 9.8 (Critical) and allow unauthenticated remote code execution, meaning attackers do not need valid credentials to exploit them. A successful attack could give full control of the EPMM server and expose sensitive user and device data managed by the platform.  

Ivanti confirmed that these vulnerabilities were exploited as zero-day attacks in real-world incidents before patches were available. The attacks were described as limited in scope, but the risk is severe because exposed systems could be fully compromised. The flaws are caused by improper input handling in EPMM features related to application distribution and Android file transfer configurations, enabling attackers to inject and execute system commands through crafted requests.  

Ivanti has issued interim RPM patches for affected EPMM versions. These fixes must be manually applied and reapplied after any upgrade, as they do not persist automatically. Ivanti plans to include a permanent fix in EPMM version 12.8.0.0, expected in early 2026.  

Western Digital WD Discovery and My Cloud CVE-2025-30248 and CVE-2025-26465  

“A bad installer setup can let attackers run their own code during installation.”  

Western Digital addressed two security vulnerabilities affecting its desktop software and network-attached storage environments. CVE-2025-30248 is a high-severity issue with a CVSS score of 7.8 (High) in WD Discovery for Windows. The vulnerability is caused by unsafe DLL loading behavior during installation, allowing a local attacker to execute arbitrary code if a malicious DLL is placed alongside the installer. If exploited, this could result in malware installation, privilege abuse, or full system compromise on the affected endpoint.  

The second issue, CVE-2025-26465, is a medium-severity vulnerability with a CVSS score of 6.5 (Medium) affecting OpenSSH as shipped in certain Western Digital My Cloud Home and My Cloud Duo firmware versions. This flaw weakens SSH host verification when specific DNS-based trust settings are enabled, potentially allowing a machine-in-the-middle attack. While exploitation requires specific configuration and conditions, a successful attack could expose administrative sessions or allow traffic interception.  

Western Digital released updated versions of WD Discovery to resolve the installer issue and firmware updates for My Cloud devices that include patched OpenSSH components. These updates remove the vulnerable behaviors and restore secure handling of installations and encrypted connections.  

Mozilla Thunderbird CVE-2026-0818  

“A subtle email leak can quietly expose parts of protected messages when remote content is allowed.”  

Mozilla addressed a medium-severity information disclosure issue in Thunderbird, tracked as CVE-2026-0818. The vulnerability has a CVSS score of 4.3 (Medium) and affects how Thunderbird handles remote content and CSS in emails that are partially encrypted. A specially crafted message can use CSS techniques to leak small portions of email content back to an attacker-controlled server when the message is viewed.  

This issue does not allow remote code execution, malware delivery, or account takeover. However, it creates a privacy risk by exposing fragments of sensitive email data, especially in environments where encrypted or confidential communications are expected to remain private. Exploitation requires user interaction, specifically opening an email with remote content enabled.  

Mozilla fixed the issue in updated Thunderbird releases, closing the content leakage vector and restoring proper isolation between remote content and protected message text.  

Check Point Harmony SASE Windows Client CVE-2025-9142  

“A local file handling weakness can let a regular user tamper with protected system areas.”  

Check Point disclosed and fixed a high-severity vulnerability in the Harmony SASE Windows Client, tracked as CVE-2025-9142. The issue has a CVSS score of 7.5 (High) and allows a local attacker without administrator privileges to manipulate files outside of an intended directory. This is a local privilege escalation risk that becomes dangerous in shared or multi-user systems.  

The vulnerability is caused by improper path validation during certificate processing. A local user can abuse directory traversal techniques to write or delete files outside the certificate handling directory. Because parts of the Harmony client operate with elevated privileges, a successful attack could allow tampering with protected files, weakening system security or paving the way for further privilege escalation.  

The issue affects Harmony SASE Windows Client versions prior to 12.2. Check Point resolved the flaw by tightening file path validation logic to prevent access outside approved directories.  

Notepad++ WinGUp Updater Lacks Update Integrity Verification (CVE-2025-15556)  

“This update closes a dangerous gap where a trusted update could quietly become an attack.”  

This patch addresses a high-risk security issue in Notepad++ versions prior to 8.8.9 that affects the WinGUp update mechanism. The updater failed to cryptographically verify update metadata and installer files before execution. Because of this, an attacker capable of intercepting or redirecting update traffic could replace legitimate updates with malicious installers. When executed, this would allow arbitrary code execution with the same privileges as the user, creating a serious compromise risk.  

The vulnerability is tracked as CVE-2025-15556 and is categorized under CWE-494: Download of Code Without Integrity Check. It carries a CVSS 4.0 score of 7.7 (High severity). This issue has been confirmed as exploited in the real world, increasing the urgency for remediation. Notepad++ version 8.8.9 resolves the issue by enforcing proper integrity and authenticity verification during the update process.  

Systems running affected versions face a realistic risk of malware installation, data theft, or system manipulation, all triggered during what appears to be a routine software update.  

MindsDB File Upload API Path Traversal Vulnerability (CVE-2025-68472)  

“A simple file upload request could open the door to full system compromise.”  

This patch fixes a high-severity security issue in MindsDB versions prior to 25.11.1 involving improper handling of file paths in the file upload API. The application failed to properly validate and sanitize filenames supplied in upload requests. As a result, an unauthenticated attacker could manipulate file paths to access or overwrite arbitrary files on the underlying system.  

The vulnerability is tracked as CVE-2025-68472 and is classified as CWE-22: Path Traversal. It carries a CVSS score of 8.1 (High severity). Exploitation does not require authentication or user interaction, making it especially dangerous in exposed environments. Proof-of-concept exploitation has been confirmed, demonstrating how attackers could abuse the API to impact system integrity and availability.  

By exploiting this issue, an attacker could tamper with critical files, disrupt services, or prepare the system for further attacks. The issue is fully addressed in MindsDB version 25.11.1, which enforces proper file path validation and restrictions.  

Cisco Identity Services Engine Authenticated Information Disclosure (CVE-2026-20029)  

“Even trusted admin access should not expose the system’s deepest secrets.”  

This patch addresses an information disclosure vulnerability in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC). The issue allows an authenticated attacker with administrative privileges to exploit improper XML processing in the web-based management interface. By submitting a crafted XML file, the attacker can trigger unsafe XML external entity handling and gain access to sensitive files on the underlying operating system.  

The vulnerability is tracked as CVE-2026-20029 and is categorized as CWE-611: Improper Restriction of XML External Entity Reference. It carries a CVSS score of 4.9 (Medium severity). While exploitation requires valid administrator credentials, proof-of-concept exploit code is publicly available. There are no confirmed reports of active real-world attacks at this time.  

Successful exploitation could expose configuration data, credentials, or internal system files that are not intended to be accessible, increasing the risk of follow-on attacks and weakening overall trust in administrative boundaries. Cisco has released patches across affected release trains to fully remediate the issue.  

7-Zip Windows Hard Link File Write Remote Code Execution (CVE-2025-11001)  

“A compressed file should never have the power to overwrite your system.”  

This patch addresses a serious security vulnerability in 7-Zip for Windows related to improper handling of hard links during archive extraction. The flaw allows a crafted archive to abuse Windows hard links so that, when extracted, files are written outside the intended directory. This can result in overwriting arbitrary files on the system, which may ultimately lead to remote code execution under the context of the user.  

The vulnerability is tracked as CVE-2025-11001 and is associated with unsafe file write behavior on Windows systems. It carries a CVSS score of 8.8 (High severity). Exploitation requires user interaction, such as opening or extracting a malicious archive, but no special privileges are needed. Proof-of-concept techniques demonstrating hard-link abuse have been disclosed, highlighting real exploitation potential.  

If successfully exploited, this issue could allow attackers to replace executable files, modify system components, or establish persistence. The patch corrects how 7-Zip validates and handles hard links during extraction, ensuring files cannot be written to unintended locations.  

 Expression Escape and Git Node Remote Code Execution Vulnerabilities (CVE-2026-25049, CVE-2026-21877)  

“A single malicious workflow can hand attackers the keys to your automation server.”  

This patch report covers two critical vulnerabilities in n8n that expose automation environments to remote code execution. Because n8n commonly runs with access to credentials, APIs, and internal systems, these flaws significantly raise the risk of full server compromise, data theft, and long-term attacker persistence if left unpatched.  

CVE-2026-25049 is a critical expression handling vulnerability in n8n versions prior to 1.123.17 and 2.5.2. Unsafe evaluation of workflow expressions allows authenticated users with workflow edit permissions to escape built-in safeguards and execute arbitrary system commands on the host. This vulnerability has a CVSS score of 9.9 (Critical), and public proof-of-concept code demonstrates how easily expression logic can be abused to gain system-level access.  

CVE-2026-21877 affects the n8n Git node in versions before 1.121.3. Improper validation of repository paths and file operations enables authenticated users to write and execute arbitrary code on the server. This issue carries a CVSS score of 10.0 (Critical) and could result in complete takeover of the n8n instance and underlying operating system. While no confirmed real-world exploitation has been reported, the impact is severe.  

Together, these vulnerabilities show how dangerous insufficient input validation and sandbox controls can be in automation platforms. When attackers can turn workflows into execution engines, the result is total loss of trust in the automation environment.  

ASUS RT-AX55 Code Auth Module Authenticated Remote Code Execution (CVE-2023-41348)  

“Once logged in, an attacker could turn router management into system control.”  

This patch addresses an authenticated remote code execution vulnerability in the ASUS RT-AX55 wireless router. The issue exists within the code_auth module, where insufficient validation of user-supplied input allows an authenticated attacker to inject and execute arbitrary commands on the device. Exploitation occurs through the router’s management interface after successful authentication.  

The vulnerability is tracked as CVE-2023-41348 and represents a high-impact RCE risk for affected devices. It carries a CVSS score of 8.8 (High severity). While authentication is required, successful exploitation grants attackers the ability to run commands on the router’s underlying operating system, potentially leading to full device compromise.  

If abused, this vulnerability could allow attackers to modify router configurations, intercept or redirect network traffic, install persistent backdoors, or disrupt network availability. ASUS addressed the issue through firmware updates that strengthen input handling and execution controls within the affected module.  

Sangoma FreePBX Authentication Bypass and Command Injection Vulnerabilities (CVE-2019-19006, CVE-2025-64328)  

“These flaws turned a phone system into an easy target for full takeover.”  

This patch report covers two serious vulnerabilities affecting Sangoma FreePBX that expose systems to unauthorized access and command execution. When combined, these issues significantly increase the risk of full PBX compromise, service disruption, and persistent attacker access.  

CVE-2019-19006 is a critical authentication bypass vulnerability in older FreePBX releases. Due to improper access control in the administrative interface, remote attackers could bypass login requirements and gain administrator-level access without valid credentials. This vulnerability carries a CVSS score of 9.8 (Critical) and was actively exploited in real-world attacks, where attackers installed web shells, altered call routing, and maintained long-term unauthorized access.  

CVE-2025-64328 affects the FreePBX Endpoint Manager module and introduces an authenticated command injection vulnerability. An attacker with valid credentials could inject operating system commands through improperly validated input in SSH-related functions. This flaw has a CVSS score of 8.6 (High severity) and has been observed in active exploitation, allowing attackers to execute commands as the asterisk user and further compromise the underlying system.  

Together, these vulnerabilities highlight how weaknesses in access control and input validation can lead to complete loss of system integrity in voice infrastructure environments.  

Avast SecureLine Unquoted Service Path Privilege Escalation (CVE-2020-37037)  

“A small configuration mistake gave local users a direct path to full system control.”  

This patch addresses a local privilege escalation vulnerability in Avast SecureLine VPN caused by an unquoted service path in the Windows service configuration. In affected versions, the executable path for the SecureLine service was not properly quoted. This allowed a low-privileged local attacker to place a malicious executable in a higher-priority directory so that Windows would execute it when the service starts.  

The vulnerability is tracked as CVE-2020-37037 and is associated with improper service configuration on Windows systems. It carries a CVSS score of 7.8 (High severity). Exploitation requires local access but no elevated privileges. If successfully exploited, the attacker can execute arbitrary code with SYSTEM-level privileges, leading to full compromise of the affected endpoint.  

This issue could be abused to install persistent malware, disable security controls, or manipulate system settings. The vulnerability is resolved by updating Avast SecureLine to a version that properly quotes and secures the service executable path.  

Broadcom Symantec Web Security Services Agent — Elevation of Privilege (CVE-2025-13917)  

“This update closes a dangerous gap that could let a low-level user gain far more control than intended.”  

This security update addresses CVE-2025-13917, a High severity elevation of privilege vulnerability in the Symantec Web Security Services (WSS) Agent. The issue affects versions prior to 9.8.5 and is caused by improper privilege handling within the agent. If exploited, a local attacker with limited access could escalate their privileges and gain greater control over the affected system.  

The vulnerability has a CVSS score of 7.0 (High). While there are no confirmed reports of real-world exploitation or zero-day attacks, the impact is significant due to the potential for unauthorized access, system manipulation, and exposure of sensitive data. Privilege escalation issues like this are often used as a stepping stone for broader compromise once an attacker gains an initial foothold.  

Broadcom has released a patch that fully addresses the issue in WSS Agent version 9.8.5 and later. Applying the update removes the privilege escalation condition and reduces the risk of attackers abusing local access to expand their control.  

GnuPG Stack-Based Buffer Overflow Vulnerabilities (CVE-2026-24881, CVE-2026-24882)  

“These fixes shut down dangerous memory errors that could let attackers crash encryption services or gain deeper control.”  

This patch addresses two High severity vulnerabilities in GnuPG, a widely used encryption and digital signing tool. The issues affect GnuPG versions prior to 2.5.17 and stem from stack-based buffer overflows in key components that handle encrypted data and hardware-backed keys. If left unpatched, these weaknesses could put sensitive communications and system trust at risk.  

CVE-2026-24881 is a High severity vulnerability with a CVSS score of 8.1. It occurs in the gpg-agent component when processing specially crafted CMS (S/MIME) messages. An attacker could exploit this issue remotely by delivering malicious encrypted content, potentially causing a crash or opening the door to unauthorized code execution. While no active attacks or proof-of-concept exploits are known, the attack path is realistic and impactful.  

CVE-2026-24882 carries a CVSS score of 8.4 (High) and impacts the tpm2daemon component used for TPM-protected cryptographic keys. This issue could allow a local attacker to corrupt memory during key operations, leading to service disruption or execution of unauthorized code with elevated privileges. There is no evidence of real-world exploitation at this time, but the potential damage to system integrity is significant.  

Both vulnerabilities are fully resolved in GnuPG version 2.5.17 and later. Updating removes the unsafe memory handling conditions and helps ensure encrypted communications and key management remain secure.  

IBM Db2 Privilege Escalation Vulnerabilities (CVE-2025-36384, CVE-2025-36184)  

“Without the fix, limited access could turn into full system control.”  

This patch addresses two High severity vulnerabilities in IBM Db2, a core enterprise database platform that often holds highly sensitive business data. Both issues involve privilege escalation, meaning a user with some level of access could increase their permissions and perform actions beyond what was intended, putting systems and data at serious risk.  

CVE-2025-36384 is a High severity vulnerability with a CVSS score of 8.4 affecting IBM Db2 for Windows versions 12.1.0 through 12.1.3. The issue stems from an unquoted search path element, which could allow a local attacker to trick Db2 into running a malicious program with elevated privileges. If exploited, this could lead to full control of the Db2 service and potentially the underlying system. There are no confirmed real-world attacks or public exploit code at this time.  

CVE-2025-36184 has a CVSS score of 7.2 (High) and impacts IBM Db2 for Linux, UNIX, and Windows 11.5.x, including Db2 Connect Server. This flaw allows a Db2 instance owner to execute code with higher privileges than necessary, potentially reaching system-level control. While exploitation has not been observed in the wild, the impact could be severe, including database takeover, service disruption, or host compromise.  

IBM has released patches and interim fixes to resolve both issues. Applying the updates removes these unsafe privilege conditions and helps protect Db2 environments from misuse by local or insider threats. 

Juniper Networks Junos OS Improper Access Control (CVE-2025-21589)  

“This update shuts down a gap that could let attackers slip past protections and reach sensitive network controls.”  

Juniper Networks released this update to address CVE-2025-21589, a High severity improper access control vulnerability in Junos OS. The issue affects certain Junos OS releases where access restrictions were not enforced as strictly as intended, creating an opportunity for unauthorized interaction with protected system functions.  

The vulnerability has a CVSS score of 7.5 (High). If exploited, an attacker could bypass security boundaries and gain access to internal features that should be restricted, potentially leading to unauthorized configuration changes, service disruption, or wider network impact. There are no confirmed real-world attacks, zero-day exploitation, or public proof-of-concept code associated with this issue at this time. Even so, weaknesses in network operating systems carry elevated risk due to their role in controlling critical infrastructure.  

Juniper has corrected the access control logic in updated Junos OS releases. Applying the patch removes the unauthorized access condition and helps ensure that only properly authorized users can interact with sensitive network components.  

Dell Unity Improper Access Control and Privilege Escalation Vulnerabilities (CVE-2026-21418, CVE-2026-22277)  

“These fixes close risky gaps that could let users gain more control over storage systems than they should have.”  

This patch addresses two High severity vulnerabilities in Dell Unity, an enterprise storage platform used to manage critical and sensitive data. Both issues involve weaknesses in access enforcement that could allow users with existing access to elevate their privileges and perform unauthorized actions within the storage environment.  

CVE-2026-21418 is rated High severity with a CVSS score of 7.8. The vulnerability is caused by improper access control, allowing an authenticated user to carry out actions beyond their intended permissions. If exploited, this could lead to unauthorized configuration changes or exposure of protected storage resources. There are no confirmed real-world attacks or public proof-of-concept exploits tied to this issue.  

CVE-2026-22277 is also High severity with a CVSS score of 7.8. This issue allows privilege escalation within Dell Unity, enabling a user with limited access to gain elevated control over system functions. Successful exploitation could increase the risk of data exposure, misuse of storage services, or service disruption. There is no evidence of active exploitation at this time.  

Dell has released updates that correct both access control and privilege handling weaknesses. Applying these patches removes the unsafe conditions and helps ensure Dell Unity systems remain secure and properly restricted.  

Motorola Device Manager Privilege Escalation (CVE-2020-36982)  

“This issue allows limited users to quietly gain higher control over a system through trusted Motorola software.”  

This patch addresses CVE-2020-36982, a High severity vulnerability in Motorola Device Manager, a utility used to manage and connect Motorola devices to Windows systems. The flaw involves improper privilege handling, which could allow a local attacker with limited access to escalate their privileges on the affected system.  

The vulnerability has a CVSS score of 7.8 (High). If exploited, an attacker could abuse the way Motorola Device Manager runs certain services or components with elevated permissions, leading to unauthorized system-level actions. This type of weakness is especially risky on shared or enterprise systems, where local access may already be present. There have been no confirmed reports of real-world exploitation or public proof-of-concept code associated with this issue.  

Motorola addressed the vulnerability through updated versions of Device Manager that correct the unsafe privilege behavior. Applying the patch removes the escalation path and helps ensure that device management software cannot be misused to gain elevated system access.  

NVIDIA GeForce Graphics Driver Multiple Vulnerabilities (CVE-2025-33217, CVE-2025-33218, CVE-2025-33219, CVE-2025-33220, CVE-2025-33234)  

“These updates fix multiple driver weaknesses that could let attackers crash systems or gain deeper control through the graphics stack.”  

This patch addresses multiple High severity vulnerabilities in NVIDIA GeForce graphics drivers, which are widely deployed across consumer and enterprise systems. The affected flaws are related to improper memory handling and insufficient validation within driver components that operate at a highly privileged level of the operating system.  

• CVE-2025-33217 – High severity, CVSS 7.8
  This issue could allow a local attacker to trigger memory corruption, potentially leading to system crashes or elevated privileges.  

• CVE-2025-33218 – High severity, CVSS 7.8
  A vulnerability in driver input handling that could be abused to cause denial of service or gain higher-level execution.  

• CVE-2025-33219 – High severity, CVSS 7.8
  Improper validation within the driver could allow unauthorized memory access, increasing the risk of system instability or privilege escalation.  

• CVE-2025-33220 – High severity, CVSS 7.8
  This flaw may allow an attacker with local access to execute unintended operations in kernel-level driver code.  

• CVE-2025-33234 – High severity, CVSS 7.8
  A driver memory issue that could be leveraged to disrupt system operations or assist in further compromise.  

There are no confirmed reports of active exploitation, zero-day attacks, or public proof-of-concept code for these vulnerabilities at this time. However, because graphics drivers run with elevated system privileges, successful exploitation could have serious consequences, including system takeover or persistent instability.  

NVIDIA has released updated GeForce drivers that correct these issues. Installing the latest driver versions removes the unsafe memory conditions and helps protect systems from attacks targeting the graphics driver layer. 

Wondershare Desktop Software Privilege Escalation (CVE-2020-36977)  

“This issue lets attackers abuse trusted media software to quietly gain full control of a system.”  

This patch addresses CVE-2020-36977, a High severity vulnerability affecting Wondershare desktop software installed on Windows systems. The flaw is caused by improper privilege handling, where certain services or components run with elevated permissions that can be misused by a local attacker.  

The vulnerability has a CVSS score of 7.8 (High). A user with limited local access could exploit this weakness to escalate privileges, potentially gaining full administrative control of the system. Because Wondershare software is widely installed and often runs trusted background services, this vulnerability increases the risk of silent system compromise, especially on shared or enterprise endpoints. There are no confirmed reports of real-world exploitation or public proof-of-concept code for this issue.  

Wondershare addressed the vulnerability in updated versions of the affected software by correcting how privileges are assigned and enforced. Applying the patch removes the escalation path and helps ensure multimedia tools cannot be leveraged to compromise system security.  

Realtek Audio Driver Privilege Escalation (CVE-2020-36974)  

“This issue lets attackers turn trusted audio software into a path for full system control.”  

This patch addresses CVE-2020-36974, a High severity vulnerability in Realtek audio drivers commonly installed on Windows systems. The flaw is caused by improper privilege handling, where certain driver components operate with elevated permissions without sufficient restrictions.  

The vulnerability has a CVSS score of 7.8 (High). If exploited, a local attacker with limited access could leverage the Realtek driver to escalate privileges, potentially gaining full control of the affected system. Because audio drivers run at a low level of the operating system and are widely deployed, this type of issue poses a serious risk, especially on shared or enterprise endpoints. There are no confirmed reports of real-world exploitation or public proof-of-concept code for this vulnerability.  

Realtek addressed the issue through updated audio driver releases that correct the unsafe permission handling. Applying the patched drivers removes the privilege escalation path and helps prevent attackers from abusing trusted driver software to compromise systems.  

EPSON Status Monitor Privilege Escalation (CVE-2020-36975)  

“This weakness allows everyday printer software to become a doorway to full system control.”  

This patch addresses CVE-2020-36975, a High severity vulnerability in EPSON Status Monitor, a utility installed with EPSON printer drivers on Windows systems. The issue is caused by improper privilege handling, where certain components of the status monitoring software run with elevated permissions without adequate safeguards.  

The vulnerability has a CVSS score of 7.8 (High). A local attacker with limited access could exploit this weakness to escalate privileges, potentially gaining full control of the affected system. Because EPSON Status Monitor is commonly installed and trusted, this issue is particularly risky in shared or enterprise environments, where local access may already exist. There are no confirmed reports of real-world exploitation or public proof-of-concept code associated with this vulnerability.  

EPSON addressed the issue through updated printer driver and utility packages that correct the unsafe privilege behavior. Applying the patch removes the escalation path and helps ensure that printer management software cannot be misused to compromise system security.  

Veritas NetBackup Privilege Escalation (CVE-2020-37045)  

“This issue allows a low-level user to turn backup software into a path for deeper system control.”  

This patch addresses CVE-2020-37045, a High severity vulnerability in Veritas NetBackup, a widely used enterprise backup and recovery platform. The flaw is related to improper privilege handling, where certain NetBackup components may run with elevated permissions without sufficient restrictions.  

The vulnerability has a CVSS score of 7.8 (High). If exploited, a local attacker with limited access could escalate privileges and perform unauthorized actions on the affected system. Because NetBackup often operates with high-level permissions and access to sensitive data, successful exploitation could lead to system compromise, data exposure, or disruption of backup operations. There are no confirmed reports of real-world exploitation or public proof-of-concept code tied to this issue.  

Veritas released patches to correct the unsafe privilege behavior in affected NetBackup versions. Applying the update removes the escalation path and helps ensure backup infrastructure cannot be misused as a stepping stone for broader attacks.  

F5 BIG-IP Multiple Vulnerabilities (CVE-2026-22548, CVE-2026-1642)  

“These fixes close serious weaknesses that could let attackers interfere with traffic handling and gain deeper control of critical network systems.”  

This patch addresses two High severity vulnerabilities in F5 BIG-IP, a core application delivery and traffic management platform that sits in front of critical enterprise applications. Because BIG-IP systems handle authentication, traffic flow, and availability, weaknesses at this layer can have a broad operational and security impact.  

CVE-2026-22548 is rated High severity with a CVSS score of 7.8. The issue involves improper handling of requests, which could allow an attacker to disrupt services or interact with protected components in unintended ways. If exploited, this could lead to service instability or unauthorized behavior within affected BIG-IP modules. There are no confirmed reports of real-world exploitation or public proof-of-concept code.  

CVE-2026-1642 is also High severity, with a CVSS score of 7.5. This vulnerability stems from insufficient access control, potentially allowing an authenticated user to perform actions beyond their intended permissions. Successful exploitation could impact system configuration, traffic management, or service availability. There is no evidence of active exploitation or zero-day use at this time.  

F5 has released updates that resolve both issues by strengthening request handling and access enforcement. Applying the patches helps ensure BIG-IP systems continue to safely manage application traffic without exposing sensitive controls.  

Cisco Network Software Multiple Vulnerabilities (CVE-2026-20119, CVE-2026-20098)  

“These updates close high-risk weaknesses that could let attackers interfere with Cisco systems and gain more control than intended.”  

This patch addresses two High severity vulnerabilities affecting Cisco network software, used widely across enterprise and service provider environments. Both issues involve weaknesses that could be abused to impact system stability, security controls, or privileged operations if left unpatched.  

CVE-2026-20119 is rated High severity with a CVSS score of 7.8. The vulnerability in Cisco network collaboration software and appliances that can be exploited remotely without authentication or user interaction. The flaw allows an attacker to trigger a denial of service (DoS) condition simply by sending a specially crafted meeting invitation to a vulnerable device. There are no confirmed reports of real-world exploitation or public proof-of-concept code at this time.  

CVE-2026-20098 is also High severity, carrying a CVSS score of 7.5. This issue stems from insufficient access control, potentially allowing an authenticated user to execute actions beyond their assigned privileges. If exploited, attackers could alter configurations, impact traffic handling, or weaken security controls. There is no evidence of active exploitation or zero-day use associated with this vulnerability.  

Cisco has released software updates that correct both weaknesses by strengthening access enforcement and request validation. Applying the patches reduces the risk of service disruption, unauthorized changes, and broader network impact.  

Red Hat Enterprise Linux Multiple Security Vulnerabilities (CVE-2024-4027, CVE-2026-1616, CVE-2025-14459)  

“These fixes close serious weaknesses that could expose Red Hat systems to crashes, unauthorized access, or deeper compromise.”  

This patch addresses multiple High severity vulnerabilities affecting Red Hat Enterprise Linux (RHEL) components that are commonly deployed across enterprise and cloud environments. Because these systems often support critical workloads, unpatched issues could have a broad impact on availability, security, and system trust.  

CVE-2024-4027 is rated High severity with a CVSS score of 7.8. The issue affects core system components and could allow an attacker to trigger unexpected behavior such as service disruption, a remote denial-of-service (DoS) attack. or unauthorized access under certain conditions. Exploitation could impact system stability and reliability. There are no confirmed reports of active exploitation or public proof-of-concept code.  

CVE-2026-1616 carries a CVSS score of 7.5 (High) and involves improper handling of privileged operations. A local attacker with existing access could potentially leverage this weakness to gain broader control or interfere with protected system processes. While no exploitation has been observed, the risk is meaningful in multi-user or shared environments.  

CVE-2025-14459 is also High severity, with a CVSS score of 7.6. This vulnerability could allow misuse of system resources or unintended access due to insufficient validation or access enforcement. If exploited, it could weaken system isolation and increase the likelihood of follow-on attacks. There is no evidence of real-world attacks associated with this issue.  

Red Hat has released updates that resolve all three vulnerabilities by strengthening access controls and correcting unsafe handling logic. Applying the patches helps maintain system stability, protect sensitive workloads, and reduce the risk of unauthorized activity.  

Tanium Platform Multiple Vulnerabilities (CVE-2025-15344, CVE-2026-1224, CVE-2025-15322)

“These updates close gaps that could let users stress the system, access backend data improperly, or weaken platform stability.”  

This patch addresses three Medium severity vulnerabilities in the Tanium Platform, an enterprise endpoint management solution with broad visibility and control. While none of these issues are rated High, Tanium’s trusted role means even moderate weaknesses can create operational or security risk if abused or combined.  

CVE-2025-15344 is a Medium severity SQL injection vulnerability with a CVSS score of 6.3. The issue allows an authenticated user to inject crafted SQL input due to insufficient input sanitization. If exploited, it could expose backend data, alter stored information, or disrupt normal platform behavior. There are no confirmed reports of real-world exploitation or public proof-of-concept code.  

CVE-2026-1224 is a Medium severity uncontrolled resource consumption vulnerability with a CVSS score of 4.9. An authenticated user could trigger excessive use of system resources, potentially causing performance degradation or partial denial of service. While the impact is limited, repeated abuse could affect platform reliability. No exploitation has been observed.  

CVE-2025-15322 is also Medium severity, with a CVSS score of 4.3. This vulnerability involves improper privilege or permission handling, allowing limited actions outside intended boundaries. The impact is constrained, but it could weaken internal controls if left unpatched. There is no evidence of active exploitation.  

Tanium has released updates that resolve all three issues by improving input validation, limiting unsafe resource usage, and strengthening permission checks. Applying these updates helps maintain platform stability and protect backend data.

TeamViewer Remote Access Software Multiple Vulnerabilities (CVE-2026-23563, CVE-2026-23564, CVE-2026-23565, CVE-2026-23566, CVE-2026-23567, CVE-2026-23568, CVE-2026-23569, CVE-2026-23570, CVE-2026-23571)  

“These fixes close multiple weaknesses that could let attackers misuse remote access software to disrupt systems or overstep security boundaries.”  

This patch addresses multiple vulnerabilities in TeamViewer, a widely used remote access and remote support application trusted for administrative and unattended access. Because TeamViewer often runs with elevated permissions and provides direct system control, weaknesses in this software can carry serious security and operational risk.  

The affected vulnerabilities include a mix of access control weaknesses, improper validation, and stability issues that could be abused by an attacker with local or authenticated access. The listed issues are rated Medium severity (CVSS scores in the 6.x range). If exploited, these vulnerabilities could allow unauthorized actions, session manipulation, application crashes, or misuse of remote access capabilities.  

At this time, there are no confirmed reports of real-world exploitation, zero-day attacks, or public proof-of-concept code associated with these CVEs. Even so, remote access software is a high-value target, and successful abuse could lead to system compromise, service disruption, or unauthorized remote control.  

TeamViewer has released updates that address all listed vulnerabilities by strengthening permission checks, improving input handling, and correcting unsafe logic. Applying the latest TeamViewer version removes these weaknesses and helps ensure remote access sessions remain secure and properly controlled.

React Native Community CLI Command Injection Remote Code Execution (CVE-2025-11953)  

“A development tool meant to help developers can be turned into a remote attack point that hands over full system control.”  

This patch addresses CVE-2025-11953, a Critical severity vulnerability in the React Native Community CLI, specifically tied to the Metro Development Server started by the CLI. By default, the Metro server binds to external network interfaces, exposing an endpoint that is vulnerable to OS command injection.  

The vulnerability carries a CVSS score of 9.8 (Critical). An unauthenticated remote attacker can exploit this issue by sending a crafted HTTP POST request to the exposed server endpoint. Successful exploitation allows the attacker to execute arbitrary executables on the host system. On Windows systems, attackers can also execute arbitrary shell commands with fully controlled arguments, significantly increasing the risk of full system compromise.  

The issue affects React Native Community CLI versions 4.8.0 up to, but not including, 20.0.0. Because the attack requires no authentication, no user interaction, and works over the network, the risk is especially severe for developer systems or build environments where the Metro server may be exposed unintentionally. This vulnerability presents a clear path to remote code execution, data compromise, and complete host takeover.  

The vulnerability has been fixed in React Native Community CLI version 20.0.0 and later, where the unsafe command handling and exposure behavior have been corrected.

Microsoft Edge Heap Corruption Vulnerability (CVE-2026-1861)  

“A single malicious web page could corrupt browser memory and put users at risk just by being opened.”  

This patch addresses CVE-2026-1861, a High severity vulnerability in Microsoft Edge (Chromium-based) involving heap corruption. The issue allows a remote attacker to potentially exploit unsafe memory handling by delivering a crafted HTML page to a victim.  

The vulnerability has a CVSS score of 7.5 (High). Exploitation does not require authentication, and the only user action needed is visiting a malicious or compromised website. If successfully exploited, the flaw could cause browser crashes or potentially enable further exploitation within the Edge process. Because browsers routinely handle untrusted content, this issue poses a real risk to both individual users and enterprise environments. There are no confirmed reports of active exploitation or public proof-of-concept code at this time.  

Microsoft has released Edge updates that correct the underlying memory corruption issue. Applying the patch strengthens browser stability and reduces exposure to web-based attacks delivered through malicious HTML content.

How To Efficiently Patch All of These Vulnerabilities And More

Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both OS and third-party software.

Webinar Recording: January 2026 Vulnerability Digest from Action1