Patch Tuesday March 2026

Patch Tuesday March 2026 Updates – Vulnerability Digest from Action1

This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.

Microsoft Vulnerabilities

This Patch Tuesday includes 78 vulnerability fixes from Microsoft, above last month’s 55 patches but below its 12 month moving average of 93, with three rated critical. While there are no zero-day vulnerabilities reported this time, the number of patches and several critical issues mean it’s still an update worth prioritizing.

CVE-2026-26144 – Microsoft Excel Information Disclosure Vulnerability

“A single malicious Excel interaction could silently leak sensitive data across the network—turning a simple spreadsheet into a covert data exfiltration channel.”

This vulnerability affects Microsoft Excel and allows an unauthorized attacker to disclose sensitive information over a network. The issue stems from improper neutralization of input during web page generation, a flaw categorized as Cross-Site Scripting (CWE-79). If successfully exploited, the vulnerability could allow attackers to trigger unintended network activity that leaks confidential information. Microsoft notes that the issue may allow Copilot Agent mode to exfiltrate sensitive data without user interaction, potentially enabling a zero-click information disclosure scenario.
CVSS Score: 7.5
SEVERITY: Important
THREAT:
This vulnerability enables remote attackers to access sensitive information without requiring authentication or user interaction. Because the attack vector is network-based and requires no privileges, attackers could potentially trigger automated data exfiltration processes. In environments using AI-assisted workflows such as Copilot Agent mode, the risk increases because automated processes could unknowingly transmit sensitive corporate data.
EXPLOITS:
At the time of publication, there is no public disclosure of exploit code and no evidence that this vulnerability is actively exploited in the wild. Microsoft assesses exploitation as unlikely and lists exploit code maturity as unproven. No public proof-of-concept exploit has been confirmed.
TECHNICAL SUMMARY:
The vulnerability occurs due to improper neutralization of user-controlled input during web page generation in Microsoft Excel. This type of flaw falls under Cross-Site Scripting (XSS), where malicious content is not correctly sanitized before being processed or rendered. An attacker could craft content that triggers unintended behavior when processed by Excel. In this case, exploitation could cause Copilot Agent mode to send sensitive information through unintended outbound network connections. The attack does not require user interaction and can occur over a network, potentially enabling automated data leakage from affected systems.
EXPLOITABILITY:
This vulnerability affects Microsoft Excel within Microsoft Office environments. The attack requires network access but no user interaction or privileges. An attacker could deliver specially crafted content that Excel processes, triggering unintended outbound data transmissions.
BUSINESS IMPACT:
Information disclosure vulnerabilities are especially dangerous in corporate environments where Excel files often contain financial data, intellectual property, or operational records. If exploited, attackers could silently extract confidential information from internal systems without triggering obvious alerts. Organizations using AI-assisted productivity features may face increased exposure, as automated agents could unintentionally transmit sensitive data outside corporate boundaries.
WORKAROUND:
If patch deployment must be delayed, organizations should restrict outbound network traffic from Office applications and monitor unusual network requests generated by Excel processes. Disabling or limiting AI-driven automation features such as Copilot Agent mode may reduce exposure.

CVE-2026-26113 – Microsoft Office Remote Code Execution Vulnerability

“When a simple document preview can trigger code execution, attackers gain a doorway directly into the system.”

This vulnerability in Microsoft Office allows an attacker to execute arbitrary code on a system due to an untrusted pointer dereference flaw (CWE-822). The issue occurs when Microsoft Office improperly handles memory pointers, potentially allowing an attacker to manipulate how the application accesses memory. Successful exploitation could allow the attacker to run code on the affected system with the same privileges as the current user. Notably, the Preview Pane can serve as an attack vector, meaning exploitation may occur simply by viewing a malicious file.
CVSS Score: 8.4
SEVERITY: High
THREAT:
This vulnerability enables attackers to execute arbitrary code on a local system without requiring privileges or user interaction. If exploited, the attacker could gain the ability to install malware, modify system files, or manipulate sensitive data. Because the vulnerability impacts widely used Office applications and can be triggered through document previewing, it presents a significant risk in environments where users frequently interact with shared or downloaded files.
EXPLOITS:
At the time of release, there are no known public exploits or proof-of-concept code available for this vulnerability. Microsoft has confirmed the issue but reports that it has not been publicly disclosed or actively exploited. The current exploitability assessment indicates exploitation is less likely, and exploit code maturity remains unproven.
TECHNICAL SUMMARY:
The vulnerability is caused by an untrusted pointer dereference within Microsoft Office. When the application processes certain crafted content, it may improperly reference or handle a memory pointer that points to an unsafe or attacker-controlled location. This incorrect pointer handling can lead to memory corruption, enabling the execution of arbitrary code. The attacker could exploit the flaw by delivering a specially crafted Office document that triggers the vulnerability when processed. Because the Preview Pane can act as an attack vector, the malicious content may execute even if the document is only previewed and not fully opened.
EXPLOITABILITY:
The vulnerability affects Microsoft Office environments. The attack vector is classified as local, meaning the malicious file must be executed or processed on the local system. The Preview Pane can trigger the vulnerability, allowing exploitation when a malicious Office document is previewed in supported file viewers.
BUSINESS IMPACT:
Remote code execution vulnerabilities in productivity software represent a high-risk threat for organizations. If exploited, attackers could gain control of employee systems, deploy ransomware, steal sensitive documents, or establish persistent access within corporate networks. Because Office documents are frequently shared internally and externally, malicious files could spread quickly across organizations, potentially turning a single compromised system into an entry point for wider network compromise.
WORKAROUND:
If the security update cannot be applied immediately, organizations should disable the Preview Pane in file explorers and restrict the opening of Office files from untrusted sources. Implementing email filtering, attachment scanning, and endpoint protection monitoring can also reduce the risk of malicious document delivery.
URGENCY:
This vulnerability allows arbitrary code execution with no privileges and no user interaction. The ability to trigger the exploit through the Preview Pane increases the risk because users may not need to open a document for the attack to occur. Systems running vulnerable Office versions should receive security updates quickly to prevent potential compromise.

CVE-2026-26110 – Microsoft Office Remote Code Execution Vulnerability

“A single memory handling mistake inside Office can allow attackers to run their own code—turning an ordinary document into a potential system takeover.”

This vulnerability in Microsoft Office allows an attacker to execute arbitrary code due to a type confusion flaw (CWE-843). The issue occurs when the application accesses a resource using an incompatible data type, causing incorrect memory handling. If exploited, the vulnerability could allow attackers to run malicious code on the affected system with the privileges of the logged-in user. The Preview Pane can act as an attack vector, meaning the vulnerability may be triggered simply by previewing a malicious Office document.
CVSS Score: 8.4
SEVERITY: High
THREAT:
This vulnerability allows attackers to execute arbitrary code locally without requiring privileges or user interaction. Because the flaw involves memory mismanagement, attackers can potentially manipulate program execution to run malicious payloads. If exploited in corporate environments, attackers could gain control of systems, deploy malware, or use compromised machines as entry points for further network attacks.
EXPLOITS:
At the time of publication, there are no confirmed public exploits or proof-of-concept code available. Microsoft reports that the vulnerability has not been publicly disclosed and is not currently being exploited in the wild. Exploit code maturity is listed as unproven, and the exploitability assessment indicates exploitation is less likely.
TECHNICAL SUMMARY:
The vulnerability results from a type confusion condition within Microsoft Office. Type confusion occurs when a program mistakenly treats a memory object as a different data type than it actually is. This can cause the application to perform invalid operations on memory structures, potentially leading to memory corruption. Attackers can exploit this condition by crafting specially designed Office documents that trigger incorrect object handling when processed by the application. When the vulnerability is triggered, the attacker may redirect program execution to run arbitrary code.
EXPLOITABILITY:
This vulnerability affects Microsoft Office installations. The attack vector is local, meaning the malicious content must be executed or processed on the target machine. The Preview Pane can trigger the vulnerability when a specially crafted Office document is previewed, enabling the attack without fully opening the file.
BUSINESS IMPACT:
Remote code execution vulnerabilities in Office applications pose serious risks for organizations because documents are widely exchanged through email, file shares, and collaboration platforms. If exploited, attackers could gain control of user systems, deploy ransomware, steal corporate data, or move laterally across internal networks. A single malicious document could compromise an endpoint and provide attackers with a foothold inside the organization.
WORKAROUND:
If immediate patching is not possible, organizations should disable the Preview Pane in file explorers and restrict the opening or previewing of Office documents from untrusted sources. Implementing strong email filtering and endpoint protection can also help reduce exposure to malicious files.
URGENCY:
This vulnerability enables arbitrary code execution without privileges or user interaction and can be triggered through document previewing. Because Office documents are a common delivery mechanism for attacks, delaying patch deployment increases the risk that attackers could weaponize the flaw once technical details become widely known.

CVE-2026-23654 – GitHub Zero-Shot SCFoundation Remote Code Execution Vulnerability

“A single malicious dependency can quietly turn a trusted installation into a remote command execution gateway for attackers.”

This vulnerability affects the GitHub repository “zero-shot-scfoundation” due to a dependency on a vulnerable third-party component. The project references a package called “geneformer” in its requirements file. Because the dependency is not securely controlled, an attacker could publish a malicious package with the same name to the public PyPI registry. If a user installs the project and the malicious package is retrieved during installation, the attacker’s code could execute automatically on the system. This creates the potential for remote code execution during the installation process, allowing attackers to run arbitrary commands with the user’s privileges.
CVSS Score: 8.8
SEVERITY: Important
THREAT:
This vulnerability enables remote code execution through a dependency confusion / malicious package injection scenario. An attacker can exploit the trust developers place in public package registries by publishing a package with the same name as the referenced dependency. If the malicious package is installed, arbitrary attacker-controlled code may run on the target system.
EXPLOITS:
At the time of publication, no public exploits or proof-of-concept code have been reported. The vulnerability has not been publicly disclosed prior to the advisory and has not been observed exploited in the wild. Microsoft’s exploitability assessment indicates Exploitation Unlikely.
TECHNICAL SUMMARY:
The vulnerability stems from a dependency on an external third-party component referenced in the project’s requirements configuration. When software installation tools such as pip resolve dependencies, they may retrieve packages from public repositories like PyPI. If a malicious actor publishes a package named “geneformer” to the public repository and the installer resolves that package instead of an intended internal or trusted source, the malicious package will be downloaded and executed during installation. Since installation scripts and package initialization routines can run code automatically, this provides a mechanism for attackers to execute arbitrary commands on the target system. The attack relies on dependency confusion, where the installer prioritizes the malicious package due to naming conflicts or repository resolution order.
EXPLOITABILITY:
The vulnerability can affect environments that install or deploy the zero-shot-scfoundation project and resolve dependencies from public package repositories. Exploitation requires a user or automated build system to install the affected project, which triggers retrieval of the malicious dependency from PyPI if present.
BUSINESS IMPACT:
Organizations relying on open-source AI or machine learning projects could unknowingly execute attacker code during installation. This may lead to system compromise, data theft, unauthorized access to development environments, and potential supply-chain attacks. Development pipelines, CI/CD environments, and research infrastructure are particularly at risk because automated builds often install dependencies without manual verification.
WORKAROUND:
If the patch cannot be applied immediately:
Pin dependencies to verified package sources.
Use private package registries or repository allow-lists.
Validate package hashes during installation.
Monitor build environments for unexpected dependency downloads.
URGENCY:
Although exploitation has not been observed, the vulnerability enables remote code execution with minimal attacker effort once a malicious package is published. Because it targets the software supply chain and developer environments, it could lead to widespread compromise if exploited at scale. Organizations using this repository should prioritize mitigation to prevent dependency confusion attacks.

Microsoft Configuration Manager Remote Code Execution Vulnerability

“A single malicious request to your Configuration Manager could hand an attacker the power to run code across your enterprise.”

CVE-2024-43468 is a Remote Code Execution (RCE) vulnerability affecting Microsoft Configuration Manager. The flaw allows an attacker to execute arbitrary code on the server hosting Configuration Manager under specific conditions. Because Configuration Manager is designed to deploy software, updates, and configurations across large enterprise environments, exploitation could give attackers a powerful platform to distribute malicious payloads at scale.

CVSS Score: 9.8
SEVERITY: Critical
THREAT: Remote Code Execution

EXPLOITS:
At the time of disclosure, there has been no confirmed public exploit or active zero-day exploitation reported. However, due to the high impact and enterprise exposure of Configuration Manager, exploitation is considered highly attractive to threat actors. No widely released public proof-of-concept exploit has been confirmed.

TECHNICAL SUMMARY:
This vulnerability exists in Microsoft Configuration Manager due to improper validation of input or insecure handling of requests within its management components. An authenticated attacker could send specially crafted requests to the server, triggering improper processing that results in arbitrary code execution. Successful exploitation allows the attacker to execute code in the context of the site server. Given the elevated privileges typically associated with Configuration Manager services, this could lead to full system compromise and potentially lateral movement throughout the environment.

EXPLOITABILITY:
The vulnerability affects supported versions of Microsoft Configuration Manager prior to the security update addressing CVE-2024-43468. Exploitation requires authenticated access to the Configuration Manager environment. The attack is network-based and does not require user interaction once access is obtained.

BUSINESS IMPACT:
Microsoft Configuration Manager is often deployed as a centralized system management solution in enterprise environments. If exploited, attackers could deploy malicious software, modify configurations, disable security controls, or distribute ransomware across thousands of managed endpoints. This vulnerability could transform a trusted administrative tool into a large-scale attack distribution mechanism, leading to operational disruption, financial losses, and reputational damage.

WORKAROUND:
If immediate patching is not possible:

• Restrict access to Configuration Manager servers to trusted administrators only.
• Limit network exposure of site servers.
• Monitor for suspicious administrative activity or abnormal deployment actions.
  These mitigations reduce risk but do not eliminate the vulnerability.

URGENCY:
This is a Critical Remote Code Execution vulnerability affecting a centralized enterprise management system. Because Configuration Manager has broad control over endpoints, successful exploitation could rapidly escalate into a widespread compromise. Immediate patching significantly reduces the risk of enterprise-wide impact.

Windows Admin Center Privilege Escalation Vulnerability

“A low-privileged user could quietly escalate to administrator rights and take control of your management infrastructure.”

CVE-2026-26119 is a critical improper authentication vulnerability in Windows Admin Center. The flaw allows an authenticated attacker with low privileges to elevate their access level over the network. By exploiting weaknesses in how authentication is validated, an attacker could gain administrative permissions within the Windows Admin Center environment. Because Windows Admin Center is widely used to manage servers and infrastructure, this vulnerability presents a serious risk to enterprise environments.

CVSS Score: 8.8
SEVERITY: Critical
THREAT: Elevation of Privilege

EXPLOITS:
At the time of disclosure, there has been no confirmed public exploit or active zero-day exploitation reported. However, the vulnerability is considered more likely to be exploited due to its network accessibility and relatively low attack complexity. No official proof-of-concept code has been widely published.

TECHNICAL SUMMARY:
The vulnerability stems from improper authentication validation within Windows Admin Center. When processing authentication requests, the system does not correctly enforce privilege boundaries under certain conditions. An attacker who has valid but limited credentials can manipulate the authentication workflow to escalate privileges. Once successful, the attacker may inherit administrative permissions, allowing them to execute commands, modify configurations, manage connected systems, and potentially pivot further into the network. The flaw compromises the integrity of access control mechanisms and undermines trust in the management interface.

EXPOLITABILITY:
This vulnerability affects Windows Admin Center installations prior to the patched release. The attack vector is network-based and requires authenticated access with low privileges. Exploitation does not require user interaction once access is obtained.

BUSINESS IMPACT:
This vulnerability is dangerous because Windows Admin Center often manages critical infrastructure, servers, and clustered environments. If exploited, attackers could gain centralized administrative control, alter configurations, deploy malicious software, or disrupt services. In enterprise environments, this can lead to widespread compromise, operational downtime, data exposure, and reputational damage. A single exploited management interface could become the launch point for a full network takeover.

WORKAROUND:
If immediate patching is not possible:

• Restrict Windows Admin Center access to trusted network segments only.
• Enforce strict least-privilege access policies.
• Monitor authentication logs for unusual elevation behavior.
  These measures reduce exposure but do not eliminate the vulnerability.

URGENCY:
With a Critical severity rating and network-based privilege escalation potential, this vulnerability poses a serious infrastructure risk. Because it targets a centralized administrative tool, successful exploitation could rapidly expand attacker control across managed systems. Prompt deployment of the security update is strongly recommended to prevent escalation scenarios.

Apple dyld Memory Corruption Vulnerability

“This patch closes a zero-day that was already being used in highly targeted attacks to run malicious code on Apple devices.”

Apple released security updates to address CVE-2026-20700 with CVSS Score of 7.8, a memory corruption vulnerability in dyld, the Dynamic Link Editor used across , iPadOS, macOS, tvOS, watchOS, and visionOS. The issue could allow an attacker with memory write capabilities to execute arbitrary code on a vulnerable device. Because dyld operates at a low system level, successful exploitation could allow installation of spyware, persistent malware, or other malicious payloads with elevated privileges.

Apple confirmed that this vulnerability was actively exploited in extremely sophisticated, targeted attacks before the patch was released, making it a true zero-day. This significantly raises the severity and real-world impact. While an official CVSS score has not been publicly confirmed, the nature of the vulnerability and confirmed exploitation indicate high to critical risk. There is no publicly available proof-of-concept exploit code at this time.

The fix is included in the latest versions of iOS, iPadOS, macOS, tvOS, watchOS, and visionOS in release 26.3, as well as supported older operating system branches.

BeyondTrust Remote Support & PRA Remote Code Execution Vulnerability

“A dangerous command-injection weakness in BeyondTrust tools allows attackers to take control without ever logging in.”

BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability identified as CVE-2026-1731. The issue is caused by improper input handling that allows attackers to inject and execute operating system commands. The vulnerability has a CVSS base score of 9.9 (Critical), reflecting how easily it can be exploited and the severe impact if abused.

An unauthenticated remote attacker can exploit this weakness over the network without valid credentials or user interaction. Successful exploitation allows execution of arbitrary commands on the affected system, potentially leading to full system compromise, theft of sensitive data, service outages, and further movement inside the network. Because these products are often deployed with high privileges and exposed to administrators, the risk is especially high in enterprise environments.

BeyondTrust released patches to address the issue. SaaS deployments were automatically updated, while self-hosted environments must apply the vendor-provided updates to remediate the vulnerability. At the time of disclosure, no confirmed widespread real-world exploitation had been reported, but the simplicity and impact of the attack make this vulnerability particularly dangerous if left unpatched.

Google Chrome Multiple Security Vulnerabilities

“This Chrome update closes dangerous gaps attackers could use to crash browsers, steal data, or run harmful code.”

Google has released security updates for Chrome that address multiple high and medium-severity vulnerabilities. These issues affect core components like the V8 JavaScript engine, media libraries, and UI features, and could allow code execution, crashes, data leaks, or spoofed interfaces.

High-Severity Vulnerabilities:
• CVE-2026-1861 (CVSS 8.1 – High) – A heap buffer overflow in the libvpx video codec component. This memory corruption issue could allow remote code execution if triggered by specially crafted content.
• CVE-2026-1862 (CVSS 8.2 – High) – A type confusion flaw in the V8 JavaScript engine. This could lead to heap corruption and arbitrary code execution.
• CVE-2026-2441 (CVSS 8.8 – High) – A use-after-free vulnerability in Chrome’s CSS component. This issue has been observed in real-world attacks and could allow attackers to execute code through malicious HTML.

These high-severity issues could let an attacker take control of the browser process merely by getting a user to visit a crafted webpage.

Medium-Severity Vulnerabilities:
• CVE-2026-2317 (CVSS 6.5 – Medium) – Cross-origin data leak issue related to animations.
• CVE-2026-2318 (CVSS 5.6 – Medium) – UI spoofing issue in Picture-in-Picture mode that could mislead users.
• CVE-2026-2320 (CVSS 5.4 – Medium) – Logic issue in file handling that could result in unintended behavior.
• CVE-2026-2323 (CVSS 5.3 – Medium) – Browser logic flaw affecting download handling.
• CVE-2026-0102 (CVSS 5.0 – Medium) – Security issue included in the broader update.

These medium-severity issues could expose data or allow user interface confusion but are less likely to result in full system compromise compared to the high-severity flaws.

Chromium Browser Security Vulnerabilities

“Several high-severity browser bugs that could crash Chromium or let attackers run malicious code or trick users into unsafe actions.”

Chromium addressed multiple vulnerabilities in its browser engine, fixed in updates such as Chrome/Chromium version 145.0.7632.45 and later. These include CVE-2026-2314, CVE-2026-2316, CVE-2026-2319, and CVE-2026-2322, each involving different browser components and various potential impacts.

• CVE-2026-2314 – A heap buffer overflow in the Codecs component that could be triggered by a malicious HTML page, potentially leading to remote code execution or memory corruption. This issue is rated CVSS v3.1 8.8 (High).
• CVE-2026-2316 – Insufficient policy enforcement in Frames could allow UI spoofing via crafted content. This flaw carries a CVSS v3.1 score of 6.5 (Medium).
• CVE-2026-2319 – A race condition in the DevTools component that can enable object corruption if a user is tricked into specific interactions; it is rated CVSS v3.1 7.5 (High).
• CVE-2026-2322 – An issue in File input UI handling that could let an attacker manipulate the user interface to spoof file dialogs; it is rated CVSS v3.1 4.3 (Medium).

These vulnerabilities generally require a remote attacker to convince a user to interact with crafted web content, and they can affect confidentiality, integrity, and in some cases execution flow of the browser. While there are no widely confirmed exploit reports in the wild yet, the presence of heap overflows and race conditions means prompt updating to the fixed Chromium/Chrome builds is important to mitigate risk. Upgrade to the latest browser releases to ensure these issues are resolved.

Chromium Memory Safety Vulnerabilities

“Malicious web content could corrupt browser memory and potentially take control of the system.”

This patch addresses three high-severity memory safety vulnerabilities in Chromium. The issues include use-after-free and improper memory handling flaws in core browser components. Specially crafted web pages can trigger memory corruption when rendered, potentially leading to browser crashes or arbitrary code execution in the context of the logged-in user.

• CVE-2026-2648 – CVSS 8.8 (High)
• CVE-2026-2649 – CVSS 8.8 (High)
• CVE-2026-2650 – CVSS 8.8 (High)

These vulnerabilities require only that a user visit a malicious website. No additional privileges are needed. Successful exploitation could allow attackers to execute code, bypass sandbox protections, or compromise sensitive data. There are no confirmed reports of active exploitation at this time, but memory corruption issues in browsers are frequently targeted due to their high impact and wide exposure.

The update strengthens memory management controls, corrects unsafe object handling, and prevents invalid memory access during page rendering and script execution.

Chromium Media & DevTools Security Vulnerabilities

“This update stops three high-severity security issues that could crash the browser or expose memory.”

Google has released a Chromium stable channel update that fixes three high-severity vulnerabilities affecting core browser components. All are resolved in Chromium 145.0.7632.116/117 and should be applied promptly to reduce risk.

CVE-2026-3061 — High severity (CVSS v3: High)
A memory safety bug in the Media component allows an out-of-bounds read, which can cause crashes or unintended access to adjacent memory. These types of issues can undermine browser stability and potentially leak sensitive information.

CVE-2026-3062 — High severity (CVSS v3: High)
An out-of-bounds read and write vulnerability in the Tint shader compiler (used for WebGPU) can lead to memory corruption. Memory corruption bugs are especially dangerous because they can destabilize the browser and may be leveraged for more advanced attacks.

CVE-2026-3063 — High severity (CVSS v3: High)
An inappropriate implementation in the DevTools component creates a logic weakness under specific conditions. While not directly exploitable for code execution on its own, it weakens security assurances and can contribute to unpredictable behavior.

There are no confirmed reports of these vulnerabilities being exploited in the wild at the time of this update, but leaving them unpatched increases exposure, especially given how browsers interact with untrusted web content.

Ivanti Endpoint Manager Authentication Bypass & SQL Injection

“Two serious bugs in Ivanti’s Endpoint Manager could let attackers steal credentials or read sensitive data — one without needing to log in at all.”
“This update closes an open door and a database weakness that attackers could use to grab stored data or move deeper into networks.”

Ivanti released patches in Endpoint Manager 2024 SU5 to fix two notable vulnerabilities: a high-severity authentication bypass (CVE-2026-1603) and a medium-severity SQL injection issue (CVE-2026-1602). These affect versions of Ivanti Endpoint Manager prior to 2024 SU5.

CVE-2026-1603 carries a CVSS score of 8.6 (High). It allows a remote, unauthenticated attacker to bypass authentication controls and access sensitive stored credential information. Because no login is required, this issue presents significant risk, especially if the management interface is exposed to untrusted networks.

CVE-2026-1602 has a CVSS score of 6.5 (Medium). It is an SQL injection vulnerability that allows an authenticated attacker to manipulate database queries and read arbitrary data. While it requires valid access, it could be leveraged by insiders or attackers who have already obtained credentials.

At the time of disclosure, Ivanti reported no confirmed real-world exploitation of these vulnerabilities. The patch in 2024 SU5 addresses both issues.

WordPress WPvivid Backup & Migration Plugin Privilege Escalation Vulnerability (CVE-2026-1357)

“This vulnerability exposes a critical weakness in a widely used WordPress backup plugin. If exploited, attackers could gain full administrative control and manipulate backup systems that protect website data.”

A security update was released to address a vulnerability in the WPvivid Backup & Migration plugin for WordPress, a popular tool used to create backups, migrate websites, and restore data. The issue affects how the plugin validates user permissions when handling certain operations. If left unpatched, attackers could exploit the weakness to gain elevated privileges within the WordPress environment.

CVE-2026-1357 carries a CVSS v3.1 score of 9.8 (Critical). The vulnerability stems from improper privilege validation that may allow attackers to escalate privileges and perform administrative actions without proper authorization. Successful exploitation could allow attackers to modify backup files, change plugin configurations, or take control of site management functions.

The issue was addressed through updates to the WPvivid Backup & Migration plugin, which strengthen permission validation and access control checks across affected functionality. No verified real-world exploitation or confirmed public proof-of-concept code has been reported for this vulnerability.

Anthropic Claude Code Security Vulnerabilities

“Opening a malicious repository could silently run commands or leak API keys — this update shuts that door.”

Anthropic has released security updates for Claude Code, addressing two serious vulnerabilities that expose developers to supply-chain-style attacks. Both issues abused project initialization logic and trust validation. These flaws are now patched in current releases.

CVE-2025-59536 — High Severity (CVSS v3: 8.7 High)
This vulnerability allowed arbitrary code execution before the user approved the startup trust prompt. A specially crafted repository could execute shell commands or other malicious actions immediately when opened in Claude Code. This bypassed a core security control designed to prevent execution until explicit user trust. Proof-of-concept exploitation was demonstrated by security researchers.

CVE-2026-21852 — Medium Severity (CVSS v3: 5.3 Medium)
A logic flaw in the project load workflow allowed Claude Code to process repository configuration and send outbound API requests before trust confirmation. An attacker could redirect requests to a malicious endpoint and capture a user’s Anthropic API key. Stolen API keys can enable unauthorized access to cloud services and development environments. Proof-of-concept research confirmed the exposure risk.

There were no confirmed large-scale real-world exploitation campaigns at the time of disclosure. However, the demonstrated ability to trigger code execution and extract credentials from simply opening a repository represents a high-impact threat for developers using AI-assisted tools.

Apache NiFi Authorization Bypass Vulnerability

“This vulnerability weakens authorization controls in Apache NiFi. If exploited, attackers could bypass security restrictions and access sensitive data flows that power enterprise data processing pipelines.”

Apache released a security update addressing a vulnerability affecting Apache NiFi, the platform used to automate and manage data flows across enterprise systems. The issue impacts how authorization checks are enforced within certain components of the platform. If left unpatched, attackers could bypass access restrictions and interact with protected resources inside the NiFi environment.

CVE-2026-25903 carries a CVSS v3.1 score of 8.7 (High). The vulnerability stems from improper authorization validation that may allow unauthorized users to perform restricted actions within the platform. Successful exploitation could allow attackers to access sensitive data flows, manipulate processing pipelines, or disrupt trusted data movement operations used by organizations.

Apache addressed the issue through security updates that strengthen authorization enforcement and access validation across affected NiFi components. No verified real-world exploitation or confirmed public proof-of-concept code has been reported for this vulnerability.

Rapid7 Insight Platform Authentication Bypass Vulnerability

“This vulnerability lets attackers walk past authentication controls and access sensitive systems without valid credentials. If left unpatched, it opens a direct path into security infrastructure designed to protect the organization.”

Rapid7 released a security update addressing an authentication bypass vulnerability affecting components of the Rapid7 Insight Platform. The weakness could allow a remote attacker to bypass authentication checks and gain unauthorized access to protected application functions. Because the Insight platform is widely used for vulnerability management, detection, and security operations, exploitation could expose sensitive security data or allow attackers to manipulate monitoring functions.

The vulnerability is tracked as CVE-2026-1568 and carries a CVSS v3.1 score of 9.6 (Critical). The issue stems from improper validation of authentication controls, allowing specially crafted requests to bypass normal access checks. Successful exploitation could allow attackers to access restricted platform functions or retrieve sensitive information stored within the system.

Rapid7 addressed the issue through security updates that strengthen authentication validation and access control checks across affected platform components. No verified evidence of real-world exploitation or public proof-of-concept code has been confirmed at this time.

Red Hat Enterprise Linux Multiple Security Vulnerabilities

“These vulnerabilities strike at core Linux services. The most serious issue could open a path to major system compromise, while the others increase the risk of crashes, service disruption, and unintended request handling.”

Red Hat released security updates addressing multiple vulnerabilities affecting components used in Red Hat Enterprise Linux. These issues impact key services tied to authentication, HTTP parsing, and memory handling. If left unpatched, they could allow attackers to bypass security controls, trigger memory corruption, or cause denial-of-service conditions.

CVE-2026-1709 carries a CVSS v3.1 score of 9.4 (Critical) and affects Keylime, where missing client-side TLS authentication can allow unauthenticated administrative access. CVE-2026-1761 is rated 8.6 (High) and affects libsoup, where a stack-based buffer overflow could lead to crashes or arbitrary code execution. CVE-2026-1757 has a 6.2 (Medium) score and can cause a local denial-of-service condition in xmllint through memory exhaustion. CVE-2026-1760 is rated 5.3 (Medium) and involves HTTP request smuggling in SoupServer that can lead to unintended request processing and denial of service. CVE-2026-1801 also carries a 5.3 (Medium) score and affects libsoup through malformed chunk parsing that can enable request smuggling and possible information disclosure.

Red Hat addressed these issues through security updates for the affected packages. No verified real-world exploitation or confirmed public proof-of-concept activity was established in the sources I checked.

Red Hat Satellite Security Vulnerabilities

“These vulnerabilities weaken security controls in Red Hat Satellite. If exploited, attackers could interfere with systems responsible for managing and securing enterprise Linux infrastructure.”

Red Hat released security updates addressing two vulnerabilities affecting Red Hat Satellite, the platform used to manage lifecycle operations, updates, and configuration across Red Hat Enterprise Linux environments. These issues affect how certain system components validate requests and enforce security controls. If left unpatched, attackers could exploit these weaknesses to perform unauthorized actions or disrupt system management operations.

CVE-2026-1530 carries a CVSS v3.1 score of 8.1 (High) and involves improper handling within Satellite components that could allow attackers to bypass certain protections and perform unauthorized actions in the management environment.

CVE-2026-1531 also carries a CVSS v3.1 score of 8.1 (High) and stems from insufficient validation in system processing functions. Successful exploitation could allow attackers to interfere with management services responsible for coordinating updates and configuration across managed systems.

Red Hat addressed these issues through security updates that strengthen request validation and access enforcement in affected Satellite components. No verified real-world exploitation or confirmed public proof-of-concept code has been reported for these vulnerabilities.

Fortinet FortiClient EMS SQL Injection Vulnerability

“An unauthenticated attacker can exploit this SQL injection to execute commands on the FortiClientEMS server — no login required.”

Fortinet released a security update addressing CVE-2026-21643, a critical SQL injection vulnerability affecting FortiClientEMS version 7.4.4. The issue stems from improper neutralization of special elements in SQL commands within the web interface. A remote attacker can send crafted HTTP requests to execute unauthorized SQL queries, potentially leading to remote code execution on the underlying system.
This vulnerability carries a CVSS 3.1 score of 9.1 (Critical). The attack requires no authentication and can be executed over the network, creating a serious risk to confidentiality, integrity, and availability. Because FortiClientEMS centrally manages endpoints, a successful compromise could allow attackers to manipulate endpoint policies, deploy malicious payloads, disrupt security controls, or move laterally within the enterprise environment.

Fortinet confirmed that only version 7.4.4 is affected. Updating to version 7.4.5 or later resolves the issue. At the time of disclosure, there were no confirmed reports of active exploitation or publicly released proof-of-concept code.

Tanium Deploy Access Control Vulnerability

“A weakness in Tanium Deploy could allow attackers to bypass security checks and interfere with enterprise software deployment systems. If exploited, it could expose sensitive management functions that control how software is distributed across the network.”

Tanium released a security update addressing a vulnerability in Tanium Deploy, the platform used to manage and automate software deployments across enterprise endpoints. The issue affects how certain access controls are enforced within the deployment management functions. If left unpatched, an attacker could exploit the weakness to interact with restricted deployment features.

CVE-2025-15330 carries a CVSS v3.1 score of 8.8 (High). The vulnerability stems from improper access control validation that may allow unauthorized users to perform actions within the deployment environment. Successful exploitation could allow attackers to manipulate deployment processes, potentially affecting the integrity of software distributed across managed systems.

Tanium addressed the issue through a security update that strengthens authentication and access control checks within affected Deploy components. No verified real-world exploitation or confirmed public proof-of-concept code has been reported for this vulnerability.

Dell RecoverPoint Critical Security Vulnerability

“This vulnerability exposes a severe security gap in Dell RecoverPoint. If exploited, attackers could gain complete control over critical data protection systems that organizations rely on to safeguard and recover their most important data.”

Dell released a security update addressing a critical vulnerability affecting Dell RecoverPoint, the platform used for enterprise data replication and disaster recovery management. The issue impacts components responsible for handling system operations and administrative functionality. If left unpatched, the vulnerability could allow attackers to compromise the integrity and control of systems responsible for protecting critical enterprise data.

CVE-2026-22769 carries a CVSS v3.1 score of 10.0 (Critical). The vulnerability stems from improper validation and access control within the RecoverPoint system. Successful exploitation could allow attackers to execute unauthorized actions within the management environment, potentially altering configurations, disrupting replication operations, or compromising system integrity.

Dell addressed the issue through a security update that strengthens system validation and access control protections within affected RecoverPoint components. No verified real-world exploitation or confirmed public proof-of-concept code has been reported for this vulnerability.

Apache Tomcat Improper Request Handling Vulnerability

“Improper request handling in Tomcat opened a path to unauthorized access and potential application compromise.”

CVE-2026-24733 is a high-severity vulnerability (CVSS 8.2) affecting Apache Tomcat. The issue stems from improper validation and request processing within the server, which could allow an attacker to bypass intended security restrictions under certain configurations.

An attacker could exploit this flaw by sending specially crafted HTTP requests to a vulnerable Tomcat instance. Successful exploitation may result in unauthorized access to protected resources, exposure of sensitive application data, or interference with web application behavior. In environments hosting critical enterprise applications, this could lead to data leakage, service disruption, or broader compromise.

Apache addressed this vulnerability in updated Tomcat releases across supported branches. Organizations should upgrade to the latest patched version in their respective Tomcat release line to remove exposure.

NetApp SnapCenter Privilege Escalation Vulnerability

“A low-level SnapCenter account could escalate to administrator on managed systems, putting backups and critical servers at risk.”

CVE-2025-26512 is a critical privilege escalation vulnerability (CVSS 9.9) affecting NetApp SnapCenter. In vulnerable versions prior to 6.0.1P1 and 6.1P1, an authenticated SnapCenter user with limited permissions could exploit this flaw to gain administrative privileges on remote systems running SnapCenter plug-ins.

This means a standard SnapCenter account could be leveraged to take control of managed hosts. Successful exploitation could result in unauthorized access to sensitive data, tampering or deletion of backups, service disruption, or lateral movement across enterprise infrastructure. Because SnapCenter orchestrates protection for databases, applications, and virtual environments, compromise could directly impact recovery capabilities.

NetApp resolved this issue in SnapCenter versions 6.0.1P1, 6.1P1, and later.

Jenkins Security Vulnerabilities

“If attackers control your build server, they control your software supply chain.”

These Jenkins vulnerabilities weakened core security controls within CI/CD environments. One issue allowed an authenticated user with limited permissions to bypass authorization checks and access restricted functionality or sensitive information, including credentials and job configurations. The second issue involved insufficient input validation, which could allow limited manipulation of system behavior depending on configuration.

The access control weakness carries a high severity score of 8.0, while the input validation issue is rated 4.3 (medium severity). Jenkins addressed both issues in updated core releases.

SolarWinds Serv-U Remote Code Execution Vulnerabilities

“These vulnerabilities open the door to root-level compromise of Serv-U servers. If exploited, attackers with elevated access could execute arbitrary code and seize control of enterprise file transfer infrastructure.”

SolarWinds released security updates addressing four vulnerabilities affecting SolarWinds Serv-U, a widely used enterprise file transfer platform. The issues impact Serv-U version 15.5 and could allow attackers with administrative privileges to execute arbitrary code with elevated permissions. Successful exploitation could compromise sensitive file transfer operations and allow attackers to take full control of affected servers. These vulnerabilities were addressed in Serv-U version 15.5.4.

CVE-2025-40538 carries a CVSS v3.1 score of 9.1 (Critical) and involves broken access control that could allow an attacker to create a system administrator account and execute arbitrary code with privileged permissions.

CVE-2025-40539 has a CVSS v3.1 score of 9.1 (Critical) and is a type confusion vulnerability that could allow execution of native code with root or privileged account permissions.

CVE-2025-40540 also carries a CVSS v3.1 score of 9.1 (Critical) and involves another type confusion weakness that could allow arbitrary code execution at the highest system privilege level.

CVE-2025-40541 has a CVSS v3.1 score of 9.1 (Critical) and stems from an insecure direct object reference vulnerability that could allow an attacker to execute native code as a privileged account.

These vulnerabilities require administrative privileges to exploit, but successful exploitation could still allow attackers to execute code and fully compromise the Serv-U server environment. No verified real-world exploitation or confirmed public proof-of-concept code has been reported.

Cisco Catalyst SD-WAN Security Vulnerabilities

“Cisco SD-WAN and monitoring systems exposed critical trust gaps — including a zero-day authentication bypass and high-risk privilege escalation that can hand over full network control.”

The most severe issue, CVE-2026-20127, carries a CVSS v3 score of 10.0 (Critical). This authentication bypass vulnerability has been exploited in real-world zero-day attacks. An unauthenticated remote attacker could gain full administrative control of affected controllers, inject rogue devices, and manipulate WAN traffic. This level of compromise puts entire enterprise networks at immediate risk.

CVE-2026-20126 is rated CVSS v3 8.8 (High). This vulnerability allows remote exploitation that could lead to significant system compromise, depending on deployment exposure.

CVE-2026-20122 carries a CVSS v3 score of 7.8 (High) and allows an authenticated local attacker to escalate privileges to root through crafted administrative input, resulting in full device takeover.

CVE-2026-20128 is rated CVSS v3 7.5 (High) and addresses additional security weaknesses within SD-WAN components that could be leveraged to disrupt or compromise services.

These patches strengthen authentication controls, enforce stricter privilege boundaries, and harden SD-WAN management interfaces against remote and local abuse.

Trend Micro Apex One Remote Code Execution Vulnerabilities

“Two critical console weaknesses could let attackers upload malicious files and take control of your server — this patch closes that gap.”

Trend Micro has released security updates for Apex One, addressing two critical path traversal vulnerabilities in the Apex One management console. Both issues carry a CVSS v3 score of 9.8 (Critical) and can lead to remote code execution (RCE) if exploited. Organizations running on-premises Apex One deployments should apply the update immediately.

CVE-2025-71210 — Critical (CVSS v3: 9.8)

This vulnerability is a path traversal issue in the Apex One management console. An attacker with access to the console could manipulate file paths to upload and execute arbitrary code on the underlying Windows system. Successful exploitation may result in full system compromise.

CVE-2025-71211 — Critical (CVSS v3: 9.8)

A second path traversal vulnerability exists in a separate Apex One component within the management console. Like the first issue, it enables attackers to upload malicious files and execute code remotely, potentially leading to complete control of the affected server.

Trend Micro confirmed patches are available in the latest updated builds of Apex One. While exploitation requires access to the management console, exposed or improperly secured console interfaces significantly increase risk. There were no public reports of active in-the-wild exploitation at the time of disclosure. Critical Patch Build 14136 fixes these issues.

VMware Aria Operations Security Vulnerabilities

“High-impact weaknesses in VMware Aria could let attackers run commands, inject malicious scripts, or gain admin rights — this update locks them down.”

This patch addresses three vulnerabilities in VMware Aria Operations that could allow attackers to compromise infrastructure monitoring environments and gain elevated control. The most severe issue, CVE-2026-22719, is a command injection vulnerability with a CVSS v3.1 score of 8.1 (High). An unauthenticated attacker may exploit this flaw during a support-assisted product migration to execute arbitrary commands, potentially leading to remote code execution. This vulnerability has been added to the CISA Known Exploited Vulnerabilities catalog, indicating confirmed exploitation in the wild.

The update also fixes CVE-2026-22720, a stored cross-site scripting vulnerability with a CVSS v3.1 score of 8.0 (High). An attacker with permission to create custom benchmarks could inject malicious scripts into the interface and perform unauthorized administrative actions. Additionally, CVE-2026-22721 resolves a privilege escalation vulnerability with a CVSS v3.1 score of 6.2 (Medium) that could allow an attacker with existing access to gain administrative privileges within VMware Aria Operations.

These vulnerabilities affect VMware Aria Operations deployments used within VMware Cloud Foundation, Telco Cloud Platform, and Telco Cloud Infrastructure environments. Successful exploitation could enable attackers to execute code, manipulate monitoring systems, and gain deeper access to managed infrastructure.

ServiceNow AI Platform Remote Code Execution Vulnerability

“An unauthenticated user could run remote code inside ServiceNow’s AI sandbox — this patch stops that.”

CVE-2026-0542 is a critical remote code execution vulnerability in the ServiceNow AI Platform that allows an unauthenticated attacker to execute arbitrary code within the platform’s sandbox environment under certain conditions — meaning an attacker could trigger harmful actions without any login credentials. It’s tied to improper isolation/compartmentalization in the ServiceNow AI Sandbox, letting malicious input escape the intended containment. The vulnerability is assigned a CVSS v4.0 score of 9.2 (Critical) because it can be triggered remotely over a network with no authentication required and could compromise confidentiality, integrity, and availability of the affected instance. 

ServiceNow has released security updates for all affected hosted and self-hosted instances to eliminate the weakness in the AI Platform. Hosted customers received automatic updates early in 2026 as part of the vendor’s patch rollout, and self-hosted or partner customers should apply the corresponding hotfixes or upgraded releases as soon as possible. As of the advisory publication, there are no confirmed reports of this vulnerability being exploited in the wild, but because it requires no authentication, exposed instances remain high-risk until patched. 

Juniper Junos OS Evolved Remote Code Execution Vulnerability

“Attackers could take full control of PTX routers without logging in.”

CVE-2026-21902 is a critical vulnerability with a CVSS v3.1 score of 9.8 affecting Juniper Networks Junos OS Evolved on PTX Series routers. The issue is caused by incorrect permission assignment within the On-Box Anomaly Detection framework. Although intended for internal communication, the service is enabled by default and listens on a network port, making it reachable from external sources in certain deployments.

An unauthenticated network-based attacker can send crafted requests to the exposed service and execute arbitrary code with root privileges. Successful exploitation gives full control of the device, creating serious risk for service providers and enterprises that rely on PTX routers for backbone and high-capacity routing. There are no confirmed reports of active exploitation at this time, but the remote, unauthenticated nature of the issue makes it high priority.

Juniper has released fixes in Junos OS Evolved 25.4R1-S1-EVO, 25.4R2-EVO, and later versions. Systems running vulnerable builds should be updated immediately

Android Multiple Critical Security Vulnerabilities

“This March update closes critical Android vulnerabilities that could allow attackers to execute code, escalate privileges, and break system isolation.”

The March 2026 Android Security Bulletin addresses 129 vulnerabilities across Android’s core platform, including Framework, System, Kernel, and virtualization subsystems. The most severe issues fixed this month include multiple critical remote execution, privilege escalation, and isolation escape flaws that pose significant risks to device integrity and data security.

Below are the notable critical vulnerabilities:

• CVE-2026-0006 (Critical, CVSS 9.8) — A remote code execution flaw in the System component due to a heap buffer overflow. No privileges or user interaction are required to exploit.
• CVE-2026-0047 (Critical, CVSS 9.8) — A local privilege escalation issue in the Android Framework that allows an app to gain elevated rights without additional execution privileges.
• CVE-2025-48631 (Critical, CVSS 9.8) — A denial-of-service and potential code execution vulnerability in a core System service that could destabilize or crash the device remotely.
• CVE-2024-43859 (Critical, CVSS 9.8) — A kernel privilege escalation vulnerability in the Flash-Friendly File System (F2FS) that could let attackers gain elevated system control.
• CVE-2026-0037 (Critical, CVSS 9.8) — A kernel virtualization isolation break affecting pKVM, enabling potential guest-to-host privilege escalation.
• CVE-2026-0038 (Critical, CVSS 9.8) — Another virtualization/guest escape vulnerability that undermines isolation boundaries within the kernel’s VM infrastructure.

In addition to these critical items, the March bulletin includes numerous high-severity privilege escalation and information disclosure fixes, as well as patches for vendor-specific components.

Google has released the March 2026 patch levels (2026-03-01 and 2026-03-05) that incorporate these fixes. OEMs and carriers are rolling out corresponding updates to supported devices. Installing these updates promptly is essential to protect against active and potential exploitation.

Cisco Secure Firewall Management Center Critical Vulnerabilities

“When the system that manages your firewalls is vulnerable, the entire network becomes exposed. These weaknesses could allow attackers to bypass security controls, run commands, or disrupt critical protections.”

Cisco released security updates addressing multiple vulnerabilities in Cisco Secure Firewall Management Center (FMC) that could allow attackers to bypass authentication, execute commands, or disrupt security operations. The most severe issues include CVE-2026-20079 and CVE-2026-20131, both rated CVSS v3.1 10.0 (Critical). These vulnerabilities could allow an unauthenticated remote attacker to send crafted HTTP requests to the web management interface and gain the ability to execute commands with root-level privileges on the underlying system.

Additional vulnerabilities addressed in this update include CVE-2026-20100, CVE-2026-20101, CVE-2026-20103, CVE-2026-20105, CVE-2026-20106, CVE-2026-20039, and CVE-2026-20082. These issues involve weaknesses such as improper input validation, authorization bypass conditions, and other security control failures that could allow attackers with varying levels of access to execute commands, escalate privileges, or cause service disruption within the firewall management platform.

Because Secure Firewall Management Center centrally manages firewall rules, intrusion prevention policies, and security visibility across enterprise environments, successful exploitation could allow attackers to manipulate security policies, disable protections, and gain deeper access into protected networks.

Apple WebKit and Kernel Security Vulnerabilities

“Three Apple vulnerabilities reveal how both malicious web content and kernel-level weaknesses can open the door to device compromise. A single webpage or malicious app could potentially trigger code execution deep inside the system.”

Apple released security updates addressing three vulnerabilities affecting WebKit and the Apple kernel across multiple Apple platforms. CVE-2021-30952 is an integer overflow vulnerability in WebKit with a CVSS v3.1 score of 7.8 (High). An attacker could exploit the issue by delivering specially crafted web content that triggers a memory error, potentially allowing arbitrary code execution when processed by Safari or other applications that rely on WebKit.

CVE-2023-43000 is a kernel vulnerability with a CVSS v3.1 score of 7.8 (High) that could allow an application to execute arbitrary code with kernel privileges. Because the kernel operates at the core of the operating system, successful exploitation could allow attackers to bypass security controls and gain deep system-level access.

Apple also addressed CVE-2023-41974, another WebKit vulnerability with a CVSS v3.1 score of 8.8 (High). Processing specially crafted web content could lead to arbitrary code execution within the context of the affected application. Apple resolved these issues through security updates affecting iOS, iPadOS, macOS, Safari, and other Apple platform components. CVE-2023-41974 has been reported as actively exploited in the wild, indicating attackers were already leveraging the issue before patches were widely deployed.

Mozilla Firefox Multiple Security Vulnerabilities

“Firefox 148 shuts down dangerous browser paths before attackers can turn a routine session into code execution, sandbox escape, or privilege gain.”

Firefox 148 was released on February 24, 2026, under Mozilla Foundation Security Advisory 2026-13. This update closes browser-exposed weaknesses in WebRender, JavaScript, DOM, IndexedDB, Web Audio, Networking, WebAuthn, and grouped memory-safety fixes. Mozilla says the memory-safety rollups showed evidence of memory corruption and may have been usable for arbitrary code execution with enough effort.

Verified CVSS v3.x scoring puts almost the entire advisory in High or Critical territory. Critical 10.0: CVE-2026-2760, CVE-2026-2761, CVE-2026-2768, CVE-2026-2776, and CVE-2026-2778. Critical 9.8: CVE-2026-2757, 2758, 2759, 2795, 2762, 2763, 2764, 2796, 2797, 2765, 2766, 2767, 2799, 2770, 2771, 2772, 2773, 2774, 2775, 2777, 2792, 2793, 2807, 2779, 2800, 2780, 2781, 2782, 2784, 2785, 2786, 2805, 2787, 2788, 2789, 2790, and 2791. Critical 9.1: CVE-2026-2806. High 8.8: CVE-2026-2798 and 2769. High 7.5: CVE-2026-2794, 2801, 2783, and 2803. The only reviewed Firefox 148 items below High are CVE-2026-2802 at 4.2 Medium and CVE-2026-2804 at 5.4 Medium.

This is a security-first release, that fixes more than 50 security issues. The most serious exposure runs through remote code execution-style memory corruption, sandbox escapes that break browser isolation, privilege paths that widen post-compromise impact, and critical networking and authentication-adjacent issues in JAR handling, cache behavior, and WebAuthn-related spoofing.

Roundcube Webmail Remote Code Execution & XSS Vulnerabilities

“A single malicious email could give attackers control of your mail server or steal user sessions.”

This patch addresses two serious vulnerabilities in Roundcube Webmail, impacting both server integrity and user security.

CVE-2025-49113 – CVSS 9.9 (Critical)
This remote code execution vulnerability allows an authenticated attacker to exploit improper input handling in mail processing components. By delivering specially crafted content, an attacker can execute arbitrary code on the mail server. Successful exploitation could lead to full server compromise, unauthorized mailbox access, data theft, or persistent backdoor installation. The near-maximum severity reflects the high impact on confidentiality, integrity, and availability.

CVE-2025-68461 – CVSS 7.2 (High)
This stored cross-site scripting (XSS) vulnerability allows attackers to inject malicious JavaScript into email content. When a victim opens the message, the script executes within their authenticated session. This can result in session hijacking, credential theft, mailbox manipulation, and unauthorized actions performed as the victim.

There are no confirmed reports of active exploitation at this time. The update strengthens input validation, corrects unsafe parsing behavior, and improves output encoding protections to block script injection and prevent server-side code execution.

Veeam Backup & Replication Security Vulnerabilities

“These vulnerabilities allowed credential theft and full remote code execution, making backup servers a prime ransomware target.”

Veeam addressed two serious vulnerabilities in Veeam Backup & Replication that directly impacted enterprise backup infrastructure.

CVE-2023-27532 is a high-severity vulnerability (CVSS 7.5) that allowed an unauthenticated attacker with network access to retrieve encrypted credentials stored in the configuration database. Attackers leveraged this weakness in real-world ransomware campaigns to extract credentials, move laterally, and compromise backup environments. Public proof-of-concept code accelerated exploitation, and the issue was widely abused before patching.

CVE-2024-40711 is a critical remote code execution vulnerability (CVSS 9.8) requiring no authentication. It allowed attackers to execute arbitrary code on vulnerable Veeam servers. This flaw was confirmed as actively exploited in ransomware operations, enabling full system takeover and deployment of malicious payloads. Because backup servers hold administrative credentials and control recovery processes, compromise can cripple an organization’s ability to restore operations.

Veeam resolved these vulnerabilities in updated releases, including version 12.2.0.334 and later builds.

Hikvision Wireless Access Point Command Execution Vulnerability

“A high-risk command execution issue could let a logged-in user fully control a wireless access point.”

This Hikvision patch addresses a high-severity authenticated command execution vulnerability affecting certain Hikvision Wireless Access Point models. The issue occurs due to insufficient input validation in the device firmware, allowing an attacker with valid credentials to send crafted network packets that trigger arbitrary command execution on the system. If exploited, this vulnerability could allow attackers to disrupt wireless services, alter configurations, or use the access point as a stepping stone to attack other networked systems.

The vulnerability is tracked as CVE-2026-0709 and has been assigned a CVSS v3.1 score of 7.2 (High). While authentication is required, the impact is significant because successful exploitation grants system-level control of critical network infrastructure. Hikvision has released updated firmware that resolves the issue across affected wireless access point models. There are no confirmed reports of active exploitation or zero-day use at the time of disclosure.

Samsung MagicINFO Server Security Vulnerabilities

“These vulnerabilities hand attackers the keys to the system. One allows malicious content to silently hijack accounts, while another exposes hardcoded database credentials that could give attackers direct control of the platform’s backend.”

Samsung released a security patch addressing two critical vulnerabilities in MagicINFO 9 Server, the centralized platform used to manage digital signage displays. These issues affect versions prior to 21.1090.1 and could allow attackers to compromise system integrity, manipulate content, or access sensitive backend systems controlling displays across enterprise environments.

CVE-2026-25200 is a Stored Cross-Site Scripting (XSS) vulnerability that allows attackers to upload malicious HTML files. Once executed, the malicious content can run within a user’s session and potentially lead to account takeover or unauthorized actions within the management platform. This vulnerability carries a CVSS v3.1 score of 9.8 (Critical).

CVE-2026-25202 exposes hardcoded database credentials embedded within the application. Attackers who discover these credentials can directly access and manipulate the backend database without authentication. This could allow attackers to alter signage content, tamper with system configurations, or gain deeper control over the infrastructure. This vulnerability has a CVSS v3.1 score of 9.8 (Critical).

Both vulnerabilities were addressed in MagicINFO 9 Server version 21.1090.1, which removes the hardcoded credentials and strengthens file upload validation mechanisms. No confirmed real-world exploitation or public proof-of-concept code has been verified at this time.

Foxit PDF Editor Cloud Cross-Site Scripting Vulnerabilities

“Unsafe handling of file and layer names could allow attackers to run harmful scripts inside trusted PDF workflows.”

Foxit addressed two medium-severity stored cross-site scripting vulnerabilities in Foxit PDF Editor Cloud that could allow attackers to inject and execute malicious JavaScript in a user’s browser. CVE-2026-1591 affects the File Attachments list, where specially crafted file names are not properly sanitized before being displayed. CVE-2026-1592 impacts the Create New Layer feature, where unsafe handling of layer names allows similar script execution. Both issues stem from insufficient input validation and output encoding within the cloud interface.

Each vulnerability carries a CVSS v3.1 score of 6.3 (Medium). Successful exploitation requires user interaction, such as opening or viewing a crafted document, but could allow attackers to steal session information, access data visible to the user, or redirect users to malicious content. Foxit released updates that correct the input handling logic and prevent script injection through these fields. There are no confirmed reports of active exploitation or zero-day abuse at the time of disclosure.

IBM Aspera Faspex Access Control Vulnerability

“A security gap in IBM Aspera Faspex could allow attackers to bypass key access controls. If exploited, unauthorized users could interfere with secure enterprise file transfer operations.”

IBM released a security update addressing a vulnerability affecting IBM Aspera Faspex, a platform used for high-speed enterprise file transfers. The issue impacts how the application enforces access restrictions within certain service components. If left unpatched, the weakness could allow unauthorized users to interact with functions that should be restricted.

CVE-2025-13379 carries a CVSS v3.1 score of 8.6 (High). The vulnerability stems from improper access control validation within the Faspex application. Successful exploitation could allow attackers to bypass security checks and perform unauthorized actions that may affect file transfer operations or expose sensitive data handled by the platform.

IBM addressed the issue through security updates that strengthen authentication and access control enforcement within affected Faspex components. No verified real-world exploitation or confirmed public proof-of-concept code has been reported for this vulnerability.

Ingress-NGINX Request Handling Vulnerability

“A low-level SnapCenter account could escalate to administrator on managed systems, putting backups and critical servers at risk.”

CVE-2025-26512 is a critical privilege escalation vulnerability (CVSS 9.9) affecting NetApp SnapCenter. In vulnerable versions prior to 6.0.1P1 and 6.1P1, an authenticated SnapCenter user with limited permissions could exploit this flaw to gain administrative privileges on remote systems running SnapCenter plug-ins.

This means a standard SnapCenter account could be leveraged to take control of managed hosts. Successful exploitation could result in unauthorized access to sensitive data, tampering or deletion of backups, service disruption, or lateral movement across enterprise infrastructure. Because SnapCenter orchestrates protection for databases, applications, and virtual environments, compromise could directly impact recovery capabilities.

NetApp resolved this issue in SnapCenter versions 6.0.1P1, 6.1P1, and later.

Notepad++ Arbitrary Code Execution Vulnerability

“This vulnerability allowed specially crafted files or malicious libraries to trigger code execution under the user’s account.”

CVE-2026-25926 is a high-severity vulnerability (CVSS 7.3) affecting Notepad++. The issue stems from improper handling of file-loading or external library behavior, which could allow a malicious file or dynamic link library (DLL) to execute unintended code.

An attacker could exploit this flaw by convincing a user to open a specially crafted file or by placing a malicious DLL in a location searched by the application. If successfully triggered, arbitrary code would execute with the privileges of the logged-in user. This could lead to data theft, system changes, malware installation, or further compromise within a corporate environment.

The vulnerability has been resolved in the latest Notepad++ release.

GitLab Server-Side Request Forgery Vulnerability

“A single webhook request could turn GitLab into a gateway into the internal network. This vulnerability allows unauthenticated attackers to force the server to make internal requests, exposing sensitive systems and services that should never be reachable.”

GitLab released a security patch addressing a Server-Side Request Forgery (SSRF) vulnerability affecting GitLab Community Edition (CE) and Enterprise Edition (EE). The issue occurs when requests to the internal network for webhooks are enabled, allowing an attacker to trigger the GitLab server to send requests to internal services. An unauthenticated attacker could exploit this weakness even if user registration is disabled, potentially exposing internal infrastructure or sensitive data.

The vulnerability is tracked as CVE-2021-22175 and carries a CVSS v3.1 score of 6.8 (Medium) from GitLab’s CNA record. The NVD analysis assigns a CVSS v3.1 score of 9.8 (Critical) due to the potential for remote exploitation without authentication and the high impact on confidentiality, integrity, and availability.

Successful exploitation could allow attackers to probe internal network resources, access internal HTTP services, and retrieve sensitive responses from systems not exposed to the internet. Public proof-of-concept exploit code has been reported for this vulnerability. The issue affects GitLab versions starting from 10.5 and was addressed in patched releases 13.6.7, 13.7.7, and 13.8.4.

Microsoft Windows Fundamentals Privilege Escalation Vulnerability

“Core operating system components should enforce trust — this vulnerability weakened that foundation.”

CVE-2025-29969 is a high-severity vulnerability (CVSS 7.5) affecting Microsoft Windows Fundamentals. The issue involves improper handling within a core Windows component that could allow an attacker to execute code with elevated privileges.

If successfully exploited, an attacker could gain higher-level access on a targeted system. Depending on the user context, this may allow installation of programs, modification of data, creation of new accounts, or broader system control. Because the flaw exists in a foundational Windows component, the potential impact spans enterprise workstations and servers running affected versions.

Microsoft addressed this vulnerability in its latest security updates for supported Windows releases.

Splunk Enterprise CVE-2026-20140 Security Update

“A low-level Windows user could leverage a DLL loading weakness to gain full SYSTEM control of a Splunk server.”

CVE-2026-20140 is a high-severity local privilege escalation vulnerability (CVSS 7.7) affecting Splunk Enterprise for Windows. The issue is caused by a DLL search-order hijacking weakness in affected versions of the software.

A local, low-privileged Windows user with the ability to create directories and write files on the system drive could place a malicious DLL in a location loaded by Splunk during service startup. When the Splunk service restarts, it may load the attacker-controlled DLL. Because the service runs with SYSTEM-level privileges, the malicious code executes with full administrative control.

Successful exploitation could allow attackers to take over the host system, disable logging or security controls, manipulate indexed data, or pivot deeper into the network. While the vulnerability requires local access, the impact is significant in shared or multi-user environments.

Splunk addressed this issue in updated releases of Splunk Enterprise for Windows.

Zenitel Intercom & IP Audio Systems

“Communication systems are meant to secure facilities — these vulnerabilities put that security at risk.”

These four vulnerabilities affect Zenitel intercom and IP audio systems, exposing core communication infrastructure to unauthorized access and system compromise.

CVE-2025-64127 is a critical vulnerability (CVSS 9.8) that allows unauthenticated remote access to system functionality. An attacker on the network could exploit this issue to gain control of affected devices without valid credentials.

CVE-2025-64128 is a high-severity vulnerability (CVSS 8.1) involving improper authentication controls. Under certain conditions, attackers could bypass intended access restrictions and interact with protected services.

CVE-2025-64129 is a high-severity vulnerability (CVSS 7.8) related to command or input handling weaknesses. Successful exploitation could allow unauthorized system manipulation or execution of unintended actions.

CVE-2025-64130 is a medium-severity vulnerability (CVSS 6.5) that could expose sensitive system information, potentially assisting attackers in reconnaissance or follow-on attacks.

Because Zenitel systems are commonly deployed in transportation, correctional facilities, healthcare, and other critical infrastructure environments, exploitation could result in disruption of communications, unauthorized device control, or broader network compromise.

Zenitel has released firmware updates addressing these vulnerabilities.

ESET Management Agent for Windows

“Security software must defend the system — not open a path to higher privileges.”

CVE-2025-13818 is a high-severity vulnerability (CVSS 7.8) affecting ESET Management Agent for Windows. The issue involves improper privilege handling within the agent service that could allow a local user to elevate privileges on the affected system.

An attacker with local access could exploit this flaw to execute code with elevated permissions, potentially gaining SYSTEM-level control. Successful exploitation could allow installation of programs, modification of security configurations, disabling of protections, or broader compromise of the endpoint. Because the Management Agent operates with high privileges and communicates with centralized management infrastructure, abuse could weaken overall enterprise security posture.

ESET has released updates to address this vulnerability in supported versions of the Management Agent for Windows.

Zyxel ATP & USG Series

“Perimeter firewalls are meant to block attackers — this vulnerability let them slip through.”

CVE-2025-11730 is a critical vulnerability (CVSS 9.8) affecting Zyxel ATP and USG series firewalls. The issue stems from improper input validation within a network-exposed service, allowing an unauthenticated attacker to execute arbitrary commands on affected devices.

An attacker on the internet could exploit this flaw without valid credentials by sending specially crafted requests to the vulnerable service. Successful exploitation could result in full device compromise, unauthorized configuration changes, interception of network traffic, or use of the firewall as a pivot point into internal networks. Because these appliances sit at the network perimeter, compromise can expose the entire organization.

Zyxel has released firmware updates to address this vulnerability in supported ATP and USG models.

FileZen OS

“A trusted file transfer tool became a dangerous entry point—attackers are already using this weakness to run system commands and take control of servers.”

This patch addresses a critical OS command injection vulnerability in FileZen tracked as CVE-2026-25108, with a CVSS v3.1 score of 8.8 (High). The issue occurs when the Antivirus Check Option is enabled. An authenticated user can send specially crafted HTTP requests that force FileZen to execute arbitrary operating system commands. This gives attackers the ability to run code on the host server with application-level privileges.

The vulnerability affects FileZen versions 4.2.1 through 4.2.8 and 5.0.0 through 5.0.10. FileZen S is not affected. A successful exploit can lead to full system compromise, data theft, service disruption, or lateral movement inside the network. Security authorities have confirmed active exploitation in real-world attacks, increasing the urgency of patching.

The issue is resolved in FileZen version 5.0.11, which removes the command injection vector and strengthens input handling in the antivirus scanning feature.

CryptoPro Secure Disk for BitLocker

“Weak integrity checks let attackers alter critical boot files and seize root control before BitLocker unlocks the drive.”

This update addresses CVE-2025-10010, a medium severity vulnerability with a CVSS v3 score of 6.8. The issue affects CryptoPro Secure Disk for BitLocker, which uses a Linux-based pre-boot environment to authenticate users before decrypting the Windows partition. The Linux component resides on an unencrypted partition. Because certain configuration files were not properly validated by the Integrity Measurement Architecture (IMA), an attacker with physical access could modify those files and execute arbitrary code with root privileges before BitLocker unlocks the system.

Successful exploitation requires physical access but no prior authentication or privileges. An attacker could implant malicious code, tamper with the boot process, or compromise sensitive data before the operating system loads. There are no confirmed reports of active exploitation in the wild at this time.

The vulnerability is resolved in CryptoPro Secure Disk versions 7.6.6 and 7.7.1, which strengthen integrity validation controls in the pre-boot environment.

FreeBSD Jail Escape via File Descriptor Exchange (CVE-2025-15576)

“A gap in jail boundary enforcement lets processes step outside their sandbox — this patch restores strict isolation.”

This patch addresses a serious vulnerability in the FreeBSD jail subsystem tracked as CVE-2025-15576. The issue affects FreeBSD 14.3 and FreeBSD 13.5 and allows a jailed process to escape its restricted environment and gain access to the host system’s filesystem.

The flaw occurs when two sibling jails share a directory using a nullfs mount and communicate through a Unix domain socket. In this configuration, processes can exchange directory file descriptors. Due to improper validation during filesystem name lookups, the kernel may allow a process inside a jail to obtain a directory descriptor outside its assigned root. This breaks the fundamental isolation model of FreeBSD jails and enables unauthorized access to sensitive host files and system resources.

CVE-2025-15576 carries a CVSS v3.1 score of 7.0 (High). Successful exploitation can lead to a complete breakdown of filesystem isolation, allowing attackers to read or modify system files, extract sensitive data, or pivot into further privilege escalation attacks on the host system. A security update corrects the descriptor validation logic in the jail subsystem to enforce proper filesystem boundary checks.

No verified reports currently confirm active exploitation in the wild or publicly released proof-of-concept code.

Rockwell Automation Studio 5000 Logix Designer

“A weakness in industrial engineering software could allow an attacker to bypass authentication and gain full control of critical configuration tools. When authentication fails, the systems used to manage industrial operations become exposed.”

Rockwell Automation addressed CVE-2021-22681, an authentication bypass vulnerability affecting Studio 5000 Logix Designer. This issue carries a CVSS v3.1 score of 10.0 (Critical). The vulnerability could allow an attacker to bypass authentication controls and gain unauthorized access to the application environment.

If successfully exploited, an attacker could gain elevated access to engineering functions used to configure and manage ControlLogix and CompactLogix programmable logic controllers (PLCs). This level of access could allow unauthorized modification of controller configurations, project files, and industrial automation logic.

Because Studio 5000 Logix Designer is widely deployed in industrial control system environments, compromise of the engineering workstation or development environment could expose operational technology networks and allow manipulation of industrial processes. There are no verified reports of active exploitation in the wild or confirmed public proof-of-concept exploits associated with this vulnerability.

vLLM Remote Code Execution Vulnerability

“A single malicious media request can turn an AI inference server into an attacker-controlled system.”

This patch addresses a critical remote code execution vulnerability (CVE-2026-22778) in vLLM, a widely used engine for serving large language models. The issue affects vLLM versions 0.8.3 through 0.14.0 and is resolved in vLLM 0.14.1. The vulnerability allows attackers to trigger memory disclosure through malformed image input, leaking heap memory addresses that weaken system protections.

The exposed memory information significantly reduces the effectiveness of ASLR protections, allowing attackers to combine the leak with a heap overflow in the JPEG2000 decoder used by OpenCV/FFmpeg. When chained together, the attack can lead to remote code execution and full server compromise on systems running vulnerable vLLM deployments. The flaw is tracked as CVE-2026-22778, with a CVSS v3.1 score of 9.8 (Critical).

The patch in vLLM 0.14.1 sanitizes error responses from image processing and blocks the exploit chain that could expose internal memory data. Systems using multimodal endpoints that process external images or videos face the highest risk if left unpatched.

Alist Certificate Validation Bypass Vulnerability

“When a system stops verifying certificates, attackers can quietly sit in the middle and read or change everything.”

This patch addresses a critical certificate validation bypass vulnerability (CVE-2026-25160) in Alist, a file listing and multi-storage management platform. The issue affects Alist versions prior to 3.57.0, where TLS certificate verification for storage driver communications was disabled by default. This weakness allowed attackers to impersonate trusted services and intercept communications between Alist and connected storage backends.

The vulnerability enables Man-in-the-Middle attacks, allowing attackers to intercept, view, and manipulate sensitive data transferred between Alist and external storage services. Because the issue can be exploited over the network without authentication, it significantly impacts the confidentiality and integrity of stored files. CVE-2026-25160 has a CVSS v3.1 score of 9.1 (Critical).

The patch released in Alist version 3.57.0 restores proper TLS certificate verification and removes the insecure configuration that allowed connections to proceed without validating server authenticity. Proof-of-concept exploit code is publicly available.

Cisco Meeting Management Arbitrary File Upload Vulnerability

“A low-privileged user can turn a simple file upload into full root control of the system.”

This patch addresses a high-severity vulnerability (CVE-2026-20098) in Cisco Meeting Management (CMM). The issue exists in the Certificate Management component of the web-based management interface, where improper input validation allows an authenticated attacker to upload arbitrary files to the system. A successful exploit enables the attacker to overwrite files that are processed by the root system account, leading to command execution and full system compromise.

The vulnerability allows an attacker with valid credentials and at least the video operator role to send a crafted HTTP request to the vulnerable interface. Once the malicious file is uploaded, it can overwrite system files or inject commands that execute with root-level privileges, exposing the system’s confidentiality, integrity, and availability. CVE-2026-20098 carries a CVSS v3.1 score of 8.8 (High).

Cisco released a software update that resolves the vulnerability by correcting the input validation in the affected interface. The flaw affects Cisco Meeting Management versions 3.12 and earlier, and it is fixed in version 3.12.1. There are no available workarounds, making patching the only effective remediation.

Hikvision IP Cameras, DVRs, and NVR Devices Authentication Bypass Vulnerability

“A hidden backdoor allowed attackers to bypass login protections and take control of surveillance systems.”

This patch addresses a critical authentication bypass vulnerability (CVE-2017-7921) affecting Hikvision IP cameras, DVRs, and NVR devices. The issue exists in the device authentication mechanism, where a flaw allows attackers to bypass login controls and access sensitive device functions without valid credentials.

An attacker can exploit this weakness by sending specially crafted requests to the device interface, allowing unauthorized access to configuration data and administrative features. Once exploited, attackers can retrieve sensitive information such as administrator credentials and system configuration files, enabling full control over affected surveillance systems. CVE-2017-7921 carries a CVSS v3.1 score of 9.8 (Critical).

Hikvision released firmware updates to correct the authentication logic and remove the backdoor-style access path. Devices running older firmware versions remain vulnerable and may allow attackers to monitor, modify, or disable surveillance operations if the update is not applied. Public proof-of-concept exploit code exists and the vulnerability has been widely abused in real-world attacks targeting exposed devices.

Cisco TelePresence Remote Command Execution Vulnerability

“A crafted request could give attackers direct command access to enterprise video conferencing systems.”

This patch addresses a high-severity vulnerability (CVE-2026-20119) affecting Cisco TelePresence devices. The issue exists in the web-based management interface, where improper input validation allows attackers to send specially crafted requests that trigger command execution on the underlying operating system.

An attacker with network access to the management interface could exploit this vulnerability to run arbitrary commands on affected devices. Successful exploitation may allow attackers to alter system configurations, disrupt conferencing operations, or gain control of the device environment. CVE-2026-20119 carries a CVSS v3.1 score of 7.5 (High).

Cisco released software updates that correct the input validation weakness and improve request handling within the management interface. Systems running vulnerable firmware remain exposed until the patched version is applied.

F5 BIG-IP Authentication Bypass Vulnerability

“A simple request to the management interface could let attackers slip past authentication and reach sensitive system controls.”

This patch addresses a medium-severity vulnerability (CVE-2026-22548) affecting F5 BIG-IP systems. The issue exists in the management interface, where improper access control validation may allow attackers to bypass authentication protections under certain conditions. This weakness could allow unauthorized users to interact with restricted system functionality without valid credentials.

If exploited, an attacker with network access to the management interface could access sensitive administrative endpoints. This could expose configuration data or allow limited interaction with system components that should normally require authentication. CVE-2026-22548 carries a CVSS v3.1 score of 5.9 (Medium).

F5 released software updates that correct the authentication validation logic and strengthen access checks within the affected management components. Systems running vulnerable BIG-IP versions remain exposed until the security update is applied.

F5 NGINX OSS Denial of Service Vulnerability

“A specially crafted request can overwhelm the web server and bring critical applications to a halt.”

This patch addresses a medium-severity vulnerability (CVE-2026-1642) affecting F5 NGINX Open Source (OSS). The issue exists in how NGINX processes certain malformed HTTP requests. Improper request handling can allow attackers to send specially crafted traffic that forces the server to consume excessive resources.

Successful exploitation may allow an attacker to trigger a Denial of Service (DoS) condition, causing the server to use excessive CPU or memory resources. This can result in temporary disruption of web applications and services running on affected NGINX servers. CVE-2026-1642 carries a CVSS v3.1 score of 5.9 (Medium).

F5 addressed the issue through updates to NGINX Open Source, improving request handling and resource management when processing malformed inputs. Systems running vulnerable versions remain at risk of service disruption until the patched version is deployed.

Arista NG Firewall Command Injection Vulnerability

“A trusted diagnostics tool can become a weapon, allowing attackers to execute commands directly on the firewall.”

This patch addresses a high-severity vulnerability (CVE-2025-6978) affecting Arista NG Firewall (formerly Untangle). The flaw exists in the diagnostics troubleshooting component, where improper validation of user-supplied input allows command injection through the system’s troubleshooting functionality.

An attacker with administrative or elevated privileges can send crafted requests to the diagnostics interface and inject shell commands into the underlying operating system. Successful exploitation can result in arbitrary command execution with root privileges, potentially allowing attackers to manipulate firewall behavior, access sensitive data, or disrupt network protection services. CVE-2025-6978 carries a CVSS v3.1 score of 7.2 (High).

Arista released a fix in NG Firewall version 17.4, which strengthens input validation in the diagnostics component and prevents malicious commands from being passed to the system shell.

Quest Desktop Authority Privilege Escalation Vulnerability

“A weakness in a trusted administration tool could allow attackers to quietly elevate privileges and gain greater control of managed systems.”

This patch addresses a medium-severity vulnerability (CVE-2025-67813) affecting Quest Desktop Authority, an enterprise endpoint management and privilege administration platform. The issue stems from improper validation during certain privileged operations within the management environment.

An attacker with existing access to the environment could exploit the weakness to escalate privileges and perform actions with elevated system rights. Successful exploitation may allow unauthorized changes to administrative settings or manipulation of systems managed through Desktop Authority. CVE-2025-67813 carries a CVSS v3.1 score of 5.3 (Medium).

Quest released updates that strengthen privilege validation and correct the logic used when processing administrative operations. Systems running vulnerable versions remain exposed until the patched version of Desktop Authority is installed.

Signal K Server Remote Code Execution Vulnerability

“A critical weakness in a marine data server could let attackers execute commands and take full control of connected systems.”

This patch addresses a critical vulnerability (CVE-2026-23515) affecting Signal K Server, an open-source platform used to collect and distribute marine navigation and vessel data. The issue exists in the server’s handling of certain external inputs, where improper validation allows attackers to inject malicious commands through crafted requests.

An attacker with network access to a vulnerable Signal K Server instance could exploit this weakness to execute arbitrary commands on the host system. Successful exploitation may allow attackers to take full control of the server, manipulate vessel data streams, or disrupt connected navigation services. CVE-2026-23515 carries a CVSS v3.1 score of 10.0 (Critical).

Security updates address the vulnerability by improving input validation and strengthening how external requests are processed. Systems running vulnerable versions remain exposed to remote compromise until the patched release is installed.

Microsoft Semantic Kernel Remote Code Execution Vulnerability

“A critical weakness in an AI orchestration framework could allow attackers to run code and take control of systems integrating AI services.”

This patch addresses a critical vulnerability (CVE-2026-25592) affecting Microsoft Semantic Kernel, a framework used to integrate large language models and AI services into applications. The issue stems from improper handling of certain external inputs within the framework, allowing attackers to inject malicious commands through crafted interactions.

An attacker could exploit this weakness to execute arbitrary code on systems running vulnerable Semantic Kernel deployments. Successful exploitation may allow attackers to manipulate AI workflows, access sensitive data, or gain full control of the host environment where the framework is deployed. CVE-2026-25592 carries a CVSS v3.1 score of 10.0 (Critical).

Microsoft addressed the vulnerability through updates that strengthen input validation and improve how external prompts and plugin interactions are processed within the framework. Systems running vulnerable versions remain exposed to remote compromise until the patched release is deployed.

GoldWave Remote Code Execution Vulnerability

“A malicious audio file could silently trigger code execution and give attackers control of the system.”

This patch addresses a critical vulnerability (CVE-2020-37066) affecting GoldWave, a popular digital audio editing application. The issue exists in the way the application processes certain audio files, where improper memory handling can allow specially crafted files to trigger memory corruption during parsing.

An attacker can exploit this weakness by convincing a user to open a maliciously crafted audio file. When processed by the vulnerable application, the file can trigger remote code execution, allowing attackers to run arbitrary commands on the affected system with the privileges of the user. CVE-2020-37066 carries a CVSS v3.1 score of 9.8 (Critical).

Updates to GoldWave correct the memory handling flaw and strengthen validation of audio file data during processing. Systems running vulnerable versions remain exposed until the updated software is installed.

CloudMe Remote Code Execution Vulnerability

“An exposed cloud sync service could allow attackers to execute commands and take control of the system.”

This patch addresses a critical vulnerability (CVE-2020-37070) affecting CloudMe, a cloud storage and file synchronization platform. The issue exists in the CloudMe Sync service, where improper handling of network requests allows attackers to send specially crafted commands to the service.

An attacker with network access to a vulnerable CloudMe instance can exploit this weakness to execute arbitrary code on the affected system without authentication. Successful exploitation may allow attackers to take control of the host system, access synchronized files, or disrupt cloud synchronization services. CVE-2020-37070 carries a CVSS v3.1 score of 9.8 (Critical).

Security updates address the vulnerability by strengthening validation of incoming requests and restricting unsafe command processing within the synchronization service. Systems running vulnerable versions remain exposed until the patched software is deployed.

Nsauditor Remote Code Execution Vulnerability

“A malicious network file could turn a trusted auditing tool into a gateway for attackers.”

This patch addresses a high-severity vulnerability (CVE-2020-37119) affecting Nsauditor, a network security auditing and monitoring tool. The issue exists in the application’s handling of certain crafted project or network data files, where improper memory management can lead to memory corruption.

An attacker can exploit this weakness by persuading a user to open a maliciously crafted file within Nsauditor. When processed, the file can trigger remote code execution, allowing attackers to run arbitrary commands on the affected system with the privileges of the user. CVE-2020-37119 carries a CVSS v3.1 score of 7.8 (High).

Updates to the software correct the unsafe memory handling and improve validation when processing external data files. Systems running vulnerable versions remain exposed until the patched version of Nsauditor is installed.

AMD Graphics Driver Vulnerabilities

“A vulnerable graphics driver can quietly open the door to system crashes, memory corruption, and privilege abuse. This update shuts that door before attackers can step through.”

This AMD graphics driver update addresses multiple security vulnerabilities affecting Radeon and Ryzen graphics platforms, including CVE-2021-26381 through CVE-2025-48518. These weaknesses exist in driver components responsible for memory management, system calls, and input validation. If exploited, they could allow a local attacker to corrupt kernel memory, execute unauthorized operations, or trigger denial-of-service conditions that destabilize affected systems.

One of the more recent issues, CVE-2025-48518, involves improper input validation that can lead to an out-of-bounds memory write, potentially allowing an attacker with local access to compromise system integrity or crash the system. This vulnerability carries a CVSS v3.x score of 6.9 (Medium).

Another notable issue, CVE-2021-26381, stems from improper system call parameter validation in the Trusted OS driver, which could allow a malicious driver to manipulate large memory mappings and cause kernel memory corruption. This vulnerability carries a CVSS v3.x score of 8.8 (High).

AMD addressed these vulnerabilities through updated driver releases and security mitigations across multiple Radeon and Ryzen graphics products, including PRO and enterprise GPU platforms. The fixes strengthen memory handling, validation routines, and driver security boundaries to reduce the risk of privilege escalation or system instability.

No verified reports of active exploitation or publicly released proof-of-concept code were confirmed at the time of publication.

IBM Common Cryptographic Architecture Remote Code Execution Vulnerability

“A weakness in a core cryptographic component could allow attackers to execute code and compromise critical security functions.”

This patch addresses a critical vulnerability (CVE-2025-13375) affecting IBM Common Cryptographic Architecture (CCA), a framework used to provide cryptographic services and secure key management in enterprise systems. The issue stems from improper handling of certain inputs within the cryptographic processing functions.

An attacker who can interact with affected systems may exploit the flaw to execute arbitrary code within the cryptographic service environment. Successful exploitation could allow attackers to compromise cryptographic operations, manipulate secure transactions, or disrupt trusted security processes. CVE-2025-13375 carries a CVSS v3.1 score of 9.8 (Critical).

IBM released security updates that strengthen input validation and correct the processing logic within the affected cryptographic components. Systems running vulnerable versions remain exposed until the patched version of the software is applied.

Unstructured.io Remote Code Execution Vulnerability

“A flaw in an AI data processing platform could let attackers run code and take control of systems handling sensitive documents.”

This patch addresses a critical vulnerability (CVE-2025-64712) affecting Unstructured.io, a platform used to ingest and process large volumes of structured and unstructured data for AI and machine learning workflows. The issue stems from improper validation of externally supplied inputs during document processing operations.

An attacker could exploit the flaw by supplying specially crafted input files or processing requests, which may trigger remote code execution on the host system running the Unstructured platform. Successful exploitation could allow attackers to access sensitive processed data, manipulate AI pipelines, or gain full control of the underlying server environment. CVE-2025-64712 carries a CVSS v3.1 score of 9.8 (Critical).

Security updates correct the unsafe input handling and strengthen validation within the document parsing and processing components. Systems running vulnerable versions remain exposed to remote compromise until the patched version of Unstructured.io is deployed.

Payload CMS Remote Code Execution Vulnerability

“A crafted request to a content platform could allow attackers to run code and seize control of the server.”

This patch addresses a critical vulnerability (CVE-2026-25544) affecting Payload CMS, a Node.js-based content management system used to manage application data and APIs. The issue stems from improper validation of user-supplied input within server-side processing components, allowing malicious requests to inject and execute code.

An attacker who can interact with a vulnerable Payload CMS instance could exploit the flaw to execute arbitrary code on the host server. Successful exploitation may allow attackers to manipulate stored content, access sensitive data, or take full control of the underlying application environment. CVE-2026-25544 carries a CVSS v3.1 score of 9.8 (Critical).

Security updates address the vulnerability by strengthening input validation and improving how the platform processes external requests and data inputs. Systems running vulnerable versions remain exposed to remote compromise until the patched release is deployed.

Frigate Remote Code Execution Vulnerability

“A weakness in a video surveillance platform could allow attackers to run code and gain control of monitoring systems.”

This patch addresses a critical vulnerability (CVE-2026-25643) affecting Frigate, an open-source network video recorder widely used with IP cameras for object detection and surveillance automation. The issue stems from improper validation of externally supplied input within components responsible for processing requests and integrations.

An attacker with access to a vulnerable Frigate instance could exploit the flaw by sending specially crafted requests that trigger remote code execution on the host system. Successful exploitation may allow attackers to take control of the surveillance platform, manipulate video processing functions, or access stored recordings and system data. CVE-2026-25643 carries a CVSS v3.1 score of 9.1 (Critical).

Security updates correct the unsafe input handling and strengthen request validation within affected components. Systems running vulnerable versions remain exposed to remote compromise until the patched version of Frigate is deployed.

i-doit CMDB Arbitrary File Deletion Vulnerability

“A simple parameter manipulation can let an attacker quietly erase files from the CMDB server and undermine the integrity of the entire asset database.”

A high-severity vulnerability in i-doit Open Source CMDB 1.14.1, tracked as CVE-2020-37078, allows authenticated attackers to delete arbitrary files on the server. The issue exists in the import module, where the application fails to properly validate the delete_import parameter. By sending a crafted POST request with a manipulated filename, an attacker can instruct the system to delete files from the underlying filesystem.

The vulnerability carries a CVSS v3.1 score of 8.8 (High). It can be exploited over the network with low privileges and no user interaction, meaning an attacker who has limited authenticated access to the platform can still cause significant damage. Successful exploitation may result in deletion of application files, logs, or configuration data, which can disrupt CMDB operations, compromise data integrity, or destabilize the server environment.

Public exploit code has been published demonstrating how the vulnerability can be triggered through the import interface. This increases the practical risk for exposed or poorly secured deployments of i-doit CMDB.

Ingress-NGINX Kubernetes Controller Security Vulnerabilities

“A weakness in the Kubernetes ingress controller could allow attackers to manipulate traffic handling and disrupt critical applications.”

This patch addresses two high-severity vulnerabilities (CVE-2025-15566 and CVE-2026-1580) affecting Ingress-NGINX, the Kubernetes ingress controller used to manage external access to services within clusters. The issues stem from improper validation and handling of certain configuration inputs and requests processed by the controller.

Attackers who can interact with affected environments may exploit these weaknesses to manipulate ingress configurations, interfere with request routing, or disrupt application availability within the cluster. Successful exploitation could impact the integrity and availability of services exposed through the ingress layer. CVE-2025-15566 carries a CVSS v3.1 score of 8.8 (High), and CVE-2026-1580 carries a CVSS v3.1 score of 8.7 (High).

Security updates address the vulnerabilities by strengthening validation of ingress configuration data and improving request processing logic within the controller. Kubernetes environments using vulnerable versions remain exposed until the patched releases are deployed.

OpenClaw Command Injection Vulnerabilities

“These OpenClaw bugs turn a helpful AI assistant into a potential command execution engine for attackers.”

Multiple high-severity vulnerabilities in OpenClaw, a self-hosted AI assistant platform, allow attackers to execute arbitrary system commands under certain conditions. The issues are tracked as CVE-2026-24763 and CVE-2026-25593, both stemming from improper handling of command execution paths and configuration values that can be manipulated by attackers.

CVE-2026-24763 carries a CVSS v3.1 score of 8.8 (High). In versions prior to 2026.1.29, OpenClaw improperly handles the PATH environment variable when constructing shell commands inside its Docker sandbox execution environment. An authenticated user capable of influencing environment variables can inject malicious commands, allowing execution within the container and potentially exposing sensitive data or system resources.

CVE-2026-25593 carries a CVSS v3.1 score of 8.4 (High). Versions prior to 2026.1.20 allow an unauthenticated local client to abuse the Gateway WebSocket API through the config.apply function. By setting unsafe cliPath values in configuration files, an attacker can trigger command injection when the system performs command discovery, resulting in arbitrary command execution with the privileges of the gateway process user.

Security updates in OpenClaw versions 2026.1.20 and 2026.1.29 correct the unsafe command handling and configuration validation that enabled these attacks.

IBM WebSphere Information Disclosure Vulnerability

“A weakness in a core enterprise application server could expose sensitive system information to unauthorized users.”

This patch addresses a high-severity vulnerability (CVE-2025-14914) affecting IBM WebSphere Application Server. The issue exists in the way the server processes certain requests, where insufficient validation may allow unauthorized users to access sensitive information that should be restricted.

An attacker with network access to a vulnerable WebSphere environment could exploit this weakness to retrieve sensitive system data, potentially exposing configuration details or internal information about the application environment. Such exposure could assist attackers in conducting further attacks against enterprise applications and infrastructure. CVE-2025-14914 carries a CVSS v3.1 score of 7.6 (High).

IBM released security updates that strengthen request validation and restrict access to sensitive information within the affected components. Systems running vulnerable versions remain exposed until the patched update is installed.

Honeywell CCTV Improper Authentication Vulnerability

“An exposed authentication gap in Honeywell CCTV systems could let attackers step directly into surveillance networks without a password.”

A critical vulnerability affecting Honeywell CCTV monitoring and recording systems, tracked as CVE-2026-1670, allows attackers to bypass authentication controls and gain unauthorized access to the device. The flaw stems from improper validation of authentication mechanisms in the system’s web interface, enabling remote attackers to access functionality that should require valid credentials.

The vulnerability carries a CVSS v3.1 score of 9.8 (Critical). It can be exploited remotely over the network without authentication or user interaction, making it especially dangerous for internet-exposed surveillance infrastructure. Successful exploitation could allow attackers to access or manipulate video feeds, alter system configurations, or pivot deeper into connected security networks.

Honeywell released security guidance addressing the issue and recommends updating affected CCTV systems to patched firmware versions that enforce proper authentication validation and access control protections.

CASL Ability Remote Code Execution Vulnerability

“A weakness in a widely used authorization library could allow attackers to inject malicious code and take control of affected applications.”

This patch addresses a critical vulnerability (CVE-2026-1774) affecting CASL Ability, a JavaScript authorization library used to manage access control in web applications. The issue stems from improper validation of user-supplied input when defining or evaluating authorization rules.

An attacker could exploit this weakness by crafting malicious input that manipulates how authorization logic is processed. Successful exploitation may allow remote code execution within the application environment, potentially enabling attackers to bypass access controls, manipulate application behavior, or gain control of the underlying server. CVE-2026-1774 carries a CVSS v3.1 score of 9.8 (Critical).

Security updates address the issue by strengthening input validation and improving how authorization rules are processed within the CASL Ability library. Applications using vulnerable versions remain exposed until the patched release is applied.

Axios Server-Side Request Forgery Vulnerability

“A trusted HTTP client can become a silent bridge for attackers to reach internal systems that were never meant to be exposed.”

A vulnerability in Axios, the widely used JavaScript HTTP client library, tracked as CVE-2026-25639, exposes applications to Server-Side Request Forgery (SSRF) attacks. The issue arises from improper validation of user-supplied URLs when Axios processes requests. If an application passes untrusted input directly into Axios request functions, an attacker may force the server to initiate requests to unintended internal or external resources.

This vulnerability carries a CVSS v3.1 score of 7.5 (High). It can be exploited remotely over the network without requiring authentication. Successful exploitation may allow attackers to probe internal services, access sensitive metadata endpoints, or interact with systems that are normally protected behind firewalls. In cloud environments, this could expose internal APIs or instance metadata services.

Axios maintainers addressed the issue in updated releases that strengthen URL validation and request handling logic to prevent malicious redirection or unsafe internal network access.

libpng Memory Corruption Vulnerability

“A crafted image file could trigger memory corruption and allow attackers to execute code on affected systems.”

This patch addresses a high-severity vulnerability (CVE-2026-25646) affecting libpng, a widely used library for processing PNG image files in many applications and operating systems. The issue stems from improper memory handling when parsing specially crafted PNG image data.

An attacker could exploit this weakness by delivering a malicious PNG image to a vulnerable application that uses libpng. When the image is processed, it can trigger memory corruption that may lead to arbitrary code execution or application crashes. CVE-2026-25646 carries a CVSS v3.1 score of 8.3 (High).

Updates to libpng correct the memory handling flaw and strengthen validation of image data during parsing. Applications that rely on vulnerable versions of libpng remain exposed until they are rebuilt or updated with the patched library.

next-mdx Remote Code Execution Vulnerability

“A crafted image file could trigger memory corruption and allow attackers to execute code on affected systems.”

This patch addresses a high-severity vulnerability (CVE-2026-0969) affecting next-mdx, a library used with Next.js applications to render MDX content that combines Markdown with JSX components. The issue stems from improper handling and validation of user-supplied MDX content during the compilation and rendering process.

An attacker could exploit this weakness by supplying malicious MDX content that triggers remote code execution within the application environment. Successful exploitation may allow attackers to manipulate application behavior, access sensitive data, or compromise the server hosting the application. CVE-2026-0969 carries a CVSS v3.1 score of 8.8 (High).

Security updates correct the unsafe processing logic and strengthen validation of MDX content before it is compiled and executed. Applications using vulnerable versions of next-mdx remain exposed until the patched version of the library is deployed.

How To Efficiently Patch All of These Vulnerabilities And More

Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both OS and third-party software.

Webinar Recording: March 2026 Vulnerability Digest from Action1