Tag: patch-available
All items tagged patch-available.
- CVE-2026-46978 / CVE-2026-35278 — Oracle June 2026 CSPU: unauthenticated Solaris RAD flaw (10.0) and PeopleSoft RCE (9.8)
- CVE-2026-55803 / CVE-2026-55804 — Drupal core: PHP object-injection chain in JSON:API, BSI-rated critical
- CVE-2026-4020 — Gravity SMTP WordPress plugin: unauthenticated config-dump of email-connector credentials, mass-exploited
- CVE-2026-20181 / CVE-2026-20190 — Cisco Identity Services Engine: unauthenticated credential read chaining to authenticated root command execution
- CVE-2026-12046 / CVE-2026-12045 / CVE-2026-12048 — pgAdmin 4: unauthenticated pickle deserialization RCE, AI-Assistant read-only-transaction bypass, stored XSS
- CVE-2026-42530 / CVE-2026-42055 — NGINX: HTTP/3 QUIC use-after-free and HTTP/2-proxy heap overflow, out-of-band F5 patches
- CVE-2026-46978 / CVE-2026-35278 — Oracle June 2026 CSPU: unauthenticated Solaris RAD flaw (CVSS 10.0) and PeopleSoft RCE (9.8)
- CVE-2026-0647 et al. — Rockwell Automation FLEX I/O unauthenticated password reset (CVSS 9.4) and Logix CIP denial-of-service, flagged by NCSC-CH
- BSI flags 13 vulnerabilities patched in Zammad 7.1 — admin privilege escalation in a DACH public-sector helpdesk platform
- UPDATE: Check Point IKEv1 CVE-2026-50751 — public PoC raises exploitation risk
- CVE-2026-48611 / CVE-2026-48612 — phpBB: unauthenticated authentication bypass to admin, one HTTP request
- Obsidian Security: a three-CVE chain turns any LiteLLM user into root on the AI gateway
- Varonis "SearchLeak" (CVE-2026-42824): one-click M365 Copilot data exfiltration, now patched
- CVE-2026-10795 — UpdraftPlus WordPress backup plugin: unauthenticated authentication bypass to RCE
- CVE-2026-20253 — Splunk Enterprise: unauthenticated pre-auth RCE via the PostgreSQL sidecar proxy
- CVE-2026-48558 — SimpleHelp RMM: unauthenticated OIDC authentication bypass yields a full technician session
- June 2026 Patch Tuesday: four CVSS ≥ 9.1 criticals — Windows kernel TCP/IP RCE, Nuance PowerScribe, Azure Stack Edge, Exchange Online
- CVE-2026-25089 — Fortinet FortiSandbox: unauthenticated OS command injection in the web UI's VNC-launch handler (CVSS 9.8)
- UPDATE: ShinyHunters PeopleSoft campaign — Oracle confirms CVE-2026-35273 and ships an out-of-band patch; Nottingham quantifies 455,000 records
- CVE-2026-5027 — Langflow: unauthenticated path traversal to arbitrary file write, exploited in the wild
- CVE-2026-41089 — Windows Netlogon: pre-auth SYSTEM RCE on domain controllers, actively exploited
- CVE-2026-49975 — HTTP/2 Bomb: HPACK amplification + Slowloris chains to single-connection RAM exhaustion, patch status split by server
- Keycloak 26.6.3 — 16 CVEs in the EU public sector's reference IAM, led by token-exchange privilege escalation and SSRF [SINGLE-SOURCE vendor advisory]
- CVE-2026-10868 — MISP: mass-assignment account-takeover (CVSS 9.0) in the EU threat-sharing platform
- CVE-2026-10881 — Google Chrome (ANGLE graphics engine): out-of-bounds read/write enabling sandbox escape (CVSS 9.6)
- An autonomous AI agent finds 21 zero-days in FFmpeg for ~$1,000 — nine numbered (CVE-2026-39210 to -39218), parser bugs up to 23 years old
- CVE-2026-28318 — SolarWinds Serv-U: unauthenticated DoS added to CISA KEV
- GMO Flatt Security: one GitHub issue could hijack any public repo running Anthropic's claude-code-action — and could have poisoned the action itself
- CVE-2026-45247 — Mirasvit Full Page Cache Warmer (Magento 2 / Adobe Commerce): unauthenticated PHP object-injection RCE, now in CISA KEV
- CVE-2026-8206 + CVE-2026-8181 — Kirki and Burst Statistics WordPress plugins: unauthenticated account takeover under active mass-exploitation
- CVE-2026-20230 — Cisco Unified Communications Manager: unauthenticated SSRF to OS-root file write
- CVE-2026-10611 — MISP: OTP bypass when LDAP mixed-auth and OTP enforcement are both enabled
- Enclave: a single debug flag left on in six Microsoft 365 Android apps allowed silent OAuth-token theft
- One-click GitHub OAuth-token theft via github.dev, fully disclosed with PoC; Microsoft patched 3 June
- CVE-2024-21182 — Oracle WebLogic Server: unauthenticated T3/IIOP data access, KEV-listed on active exploitation
- CVE-2025-48595 — Android Framework: actively-exploited integer-overflow privilege escalation
- UPDATE: Gamaredon weaponises WinRAR CVE-2025-8088 and adds the GammaSteel stealer
- Mautic 7.1.2 / 6.0.9 — seven authenticated flaws, including two post-auth RCE paths (SSTI and path-traversal-to-PHP-RCE), an SSRF and an API authorization bypass
- CVE-2026-0257 — Palo Alto PAN-OS GlobalProtect: Pre-Auth Authentication Bypass via Certificate Reuse
- CVE-2026-48710 "BadHost" — Starlette (FastAPI / vLLM / LiteLLM / MCP SDK): Pre-Auth Auth Bypass via Malformed Host Header
- UPDATE: Ivanti Secure Access Client — NCSC.ch adds CVE-2026-8992 (local privilege escalation, CVSS 7.8) to May advisory
- Apereo CAS version 7.3.7.1 patches an OIDC-provider flaw reported by Coop Switzerland; CERT-FR issues advisory CERTFR-2026-AVI-0654
- CVE-2026-4408 & CVE-2026-4480 — Samba: unauthenticated RCE in SAMR RPC and print-command subsystems (CVSS 10.0)
- CVE-2026-44939 (+ CVE-2026-41052, CVE-2026-41053) — SUSE Rancher: command injection on cluster import, PSA label privilege-escalation, GitHub-App over-inclusive team membership
- CVE-2026-44848 & CVE-2026-44849 — Portainer CE: Docker plugin endpoints unguarded; Swarm-service security checks bypassed (CVSS 9.4)
- CVE-2026-9170 — IBM HTTP Server / WebSphere Application Server: pre-auth RCE via improper input validation (CVSS 9.8)
- CVE-2026-4868 (+ five further CVEs) — GitLab 19.0.1 / 18.11.4 / 18.10.7 patch release: Duo AI identity impersonation, unauthenticated project enumeration
- CVE-2026-32996 & CVE-2026-32997 — Veeam Backup & Replication KB4852: LPE in Windows Agent, arbitrary file write in Linux appliance
- CVE-2026-48842 — Roundcube Webmail pre-authentication SQL injection in `virtuser_query` plugin (CVSS 8.1)
- CVE-2026-35087 / CVE-2026-35089 / CVE-2026-35090 — Slican PBX telephony exchanges, triple pre-authentication admin bypass (CERT Polska)
- CVE-2026-9312 — GitHub Enterprise Server (< 3.22): unauthenticated SSRF via upload-endpoint path traversal exposes internal services and credentials
- CVE-2026-9058 — Szafir SDK (KIR): signature-verification routine reports success on an untrusted certificate chain, enabling auth bypass in Polish e-government
- CVE-2026-26980 — Ghost CMS Content API: unauthenticated blind SQL injection in the `slug` filter, actively exploited
- CVE-2026-0257 — Palo Alto PAN-OS GlobalProtect pre-auth authentication bypass, exploited in two waves by the same actor
- CVE-2026-4408 / CVE-2026-4480 — Samba dual unauthenticated RCE (CVSS 10.0), patch window closed mid-week
- CVE-2026-9170 — IBM HTTP Server / WebSphere Application Server: pre-auth RCE (CVSS 9.8)
- CVE-2026-48710 "BadHost" — Starlette pre-auth host-header auth bypass across the Python AI/ASGI stack
- CVE-2026-48842 — Roundcube Webmail pre-authentication SQL injection
- CVE-2026-48172 — LiteSpeed User-End cPanel plugin: authenticated cPanel user to root via `lsws.redisAble`, actively exploited
- DNS-resolver patch cluster — Unbound 1.25.1 (11 CVEs) and ISC BIND 9.18.49 / 9.20.23
- ANSSI / CERT-FR publishes CERTFR-2026-AVI-0635 on SPIP < 4.4.15 — security-policy bypass in the dominant French public-administration CMS
- UPDATE: Drupal CVE-2026-9082 — CISA KEV addition + active exploitation confirmed; NCSC.ch flips post 12584 to "Actively exploited"
- CVE-2026-34926 — Trend Micro Apex One On-Premise: post-auth directory traversal by admin-credential holder injects code deployed fleet-wide to all managed agents (CISA KEV, ITW)
- CVE-2025-34291 — Langflow AI Workflow Platform: CORS misconfiguration + SameSite=None refresh token enables cross-origin token theft (CISA KEV, ITW, Flodric botnet)
- UPDATE: Microsoft Defender CVE-2026-41091 + CVE-2026-45498 — both CVEs confirmed exploited, out-of-band engine update 4.18.26040.7 confirmed as fix
- Keycloak 26.6.2 — 16 CVEs including OIDC session fixation (CVE-2026-7507), WebAuthn execute-actions token replay (CVE-2026-37982), introspection audience bypass (CVE-2026-37979) and cross-realm IDOR in Authorization Services (CVE-2026-4630)
- PinTheft — Linux kernel local-privilege-escalation primitive (RDS zerocopy double-free + io_uring fixed-buffer page-cache overwrite), PoC public, Arch Linux default-loaded
- UPDATE: Drupal SA-CORE-2026-004 / CVE-2026-9082 ships — "highly critical" pre-auth SQL injection in core database API, PostgreSQL-only
- CVE-2026-41091 — Microsoft Defender Engine link-following EoP, actively exploited
- CVE-2026-45584 — Microsoft Defender Engine heap-buffer-overflow RCE over network
- CVE-2026-31635 ("DirtyDecrypt") — Linux kernel RxGK page-cache write, public PoC; Fedora, Arch, openSUSE Tumbleweed affected
- vm2 Node.js sandbox — 12 critical CVEs (CVE-2026-43997 / 43999 / 44005 / 44006 / 44008 / 44009 et al.), sandbox escape to host RCE, upgrade to ≥ 3.11.4
- UPDATE: SEPPmail Secure E-Mail Gateway — InfoGuard Labs full technical write-up; new CVE-2026-2743 (CVSS 10.0 pre-auth path traversal in LFT)
- BigBlueButton bbb-web < 3.0.21 / < 3.0.23 — three flaws in EU education and government virtual-classroom platform: weak session-token randomness, API checksum bypass, SSRF
- CVE-2026-42231 / -42232 / -44789 / -44790 / -44791 — n8n self-hosted automation: chained prototype-pollution and injection flaws enabling authenticated-to-RCE plus a Git-node arbitrary file read
- Microsoft Defender Engine CVE-2026-41091 + CVE-2026-45498 — both confirmed exploited in the wild; out-of-band engine update is the fix
- Drupal core CVE-2026-9082 — pre-auth SQL injection, CISA KEV, active exploitation confirmed; NCSC.ch flipped to "actively exploited"
- Two CISA KEV additions under active exploitation — Trend Micro Apex One and Langflow
- Drupal CVE-2026-9082 — disclosure-only Monday to KEV-confirmed-exploited by Friday
- CVE-2026-48172 — LiteSpeed User-End cPanel plugin: authenticated cPanel user to root, actively exploited
- CVE-2026-7507 (+15) — Keycloak 26.6.2: identity-provider cluster including OIDC session fixation and cross-realm IDOR
- Cisco Catalyst SD-WAN CVE-2026-20182 — UAT-8616 active, CISA Emergency Directive ED-26-03, 10+ companion-CVE clusters
- PAN-OS CVE-2026-0300 — wave 2 confirmed delayed to 2026-05-28; eight build streams remain on mitigation-only for a further 11 days
- Dirty Frag (CVE-2026-43284 xfrm-ESP + CVE-2026-43500 RxRPC) — Microsoft confirmed ITW, RxRPC distro patches still propagating
- PAN-OS CVE-2026-0300 — staged-patch arc spanning W19 and W20
- CVE-2026-44277 / CVE-2026-26083 — Fortinet FortiAuthenticator and FortiSandbox unauthenticated RCE
- CVE-2026-34263 — SAP Commerce Cloud pre-auth RCE; CVE-2026-34260 — SAP S/4HANA Enterprise Search SQL injection
- CVE-2026-44088 — CERT-PL SzafirHost JAR zip-polyglot bypass in Poland's qualified e-signature browser helper
- CVE-2026-6722 — PHP SOAP UAF in `SOAP_GLOBAL(ref_map)` (with companions CVE-2026-7261 / CVE-2026-7262)
- CVE-2026-46300 — Linux kernel xfrm ESP-in-TCP LPE ("Fragnesia"), PoC public
- SEPPmail CVE-2026-44128 — CIRCL advisory confirms CVSS 9.3 unauthenticated Perl-eval RCE; no third-party PoC in window
- CERT-PL CVE-2026-44088 — SzafirHost JAR zip-polyglot bypass in Poland's qualified e-signature browser helper
- FunnelKit "Funnel Builder for WooCommerce" actively exploited as Magecart skimmer on 40,000+ WordPress stores — no CVE assigned
- CVE-2026-41225 — F5 BIG-IP / BIG-IQ: iControl REST Manager-role authenticated RCE (CVSS 4.0 score 8.6 / CVSS 3.1 score 9.1) leading the May 2026 Quarterly Notification
- CVE-2026-41553 — DHTMLX PDF Export Module: unauthenticated server-side JavaScript injection RCE (CVSS 4.0 score 10.0), with CVE-2026-41552 and CVE-2026-7182 path-traversal companions
- CVE-2026-44112 / CVE-2026-44113 / CVE-2026-44115 / CVE-2026-44118 — OpenClaw "Claw Chain": four chainable flaws in autonomous-agent platform enable sandbox escape → credential leak → privilege escalation → file disclosure
- AMD-SB-7052 / CVE-2025-54518 — AMD Zen 2 µop-cache corruption / SoC isolation failure: local privilege escalation (CVSS 7.3), microcode mitigation in May 2026 Windows update and Xen XSA-490
- CVE-2026-45691 — Nextcloud Server / Enterprise Server: 2FA bypass on WebDAV via pre-authenticated session token reuse
- CVE-2026-45793 — PHP Composer: GitHub Actions CI token disclosure in error messages [SINGLE-SOURCE]
- CVE-2026-20182 — Cisco Catalyst SD-WAN Controller/Manager: pre-auth authentication bypass enabling full fabric takeover
- CVE-2026-42945 — NGINX Open Source / Plus / F5 WAF products: 18-year-old heap buffer overflow in rewrite module ("NGINX Rift"), PoC public
- CVE-2026-46300 — Linux kernel: local privilege escalation via xfrm ESP-in-TCP ("Fragnesia"), PoC public
- CVE-2026-8043 Ivanti Xtraction external file control (CVSS 9.6) plus EPM SQL-injection-to-RCE and vTM admin OS-command injection — May 2026 advisory batch, no ITW
- UPDATE: CVE-2026-0300 PAN-OS Captive Portal — patch wave 2 delayed to 2026-05-28 for eight high-traffic build streams; mitigation remains the only option on those builds [SINGLE-SOURCE]
- CVE-2026-45185 — Exim "Dead.Letter" use-after-free in BDAT/CHUNKING on GnuTLS builds
- CVE-2026-41089 / CVE-2026-41096 / CVE-2026-41103 / CVE-2026-42898 — Microsoft May 2026 Patch Tuesday (120+ CVEs, no zero-days)
- CVE-2026-34263 / CVE-2026-34260 — SAP Commerce Cloud pre-auth RCE, S/4HANA Enterprise Search SQL injection
- CERTFR-2026-AVI-0564 — SPIP < 4.4.14: multiple RCEs (public and private area)
- CERTFR-2026-AVI-0572 — Centreon Infra Monitoring: RCE / SQLi / XSS cluster (April 2026 bulletin)
- UPDATE: PAN-OS CVE-2026-0300 — first-wave patched builds released on 2026-05-13
- Audit Jenkins pipelines for Checkmarx AST plugin auto-update window 2026-05-09 → 2026-05-10 and treat any match as full secrets compromise
- CVE-2026-44128 et al. — SEPPmail Secure Email Gateway: six-CVE cluster on the Swiss public sector's dominant email-encryption appliance
- cPanel / WHM — two emergency TSRs inside ten days: post-CVE-2026-41940 fleet now facing CVE-2026-29201/29202/29203
- CVE-2026-26030 + CVE-2026-25592 — Microsoft Semantic Kernel Python and .NET SDKs: a class-of-bug for agentic-AI frameworks
- CVE-2026-32202 — Windows Shell NTLM coercion; Akamai's PatchDiff-AI shows the residual zero-click path left by the CVE-2026-21510 patch
- Hardening and mitigation
- Patch PHP across all web-facing infrastructure
- Apply Dirty Frag kernel backports — Microsoft now confirms in-the-wild
- CVE-2026-26030 / CVE-2026-25592 — Microsoft Semantic Kernel: prompt-injection-to-RCE in the Python and .NET SDKs of Microsoft's AI agent orchestration framework (CVSS 9.9 each)
- UPDATE: cPanel/WHM second emergency TSR in 10 days — embargo lifted on CVE-2026-29202 (post-auth Perl RCE, CVSS 8.8), CVE-2026-29203 (CVSS 8.8), CVE-2026-29201 (CVSS 4.3)
- Hardening / mitigation
- Apply cPanel/WHM second-TSR patches now — embargo lifted, post-auth RCE is real
- CVE-2026-43284 / CVE-2026-43500 — Linux "Dirty Frag": deterministic LPE chain via page-cache write primitives in xfrm-ESP and RxRPC, active exploitation confirmed
- CVE-2026-42208 — LiteLLM Proxy pre-authentication SQL injection: CISA KEV deadline 2026-05-11; all upstream LLM API keys at risk
- CVE-2026-44128 et al. — SEPPmail Secure Email Gateway: CVSS 9.3 unauthenticated RCE and five additional CVEs [SINGLE-SOURCE-NATIONAL-CERT carve-out + vendor]
- CVE-2026-40982 — Spring Cloud Config Server: pre-authentication path traversal, CVSS 9.8; all actively-maintained branches affected
- CVE-2025-68670 — xrdp pre-authentication stack overflow, arbitrary code execution [SINGLE-SOURCE]
- Swiss and DACH Deployment Context
- CVE-2026-5787 / CVE-2026-6973 — Ivanti EPMM pre-auth certificate impersonation → admin RCE (CISA KEV deadline **2026-05-10**)
- CVE-2026-32202 — Windows Shell NTLM coercion / credential capture, APT28 active against EU governments (CISA KEV deadline **2026-05-12**)
- CVE-2026-5787 — Ivanti EPMM improper certificate validation (pre-auth Sentry impersonation, CVSS 9.1)
- CVE-2026-6973 — Ivanti EPMM admin API improper input validation → RCE (CVSS 7.2, CISA KEV deadline 2026-05-10)
- CVE-2026-32202 — Windows Shell NTLM coercion, APT28 ITW (CVSS 4.3, CISA KEV deadline 2026-05-12)
- GLPI CERTFR-2026-AVI-0551 — Seven CVEs including SSRF and XSS in EU ITSM platform (advisory 2026-04-29)