The post Academic Exposure: The Unpatched Flaw Siphoning Student Data from DRC INSIGHT appeared first on Daily CyberSecurity.

The post Unpatched and Exposed: Public PoC Released for Critical 9.8 CVSS Xiongmai IP Camera Flaw appeared first on Daily CyberSecurity.

Adobe patches a critical PDF flaw exploited for months, allowing attackers to bypass sandbox protections and deliver malware. Users urged to update now.

The post Adobe Issues Emergency Patch for Critical PDF Flaw Exploited For Months appeared first on TechRepublic.

Microsoft today pushed software updates to fix a staggering 167 security vulnerabilities in its Windows operating systems and related software, including a SharePoint Server zero-day and a publicly disclosed weakness in Windows Defender dubbed “BlueHammer.” Separately, Google Chrome fixed its fourth zero-day of 2026, and an emergency update for Adobe Reader nixes an actively exploited flaw that can lead to remote code execution.

Redmond warns that attackers are already targeting CVE-2026-32201, a vulnerability in Microsoft SharePoint Server that allows attackers to spoof trusted content or interfaces over a network.

Mike Walters, president and co-founder of Action1, said CVE-2026-32201 can be used to deceive employees, partners, or customers by presenting falsified information within trusted SharePoint environments.

“This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise,” Walters said. “The presence of active exploitation significantly increases organizational risk.”

Microsoft also addressed BlueHammer (CVE-2026-33825), a privilege escalation bug in Windows Defender. According to BleepingComputer, the researcher who discovered the flaw published exploit code for it after notifying Microsoft and growing exasperated with their response. Will Dormann, senior principal vulnerability analyst at Tharros, says he confirmed that the public BlueHammer exploit code no longer works after installing today’s patches.

Satnam Narang, senior staff research engineer at Tenable, said April marks the second-biggest Patch Tuesday ever for Microsoft. Narang also said there are indications that a zero-day flaw Adobe patched in an emergency update on April 11 — CVE-2026-34621 — has seen active exploitation since at least November 2025.

Adam Barnett, lead software engineer at Rapid7, called the patch total from Microsoft today “a new record in that category” because it includes nearly 60 browser vulnerabilities. Barnett said it might be tempting to imagine that this sudden spike was tied to the buzz around the announcement a week ago today of Project Glasswing — a much-hyped but still unreleased new AI capability from Anthropic that is reportedly quite good at finding bugs in a vast array of software.

But he notes that Microsoft Edge is based on the Chromium engine, and the Chromium maintainers acknowledge a wide range of researchers for the vulnerabilities which Microsoft republished last Friday.

“A safe conclusion is that this increase in volume is driven by ever-expanding AI capabilities,” Barnett said. “We should expect to see further increases in vulnerability reporting volume as the impact of AI models extend further, both in terms of capability and availability.”

Finally, no matter what browser you use to surf the web, it’s important to completely close out and restart the browser periodically. This is really easy to put off (especially if you have a bajillion tabs open at any time) but it’s the only way to ensure that any available updates get installed. For example, a Google Chrome update released earlier this month fixed 21 security holes, including the high-severity zero-day flaw CVE-2026-5281.

For a clickable, per-patch breakdown, check out the SANS Internet Storm Center Patch Tuesday roundup. Running into problems applying any of these updates? Leave a note about it in the comments below and there’s a decent chance someone here will pipe in with a solution.

The post Python Under Pressure: Critical Memory Flaws and Command Injection Bypass Uncovered appeared first on Daily CyberSecurity.

The post HPE Aruba Patches High-Severity Credential Theft Flaw appeared first on Daily CyberSecurity.

The post 100,000+ Sites Exposed: Critical 9.8 CVSS Flaw Hits Everest Forms WordPress Plugin appeared first on Daily CyberSecurity.

GitLab has rolled out a major security update to address a series of vulnerabilities impacting both its Community Edition (CE) and Enterprise Edition (EE) platforms. The GitLab security update resolves multiple flaws, including high-severity issues that could be exploited to disrupt services or gain unintended access to system functionality. This update is particularly critical for organizations operating in self-managed GitLab environments, where administrators are responsible for applying patches and maintaining system security.  Delaying the deployment of this GitLab security update could leave systems exposed to known threats, including the actively addressed CVE-2026-5173 vulnerability. The patch release not only strengthens access controls but also mitigates risks tied to denial-of-service attacks, data exposure, and improper authorization checks. As a result, GitLab is strongly urging all affected users to upgrade to the latest versions immediately to ensure their environments remain protected against potential exploitation. 

Critical GitLab Security Update Targets High-Severity Flaws 

GitLab security update covers a high-severity vulnerability tracked as CVE-2026-5173, which impacts websocket connections. This flaw could allow an authenticated attacker to bypass access controls and invoke unintended server-side methods. With a CVSS score of 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N), the issue represents a serious risk to affected environments.  The vulnerability was discovered internally by GitLab team member Simon Tomlinson. It affects GitLab CE/EE versions from 16.9.6 prior to 18.8.9, version 18.9 before 18.9.5, and version 18.10 before 18.10.3. The latest security patch resolves this issue along with several others. 

Patch Releases and Affected Versions 

The GitLab security update includes patched versions 18.10.3, 18.9.5, and 18.8.9. According to the official release statement:  “Today, we are releasing versions 18.10.3, 18.9.5, 18.8.9 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately.”  GitLab confirmed that users of GitLab.com and GitLab Dedicated services are already protected and do not need to take action. 

Twelve Vulnerabilities Addressed 

This GitLab security update resolves a total of twelve vulnerabilities, ranging from high to low severity. Alongside CVE-2026-5173, several denial-of-service (DoS) vulnerabilities were identified: 

• CVE-2026-1092: A DoS issue in the Terraform state lock API caused by improper JSON validation (CVSS 7.5).  
• CVE-2025-12664: A DoS vulnerability in the GraphQL API that could be triggered through repeated queries (CVSS 7.5).  
• CVE-2026-1403: A CSV import flaw allowing authenticated users to disrupt Sidekiq workers (CVSS 6.5).  
• CVE-2026-1101: A GraphQL SBOM API issue affecting GitLab EE, also enabling DoS attacks (CVSS 6.5).  

In addition to these, multiple medium-severity flaws were patched: 

• CVE-2026-1516: A code injection issue in Code Quality reports that could expose user IP addresses (CVSS 5.7).  
• CVE-2026-4332: A cross-site scripting vulnerability in analytics dashboards (CVSS 5.4).  
• CVE-2026-2619: Incorrect authorization in the vulnerability flags AI detection API (CVSS 4.3).  
• CVE-2025-9484: Information disclosure via GraphQL queries (CVSS 4.3).  
• CVE-2026-1752: Improper access control in the Environments API (CVSS 4.3).  
• CVE-2026-2104: Information disclosure through CSV export (CVSS 4.3).  

A low-severity issue, CVE-2026-4916, was also addressed, involving missing authorization checks in custom role permissions (CVSS 2.7). Many of these vulnerabilities were reported through GitLab’s HackerOne bug bounty program, highlighting contributions from researchers such as a92847865, foxribeye, sim4n6, maksyche, go7f0, and others. 

Bug Fixes and Stability Improvements 

Beyond security fixes, the update also includes a wide range of bug fixes across all three versions. These improvements address issues such as failed Git operations for deploy keys on Geo sites, performance optimizations in migration helpers, and compatibility fixes for Amazon Linux 2023.  Other fixes include resolving flaky test cases, improving dependency proxy access, and addressing regressions in project archiving and deletion workflows. These updates aim to enhance overall platform stability alongside the security patch. 

Upgrade Guidance and Deployment Notes 

GitLab emphasized that no new migrations are included in these releases, meaning multi-node deployments should not require downtime. However, by default, Omnibus packages will stop services, run migrations, and restart during upgrades unless configured otherwise via the /etc/gitlab/skip-auto-reconfigure file.  The company also noted that certain package builds, such as SLES 12.5 for versions 18.10.3 and 18.9.5, are not included in this release. Additionally, GitLab confirmed that version numbers 18.10.2, 18.9.4, and 18.8.8 were skipped, with no patches issued under those versions. 

The post Mitel Patches Critical SQL Injection and Privilege Escalation in MiCollab appeared first on Daily CyberSecurity.

The post Under Active Attack: Critical 9.1 CVSS FortiClient EMS Flaw Exploited in the Wild appeared first on Daily CyberSecurity.

The post Joomla! Issues Security Patch: Critical File Deletion and Webservice Flaws Exposed appeared first on Daily CyberSecurity.

The post Security Alert: Critical Vulnerability Hits Anritsu Remote Spectrum Monitors appeared first on Daily CyberSecurity.

The post NVIDIA Patches High-Severity “Insecure Deserialization” Flaws in BioNeMo Framework appeared first on Daily CyberSecurity.

The post The Update That Vanished: Why Microsoft Hastily Rescinded Windows 11 KB5079391 appeared first on Daily CyberSecurity.

Google patches eight high-severity Chrome vulnerabilities affecting 3.5 billion users. Here’s why you should update and relaunch your browser now.

The post Google Issues High-Risk Security Patch for 3.5 Billion Chrome Users: What You Need to Know appeared first on TechRepublic.

Microsoft releases an out-of-band hotpatch for critical Windows 11 RRAS vulnerabilities that could allow remote code execution through malicious remote servers.

The post Microsoft Issues Emergency Patch for Critical Windows 11 RRAS Vulnerabilities appeared first on TechRepublic.

Google patches two actively exploited Chrome vulnerabilities that could allow attackers to crash browsers or run malicious code. Billions of users urged to update.

The post Critical Chrome Security Flaws Threaten Billions of Users Worldwide appeared first on TechRepublic.

An important Veeam security patch to address multiple vulnerabilities in its Backup & Replication platform that potentially allowed attackers to execute malicious code remotely, has been released. The flaws, tracked as CVE-2026-21666 and CVE-2026-21667, were identified as critical and could enable remote code execution on affected systems ,if successfully exploited.  The vulnerabilities impact Veeam Backup & Replication 12.3.2.4165 and all earlier version 12 builds, prompting the company to release fixes in version 12.3.2.4465. The security update was published on March 12, 2026, under KB ID: 4830, and addresses a total of seven security issues affecting the backup platform.  In its advisory, the company emphasized the urgency of applying the update, noting that threat actors often analyze security patches to identify weaknesses in systems that have not yet been updated.  The official notice states, “It’s important to note that once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software. This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay.” 

The Veeam Security Patch Includes

Among the vulnerabilities fixed in the Veeam security patch, two of the most severe are CVE-2026-21666 and CVE-2026-21667. Both issues received a CVSS v3.1 score of 9.9, indicating critical severity. 

CVE-2026-21666 

The vulnerability CVE-2026-21666 allows an authenticated domain user to trigger remote code execution on a Veeam Backup Server. If exploited, an attacker with domain-level authentication could run arbitrary commands on the server hosting backup services. 

• Severity: Critical 
• CVSS v3.1 Score: 9.9 
• Reported via: HackerOne 

CVE-2026-21667 

Another major flaw, CVE-2026-21667, similarly enables an authenticated domain user to achieve remote code execution on the Backup Server. 

• Severity: Critical 
• CVSS v3.1 Score: 9.9 
• Source: Discovered during internal testing 

Both vulnerabilities demonstrate how attackers with valid credentials could compromise backup infrastructure, potentially gaining control of systems responsible for storing critical data. 

Additional Vulnerabilities Fixed in the Update 

Beyond CVE-2026-21666 and CVE-2026-21667, the Veeam security patch resolves several other high-impact security issues affecting the Backup & Replication platform. 

CVE-2026-21668 

This vulnerability allows an authenticated domain user to bypass restrictions and manipulate arbitrary files stored within a Backup Repository. 

• Severity: High 
• CVSS v3.1 Score: 8.8 
• Source: Discovered during internal testing 

CVE-2026-21672 

The flaw CVE-2026-21672 could allow attackers to escalate privileges locally on Windows-based Veeam Backup & Replication servers. 

• Severity: High 
• CVSS v3.1 Score: 8.8 
• Reported through: HackerOne 

CVE-2026-21708 

Another critical vulnerability enables a user with the Backup Viewer role to perform remote code execution as the postgres user. 

• Severity: Critical 
• CVSS v3.1 Score: 9.9 
• Source: Discovered during internal testing 

These vulnerabilities highlight multiple ways attackers could potentially abuse authentication, permissions, or internal components to compromise backup infrastructure. 

Other Security Improvements Included 

Alongside fixes for remote code execution vulnerabilities such as CVE-2026-21666 and CVE-2026-21667, the update also introduces a configuration change for Veeam Agent for Linux. The software now opens firewall ports 2500–3300, aligning its port range with other Veeam products.  While not directly tied to a CVE identifier, the change aims to standardize network behavior across Veeam tools and improve operational consistency. 

Additional Fixes Introduced in Newer Versions 

The company also addressed more vulnerabilities in Backup & Replication 13.0.1.2067. In addition to CVE-2026-21672 and CVE-2026-21708, two additional critical issues were fixed: 

• CVE-2026-21669 (CVSS score: 9.9): Allows an authenticated domain user to perform remote code execution on the Backup Server. 
• CVE-2026-21671 (CVSS score: 9.1): Allows an authenticated user with the Backup Administrator role to execute code in high availability (HA) deployments of Veeam Backup & Replication. 

These issues further demonstrate the potential impact of credentialed attacks against backup systems if vulnerabilities remain unpatched.  Backup systems are frequently targeted by attackers because they contain copies of critical organizational data. Exploiting flaws such as CVE-2026-21666 or CVE-2026-21667 could allow adversaries to run code directly on backup servers, potentially tampering with stored backups or gaining broader access to enterprise infrastructure.  Security experts often warn that once vendors publish patches, threat actors begin analyzing them to identify exploitable weaknesses in systems that have not yet been updated. 

Microsoft Corp. today pushed security updates to fix at least 77 vulnerabilities in its Windows operating systems and other software. There are no pressing “zero-day” flaws this month (compared to February’s five zero-day treat), but as usual some patches may deserve more rapid attention from organizations using Windows. Here are a few highlights from this month’s Patch Tuesday.

Two of the bugs Microsoft patched today were publicly disclosed previously. CVE-2026-21262 is a weakness that allows an attacker to elevate their privileges on SQL Server 2016 and later editions.

“This isn’t just any elevation of privilege vulnerability, either; the advisory notes that an authorized attacker can elevate privileges to sysadmin over a network,” Rapid7’s Adam Barnett said. “The CVSS v3 base score of 8.8 is just below the threshold for critical severity, since low-level privileges are required. It would be a courageous defender who shrugged and deferred the patches for this one.”

The other publicly disclosed flaw is CVE-2026-26127, a vulnerability in applications running on .NET. Barnett said the immediate impact of exploitation is likely limited to denial of service by triggering a crash, with the potential for other types of attacks during a service reboot.

It would hardly be a proper Patch Tuesday without at least one critical Microsoft Office exploit, and this month doesn’t disappoint. CVE-2026-26113 and CVE-2026-26110 are both remote code execution flaws that can be triggered just by viewing a booby-trapped message in the Preview Pane.

Satnam Narang at Tenable notes that just over half (55%) of all Patch Tuesday CVEs this month are privilege escalation bugs, and of those, a half dozen were rated “exploitation more likely” — across Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server and Winlogon. These include:

–CVE-2026-24291: Incorrect permission assignments within the Windows Accessibility Infrastructure to reach SYSTEM (CVSS 7.8)
–CVE-2026-24294: Improper authentication in the core SMB component (CVSS 7.8)
–CVE-2026-24289: High-severity memory corruption and race condition flaw (CVSS 7.8)
–CVE-2026-25187: Winlogon process weakness discovered by Google Project Zero (CVSS 7.8).

Ben McCarthy, lead cyber security engineer at Immersive, called attention to CVE-2026-21536, a critical remote code execution bug in a component called the Microsoft Devices Pricing Program. Microsoft has already resolved the issue on their end, and fixing it requires no action on the part of Windows users. But McCarthy says it’s notable as one of the first vulnerabilities identified by an AI agent and officially recognized with a CVE attributed to the Windows operating system. It was discovered by XBOW, a fully autonomous AI penetration testing agent.

XBOW has consistently ranked at or near the top of the Hacker One bug bounty leaderboard for the past year. McCarthy said CVE-2026-21536 demonstrates how AI agents can identify critical 9.8-rated vulnerabilities without access to source code.

“Although Microsoft has already patched and mitigated the vulnerability, it highlights a shift toward AI-driven discovery of complex vulnerabilities at increasing speed,” McCarthy said. “This development suggests AI-assisted vulnerability research will play a growing role in the security landscape.”

Microsoft earlier provided patches to address nine browser vulnerabilities, which are not included in the Patch Tuesday count above. In addition, Microsoft issued a crucial out-of-band (emergency) update on March 2 for Windows Server 2022 to address a certificate renewal issue with passwordless authentication technology Windows Hello for Business.

Separately, Adobe shipped updates to fix 80 vulnerabilities — some of them critical in severity — in a variety of products, including Acrobat and Adobe Commerce. Mozilla Firefox v. 148.0.2 resolves three high severity CVEs.

For a complete breakdown of all the patches Microsoft released today, check out the SANS Internet Storm Center’s Patch Tuesday post. Windows enterprise admins who wish to stay abreast of any news about problematic updates, AskWoody.com is always worth a visit. Please feel free to drop a comment below if you experience any issues apply this month’s patches.

Google’s March 2026 Android update patches 129 flaws, including an actively exploited Qualcomm zero-day, and urges users to install 2026-03-05.

The post Google’s Biggest Android Security Update in Years Fixes 129 Bugs, Including an Actively Exploited Zero-Day appeared first on TechRepublic.