< ciso
brief />
Security Advisory and Patch Watch Banner

All news in category “Security Advisory and Patch Watch

2058 articles · page 22 of 103

ABB PCM600 Path Traversal Vulnerability (CVE-2018-1002208)

⚠️ A path traversal vulnerability in ABB PCM600 (CVE-2018-1002208) could allow an attacker to deliver specially crafted messages to a system node, resulting in insertion and execution of arbitrary code. Affected releases are PCM600 versions >=1.5 and <=2.13; ABB released a fix in PCM600 2.14 (note: RE_630 relays are incompatible with 2.14). CISA rates the issue CVSS 3.1 4.4 (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N), notes exploitation is not remotely trivial, and recommends applying the vendor update or, where immediate upgrade is impractical, applying system-level and network mitigations such as segmentation, firewalls, and updated VPNs.
read more →

CISA Adds CVE-2026-41940 to Known Exploited Vulnerabilities

⚠️ CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities Catalog for a missing authentication for critical function in WebPros cPanel & WHM and WP2 (WordPress Squared). The issue has evidence of active exploitation and represents a common attack vector that can enable unauthorized access to protected functionality. Under BOD 22-01 federal agencies are required to remediate affected systems by the specified due date; CISA strongly urges all organizations to prioritize patching, apply vendor updates, and implement compensating controls promptly.
read more →

ABB OPTIMAX Azure AD SSO Authentication Bypass Vulnerability

🔒 A high-severity authentication bypass (CVE-2025-14510, CVSS 8.1) affects ABB Ability OPTIMAX systems that use Azure Active Directory Single Sign-On, potentially permitting an attacker to bypass user authentication remotely. Affected builds include all 6.1 and 6.2 releases and 6.3/6.4 builds prior to 6.3.1-251120 and 6.4.1-251120. ABB has published fixes (for example, 6.3.1-251120); administrators should follow the ABB PSIRT advisory, apply available updates, and implement network segmentation and secure remote access controls while performing impact analysis prior to changes.
read more →

ABB IEC 61850 Vulnerability Affects Select Control Devices

⚠️ ABB disclosed CVE-2025-3756, a vulnerability in its IEC 61850 MMS client stack that can be triggered by a specially crafted 61850 packet. Exploitation requires access to the IEC 61850 network and can force PM 877, CI850, and CI868 modules into a fault state requiring manual restart or repeatedly crash S+ Operations IEC 61850 connectivity, causing denial-of-service. System 800xA IEC61850 Connect is not affected. ABB has released or scheduled firmware updates and advises customers to apply fixes and follow mitigating guidance.
read more →

Critical cPanel and WHM Authentication Bypass Zero-Day

🔒 CVE-2026-41940 is a critical authentication-bypass affecting cPanel, WHM, and WP Squared that has been actively exploited in the wild. The flaw stems from a CRLF injection in login and session-loading where unsanitized Authorization header data is written into server-side session files before authentication, enabling bypass. Patches released April 28 cover multiple 11.x release lines and vendors published detection scripts; short-term mitigations include blocking management ports (2083/2087/2095/2096) or stopping cpsrvd and cpdavd.
read more →

Critical RCE Vulnerability Discovered in Google Gemini CLI

🔒 Researchers disclosed a max-severity remote code execution (RCE) vulnerability in @google/gemini-cli and the associated GitHub Action that could load untrusted workspace configurations in headless CI environments. Google issued patches in 0.39.1, 0.40.0-preview.3 and updated the run-gemini-cli Action to 0.1.22, removing implicit workspace trust and enforcing tool allowlists. Teams that pin CLI versions are advised to upgrade and review workspace configurations immediately.
read more →

Linux LPE 'Copy Fail' Vulnerability CVE-2026-31431

🔒 Security researchers Xint.io and Theori disclosed a high-severity Linux local privilege escalation tracked as CVE-2026-31431 and dubbed Copy Fail, which lets an unprivileged user write four controlled bytes into the page cache of any readable file to gain root. The defect stems from a logic flaw in the kernel cryptographic algif_aead module introduced in 2017. A compact 732‑byte Python exploit can inject shellcode into a setuid binary such as /usr/bin/su and spawn a root shell, and major distributions have issued advisories.
read more →

Google and Cursor Fix Critical RCE Flaws in Dev Tools

🔒 Google patched a maximum-severity remote code execution vulnerability in @google/gemini-cli and the google-github-actions/run-gemini-cli workflow that could allow attackers to run arbitrary commands on host systems. Novee Security reported the flaw, which carries a CVSS score of 10.0, and Google says the impact is limited to headless CI usage where workspace folders were auto-trusted. Affected versions include @google/gemini-cli prior to 0.39.1 (and preview releases) and run-gemini-cli prior to 0.1.22; users should update to the patched releases, explicitly set GEMINI_TRUST_WORKSPACE when inputs are trusted, or follow Google’s hardening guidance for untrusted inputs. Google also tightened allowlisting checks for --yolo mode to prevent auto-approved tool calls from bypassing restrictions.
read more →

Emergency cPanel/WHM Update Fixes Critical Auth Bypass

🔒 A critical authentication bypass was identified in cPanel and WHM, prompting an emergency update that requires administrators to run /scripts/upcp –force to install patched builds. Hosting provider Namecheap temporarily blocked ports 2083 and 2087 used by the control panels while vendors issued fixes, underscoring the severity. Systems on unsupported cPanel releases will not receive security updates and should be upgraded immediately.
read more →

Cursor extension flaw exposes local API credentials

🔒 A high-severity vulnerability in the AI-powered development tool Cursor allows installed extensions to read sensitive credentials stored locally, researchers at LayerX report. The issue stems from Cursor keeping API keys, session tokens and cached configuration in an unprotected SQLite database rather than using OS keychains or encryption, and it does not restrict extension access. LayerX assigned the flaw a CVSS score of 8.2 and demonstrated silent exfiltration without user prompts. Cursor acknowledged the notice but said trust boundaries are the user's responsibility; as of 28 April 2026 the vulnerability remains unresolved.
read more →

GitHub fixes RCE that exposed millions of private repos

🛡️ GitHub patched a critical remote code execution bug, CVE-2026-3854, reported by Wiz on March 4, 2026, that could have allowed attackers to access millions of private repositories. The company reproduced the issue within 40 minutes and deployed a fix to GitHub.com in under two hours. The flaw affected GitHub.com and multiple Enterprise offerings and could be triggered by a single crafted git push that injects unsafe metadata fields. GitHub’s forensic review found no evidence of exploitation prior to the researcher disclosure, and patches for GitHub Enterprise Server releases are available now; administrators are urged to upgrade immediately.
read more →

Critical GitHub RCE Vulnerability Exposed Millions of Repos

🔓 GitHub patched a critical remote code execution flaw (CVE-2026-3854) that allowed authenticated users to inject commands via crafted git push operations. Discovered by Wiz, the issue abused an internal X-STAT component in GitHub’s server-side processing and earned one of the highest bug-bounty payouts. Cloud services were patched quickly and fixes for GitHub Enterprise Server versions 3.14.25 through 3.20.0 were released, but Wiz reported that 88% of Enterprise Server instances remained exposed at disclosure. Enterprise customers are urged to apply vendor patches immediately.
read more →

CISA Orders Federal Patch for Windows Zero-Day Flaw

🔒 CISA has ordered U.S. federal agencies to secure Windows endpoints against a zero-click authentication coercion flaw, tracked as CVE-2026-32202. Akamai reported the bug as a residual issue left after an incomplete February patch for an RCE, CVE-2026-21510, and says it enabled credential theft via auto-parsed LNK files. Microsoft flagged exploitation after reporting inquiries, and CISA added the issue to its KEV Catalog, directing agencies to patch by May 12 under BOD 22-01. Organizations are urged to apply vendor mitigations or discontinue affected products if fixes are unavailable.
read more →

AI Audit Finds 271 Vulnerabilities in Firefox 150 Release

🔍 The Firefox team used frontier AI models in partnership with Anthropic to scan the browser and fix latent security flaws. After earlier work with Opus 4.6 that produced 22 fixes for Firefox 148, an early evaluation of Claude Mythos Preview uncovered 271 vulnerabilities now addressed in Firefox 150. The team worked around the clock to triage and remediate the findings, and observers note this technology favors defenders—provided patches reach users quickly.
read more →

Critical cPanel Authentication Flaw — Update Immediately

⚠️ cPanel has released urgent security updates to remediate an authentication vulnerability affecting all currently supported versions of its control panel. The vendor issued patched builds (11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.136.0.5, 11.134.0.20) and advises immediate updating. If you run an unsupported version, cPanel warns you to upgrade as it may also be affected. Hosting provider Namecheap temporarily blocked TCP ports 2083 and 2087 while applying the fixes and is actively deploying the official patches across its servers.
read more →

CISA Adds Actively Exploited ConnectWise and Windows Flaws

🔒 CISA has added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2024-1708, a path traversal flaw in ConnectWise ScreenConnect (CVSS 8.4), and CVE-2026-32202, a protection-mechanism failure in Windows Shell (CVSS 4.3). Patches were released in February 2024 and April 2026 respectively. The additions follow observed real-world exploitation, including chaining with other CVEs and activity attributed to both nation-state and criminal groups. Affected organizations and federal agencies should prioritize remediation and verify deployments of the relevant fixes.
read more →

Critical SQL Injection in LiteLLM (CVE-2026-42208)

⚠️ A critical SQL injection (CVE-2026-42208, CVSS 9.3) in the open-source LiteLLM Python gateway allowed unauthenticated attackers to inject SQL via a proxy API key check by placing crafted values in the Authorization header. Maintainers released 1.83.7-stable on April 19, 2026, to fix versions >=1.81.16 and <1.83.7. Security vendor Sysdig reported active exploitation within roughly 26–36 hours of disclosure, with probes focused on credential tables that store upstream LLM provider keys. Operators should update immediately or set disable_error_logs: true as a temporary mitigation.
read more →

Critical LiteLLM Pre-auth SQLi Allows Database Access

🔓 LiteLLM's proxy contains a pre-auth SQL injection in its API key verification, tracked as CVE-2026-42208. An attacker can send a crafted Authorization header to any LLM API route to read and modify the proxy database, exposing API keys, master keys, provider credentials, and environment secrets. Exploitation was observed about 36 hours after public disclosure and targeted '/chat/completions'. Upgrade to 1.83.7 or apply the suggested workaround and rotate any exposed credentials.
read more →

Critical GitHub RCE CVE-2026-3854 Can Be Triggered by Push

🔒 GitHub patched a critical command-injection vulnerability, CVE-2026-3854, that allowed an authenticated user with push access to achieve remote code execution via a single git push. Researchers at Wiz disclosed the issue on March 4, 2026, and GitHub deployed a fix to GitHub.com within two hours while releasing updates for GitHub Enterprise Server. The flaw resulted from insufficient sanitization of git push options incorporated into the internal X-Stat header, enabling injection of metadata fields to override execution controls. Administrators should apply the provided GHES updates immediately.
read more →

Critical Cursor IDE Bug Could Allow Remote Code Execution

⚠️ Security researchers disclosed a high-severity vulnerability in the Cursor AI-powered IDE that can lead to arbitrary code execution when its agent interacts with a malicious repository. Novee Security's analysis shows an attacker can embed a bare Git repository with a crafted hook and trigger it when the IDE autonomously runs Git operations. Cursor patched the flaw in version 2.5; there are no reports of active exploitation.
read more →