All news with #patch release tag

🔒 Google released the June 2026 Android security updates fixing 124 vulnerabilities, including one actively exploited Android Framework zero-day (CVE-2025-48595) affecting devices running Android 14 and later. The company warned of limited, targeted exploitation and urged users to update to the latest Android versions. Two patch bundles (2026-06-01 and 2026-06-05) were issued; Pixel devices will receive updates immediately while other vendors may delay. Google also addressed 18 critical flaws across System, Framework, and Qualcomm components, and previously patched other zero-days this year.

🔒 Oracle has issued its first monthly Critical Security Patch Update (CSPU), addressing 35 vulnerabilities that require more urgent attention than quarterly releases. The batch includes 11 critical, 18 high, and 6 medium severity flaws, with several affecting Oracle REST Data Services, Oracle E-Business Suite, and Oracle Payments. Some older supply-chain bugs have public proof-of-concept exploits, increasing patching urgency.

🔒 Palo Alto Networks patched CVE-2026-0257, an authentication bypass on the GlobalProtect portal and gateway, after attackers began exploiting the flaw. Initially rated medium, the issue was raised to high severity following multiple exploitation attempts on unpatched PAN-OS devices. Rapid7 observed forged-cookie probes and VPN IP assignment to internal networks, prompting urgent patching guidance. CISA added the vulnerability to its KEV Catalog and federal agencies must remediate by June 1.

🔒 A critical vulnerability in WP Maps Pro (CVE-2026-8732) allowed unauthenticated attackers to create administrator accounts via a flawed "temporary access" AJAX endpoint. Discovered by researcher David Brown, the issue affected versions 6.1.0 and older and relied on a publicly exposed nonce in frontend JavaScript, making protections ineffective. Defiant observed active exploitation attempts and blocked thousands of requests, and the vendor released WP Maps Pro 6.1.1 to address the flaw. Site owners are urged to update immediately to prevent account takeover and persistent backdoors.

🔒 Two High-severity vulnerabilities in Notepad++ (CVE-2026-48778 and CVE-2026-48800, CVSS 7.8) let local attackers run arbitrary commands by tampering with the editor’s XML configuration files. Both issues affected versions up to 8.9.6 and were patched in 8.9.6.1 along with a lower-severity crash bug (CVE-2026-48770). The flaws stem from unvalidated values in shortcuts.xml and config.xml, enabling persistence and stealthy execution if an attacker can write to a user’s AppData or supply a poisoned settings folder.

🔔 Amazon RDS for Oracle now supports the Oracle April 2026 Release Update (RU) for 19c and 21c and the Supplemental Patch Bundle (SPB) for 19c. The SPB, formerly the Oracle Spatial Patch Bundle, contains additional patches for targeted features such as Oracle Spatial, Data Pump, and GoldenGate. You can apply the RU or SPB via the RDS Console, SDK, or CLI and enable Automatic Minor Version Upgrade or use AWS Organizations rollout policies to stagger updates across environments.

🔒 The MacGregor Voyage Data Recorder (VDR) G4e contains multiple credential management vulnerabilities, including default and hard-coded credentials, weak password hashing, and accessible authentication files that can allow an attacker to gain administrator access. Danelec has released firmware V5.250 to address these issues and users are urged to update at the next service attendance rather than waiting for annual maintenance. CISA recommends minimizing network exposure, isolating control networks behind firewalls, and using secure remote access methods such as up-to-date VPNs while performing risk assessments prior to deployment of mitigations.

🔒 ABB disclosed a cross-site scripting vulnerability in affected ABB EIBPORT firmware versions that can expose session identifiers and allow unauthorized access. A firmware update is available that modifies session and credential handling and hardens product configuration. ABB recommends applying the update promptly and following network segmentation and firewall best practices to reduce exposure.

🔧 Microsoft released the KB5089573 preview cumulative update for Windows 11 25H2 and 24H2, delivering 30 non-security changes focused on performance and reliability. The optional May 2026 update accelerates app launch and core shell experiences (Start, Search, Action Center) and improves Windows Hello sign-in behavior and reliability. It also addresses File Explorer stability, touch gestures, Modern Standby resume performance, and reduces authentication blocks for Windows Hello Enhanced Sign-in Security. Devices upgrade to builds 26200.8524 and 26100.8524 and updated Secure Boot certificates are being phased in ahead of expiring 2011 certificates.

🛡️ Microsoft released updates to address a SharePoint remote code execution vulnerability, CVE-2026-45659, rated CVSS 8.8 and classified as Important. The flaw involves deserialization of untrusted data, allowing an authenticated attacker with minimal Site Member permissions to execute code over a network without elevated privileges. Microsoft credited researcher MEOW for the discovery and urged administrators to apply the updates for affected SharePoint versions. The advisory follows recent fixes for other SharePoint issues that have been exploited in the wild.

🔐 A critical vulnerability, CVE-2026-48172 (CVSS 10.0), in the LiteSpeed User-End cPanel Plugin allows privilege escalation via the lsws.redisAble function, enabling arbitrary scripts to run as root. The flaw affects plugin versions 2.3 through 2.4.4 and is being actively exploited; LiteSpeed fixed it in v2.4.5 and later bundled releases. Administrators are urged to upgrade to cPanel plugin v2.4.7 (with WHM plugin v5.3.1.0) or uninstall the user-end plugin if immediate patching is not feasible.

🛡️ Ubiquiti issued updates addressing three maximum-severity vulnerabilities in UniFi OS that allow remote, unauthenticated attackers to modify systems, read files via path traversal, and perform command injection after gaining network access. Additional fixes include another critical command injection and a high-severity information disclosure issue. The flaws were reported via HackerOne and can be exploited with low complexity; Ubiquiti has not confirmed any in-the-wild exploitation. Censys reports nearly 100,000 Internet-exposed UniFi OS endpoints, with about 50,000 in the United States, though it is unclear how many have been remediated.

🔒 A critical vulnerability in the on-premises Cisco Secure Workload platform can let a remote, unauthenticated attacker gain site admin privileges by sending a crafted HTTP request to an internal REST API. Cisco assigned CVE-2026-20223 a CVSS score of 10.0 and says the issue stems from insufficient validation and authentication of REST API access. Only on-prem deployments must act immediately by upgrading to the patched versions; SaaS has already been fixed. Cisco reported no known exploitation in the wild at the time of disclosure.

🔒 An update resolves multiple vulnerabilities in B&R Automation Runtime SDM prior to 6.4 that could allow session takeover, reflected XSS, or CSV formula injection. The vendor corrected the issues in Automation Runtime 6.4 and notes SDM is disabled by default in AR 6. Customers should apply the update based on risk assessment and follow recommended network isolation and access-control practices.

🔒 ABB reports heap, stack and classic buffer overflow vulnerabilities in select Terra AC Wallbox firmware. An attacker who hijacks Bluetooth and crafts oversized fields could corrupt memory and potentially alter firmware behavior. ABB has released firmware version 1.8.36 (JP) to address the issues and recommends updating as soon as possible.

🔒 Hitachi Energy reported that GMS600 versions are affected by CVE-2022-4304, a timing-based side-channel in OpenSSL RSA decryption that can allow recovery of pre-master secrets after many trial messages. The flaw impacts all RSA padding modes and can enable decryption of TLS application data. Vendor mitigation is to upgrade to version 1.3.2; CISA reiterates network isolation and defensive best practices.

🛡️ Microsoft released emergency updates on Wednesday to address two actively exploited Microsoft Defender zero-day vulnerabilities. The first, CVE-2026-41091, affects the Microsoft Malware Protection Engine and can be abused to achieve SYSTEM privileges via improper link resolution before file access. The second, CVE-2026-45498, impacts the Defender Antimalware Platform and may be used to trigger denial-of-service; Microsoft says updates should deploy automatically but advises administrators to verify platform and signature versions and confirm successful installation.

🔔 Amazon RDS Custom for SQL Server now supports the latest General Distribution Release (GDR) updates for Microsoft SQL Server, including SQL Server 2019 CU32+GDR KB5084816 and SQL Server 2022 CU24+GDR KB5083252. These updates address vulnerabilities tracked as CVE-2026-32167 and CVE-2026-32176. You can apply the updates via the Amazon RDS Management Console or programmatically with the AWS SDK or CLI, and guidance is available in the Amazon RDS Custom User Guide.

🚨Drupal administrators must apply an emergency core update to address a “highly critical” SQL injection defect (CVE-2026-9082) that affects sites using PostgreSQL. The release also bundles upstream fixes for Symfony and Twig, so Drupal urges updates even for non-Postgres deployments. Supported branches 11.3, 11.2, 10.6 and 10.5 are patched, while end-of-life versions may receive unsupported best-effort patches. The flaw permits anonymous attackers to send crafted requests resulting in arbitrary SQL injection, information disclosure, and potential privilege escalation or remote code execution.

🛡️ Drupal has issued a core security release scheduled for May 20 between 17:00 and 21:00 UTC, warning that exploits could appear within hours of disclosure. Administrators are urged to reserve time for the update and to upgrade sites running Drupal 8 or 9 to at least 10.6. Patches will be released for several 10.x and 11.x branches, and although some older branches are EOL, hotfixes will be provided for affected 9.5 and 8.9 releases. Sites using Drupal Steward have mitigations but should still apply updates promptly.