
All news with #vulnerability disclosure tag

510 articles · page 2 of 26

Cisco fixes max-severity Secure Workload REST API flaw

🔒 Cisco released patches for a maximum-severity vulnerability in Secure Workload (formerly Tetration) that allowed unauthenticated attackers to gain Site Admin privileges by abusing internal REST APIs. The flaw, tracked as CVE-2026-20223, stems from insufficient validation and authentication of API endpoints and could let attackers read sensitive data and change configurations across tenant boundaries. Cisco provided fixed releases for on-premises deployments and has already remediated the issue in the SaaS offering; no workarounds exist.

Nine-Year Linux ptrace Flaw Exposes SSH Keys

🔒 A nine-year logic flaw in the Linux kernel's ptrace path (CVE-2026-46333) lets unprivileged local users read sensitive files on default Debian, Fedora and Ubuntu installations. Qualys TRU found the bug in __ptrace_may_access(), exploitable when a privileged process drops credentials and remains briefly reachable; pidfd_getfd() expanded the attack surface. Upstream patches and distro updates are available; mitigations include raising kernel.yama.ptrace_scope to 2.

B&R Automation Runtime SDM Vulnerabilities Fix Released

🔒 An update resolves multiple vulnerabilities in B&R Automation Runtime SDM prior to 6.4 that could allow session takeover, reflected XSS, or CSV formula injection. The vendor corrected the issues in Automation Runtime 6.4 and notes SDM is disabled by default in AR 6. Customers should apply the update based on risk assessment and follow recommended network isolation and access-control practices.

ABB Terra AC Wallbox Buffer Overflow Advisory

🔒 ABB reports heap, stack and classic buffer overflow vulnerabilities in select Terra AC Wallbox firmware. An attacker who hijacks Bluetooth and crafts oversized fields could corrupt memory and potentially alter firmware behavior. ABB has released firmware version 1.8.36 (JP) to address the issues and recommends updating as soon as possible.

ABB B&R UEFI PXE Vulnerabilities and Vendor Updates

🔒 ABB B&R reported multiple vulnerabilities in the UEFI PXE implementation of affected B&R PCs and controllers. EDK2 Network Package issues include out-of-bounds reads, buffer overflows, infinite loops, and weak PRNG usage that can lead to remote code execution, DoS, DNS poisoning, or data exposure. Vendor updates are available for many product versions and users are advised to apply patches or follow mitigations.

Hitachi Energy GMS600 OpenSSL timing flaw

🔒 Hitachi Energy reported that GMS600 versions are affected by CVE-2022-4304, a timing-based side-channel in OpenSSL RSA decryption that can allow recovery of pre-master secrets after many trial messages. The flaw impacts all RSA padding modes and can enable decryption of TLS application data. Vendor mitigation is to upgrade to version 1.3.2; CISA reiterates network isolation and defensive best practices.

Nine-Year Linux Kernel Flaw Lets Local Users Gain Root

🔒 Qualys disclosed a nine-year-old Linux kernel vulnerability tracked as CVE-2026-46333 (ssh-keysign-pwn) that stems from the __ptrace_may_access() code path. The flaw can allow an unprivileged local user to disclose sensitive files such as /etc/shadow and SSH host private keys and to execute arbitrary commands as root on default installs of Debian, Fedora, and Ubuntu. A public proof-of-concept appeared after a kernel commit; vendors have issued patches and recommend raising kernel.yama.ptrace_scope to 2 as a temporary mitigation.

Amazon RDS Custom adds latest SQL Server GDR fixes

🔔 Amazon RDS Custom for SQL Server now supports the latest General Distribution Release (GDR) updates for Microsoft SQL Server, including SQL Server 2019 CU32+GDR KB5084816 and SQL Server 2022 CU24+GDR KB5083252. These updates address vulnerabilities tracked as CVE-2026-32167 and CVE-2026-32176. You can apply the updates via the Amazon RDS Management Console or programmatically with the AWS SDK or CLI, and guidance is available in the Amazon RDS Custom User Guide.

Highly Critical PostgreSQL SQLi Fix Released for Drupal

🛡️ Drupal issued emergency updates addressing a "highly critical" SQL injection flaw tracked as CVE-2026-9082 in its database abstraction API that can be exploited against sites using PostgreSQL, allowing information disclosure and in some cases privilege escalation or remote code execution. The vendor released patched builds for supported 11.x and 10.x branches and published manual patches for EOL versions. Upstream Symfony and Twig fixes are also included in recent releases.

Critical Drupal Core Security Update Scheduled Today

🛡️ Drupal has issued a core security release scheduled for May 20 between 17:00 and 21:00 UTC, warning that exploits could appear within hours of disclosure. Administrators are urged to reserve time for the update and to upgrade sites running Drupal 8 or 9 to at least 10.6. Patches will be released for several 10.x and 11.x branches, and although some older branches are EOL, hotfixes will be provided for affected 9.5 and 8.9 releases. Sites using Drupal Steward have mitigations but should still apply updates promptly.

Microsoft Mitigation Released for BitLocker YellowKey

🔒 Microsoft has issued a mitigation for a BitLocker bypass called YellowKey (CVE-2026-45585), after a public proof-of-concept appeared. The flaw lets specially crafted FsTx files placed on a USB drive or EFI partition trigger an unrestricted shell when WinRE boots, risking access to encrypted volumes on affected Windows 11 and Windows Server 2025 systems. Microsoft and researchers recommend removing autofstx.exe from the WinRE image and switching from TPM-only to TPM+PIN to block exploitation.

Max-Severity ChromaDB Flaw Lets Attackers Hijack Servers

⚠️ A max-severity flaw (CVE-2026-45829) in the Python FastAPI server of ChromaDB allows unauthenticated attackers to load and execute remote models before authentication is enforced, enabling arbitrary code execution on exposed servers. The issue impacts PyPI-distributed releases used widely in AI retrieval stacks; a 1.5.9 release exists but it is unclear if the fix addresses this vulnerability. Mitigations include using the Rust frontend, avoiding public exposure of the Python API, and restricting network access to the ChromaDB API port.

Talos Discloses TP-Link, Photoshop, OpenVPN, Norton Flaws

🔒 Cisco Talos disclosed multiple vulnerabilities affecting TP-Link, Adobe Photoshop, OpenVPN, and Norton VPN. Most issues were patched by vendors under Cisco's third-party disclosure policy; the Norton installer flaw was observed in use before a patch was available. The TP-Link Archer AX53 firmware contains eight issues including buffer overflow and several command injection and config-control flaws that allow code execution or arbitrary file access. Talos recommends applying vendor updates and using updated Snort rules to detect exploitation.

DirtyDecrypt PoC Released for Linux Kernel Privilege Bug

🔐 Proof-of-concept exploit code has been published for the recently patched Linux kernel vulnerability known as DirtyDecrypt (aka DirtyCBC), which enables local privilege escalation by bypassing copy-on-write protections in rxgk_decrypt_skb. The flaw (CVE-2026-31635) affects kernels built with CONFIG_RXGK, impacting distributions like Fedora, Arch and openSUSE Tumbleweed. In containerized environments, vulnerable worker nodes may enable pod escape and root compromise.

ABB CoreSense Path Traversal Fixed in New Updates Released

🔒 ABB published updates addressing a path traversal vulnerability (CWE-22, CVSS v3 7.1) affecting CoreSense HM and CoreSense M10. The flaw allowed unauthenticated local users to access restricted directories and could lead to full system compromise and sensitive data exposure. ABB fixed the issue in CoreSense HM v2.3.4 and CoreSense M10 v1.4.1.31 and recommends applying the update promptly. CISA republished the vendor advisory and advises network isolation, strict input validation, and restricting local host access to authorized users.

Drupal warns of urgent core security release on May 20

⚠️ The Drupal Security Team announced a planned core security release for all supported branches on May 20, 2026, from 5–9 p.m. UTC. Administrators are urged to reserve that window because exploits may emerge within hours or days, and to update to the latest patch for their branch in advance. Patches are expected for 11.3.x, 11.2.x, 10.6.x and 10.5.x, with mitigation guidance and instructions for end-of-life releases included.

Critical RCE and Data-Leak Flaws in SEPPMail Gateway

🔒 InfoGuard Labs disclosed multiple critical vulnerabilities in SEPPMail Secure E-Mail Gateway that allow unauthenticated remote code execution, path traversal, deserialization flaws, and exposure of sensitive server data. Researchers demonstrated an exploit chain leveraging the LFT path traversal (CVE-2026-2743) to overwrite syslog configuration and obtain a Perl reverse shell, enabling full appliance takeover and mail interception. SEPPmail has released fixes across versions 15.0.2.1, 15.0.3 and 15.0.4 and urges administrators to apply updates immediately.

Weekly Recap: Exchange 0-Day, NPM Supply Chain Worm

⚡ Microsoft disclosed an actively exploited XSS spoofing vulnerability in on‑premises Exchange Server (CVE-2026-42897) and issued temporary mitigation via its Exchange Emergency Mitigation Service while a permanent fix is prepared. Supply chain attacks intensified as TeamPCP compromised npm packages and node-ipc to distribute stealers and harvest credentials for cloud pivoting. A fake Hugging Face model delivered a Rust-based stealer, underscoring AI model registries as an emergent supply chain risk, while OpenAI and Microsoft announced new AI-driven vulnerability tools.

Pwn2Own Berlin 2026: $1.298M for 47 Zero-Days, Winners

🏆 The Pwn2Own Berlin 2026 contest at OffensiveCon (May 14–16) awarded security researchers $1,298,250 for exploiting 47 zero-day vulnerabilities across browsers, enterprise apps, servers, virtualization, containers, LLMs and local privilege escalation. Competitors earned $523,000 on day one, $385,750 on day two, and $389,500 on day three. DEVCORE topped the leaderboard with $505,000 and 50.5 Master of Pwn points; Cheng-Da Tsai secured the highest single payout of $200,000 for an Exchange RCE chain.

Avada Builder Flaws Expose Files and Enable SQLi Risks

🔒 The Avada Builder WordPress plugin contained two serious vulnerabilities impacting an estimated one million active installations. One flaw (CVE-2026-4782) allows authenticated users with subscriber access to read arbitrary server files via the plugin’s shortcode-rendering and the custom_svg parameter, exposing sensitive files like wp-config.php. The other issue (CVE-2026-4798) is a time-based blind SQL injection exploitable without authentication if WooCommerce was previously installed and then deactivated. Administrators are urged to update to Avada Builder 3.15.3 immediately.