
All news with #vulnerability disclosure tag


CISA Adds CVE-2026-5281 to Known Exploited Vulnerabilities

🔔 CISA has added CVE-2026-5281, a Google Dawn use-after-free vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The listing invokes BOD 22-01 remediation requirements for Federal Civilian Executive Branch agencies, which must remediate by the specified due date. CISA strongly urges all organizations to prioritize timely remediation and strengthen vulnerability management, as use-after-free flaws are a common and impactful attack vector.

Open VSX Flaw Allowed Malicious VS Code Extensions Live

🛡️ Researchers disclosed a patched bug in Open VSX's pre-publish scanning pipeline that allowed a malicious VS Code extension to pass vetting and go live. The defect, named Open Sesame, arose because a Java service returned a single boolean that conflated 'no scanners configured' with 'scanner failures,' causing failed scans to be treated as harmless. The vulnerability was fixed in Open VSX 0.32.0 after responsible disclosure.

CISA Warns: Critical Langflow RCE (CVE-2026-33017)

🔴 CISA warns that a critical code-injection vulnerability, CVE-2026-33017, in the Langflow AI workflow framework is being actively exploited for remote code execution. The flaw impacts Langflow versions 1.8.1 and earlier and can be triggered with a single crafted HTTP request due to unsandboxed flow execution, allowing attackers to build public flows without authentication. Administrators should upgrade to Langflow 1.9.0, disable or restrict the vulnerable endpoint, rotate keys and secrets, and avoid exposing Langflow directly to the internet. CISA added the issue to its Known Exploited Vulnerabilities list and set an April 8 deadline for agencies covered by BOD 22-01.

Talos: Critical Bugs Found in Canva, TP-Link, HikVision

🔒 Cisco Talos disclosed multiple vulnerabilities impacting Canva Affinity, TP-Link Archer AX53, and HikVision face recognition terminals. Researchers identified 19 EMF-related issues in Canva Affinity, including out-of-bounds reads and a type confusion that can lead to memory corruption and arbitrary code execution. TP-Link’s AX53 contains 10 vulnerabilities across tmpServer, tdpServer and SSH hostkey handling that range from buffer overflows to write-what-where flaws and credential exposure via MITM. A HikVision SADP XML parser stack-based buffer overflow can be triggered by a malicious network packet. All identified issues have been patched following coordinated disclosure; users should apply vendor updates and consider Snort rule coverage for detection.

Researchers Warn of Rising AI-Generated Code Vulnerabilities

⚠️ Georgia Tech researchers warn that AI-assisted 'vibe coding' is producing measurable security flaws in real projects. The Vibe Security Radar traced at least 35 new CVEs in March 2026 and reports 74 confirmed AI-related vulnerabilities to date, while estimating the true count in open source may be five to ten times higher. The team monitors roughly 50 tools and uses metadata and AI agents to map vulnerable commits back to assistants such as Claude Code, noting some tools leave no trace.

Claude Chrome Extension Flaw Allowed Silent Prompting

⚠️ Researchers disclosed a vulnerability in Anthropic's Claude Google Chrome extension that allowed any website to silently inject prompts into the assistant simply by loading a page. Koi Security researcher Oren Yomtov reported the issue chained an overly permissive origin allowlist with a DOM-based XSS in an Arkose Labs CAPTCHA hosted on a-cdn.claude.ai. Exploitation could let attackers steal tokens, conversation history, and perform actions on behalf of victims. Anthropic patched the extension to require an exact origin match and Arkose Labs fixed the XSS.

Critical CLI Escape in WAGO Managed Switches (CVE-2026-3587)

⚠️ An unauthenticated remote attacker can trigger a hidden CLI function in WAGO industrial managed switches to escape the restricted interface and gain full control of the device. The vulnerability is tracked as CVE-2026-3587 and classified under CWE-912. CISA rates the issue CRITICAL with a CVSS v3.1 base score of 10.0. Operators should install vendor fixed firmware or, as an interim measure, disable SSH and Telnet.

OpenCode OC Messaging & USSD Gateway Vulnerability

⚠️ OpenCode Systems' OC Messaging and USSD Gateway version 6.32.2 contain an improper access control vulnerability (CVE-2025-70614, CVSS 3.1 Base Score 8.1) that can allow an authenticated low-privileged user to access SMS messages outside their tenant by providing a crafted company/tenant identifier. OpenCode released version 6.33.11 on 2026-01-06 to remediate the issue. Administrators should upgrade affected systems to 6.33.11 or later and limit network exposure of messaging gateways.

PTC Windchill and FlexPLM Critical Remote Code Execution

⚠️ CISA reports a critical remote code execution vulnerability (CVE-2026-4681) affecting PTC Windchill and FlexPLM, with a CVSS v3.1 base score of 10.0. The issue stems from deserialization of untrusted data (CWE-94) and could allow unauthenticated attackers to run arbitrary code. PTC is developing a patch and advises immediate application of documented workarounds and updated Apache or IIS configurations to protect public, file, and replica servers.

CISA Adds One Vulnerability to Known Exploited Catalog

⚠ CISA has added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-33634, an Aqua Security Trivy issue involving embedded malicious code that CISA reports is being actively exploited. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by their due dates; CISA urges all organizations to prioritize timely patching and mitigation. CISA will continue to update the catalog as new evidence of exploitation emerges.

Citrix urges urgent patching for NetScaler ADC and Gateway

⚠️ Citrix has released patches for two NetScaler vulnerabilities, including a critical memory overread (CVE-2026-3055) that affects appliances configured as SAML identity providers and can expose session tokens. The vendor also fixed CVE-2026-4368, a race-condition flaw on Gateway and AAA configurations that may cause user session mix-ups. Citrix strongly urges administrators to install the specified updates immediately and offers guidance to locate and remediate affected instances.

CISA Adds Langflow Code Injection to KEV Catalog Entry

⚠️ CISA has added CVE-2026-33017 — a Langflow code injection vulnerability — to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by the specified due dates. CISA urges all organizations to prioritize timely remediation to reduce exposure to active threats.

Memory Leak in Grassroots DICOM 3.2.2 Could Cause DoS

⚠ The Grassroots DICOM (GDCM) 3.2.2 library contains a memory leak vulnerability (CVE-2026-3650) that can be triggered by parsing specially crafted DICOM files with non-standard VR types. Successful exploitation can cause extensive heap allocations that are not released, producing resource exhaustion and a denial-of-service condition. This issue is rated High with a CVSS v3.1 base score of 7.5. Users should follow defensive best practices and monitor vendor distribution channels for updates.

Citrix Urges Immediate Patching of Critical NetScaler Flaw

⚠ Citrix has published updates for NetScaler ADC and NetScaler Gateway to fix two vulnerabilities, including a critical memory overread (CVE-2026-3055) that can leak sensitive information from appliance memory. Exploitation requires specific configurations—SAML IdP for CVE-2026-3055 and gateway or AAA roles for CVE-2026-4368. Affected builds include 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23; customers should inspect configurations and apply patches immediately.

Hardware Boot-ROM Exploit Completely Compromises Xbox One

🔓 A researcher developed a hardware voltage-glitching exploit, dubbed Bliss, that targets the Xbox One boot ROM to bypass early ARM Cortex memory protections. By inducing two precisely timed voltage collapses, the attacker can skip critical setup and redirect execution into attacker-controlled data. The exploit is a silicon-level, unpatchable compromise that enables loading unsigned code and accessing the console’s security processor.

CISA Adds Five Vulnerabilities to KEV Catalog — Mar 20, 2026

🔔 CISA added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on March 20, 2026: CVE-2025-31277, CVE-2025-32432, CVE-2025-43510, CVE-2025-43520, and CVE-2025-54068. The flaws affect multiple Apple products, Craft CMS, and Laravel Livewire and include buffer overflows, improper locking, and code injection risks. BOD 22-01 requires FCEB agencies to remediate listed CVEs; CISA urges all organizations to prioritize mitigation as part of routine vulnerability management.

Magento 'PolyShell' REST API Flaw Affects 2.x Releases

⚠ Sansec has disclosed a critical file upload vulnerability dubbed PolyShell in Magento's REST API that can let unauthenticated attackers upload arbitrary executables and achieve remote code execution or account takeover. The flaw stems from how custom product options accept a base64-encoded file_info object and write files to pub/media/custom_options/quote/. Adobe applied a fix in the 2.4.9 pre-release (APSB25-94), but most production stores remain unpatched; operators should restrict and block access to the upload directory, verify nginx/Apache rules, scan for web shells, and consider a specialized WAF.

Low-cost KVM-over-IP Flaws Risk Remote Network Takeover

🔒 Researchers discovered nine critical vulnerabilities across several low-cost KVM-over-IP units, including Angeet/Yeeso, GL-iNet, Sipeed, and JetKVM. Flaws range from unauthenticated file uploads and command injection to weak firmware verification and exposed debugging interfaces, enabling pre-authentication root takeover on some devices. Eclypsium warns these inexpensive, Linux-based single-port KVMs are increasingly common in business and pose outsized risks if exposed directly to networks.

CISA Adds One Vulnerability to Known Exploited Catalog

🔔 CISA added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog — CVE-2025-66376, a cross-site scripting (XSS) issue in Synacor Zimbra Collaboration Suite (ZCS). Evidence indicates active exploitation, prompting inclusion under BOD 22-01 guidance. While the binding directive applies to FCEB agencies, CISA strongly urges all organizations to prioritize remediation. CISA will continue to update the KEV Catalog as new exploited vulnerabilities are identified.

Nine IP KVM Vulnerabilities Allow Remote Full Host Control

🔒 Eclypsium researchers disclosed nine vulnerabilities in low-cost IP KVM devices from GL-iNet, Angeet/Yeeso, Sipeed, and JetKVM. The most severe flaws can allow unauthenticated attackers to gain root or execute arbitrary code and operate at BIOS/UEFI levels, enabling keystroke injection, booting from removable media, and persistence beyond OS defenses. Some vendors have issued firmware fixes, but critical issues in Angeet ES3 remain unpatched. Administrators should apply available updates, isolate KVMs, and enforce stronger access controls.