All news with #vulnerability disclosure tag

510 articles · page 5 of 26

ABB Ability Symphony Plus PostgreSQL Vulnerabilities

⚠️ ABB has reported critical vulnerabilities in Ability Symphony Plus (S+) Engineering tied to an embedded PostgreSQL component (version 13.11 and earlier) that could allow authenticated users on the S+ client/server network to execute arbitrary code. Affected S+ releases include 2.2 through 2.4 SP2; ABB released an update — S+ Engineering 2.4 SP2 RU1 (re-released December 2024) — to address the issues. CISA recommends network isolation and perimeter firewalling as primary mitigations; no product-specific workarounds exist and ABB reported no known exploitation at the time of the advisory.

Critical RCE Vulnerability Discovered in Google Gemini CLI

🔒 Researchers disclosed a max-severity remote code execution (RCE) vulnerability in @google/gemini-cli and the associated GitHub Action that could load untrusted workspace configurations in headless CI environments. Google issued patches in 0.39.1, 0.40.0-preview.3 and updated the run-gemini-cli Action to 0.1.22, removing implicit workspace trust and enforcing tool allowlists. Teams that pin CLI versions are advised to upgrade and review workspace configurations immediately.

Google and Cursor Fix Critical RCE Flaws in Dev Tools

🔒 Google patched a maximum-severity remote code execution vulnerability in @google/gemini-cli and the google-github-actions/run-gemini-cli workflow that could allow attackers to run arbitrary commands on host systems. Novee Security reported the flaw, which carries a CVSS score of 10.0, and Google says the impact is limited to headless CI usage where workspace folders were auto-trusted. Affected versions include @google/gemini-cli prior to 0.39.1 (and preview releases) and run-gemini-cli prior to 0.1.22; users should update to the patched releases, explicitly set GEMINI_TRUST_WORKSPACE when inputs are trusted, or follow Google’s hardening guidance for untrusted inputs. Google also tightened allowlisting checks for --yolo mode to prevent auto-approved tool calls from bypassing restrictions.

Emergency cPanel/WHM Update Fixes Critical Auth Bypass

🔒 A critical authentication bypass was identified in cPanel and WHM, prompting an emergency update that requires administrators to run /scripts/upcp --force to install patched builds. Hosting provider Namecheap temporarily blocked ports 2083 and 2087 used by the control panels while vendors issued fixes, underscoring the severity. Systems on unsupported cPanel releases will not receive security updates and should be upgraded immediately.

Cursor extension flaw exposes local API credentials

🔒 A high-severity vulnerability in the AI-powered development tool Cursor allows installed extensions to read sensitive credentials stored locally, researchers at LayerX report. The issue stems from Cursor keeping API keys, session tokens and cached configuration in an unprotected SQLite database rather than using OS keychains or encryption, and it does not restrict extension access. LayerX assigned the flaw a CVSS score of 8.2 and demonstrated silent exfiltration without user prompts. Cursor acknowledged the notice but said trust boundaries are the user's responsibility; as of 28 April 2026 the vulnerability remains unresolved.

GitHub fixes RCE that exposed millions of private repos

🛡️ GitHub patched a critical remote code execution bug, CVE-2026-3854, reported by Wiz on March 4, 2026, that could have allowed attackers to access millions of private repositories. The company reproduced the issue within 40 minutes and deployed a fix to GitHub.com in under two hours. The flaw affected GitHub.com and multiple Enterprise offerings and could be triggered by a single crafted git push that injects unsafe metadata fields. GitHub’s forensic review found no evidence of exploitation prior to the researcher disclosure, and patches for GitHub Enterprise Server releases are available now; administrators are urged to upgrade immediately.

Critical GitHub RCE Vulnerability Exposed Millions of Repos

🔓 GitHub patched a critical remote code execution flaw (CVE-2026-3854) that allowed authenticated users to inject commands via crafted git push operations. Discovered by Wiz, the issue abused an internal X-STAT component in GitHub’s server-side processing and earned one of the highest bug-bounty payouts. Cloud services were patched quickly and fixes for GitHub Enterprise Server versions 3.14.25 through 3.20.0 were released, but Wiz reported that 88% of Enterprise Server instances remained exposed at disclosure. Enterprise customers are urged to apply vendor patches immediately.

CISA Adds Actively Exploited ConnectWise and Windows Flaws

🔒 CISA has added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2024-1708, a path traversal flaw in ConnectWise ScreenConnect (CVSS 8.4), and CVE-2026-32202, a protection-mechanism failure in Windows Shell (CVSS 4.3). Patches were released in February 2024 and April 2026 respectively. The additions follow observed real-world exploitation, including chaining with other CVEs and activity attributed to both nation-state and criminal groups. Affected organizations and federal agencies should prioritize remediation and verify deployments of the relevant fixes.

Critical SQL Injection in LiteLLM (CVE-2026-42208)

⚠️ A critical SQL injection (CVE-2026-42208, CVSS 9.3) in the open-source LiteLLM Python gateway allowed unauthenticated attackers to inject SQL via a proxy API key check by placing crafted values in the Authorization header. Maintainers released 1.83.7-stable on April 19, 2026, to fix versions >=1.81.16 and <1.83.7. Security vendor Sysdig reported active exploitation within roughly 26–36 hours of disclosure, with probes focused on credential tables that store upstream LLM provider keys. Operators should update immediately or set disable_error_logs: true as a temporary mitigation.

Critical GitHub RCE CVE-2026-3854 Can Be Triggered by Push

🔒 GitHub patched a critical command-injection vulnerability, CVE-2026-3854, that allowed an authenticated user with push access to achieve remote code execution via a single git push. Researchers at Wiz disclosed the issue on March 4, 2026, and GitHub deployed a fix to GitHub.com within two hours while releasing updates for GitHub Enterprise Server. The flaw resulted from insufficient sanitization of git push options incorporated into the internal X-Stat header, enabling injection of metadata fields to override execution controls. Administrators should apply the provided GHES updates immediately.

NSA GRASSMARLIN XML External Entity Vulnerability Advisory

⚠️ A vulnerability in NSA GRASSMARLIN allows crafted session data to trigger improper XML parsing that may disclose sensitive information. Tracked as CVE-2026-6807 and classified under CWE-611, the issue affects GRASSMARLIN v3.2.1 and carries a CVSS 3.1 base score of 5.5 (MEDIUM). The GRASSMARLIN project reached end-of-life in 2017 and is archived, so no vendor patches are planned; CISA recommends compensating controls, network isolation, and following published ICS defensive guidance.

CISA Adds Four Actively Exploited Flaws to KEV Catalog

⚠️ CISA added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog affecting SimpleHelp, Samsung MagicINFO 9 Server, and D-Link DIR-823X routers, citing evidence of active exploitation. The listed flaws include two SimpleHelp issues (CVE-2024-57726, CVE-2024-57728), a Samsung path traversal (CVE-2024-7399), and a D-Link command injection (CVE-2025-29635). Agencies are urged to apply fixes or retire affected devices by May 8, 2026.

LMDeploy SSRF Vulnerability (CVE-2026-33626) Exploited Rapid

🔒 A high-severity SSRF vulnerability in LMDeploy (CVE-2026-33626, CVSS 7.5) was exploited in the wild within 13 hours of disclosure. The flaw in the vision-language module's load_image() function allows fetching arbitrary URLs without validating internal addresses, enabling access to cloud metadata and internal services. Security researchers and Sysdig observed targeted port scanning, API enumeration, and out-of-band DNS callbacks, highlighting rapid weaponization of AI-infrastructure bugs.

Critical file upload flaw exploited in Breeze Cache

⚠️ Researchers warn that a critical vulnerability (CVE-2026-3844) in the Breeze Cache WordPress plugin allows unauthenticated attackers to upload arbitrary files via the fetch_gravatar_from_remote function. Exploitation can lead to remote code execution and complete site takeover, but successful attacks require the optional 'Host Files Locally - Gravatars' add-on to be enabled. Cloudways released a patch in version 2.4.5; administrators should update immediately or disable the add-on until patched.

Apple issues emergency iOS fix for persistent notifications

🔒 Apple released an emergency update to fix a Notification Services logging flaw that allowed deleted alerts to remain stored on devices, potentially exposing message content. Tracked as CVE-2026-28950, the vulnerability is resolved in iOS 26.4.2 and iPadOS 26.4.2, with backports provided for older supported releases. Apple said the root cause was a logging issue and that improved data redaction prevents notifications marked for deletion from persisting. The company did not confirm whether the flaw was exploited or how long retained data could remain accessible.

Serial-to-Ethernet Converters Riddled with Vulnerabilities

⚠ Forescout's BRIDGE:BREAK study finds serial-to-Ethernet adapters widely shipped with outdated kernels and insecure open-source components, exposing industrial, healthcare, and retail equipment to attack. Researchers report firmware images averaged roughly 80 OSS components and nearly 2,500 known vulnerabilities with public exploits present. Manual analysis uncovered 22 new flaws in Lantronix and Silex devices enabling RCE, authentication bypass, firmware tampering, and device takeover. Vendors released patches; operators should patch, remove internet exposure, enforce strong credentials, segment networks, and monitor for misuse.

Apple fixes iOS bug retaining deleted notifications

🔒 Apple released out-of-band updates for iPhone and iPad to address a Notification Services flaw that could leave deleted notifications stored on the device. The bug, tracked as CVE-2026-28950, was patched on April 22, 2026 in iOS 26.4.2, iPadOS 26.4.2, iOS 18.7.8 and iPadOS 18.7.8. Apple says the issue was resolved through improved data redaction but provided no further technical details or confirmation of exploitation. Users are advised to install the updates promptly.

Microsoft issues out-of-band patch for ASP.NET Core flaw

🔒 Microsoft released an out-of-band fix after an April 14 .NET update (10.0.6) introduced a critical regression in the ASP.NET Core Data Protection NuGet package (CVE-2026-40372, CVSS 9.1). A bug in the ManagedAuthenticatedEncryptor caused HMAC validation tags to be computed with an incorrect offset, allowing forged cookies and tokens to be treated as valid. Developers should upgrade to 10.0.7, rebuild embedded apps (including Docker images), expire affected cookies and tokens, and rotate protection keys to remove potential forgeries.

Amazon Corretto April 2026 Quarterly Security Updates

🔒 Amazon announced its April 2026 quarterly security and critical updates for Amazon Corretto, delivering new builds for LTS and Feature Release OpenJDK distributions. Releases available: Corretto 26.0.1, 25.0.3, 21.0.11, 17.0.19, 11.0.31, and 8u492. This is the final Corretto 8 release that includes JavaFX binaries; JavaFX will be removed starting July 2026. Downloads and repo configuration instructions are provided on the Corretto home page to help administrators apply the updates.

CISA Adds One Vulnerability to KEV Catalog After Exploitation

⚠ CISA has added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-33825, a Microsoft Defender access-control issue characterized by insufficient granularity and identified as being actively exploited. The agency emphasizes that this class of flaw is a frequent attack vector and presents significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by the prescribed due date, and CISA strongly urges all organizations to prioritize timely remediation as part of routine vulnerability management.