All news with #vulnerability disclosure tag

⚠️CISA reports a critical remote code execution vulnerability (CVE-2026-4681) affecting PTC Windchill and FlexPLM, with a CVSS v3.1 base score of 10.0. The issue stems from deserialization of untrusted data (CWE-94) and could allow unauthenticated attackers to run arbitrary code. PTC is developing a patch and advises immediate application of documented workarounds and updated Apache or IIS configurations to protect public, file, and replica servers.

⚠️ Citrix has released patches for two NetScaler vulnerabilities, including a critical memory overread (CVE-2026-3055) that affects appliances configured as SAML identity providers and can expose session tokens. The vendor also fixed CVE-2026-4368, a race-condition flaw on Gateway and AAA configurations that may cause user session mix-ups. Citrix strongly urges administrators to install the specified updates immediately and offers guidance to locate and remediate affected instances.

⚠️ CISA has added CVE-2026-33017 — a Langflow code injection vulnerability — to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by the specified due dates. CISA urges all organizations to prioritize timely remediation to reduce exposure to active threats.

⚠ The Grassroots DICOM (GDCM) 3.2.2 library contains a memory leak vulnerability (CVE-2026-3650) that can be triggered by parsing specially crafted DICOM files with non-standard VR types. Successful exploitation can cause extensive heap allocations that are not released, producing resource exhaustion and a denial-of-service condition. This issue is rated High with a CVSS v3.1 base score of 7.5. Users should follow defensive best practices and monitor vendor distribution channels for updates.

⚠ Citrix has published updates for NetScaler ADC and NetScaler Gateway to fix two vulnerabilities, including a critical memory overread (CVE-2026-3055) that can leak sensitive information from appliance memory. Exploitation requires specific configurations—SAML IdP for CVE-2026-3055 and gateway or AAA roles for CVE-2026-4368. Affected builds include 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23; customers should inspect configurations and apply patches immediately.

🔓 A researcher developed a hardware voltage-glitching exploit, dubbed Bliss, that targets the Xbox One boot ROM to bypass early ARM Cortex memory protections. By inducing two precisely timed voltage collapses, the attacker can skip critical setup and redirect execution into attacker-controlled data. The exploit is a silicon-level, unpatchable compromise that enables loading unsigned code and accessing the console’s security processor.

🔔 CISA added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on March 20, 2026: CVE-2025-31277, CVE-2025-32432, CVE-2025-43510, CVE-2025-43520, and CVE-2025-54068. The flaws affect multiple Apple products, Craft CMS, and Laravel Livewire and include buffer overflows, improper locking, and code injection risks. BOD 22-01 requires FCEB agencies to remediate listed CVEs; CISA urges all organizations to prioritize mitigation as part of routine vulnerability management.

⚠ Sansec has disclosed a critical file upload vulnerability dubbed PolyShell in Magento's REST API that can let unauthenticated attackers upload arbitrary executables and achieve remote code execution or account takeover. The flaw stems from how custom product options accept a base64-encoded file_info object and write files to pub/media/custom_options/quote/. Adobe applied a fix in the 2.4.9 pre-release (APSB25-94), but most production stores remain unpatched; operators should restrict and block access to the upload directory, verify nginx/Apache rules, scan for web shells, and consider a specialized WAF.

🔒 Researchers discovered nine critical vulnerabilities across several low-cost KVM-over-IP units, including Angeet/Yeeso, GL-iNet, Sipeed, and JetKVM. Flaws range from unauthenticated file uploads and command injection to weak firmware verification and exposed debugging interfaces, enabling pre-authentication root takeover on some devices. Eclypsium warns these inexpensive, Linux-based single-port KVMs are increasingly common in business and pose outsized risks if exposed directly to networks.

🔔 CISA added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog — CVE-2025-66376, a cross-site scripting (XSS) issue in Synacor Zimbra Collaboration Suite (ZCS). Evidence indicates active exploitation, prompting inclusion under BOD 22-01 guidance. While the binding directive applies to FCEB agencies, CISA strongly urges all organizations to prioritize remediation. CISA will continue to update the KEV Catalog as new exploited vulnerabilities are identified.

🔒 Eclypsium researchers disclosed nine vulnerabilities in low-cost IP KVM devices from GL-iNet, Angeet/Yeeso, Sipeed, and JetKVM. The most severe flaws can allow unauthenticated attackers to gain root or execute arbitrary code and operate at BIOS/UEFI levels, enabling keystroke injection, booting from removable media, and persistence beyond OS defenses. Some vendors have issued firmware fixes, but critical issues in Angeet ES3 remain unpatched. Administrators should apply available updates, isolate KVMs, and enforce stronger access controls.

🔒 Apple has issued Background Security Improvements to address CVE-2026-20643, a cross-origin flaw in WebKit's Navigation API that could be exploited to bypass the same-origin policy when processing maliciously crafted web content. Apple fixed the issue by improving input validation and shipped patches in iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), and macOS 26.3.2 (a). Researcher Thomas Espach is credited with the report. Users should keep Automatically Install enabled in Settings > Privacy and Security to receive these lightweight fixes promptly.

🚨 A critical out-of-bounds write in the LINEMODE Set Local Characters (SLC) suboption handler of GNU InetUtils telnetd (CVE-2026-32746) enables unauthenticated remote attackers to achieve remote code execution as root. Discovered by Dream on March 11, 2026, the flaw affects releases through 2.7 and carries a CVSS score of 9.8. Exploitation can succeed during the initial Telnet handshake with a single connection to port 23; no credentials or user interaction are required. A patch is expected by April 1, 2026; until then, disable Telnet, avoid running telnetd as root, and block port 23.

🔒 Apple has pushed its first Background Security Improvements release to patch a WebKit vulnerability tracked as CVE-2026-20643 on iPhone, iPad, and Mac without requiring a full OS upgrade. The flaw is a cross-origin issue in the Navigation API that could allow malicious web content to bypass the browser's Same Origin Policy, and Apple says it fixed the bug with improved input validation. Credited to researcher Thomas Espach, the update is available on iOS 26.3.1, iPadOS 26.3.1, and macOS 26.3.1/26.3.2; Apple warns that uninstalling Background Security Improvements removes all prior background patches and reverts the device to the baseline OS.

🔒 The Siemens SICAM SIAPP SDK contains multiple vulnerabilities that could allow disruption of customer-developed SIAPP components or their simulation environment. Identified impacts include denial of service, stack-based overflows, command injection enabling remote code execution, and unauthorized file deletion. These issues are exploitable primarily when the API is used improperly or when hardening measures are not applied. Siemens has released v2.1.7 to address the flaws and strongly recommends updating, validating updates prior to deployment, and supervising patch rollouts.

🔒 Companies House says its WebFiling service is back after a security flaw introduced in October 2025 exposed data for about five million U.K. companies. The bug let authenticated users view other firms' dashboards — including dates of birth, residential addresses and company email addresses — by navigating back after attempting a 'file for another company' action. The agency says no passwords or identity‑verification documents were accessed, and it has reported the issue to the ICO and NCSC while investigating whether any data was accessed or changed without permission.

🛡️ CISA has added CVE-2025-47813, an information disclosure vulnerability affecting Wing FTP Server, to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation. This class of flaw is frequently abused by threat actors and poses a notable risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies are required to remediate KEV items by the specified due dates. CISA urges all organizations to prioritize timely remediation as part of standard vulnerability management.

⚠ Qualys disclosed nine critical vulnerabilities in AppArmor, the Linux Security Module enabled by default on Ubuntu, Debian, and SUSE. Dubbed “CrackArmor,” the flaws date back to the Linux 4.11 kernel and allow an unprivileged local user to manipulate profiles to gain full root, escape containers, or crash systems. Qualys estimates over 12.6 million exposed enterprise instances and emphasizes immediate kernel patching; fixes have been landed upstream in coordination with major distro maintainers.

🔒 Qualys Threat Research Unit disclosed nine vulnerabilities collectively named CrackArmor in the Linux kernel's AppArmor module that let unprivileged users tamper with security profiles, bypass user-namespace restrictions, and escalate to root. Qualys says the problems have existed since 2017 and affect kernels since 4.11, with no CVEs assigned yet. The vendor is withholding PoC exploits and urges immediate kernel patching across affected distributions such as Ubuntu, Debian, and SUSE.

⚠️ Researchers at Pillar Security disclosed two critical vulnerabilities in both self-hosted and cloud n8n deployments that can yield complete server compromise without any user interaction. The most severe, CVE-2026-27493, is an unauthenticated zero-click flaw in Form nodes that enables expression injection through public form endpoints; CVE-2026-27577 is a sandbox escape in the expression compiler enabling remote code execution. n8n issued patches and automated cloud mitigations; self-hosted users should upgrade to the recommended versions and rotate all stored credentials if a vulnerable workflow was exposed.