All CosmicBytez Labs articles tagged #Security Updates, across news, security advisories, how-to guides, and projects.
CISA added two critical Fortinet FortiSandbox OS command injection vulnerabilities to its KEV catalog and gave federal agencies just three days to patch, as active exploitation continues against the security appliance platform.
A critical unauthenticated remote code execution vulnerability in WordPress core affects all 6.9 and 7.0 installations. WordPress force-pushed emergency patches (6.9.5 / 7.0.2) to sites via its auto-update system.
A critical flaw in Perl through 5.43.9 causes regex alternations with more than 65,535 branches to silently produce incorrect matches, potentially bypassing security filters that rely on regex validation.
A critical stored XSS vulnerability in Zimbra's Classic Web Client allows attackers to deliver specially crafted emails that execute arbitrary code within...
An authentication bypass vulnerability in OpenCTI prior to 7.260326.0 allows any authenticated user with KNOWLEDGE_KNUPDATE permission to bypass...
CISA added CVE-2026-55255, a CVSS 9.9 IDOR authorization bypass in Langflow, to its Known Exploited Vulnerabilities catalog on July 7, ordering U.S....
A critical vulnerability in ownCloud Core's Updater component exposes a dangerous method to administrators, enabling potential remote code execution on...
A use-after-free bug in the Linux kernel's epoll subsystem — CVE-2026-46242 — lets any local user escalate to root on Linux 6.4+ with ~99% reliability. A...
IBM and Red Hat announced Project Lightwell — a $5 billion commitment to secure open-source supply chains using Anthropic's Mythos AI model, which found...
CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities catalog, confirming active in-the-wild exploitation of a high-severity SharePoint...
The Linux Foundation has launched Akrites, a new open source security initiative designed to give the community standardized tools and channels to report,...
CISA has added a Cisco Unified Communications Manager Server vulnerability to its Known Exploited Vulnerabilities catalog and ordered federal agencies to...
Critical path traversal vulnerability (CVSS 9.1) in Apache IoTDB affects versions 1.0.0 through 1.3.5 and 2.0.0 through 2.0.5. Users must upgrade...
A second critical path traversal vulnerability (CVSS 9.1) in Apache IoTDB affects versions 1.0.0 through 1.3.5 and 2.0.0 through 2.0.6. Patch to 1.3.6 or...
Curl 8.21.0 patches 18 vulnerabilities including a 25-year-old mTLS connection reuse flaw (CVE-2026-8932) that could allow authentication bypass. With...
GitHub released actions/checkout v7 on June 18, 2026, adding default protections that refuse to fetch fork PR code inside pull_request_target workflows —...
Microsoft has confirmed Windows 11 version 26H2 as the next feature update, with devices running 24H2 and 25H2 able to upgrade via a lightweight...
The Usbliter8 exploit targets a hardware-level flaw in Apple A12 and A13 SecureROM boot chains that cannot be patched via software updates, leaving...
Microsoft's June 2026 Patch Tuesday addressed nearly 200 security vulnerabilities — the highest single-month patch count in the company's history —...
This week's security roundup covers Apple's patch for a Beats headphones eavesdropping vulnerability, the DOT closing its investigation into Delta's...
Security researchers at Paradigm Shift have published a working exploit called usbliter8 that achieves arbitrary code execution inside the SecureROM of...
CVE-2026-20253, a critical unauthenticated remote code execution flaw in Splunk Enterprise, is being actively exploited in the wild just days after public...
F5 has released emergency security updates for two critical vulnerabilities in NGINX Open Source, including a CVSS 9.2 use-after-free flaw in the HTTP/3...
Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack that distributed infected releases to paying customers via the...
Both Google and Mozilla have released urgent browser updates addressing multiple memory safety vulnerabilities, including critical-severity flaws that...
CISA has issued an emergency directive ordering federal agencies to patch CVE-2026-48907, a maximum-severity improper access control flaw in the Widget...
Splunk patches CVE-2026-20253, a CVSS 9.8 critical vulnerability enabling unauthenticated file operations and remote code execution in Splunk Enterprise.
Security researchers have disclosed three now-patched vulnerabilities in LangGraph — including a critical chain that enables remote code execution on...
A high-severity path traversal flaw (CVE-2026-5027, CVSS 8.8) in the AI application builder Langflow is being actively exploited with no patch available....
Veeam patched a critical CVE-2026-44963 flaw in Backup and Replication allowing remote code execution on domain-joined servers. CVSS 9.4 — patch immediately.
A critical CVE-2026-44963 flaw in Veeam Backup and Replication lets low-privilege domain users achieve remote code execution on backup servers. CVSS 9.4 —...
CISA added a high-severity SolarWinds Serv-U flaw to its KEV catalog after confirming attackers are actively exploiting it to crash file transfer servers.
Cisco has disclosed active exploitation of CVE-2026-20245, a high-severity vulnerability in Catalyst SD-WAN Manager with a CVSS score of 7.8. No patch is…
OWASP has launched CVE Lite CLI, a free open-source command line tool that scans software projects in seconds to identify packages with known CVE…
Redis has patched a use-after-free vulnerability in its blocking-client code that allows authenticated users to execute arbitrary OS commands on the database…
Belgium's national cybersecurity authority (CCB) has issued an urgent warning that threat actors are actively exploiting a recently patched critical Windows…
Google has released Chrome 148 with patches for 151 security vulnerabilities, including critical-severity flaws that could allow remote code execution....
phpMyFAQ before 4.1.3 contains a CVSS 8.2 flaw allowing unauthenticated attackers to reset any account password without token validation, enabling full...
IBM and Red Hat unveil Project Lightwell, a $5B commitment to securing open-source supply chains by fixing vulnerabilities without breaking production.
CISA's emergency directive gives federal agencies four days to patch the actively exploited LiteSpeed cPanel plugin flaw being weaponized in the wild.
Microsoft has confirmed a new known issue affecting Windows Server 2016 systems where domain controller lookups fail after installing the KB5087537 May 2026.
Microsoft has released updates fixing CVE-2026-45659, a CVSS 8.8 remote code execution vulnerability in SharePoint Server that requires no specialized.
CISA has added CVE-2026-9082, a SQL injection vulnerability in Drupal Core, to its Known Exploited Vulnerabilities catalog following confirmed in-the-wild...
Ubiquiti has released security updates fixing three CVSS 10.0 vulnerabilities in UniFi OS that allow unauthenticated remote attackers to fully compromise...
Drupal has released an urgent security update for CVE-2026-9082, a highly critical flaw that can be exploited without authentication to achieve...
Supply chain security startup Socket has raised $60 million in a new funding round, valuing the company at $1 billion. The capital will expand Socket's...
A coordinated wave of critical security patches landed this week from Ivanti, Fortinet, SAP, VMware, and n8n. Topping the list is CVE-2026-8043 in Ivanti...
Cisco has patched a maximum-severity authentication bypass flaw in its Catalyst SD-WAN Controller that has already been exploited in limited attacks....
A security researcher claims Microsoft silently patched an Azure Backup for AKS vulnerability after rejecting his disclosure report — issuing no CVE and...
A proof-of-concept exploit has been released for a critical-severity NGINX vulnerability that has existed in the rewrite module for nearly two decades....
OpenAI has disclosed that two corporate employee devices were compromised via the Mini Shai-Hulud supply chain attack on the TanStack npm ecosystem,...
A stored cross-site scripting vulnerability in vCluster Platform allows attackers to inject and execute arbitrary JavaScript via the name field of a...
OpenAI is urging macOS users to update their software following an expanding supply chain attack that compromised TanStack and additional npm and PyPI...
This week's threat roundup covers an actively exploited PAN-OS RCE granting root access, Anthropic's Mythos AI finding a cURL memory safety bug, AI...
Microsoft's May 2026 Patch Tuesday addresses 137 vulnerabilities including nine critical flaws — but for the first time in two years, not a single...
Microsoft's May 2026 Patch Tuesday addresses 138 security vulnerabilities across its product portfolio, including 30 rated Critical — with notable DNS...
Exim has released security updates to patch a severe vulnerability affecting GnuTLS-compiled builds of the world's most widely deployed mail transfer...
Fortinet has released emergency security patches for two critical vulnerabilities in FortiSandbox and FortiAuthenticator that could enable attackers to...
SAP's May 2026 Security Patch Day addresses 15 vulnerabilities across multiple enterprise products, including two critical-severity flaws in Commerce...
A CVSS 7.5 denial-of-service vulnerability in Apple iOS and iPadOS allows a remote attacker to exhaust device resources and crash the operating system...
The Apache Software Foundation has released urgent security updates for the Apache HTTP Server addressing a severe vulnerability in the HTTP/2 protocol...
cPanel has released security updates addressing three vulnerabilities in cPanel and Web Host Manager (WHM), including flaws enabling privilege escalation,...
Google has patched a maximum severity vulnerability in its Gemini CLI npm package and GitHub Actions workflow that allowed unprivileged attackers to...
cPanel and WebHost Manager have released an emergency patch for a critical authentication bypass vulnerability that allows attackers to gain control panel...
GitHub has patched CVE-2026-3854, a critical remote code execution vulnerability exploitable via a single HTTP request that could have granted attackers...
Cybersecurity researchers have disclosed CVE-2026-25874, a critical unauthenticated remote code execution vulnerability (CVSS 9.3) in Hugging Face's...
A high-severity Firefox vulnerability (CVE-2026-6770) exploits the internal ordering of IndexedDB database names to generate a stable 44-bit fingerprint...
A Microsoft Windows vulnerability originally patched in a prior Patch Tuesday was incompletely remediated, leaving a residual attack surface that...
Following the April 2026 Patch Tuesday, Microsoft has made broadly available a new MDM policy setting that enables IT administrators to fully uninstall...
This week's ThreatsDay Bulletin covers the $290M KelpDAO DeFi hack tied to Lazarus Group, new macOS living-off-the-land attack techniques, ProxySmart SIM...
Microsoft is rolling out Windows Update improvements that give users more control over how updates are installed while reducing disruption from frequent...
Microsoft released out-of-band updates to address critical issues affecting Windows Server systems that emerged after the installation of April 2026 Patch...
Microsoft has acknowledged that a recent Microsoft Edge browser update introduced a regression that breaks right-click paste functionality in the...
CISA has added a high-severity Apache ActiveMQ vulnerability to its Known Exploited Vulnerabilities catalog after confirming active exploitation in the...
Google removed over 8.3 billion policy-violating ads and suspended 24.9 million accounts in 2025, while simultaneously rolling out sweeping Android 17...
A high-severity LDAP injection vulnerability in OPNsense's authentication connector allows unauthenticated attackers to bypass login controls by injecting...
Microsoft has suspended developer accounts used to maintain several prominent open-source projects without prior notice or a quick reinstatement path,...
A bypass of the CVE-2024-27297 patch in the Nix package manager allows attackers to follow symlinks during fixed-output derivation builds, enabling...
A critical CVSS 9.8 path traversal vulnerability in goshs, a SimpleHTTPServer written in Go, allows unauthenticated attackers to write arbitrary files via...
Fortinet has released emergency out-of-band patches for CVE-2026-35616, a critical pre-authentication API access bypass in FortiClient EMS that enables...
Fortinet has released an emergency weekend security update for CVE-2026-35616, a critical pre-authentication API access bypass in FortiClient EMS that is...
A critical unauthenticated SQL injection vulnerability (CVSS 9.1) in the setinfo endpoint allows remote attackers to corrupt data and cause denial of...
Cisco has released security advisories addressing a batch of critical and high-severity vulnerabilities across multiple products, covering flaws that...
Apple has extended security update eligibility to additional iPhone models still running iOS 18, enabling more devices to receive protections against the...
CISA has issued a mandatory patching directive ordering all U.S. federal agencies to apply Citrix NetScaler security updates by Thursday, March 5, 2026,...
A newly observed ClickFix campaign impersonates Cloudflare's CAPTCHA verification pages to deliver the Python-based Infiniti Stealer to macOS users via a...
A critical vulnerability in Gematik Authenticator prior to version 4.16.0 allows attackers to hijack authentication sessions via malicious deep links,...
Researchers have disclosed a critical unauthenticated remote code execution vulnerability in the GNU InetUtils telnet daemon (telnetd). CVE-2026-32746...
Microsoft is investigating a new bug affecting Samsung laptops after the February 2026 security update — some users are unable to access their C: drive...
Microsoft has pushed an out-of-band hotpatch (KB5084597) to Windows 11 Enterprise devices to address three integer-overflow RCE flaws in RRAS, one rated...
Veeam Software has released a critical security update for Backup & Replication, patching five remote code execution vulnerabilities with CVSS scores...
CISA mandated all federal civilian agencies patch CVE-2025-68613, a CVSS 9.9 remote code execution flaw in the n8n workflow automation platform, after...
Security researchers have published details of two newly patched critical vulnerabilities in n8n — CVE-2026-27577 (CVSS 9.4), an expression sandbox escape...
A high-severity host header injection vulnerability in ZITADEL's login V2 password reset flow allows attackers to redirect reset links to...
A stored cross-site scripting vulnerability in ZITADEL's login V2 interface allows organization administrators to inject malicious JavaScript via a...
A new cross-platform tool called Tirith hooks into terminal shells to detect and block Unicode homoglyph attacks, pipe-to-shell exploits, and supply chain...