Overview
- Microsoft
- Microsoft Malware Protection Engine
Description
Statistics
- 4 Posts
- 251 Interactions
Fediverse
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45584
One job. You had one job.
Heap-based buffer overflow in Microsoft Defender allows an unauthorized attacker to execute code over a network.
Overview
Description
Statistics
- 6 Posts
- 1 Interaction
Fediverse
If your CMS is #Drupal, or if you know someone who administers a Drupal site: now is the time to check the version.
The CVE-2026-9082 flaw affects Drupal Core on a PostgreSQL backend: a critical SQL injection, exploitable without an account, which can lead to data leakage, privilege escalation or even RCE depending on the context.
Fix as a priority:
Drupal 10.5 → 10.5.10
Drupal 10.6 → 10.6.9
Drupal 11.2 → 11.2.12
Drupal 11.3 → 11.3.10
MySQL/MariaDB do not appear to be affected by this SQLi, but the updates also include Symfony/Twig: patching is recommended for everyone.
👇
https://www.drupal.org/sa-core-2026-004
"Drupal – CVE-2026-9082: this critical SQL injection flaw threatens websites"
👇
https://www.it-connect.fr/drupal-cve-2026-9082-cette-faille-critique-de-type-injection-sql-menace-les-sites-web/
🔍 (note the difference between the VLAI LLM estimate and the official CVSS rating of Medium)
👇
https://vulnerability.circl.lu/vuln/CVE-2026-9082
💬
⬇️
https://infosec.pub/
Drupal – CVE-2026-9082: this critical SQL injection flaw threatens websites https://www.it-connect.fr/drupal-cve-2026-9082-cette-faille-critique-de-type-injection-sql-menace-les-sites-web/ #ActuCybersécurité #Cybersécurité #Vulnérabilité #Web
🚨 Drupal sites using PostgreSQL face a highly critical SQL injection vuln (CVE-2026-9082), risking RCE & data exposure. Patch versions 11.3, 11.2, 10.6, 10.5.x ASAP. Update Symfony & Twig too. No active exploitation yet. https://radar.offseq.com/threat/drupal-patches-highly-critical-vulnerability-expos-a1486e66 #OffSeq #Drupal #SQLInjection #Infosec
Patch immediately before public exploits emerge.
https://www.drupal.org/sa-core-2026-004
Affected:
- 8.9.0 , < 10.4.10
- 10.5.0 , < 10.5.10
- 10.6.0 , < 10.6.9
- 11.0.0 , < 11.1.10
- 11.2.0 , < 11.2.12
- 11.3.0 , < 11.3.10
CVE-2026-9082 - Highly critical - SQL Injection
CVE-2026-8495 - Missing Authorization
CVE-2026-8493 - XSS
CVE-2026-8492
CVE-2026-8491
#Drupal #PHP #CyberSecurity #Infosec #CVE #WebSecurity #PostgreSQL #SqlInjection #PrivilegeEscalation #XSS
Bluesky
Overview
Description
Statistics
- 4 Posts
- 16 Interactions
Fediverse
Qualys has published their full write-up of CVE-2026-46333: https://www.openwall.com/lists/oss-security/2026/05/20/15
This includes a PoC to full root via `accounts-daemon` demonstrated in Debian 13, Fedora Workstation 43/44, so goes well beyond the initial "you need a program that opens a given file and you get to read it" assumption.
Bluesky
Overview
Description
Statistics
- 3 Posts
- 32 Interactions
Fediverse
Fedify security updates: 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3
If you use Fedify, update to a patched release now. CVE-2026-42462 affects Fedify's Linked Data Signature handling. An attacker could use JSON-LD graph-restructuring features to change how a signed activity is interpreted without invalidating its Linked Data Signature.
Fedify verifies incoming ActivityPub activities with several mechanisms, including HTTP Signatures, Object Integrity Proofs, and Linked Data Signatures. The vulnerable path is Linked Data Signatures: the signature is checked over the canonical RDF graph, but JSON-LD can represent the same graph in more than one JSON shape. In affected versions, that gap could let a signed activity be reshaped so that Fedify reads a different ActivityPub object shape than intended.
The fix makes Fedify normalize Linked Data Signature-verified activities against Fedify's local JSON-LD context before interpreting them, and rejects JSON-LD constructs that can preserve the signed RDF graph while changing the ActivityPub object shape consumed by Fedify.
Patched releases are 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3. The GitHub Security Advisory is GHSA-9rfg-v8g9-9367, and the CVE ID is CVE-2026-42462.
Update @fedify/fedify:
npm update @fedify/fedify
yarn upgrade @fedify/fedify
pnpm update @fedify/fedify
bun update @fedify/fedify
deno update @fedify/fedify
After updating, redeploy. If you run other Fedify-based servers, update those too.
Thanks to @Claire for the report and responsible disclosure.
If anything is unclear, ask below.
BotKit security updates: 0.3.3 and 0.4.2
If you use BotKit, update to a patched release now. CVE-2026-42462 affects Fedify's Linked Data Signature handling, and BotKit inherits the exposure through its dependency on Fedify.
The vulnerability allows an attacker to use JSON-LD graph-restructuring features—specifically @graph, @included, and @reverse—to reshape a signed ActivityPub activity without invalidating its Linked Data Signature. This can cause BotKit (via Fedify) to interpret a different ActivityPub object shape than was originally signed. The fix normalizes Linked Data Signature-verified activities against Fedify's local JSON-LD context before interpreting them, and rejects the JSON-LD constructs that enable the attack.
All versions of BotKit up to 0.3.2 (in the 0.3.x branch) and 0.4.1 (in the 0.4.x branch) are affected. Patched releases are 0.3.3 and 0.4.2.
For BotKit 0.4.x, update @fedify/botkit:
npm update @fedify/botkit
yarn upgrade @fedify/botkit
pnpm update @fedify/botkit
bun update @fedify/botkit
deno update @fedify/botkit
For BotKit 0.3.x, update @fedify/botkit:
npm update @fedify/botkit@0.3.3
yarn upgrade @fedify/botkit@0.3.3
pnpm update @fedify/botkit@0.3.3
bun update @fedify/botkit@0.3.3
deno update @fedify/botkit@0.3.3
If you use other BotKit-related packages (e.g., @fedify/botkit-postgres), update them as well. After updating, redeploy.
The CVE ID is CVE-2026-42462. See also fedify-dev/fedify#773 for Fedify's own announcement.
Thanks to @Claire for the report and responsible disclosure.
If anything is unclear, feel free to ask on GitHub Discussions or Matrix.
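The Fedify and BotKit announcements above describe the same mechanism: a Linked Data Signature covers the canonical RDF graph, while JSON-LD keywords such as @graph, @included and @reverse let the same graph be serialized in a different JSON shape. The block below is an added illustration, not code from Fedify, BotKit or their advisory. It builds three constructed ActivityStreams documents that denote the same statements but present different top-level shapes, shows what a consumer that trusts the top-level JSON sees in each case, and applies a literal-key gate that refuses the restructuring keywords before interpretation. The example.com URLs and the function names naiveTopLevelType, findRestructuringKeywords and interpretSignedActivity are assumptions made for the example.

```javascript
// Added example, not Fedify's or BotKit's code. It shows why a Linked Data
// Signature over the canonical RDF graph does not pin the JSON shape a consumer
// reads, and a pre-interpretation check that rejects the JSON-LD restructuring
// keywords named in the advisory (@graph, @included, @reverse).

// Constructed sample: a Create activity in the shape a consumer expects.
const signedShape = {
  "@context": "https://www.w3.org/ns/activitystreams",
  id: "https://example.com/activities/1",
  type: "Create",
  actor: "https://example.com/users/alice",
  object: {
    id: "https://example.com/notes/1",
    type: "Note",
    content: "hello",
  },
};

// Constructed: the same statements, but the Note is now the top-level node and
// the Create activity rides along in @included. Under the ActivityStreams
// context "object" is an IRI-valued term, so the string below yields the same
// triple as the nested object above; the expanded RDF graph is unchanged.
const includedShape = {
  "@context": "https://www.w3.org/ns/activitystreams",
  id: "https://example.com/notes/1",
  type: "Note",
  content: "hello",
  "@included": [
    {
      id: "https://example.com/activities/1",
      type: "Create",
      actor: "https://example.com/users/alice",
      object: "https://example.com/notes/1",
    },
  ],
};

// Constructed: the same graph once more, as a flat @graph array with no
// distinguished top-level node at all.
const graphShape = {
  "@context": "https://www.w3.org/ns/activitystreams",
  "@graph": [
    { id: "https://example.com/notes/1", type: "Note", content: "hello" },
    {
      id: "https://example.com/activities/1",
      type: "Create",
      actor: "https://example.com/users/alice",
      object: "https://example.com/notes/1",
    },
  ],
};

// What a consumer that trusts the top-level JSON shape believes it received.
function naiveTopLevelType(doc) {
  return typeof doc.type === "string" ? doc.type : null;
}

const RESTRUCTURING_KEYWORDS = new Set(["@graph", "@included", "@reverse"]);

// Walk the document and report every use of a restructuring keyword as a
// JSONPath-like location. The @context value is skipped: it is not a node in
// the graph, but it may alias keywords, which a literal-key check cannot see.
function findRestructuringKeywords(node, path = "$") {
  const hits = [];
  if (Array.isArray(node)) {
    node.forEach((item, i) => {
      hits.push(...findRestructuringKeywords(item, `${path}[${i}]`));
    });
  } else if (node !== null && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      if (RESTRUCTURING_KEYWORDS.has(key)) hits.push(`${path}.${key}`);
      if (key !== "@context") {
        hits.push(...findRestructuringKeywords(value, `${path}.${key}`));
      }
    }
  }
  return hits;
}

// Hypothetical consumer step: after the signature has verified, refuse to
// interpret any activity whose shape relies on restructuring keywords, then
// read the activity from the fixed top-level shape only.
function interpretSignedActivity(doc) {
  const hits = findRestructuringKeywords(doc);
  if (hits.length > 0) {
    throw new Error(`rejected: restructuring keywords at ${hits.join(", ")}`);
  }
  const object = doc.object;
  return {
    id: doc.id,
    type: doc.type,
    actor: doc.actor,
    objectId: typeof object === "string" ? object : object?.id ?? null,
  };
}
```

Run with `node` and call `naiveTopLevelType` on the three documents: the first reads as a Create, the second as a Note, the third has no type at all, yet all three carry the same triples and would canonicalize to the same signed graph. The literal-key gate is only a first line of defence: a JSON-LD @context can alias keywords (for example mapping a plain term to @included), and a remote context can do so invisibly, which is why the fix described above normalizes signature-verified activities against a local, pinned context before interpreting them rather than inspecting raw keys.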
Overview
- Microsoft
- Windows 11 Version 24H2
Description
Statistics
- 5 Posts
- 2 Interactions
Fediverse
New BitLocker vulnerability "YellowKey": Microsoft confirms zero-day vulnerability CVE-2026-45585. Attackers with physical access can decrypt encrypted drives. #Microsoft #Windows https://winfuture.de/news,158827.html?utm_source=Mastodon&utm_medium=ManualStatus&utm_campaign=SocialMedia
Bluesky
Overview
Description
Statistics
- 5 Posts
- 2 Interactions
Fediverse
I thought there was a bug in EPSS since I couldn't see the score for CVE-2026-45498, but... it's just too new. Released today. Rare not-Patch-Tuesday CVE release for Microsoft. Wonder what's up.
(It's a Microsoft Defender DoS, which, sure, seems bad for an A/V thing, but... it's just DoS according to the CVE and KB.)
(Also the KB says there's no exploitation, but CISA KEV says otherwise... curiouser and curiouser.)
Bluesky
Overview
- F5
- NGINX JavaScript
Description
Statistics
- 3 Posts
- 1 Interaction
Bluesky
Overview
- themefusion
- Avada (Fusion) Builder
Description
Statistics
- 2 Posts
Fediverse
🚨 CRITICAL: Avada (Fusion) Builder ≤3.15.2 has unauth RCE bug (CVE-2026-6279). Attackers can run PHP via exposed AJAX endpoint. Disable plugin or restrict access ASAP. Patch status: unconfirmed. https://radar.offseq.com/threat/cve-2026-6279-cwe-74-improper-neutralization-of-sp-f70da2f6 #OffSeq #WordPress #CVE20266279 #infosec
Overview
- Palo Alto Networks
- Cloud NGFW
Description
Statistics
- 2 Posts
Bluesky
Overview
Description
Statistics
- 2 Posts
- 3 Interactions
Fediverse
Thank you for these kind words!
If you are interested we started to deploy in production the algorithms presented during FIRST CTI in Munich. An example here:
https://vulnerability.circl.lu/vuln/cve-2026-42945#sightings
Click on the "Forecast" tab.
Have a nice day!