Anyone got a CVE-2026-3055-vulnerable box I can throw my attempted detection script against? I mean, it's trivial, but still would like to have more certainty about our boxes NOT being impacted than "I think I understood the watchtowr blog & didn't fuck up" when we get asked if we need to emergency patch tomorrow :neobot_giggle:

@offseq

CRITICAL: CVE-2026-4851 affects CASIANO GRID::Machine

... which is abandonware last updated in 2011.

⚠️ CRITICAL: CVE-2026-4851 affects CASIANO GRID::Machine (≤0.127). Malicious remote hosts can trigger client-side RCE via unsafe eval() deserialization. Only connect to trusted hosts & review code paths. Details: https://radar.offseq.com/threat/cve-2026-4851-cwe-502-deserialization-of-untrusted-4ee6eb90 #OffSeq #CVE20264851 #Perl #Security

CISA just added two critical vulnerabilities to its Known Exploited Vulnerabilities catalog and both deserve your immediate attention.

First up is CVE-2026-33017, a code injection flaw in Langflow, the open-source AI workflow builder that has exploded in popularity.

Read more: https://steelefortress.com/7448up

#Cybersecurity #InfoSec #Privacy #ThreatIntel

- Syncthing got a 2.0 release and switched from LevelDB to SQLite https://github.com/syncthing/syncthing/releases
- macOS did that weird (a) Upgrade https://support.apple.com/de-de/126604 and is now at 2.6.4 with 8 (eight!) new emojis https://support.apple.com/en-us/122868
- Grafana security fix 12.4.1 -> 12.4.2 https://grafana.com/blog/grafana-security-release-critical-and-high-severity-security-fixes-for-cve-2026-27876-and-cve-2026-27880/
- TandoorRecipes got shared shopping lists and pantry inventory with 2.6.0 and an security update to 2.6.1 https://github.com/TandoorRecipes/recipes/releases
- Grist, qbittorrent and smokeping got updates for their containers. I haven't figured out what changed. https://hub.docker.com/r/gristlabs/grist https://github.com/linuxserver/docker-qbittorrent/releases https://github.com/linuxserver/docker-smokeping/releases
- Redis 8.6.2 with some bugfixes https://github.com/redis/redis/releases
- Home Assistant 2026.3.3 -> 2026.3.4. Nothing interesting. https://github.com/home-assistant/core/releases
- oh-my-zsh with tiny changes https://github.com/ohmyzsh/ohmyzsh/commits/master/
- Next section is done by homebrew. I don't even know what half of the stuff is used for. Don't judge for having fish and zsh.
ffmpeg 8.0.1_4 -> 8.1
pandoc 3.9 -> 3.9.0.2
nghttp2 1.68.0_1 -> 1.68.1
simdjson 4.4.0 -> 4.4.2
freetype 2.14.2 -> 2.14.3
cryptography 46.0.5 -> 46.0.6
ipython 9.11.0 -> 9.12.0
libavif 1.4.0 -> 1.4.1
harfbuzz 13.1.1 -> 13.2.1
glib 2.86.4 -> 2.88.0
aom 3.13.1 -> 3.13.2
svt-av1 4.0.1 -> 4.1.0
libnghttp2 1.68.0 -> 1.68.1
openexr 3.4.6 -> 3.4.8
ca-certificates 2025-12-02 -> 2026-03-19
esphome 2026.2.4 -> 2026.3.1
jupyterlab 4.5.6 -> 4.5.6_1
ada-url 3.4.3 -> 3.4.4
node 25.8.1_1 -> 25.8.2
fish 4.5.0 -> 4.6.0
icu4c@78 78.2 -> 78.3
jpeg-turbo 3.1.3 -> 3.1.4
- tailscale 1.96.2 now with easy file transfers "taildrop" https://tailscale.com/changelog
- Xcode 26.4 https://developer.apple.com/documentation/xcode-release-notes/xcode-26_4-release-notes

I haven't touched my desktop yet and probably won't.

Edit 1
I missed the Nextcloud update because I use that weird Nextcloud All-In-One container. nextcloud.com/changelog/

Edit 2
How did I miss the Mastodon upgrade from 4.5.7 to 4.5.8. I may be gone for a moment. https://github.com/mastodon/mastodon/releases

Edit 3
Why do I run a server in the garage?
evcc 0.209.6 -> 0.303.2 https://github.com/evcc-io/evcc/releases

- Syncthing got a 2.0 release and switched from LevelDB to SQLite https://github.com/syncthing/syncthing/releases
- macOS did that weird (a) Upgrade https://support.apple.com/de-de/126604 and is now at 2.6.4 with 8 (eight!) new emojis https://support.apple.com/en-us/122868
- Grafana security fix 12.4.1 -> 12.4.2 https://grafana.com/blog/grafana-security-release-critical-and-high-severity-security-fixes-for-cve-2026-27876-and-cve-2026-27880/
- TandoorRecipes got shared shopping lists and pantry inventory with 2.6.0 and an security update to 2.6.1 https://github.com/TandoorRecipes/recipes/releases
- Grist, qbittorrent and smokeping got updates for their containers. I haven't figured out what changed. https://hub.docker.com/r/gristlabs/grist https://github.com/linuxserver/docker-qbittorrent/releases https://github.com/linuxserver/docker-smokeping/releases
- Redis 8.6.2 with some bugfixes https://github.com/redis/redis/releases
- Home Assistant 2026.3.3 -> 2026.3.4. Nothing interesting. https://github.com/home-assistant/core/releases
- oh-my-zsh with tiny changes https://github.com/ohmyzsh/ohmyzsh/commits/master/
- Next section is done by homebrew. I don't even know what half of the stuff is used for. Don't judge for having fish and zsh.
ffmpeg 8.0.1_4 -> 8.1
pandoc 3.9 -> 3.9.0.2
nghttp2 1.68.0_1 -> 1.68.1
simdjson 4.4.0 -> 4.4.2
freetype 2.14.2 -> 2.14.3
cryptography 46.0.5 -> 46.0.6
ipython 9.11.0 -> 9.12.0
libavif 1.4.0 -> 1.4.1
harfbuzz 13.1.1 -> 13.2.1
glib 2.86.4 -> 2.88.0
aom 3.13.1 -> 3.13.2
svt-av1 4.0.1 -> 4.1.0
libnghttp2 1.68.0 -> 1.68.1
openexr 3.4.6 -> 3.4.8
ca-certificates 2025-12-02 -> 2026-03-19
esphome 2026.2.4 -> 2026.3.1
jupyterlab 4.5.6 -> 4.5.6_1
ada-url 3.4.3 -> 3.4.4
node 25.8.1_1 -> 25.8.2
fish 4.5.0 -> 4.6.0
icu4c@78 78.2 -> 78.3
jpeg-turbo 3.1.3 -> 3.1.4
- tailscale 1.96.2 now with easy file transfers "taildrop" https://tailscale.com/changelog
- Xcode 26.4 https://developer.apple.com/documentation/xcode-release-notes/xcode-26_4-release-notes

I haven't touched my desktop yet and probably won't.

Edit 1
I missed the Nextcloud update because I use that weird Nextcloud All-In-One container. nextcloud.com/changelog/

Edit 2
How did I miss the Mastodon upgrade from 4.5.7 to 4.5.8. I may be gone for a moment. https://github.com/mastodon/mastodon/releases

Edit 3
Why do I run a server in the garage?
evcc 0.209.6 -> 0.303.2 https://github.com/evcc-io/evcc/releases

🚨 CVE-2026-5036: HIGH severity stack buffer overflow in Tenda 4G06 (04.06.01.29) enables remote code execution. Exploit code is public — patch or mitigate now. Watch for attacks on /goform/DhcpListClient. https://radar.offseq.com/threat/cve-2026-5036-stack-based-buffer-overflow-in-tenda-210df5d9 #OffSeq #CVE20265036 #RouterSecurity

⚠️ CVE-2026-4987 (HIGH): SureForms plugin for WordPress lets attackers bypass payment amount validation by setting form_id to 0 — no auth needed, all versions <=2.5.2 at risk. Patch or mitigate now! https://radar.offseq.com/threat/cve-2026-4987-cwe-20-improper-input-validation-in--6438ea07 #OffSeq #WordPress #Vuln #PaymentSecurity