Lucene search

3609 matches found

Wordfence Blog
added 6 days ago, 9 views

Wordfence Bug Bounty Program Monthly Report – March 2026

In March 2026, the Wordfence Bug Bounty Program received 1718 vulnerability submissions from our growing community of security researchers working to improve the overall security posture of the WordPress ecosystem. These submissions are reviewed, triaged, and processed by the Wordfence Threat...

6.2 AI score
Exploits: 0

Nvidia
added 2026/05/26 12:0 a.m., 5 views

Security Bulletin: NVIDIA Merlin - May 2026

NVIDIA has released a software update for NVIDIA® Merlin. To protect your system, clone or update this software to include any commit after March 11, 2026 from the NVIDIA-Merlin/Transformers4Rec GitHub repo. Go to NVIDIA Product Security. Details: The following table summarizes the potential...

7.8 CVSS, 5.9 AI score, 0.00024 EPSS
Exploits: 0, Affected Software: 1

EUVD
added 2026/05/13 9:32 p.m., 7 views

EUVD-2026-30113

Exposure of the QKEY used as input into the ‘OTA-Quantum’ device registration process and internal system keys via an unauthenticated and unencrypted HTTP GET method in the Arqit Symmetric Key Agreement Platform. This issue affects Symmetric Key Agreement Platform: before 26.03...

8.7 CVSS, 5.8 AI score, 0.00041 EPSS
Exploits: 0, References: 2

CVE
added 2026/04/29 4:46 a.m., 5 views

CVE-2026-21023

The vulnerability CVE-2026-21023 affects PackageManagerService prior to SMR Mar-2026 Release 1, enabling local attackers to modify installation restrictions on specific apps. Root cause: insufficient verification of data authenticity in PackageManagerService. Impact per the sources: trivial local...

6.9 CVSS, 5.2 AI score, 0.00003 EPSS
Exploits: 0, References: 1, Affected Software: 1

The Hacker News
added 2026/04/27 2:19 p.m., 4 views

Checkmarx Confirms GitHub Repository Data Posted on Dark Web After March 23 Attack

Checkmarx has disclosed that its ongoing investigation tied to the supply chain security incident has revealed that a cybercriminal group published data related to the company on the dark web. "Based on current evidence, we believe this data originated from Checkmarx's GitHub repository, and that...

5.9 AI score
Exploits: 0

Vulnrichment
added 2026/04/21 7:15 p.m., 2 views

CVE-2026-40873 mailcow: dockerized vulnerable to stored XSS in Quarantine attachment filenames

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name s...

8.9 CVSS, 5.9 AI score, 0.00112 EPSS
Exploits: 0, References: 1

Tenable Nessus
added 2026/04/17 12:0 a.m., 2 views

Security Updates for Microsoft Windows Admin Center in Azure Portal (March 2026)

The Microsoft Windows Admin Center in Azure Portal installed on the remote host is missing a security update. It is, therefore, affected by a vulnerability: Elevation of Privilege vulnerability in Windows Admin Center in Azure Portal (CVE-2026-23660). Note that Nessus has not tested for this issue...

7.8 CVSS, 5.8 AI score, 0.00061 EPSS
Exploits: 0, References: 2

Microsoft KB
added 2026/04/14 2:0 p.m., 5 views

April 14, 2026—KB5082123 (OS Build 17763.8644)

April 14, 2026—KB5082123 (OS Build 17763.8644). Windows Secure Boot certificate expiration. Important: Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. This might affect the ability of certain personal and business devices to boot securely if not updated ...

8.8 CVSS, 5.8 AI score, 0.00565 EPSS
Exploits: 3

GithubExploit
added 2026/04/09 6:11 a.m., 163 views

Exploit for CVE-2026-40271

Lazarus Group: 19-Day A/B Test Campaign Analysis TLP:CLEA...

6 AI score
Exploits: 1

Github Security Blog
added 2026/04/08 12:18 a.m., 4 views

Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder

CVSSv3.1 Rating: Medium. CVSSv3.1 Score: 5.9. CVSSv3.1 Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. Summary and Impact: An issue exists in the EventStream header decoder in AWS SDK for Go v2 in versions predating 2026-03-23. An actor can send a malformed EventStream response frame...

5.9 AI score
Exploits: 0, References: 3, Affected Software: 12

Positive Technologies
added 2026/04/08 12:0 a.m., 1 views

PT-2026-31394

Name of the Vulnerable Software and Affected Versions: SonicWall SMA1000 series appliances. Description: An SQL injection flaw exists in SonicWall SMA1000 series appliances. A remote authenticated attacker with read-only administrator privileges can escalate privileges to primary administrator. The...

9 CVSS, 7.2 AI score, 0.00033 EPSS
Exploits: 0, References: 13

OSV
added 2026/04/07 6:14 p.m., 2 views

GHSA-WPC6-37G7-8Q4W OpenClaw: Shell init-file options could satisfy exec allowlist script matching

Summary: Before OpenClaw 2026.3.31, exec allowlist matching could treat shell init-file wrapper invocations as if the approved script itself were being executed. Shell options such as --rcfile, --init-file, and --startup-file could therefore inherit allowlist trust from a matched script path even...

7.3 CVSS, 6.1 AI score, 0.00024 EPSS
Exploits: 0, References: 5

Positive Technologies
added 2026/04/07 12:0 a.m., 5 views

PT-2026-30819

Name of the Vulnerable Software and Affected Versions: Weaver Fanwei E-cology versions 10.0 through 20260311. Description: An unauthenticated remote code execution flaw exists due to exposed debug functionality. Attackers can execute arbitrary system commands by sending crafted POST requests to the...

9.8 CVSS, 6.8 AI score, 0.00298 EPSS
Exploits: 1, References: 64

EUVD
added 2026/04/06 4:8 p.m., 1 views

EUVD-2026-19354

Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran...

9.8 CVSS, 5.8 AI score, 0.00029 EPSS
Exploits: 0, References: 5

CNNVD
added 2026/04/06 12:0 a.m., 2 views

Amazon Web Services Research and Engineering Studio Security Vulnerability

Amazon Web Services Research and Engineering Studio is a cloud-based research and engineering environment of Amazon, Inc. There is a security vulnerability in the version of Amazon Web Services Research and Engineering Studio from March 2025 to December 1, 2025. This vulnerability stems from the...

8.8 CVSS, 7.6 AI score, 0.00124 EPSS
Exploits: 1, References: 4

Wired Threat Level
added 2026/04/05 9:0 a.m., 2 views

The Hack That Exposed Syria’s Sweeping Security Failures

When Syrian government accounts were hijacked in March, the breach looked chaotic. But it revealed something more troubling: a state struggling with the most basic layer of cybersecurity...

5.9 AI score
Exploits: 0

Positive Technologies
added 2026/04/02 12:0 a.m., 3 views

PT-2026-29967

Name of the Vulnerable Software and Affected Versions: @usebruno/cli versions installed between 00:21 UTC and 03:30 UTC on March 31, 2026. Description: A supply chain attack involving compromised versions of the axios npm package introduced a hidden dependency deploying a cross-platform Remote Acces...

9.8 CVSS, 6 AI score, 0.00029 EPSS
Exploits: 0, References: 9

OSV
added 2026/04/01 4:33 p.m., 2 views

GO-2026-4919 Trivy ecosystem supply chain was briefly compromised in github.com/aquasecurity/trivy

On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release...

9.4 CVSS, 5.9 AI score, 0.23896 EPSS
Exploits: 2, References: 14

Circl
added 2026/03/31 7:20 p.m., 1 views

GHSA-FGV2-4Q4G-WC35

creationtimestamp | type | source
---|---|---
2026-03-31 19:20:27+00:00 | published-proof-of-concept | Telegram/pGlKXNBirRT0gxqFC1bVLs6pojbUfu72MTdyyvCxHD2SpM...

4.8 AI score
Exploits: 0

Circl
added 2026/03/31 6:31 p.m., 0 views

CVE-2026-32726

creationtimestamp | type | source
---|---|---
2026-03-31 18:31:15+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3miesq35nbb2w
2026-03-31 19:10:17+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mieuvvjrol25
2026-03-31 19:20:34+00:00 | published-proof-of-concept | ...

8.1 CVSS, 4.8 AI score, 0.00038 EPSS
Exploits: 1, References: 3