2026-05 Cumulative Update for Windows Server 2022 Datacenter: Azure Edition for x64-based Systems (KB5087545)

A security issue has been identified in a Microsoft software product that could affect your system. You can help protect your system by installing this update from Microsoft. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article...

DEBIAN-CVE-2026-41293

Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27. Older, end of support versions may also be affected. Users are recommended to...

CVE-2026-43515

The CVE-2026-43515 issue is an Improper Authorization flaw in Apache Tomcat caused by multiple method constraints defining the HTTP method for the same extension. Affected versions include Tomcat 11.0.0-M1–11.0.21, 10.1.0-M1–10.1.54, 9.0.0.M1–9.0.117, 8.5.0–8.5.100, and 7.0.0–7.0.109. Mitigation ...

CVE-2026-41293

Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27. Older, end of support versions may also be affected. Users are recommended to...

sealed-env: TOTP secret embedded in unseal token payload (enterprise mode)

In sealed-env enterprise mode, versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embedded the operator's literal TOTP secret in the JWS payload of every minted unseal token. JWS payload is base64-encoded JSON, NOT encrypted. Any party who could observe a minted token CI build logs, container env dumps...

GHSA-8HF9-3Q64-Q2QF Dalfox Server Mode has an Unauthenticated Arbitrary File Create/Append via `output` Option

Summary When dalfox is run in REST API server mode, the output, output-all, and debug fields in model.Options are JSON-tagged and deserialized directly from the attacker's request body, then propagated unchanged through dalfox.Initialize into the scan engine's logging path. The logger opens the...

Arbitrary Code Injection

Overview protobufjs-cli is a Translates between file formats and generates static code as well as TypeScript definitions. Affected versions of this package are vulnerable to Arbitrary Code Injection via the pbjs static code generation. An attacker can execute arbitrary code by providing crafted...

protobuf.js: Prototype injection in generated message constructors

Summary protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the proto key. If an application constructed a message from an attacker-controlled plain object, an own enumerable proto property could alter the prototype of that...

Command Injection

Overview protobufjs-cli is a Translates between file formats and generates static code as well as TypeScript definitions. Affected versions of this package are vulnerable to Command Injection via pbts. An attacker can execute arbitrary shell commands by supplying file paths containing shell...

CVE-2026-43930

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password OTP login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive...

Description of the security update for Word 2016: May 12, 2026 (KB5002858)

Description of the security update for Word 2016: May 12, 2026 KB5002858 Summary This security update resolves a Microsoft Office remote code execution vulnerability and Microsoft Word Information Disclosure Vulnerability. To learn more about the vulnerabilities, see the following security...

CVE-2026-43930

CVE-2026-43930 affects Parse Server. A race condition in the MFA SMS OTP login path before 8.6.76 and 9.9.0-alpha.2 can allow two concurrent /login requests carrying the same OTP to succeed, producing two valid session tokens. Impact is breaking single-use OTP; attacker must already know the vict...

CVE-2026-42006

CVE-2026-42006 describes that an attacker can cause uncontrolled memory usage by sending excessive bracing over IMAP. The underlying issue is an incomplete fix (CVE-2026-27857) that blocked only one of two vulnerability paths—closing braces but allowing open braces to bypass the limit. The result...

CVE-2026-42006

An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left open. In particular, the fix was for closing braces, but you could still use open braces to bypass t...

CVE-2026-33603

Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and...

Why Agentic AI Is Security's Next Blind Spot

Agentic AI is already running in production environments across many organizations today. It is executing tasks, consuming data, and taking actions — most likely without meaningful involvement from the security team. The industry conversation has largely framed this as a question of policy: allow...

CVE-2026-6813

The Continually plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

CVE-2026-6813

The Continually plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

CVE-2025-40833

The affected devices contain a null pointer dereference vulnerability while processing specially crafted IPv4 requests. This could allow an attacker to cause denial of service condition. A manual restart is required to recover the system...

CVE-2025-40833

The affected devices contain a null pointer dereference vulnerability while processing specially crafted IPv4 requests. This could allow an attacker to cause denial of service condition. A manual restart is required to recover the system...