GIMP Vulnerabilities Allow Remote Code Execution
CERT-Bund has issued a security advisory regarding multiple vulnerabilities in GIMP, a popular open-source image editing software. These vulnerabilities, with a CVSS Base Score of 7.8, could allow remote attackers to execute arbitrary code on affected systems running Linux, UNIX, or Windows.
TYPO3 Extensions Multiple Vulnerabilities
CERT-Bund has issued a security advisory for multiple vulnerabilities in TYPO3 Extensions, including Mailqueue and Redirect Tab. The vulnerabilities have a CVSS base score of 7.5 and can allow for remote code execution or information disclosure.
Varnish HTTP Cache Vulnerability Allows Security Bypass
CERT-Bund has issued a security advisory (WID-SEC-2026-0749) regarding a vulnerability in Varnish HTTP Cache. Affected are versions prior to the fixed releases 8.0.1, 9.0, 6.0.17, and 6.0.16r12. The vulnerability allows remote attackers to bypass security measures and has a CVSS base score of 6.5.
Red Hat Linux Vulnerability Allows Privilege Escalation and Info Disclosure
CERT-Bund has issued a security advisory (WID-SEC-2026-0756) regarding a vulnerability in Red Hat Enterprise Linux, affecting version 9 and versions prior to 10. The vulnerability allows local attackers to escalate privileges and disclose information. The CVSS base score is 6.8.
Apache Airflow Multiple Vulnerabilities Advisory
CERT-Bund has issued a security advisory for Apache Airflow, detailing multiple vulnerabilities with a CVSS score of 8.6. The advisory affects versions prior to 3.1.8 and impacts Linux and UNIX operating systems. Exploitation could lead to security bypass and information disclosure.
Linux Kernel Vulnerabilities Allow Security Bypass
CERT-Bund has issued a security advisory regarding multiple vulnerabilities in the Linux Kernel, identified as WID-SEC-2026-0754. These vulnerabilities allow attackers to bypass security measures, with a CVSS Base Score of 6.5. Several versions of the Open Source Linux Kernel are affected.
IBM SPSS Multiple Vulnerabilities Advisory
CERT-Bund has issued a security advisory for IBM SPSS, detailing multiple vulnerabilities with a CVSS score of 8.2. These vulnerabilities allow for remote attacks, including cross-site scripting and denial of service. Affected systems include Linux, UNIX, and Windows.
KeePassXC Vulnerability Allows Privilege Escalation
CERT-Bund has issued a security advisory for KeePassXC, detailing a vulnerability that allows local attackers to escalate privileges. The advisory affects versions prior to 2.7.12 on Linux, UNIX, and Windows systems.
CERT-FR: Multiple Redmine Vulnerabilities Identified
CERT-FR has issued a security advisory regarding multiple vulnerabilities discovered in Redmine software. The vulnerabilities include Cross-Site Scripting (XSS) and security policy bypass, affecting specific versions of Redmine. Users are advised to consult the Redmine security advisories for patch information.
CERT-FR: Multiple Spring AI Vulnerabilities, SQL Injection Risks
CERT-FR has issued an advisory regarding multiple vulnerabilities in Spring AI, versions 1.0.x prior to 1.0.4 and 1.1.x prior to 1.1.3. These vulnerabilities allow for SQL injection and security policy bypass. Users are advised to consult the vendor's security bulletins for patch information.
Microsoft Products Vulnerability CVE-2026-32249 Discovered
CERT-FR has issued a notice regarding a vulnerability (CVE-2026-32249) discovered in Microsoft products. The advisory details affected systems and directs users to Microsoft's security bulletin for patches.
Multiple Vulnerabilities in Kaspersky Products Identified
CERT-FR has issued a security advisory regarding multiple vulnerabilities discovered in various Kaspersky product versions. These vulnerabilities could allow an attacker to cause unspecified security issues. Users are advised to consult Kaspersky's security bulletin for patch information.
CERT-FR: Multiple vulnerabilities in Mattermost Server
CERT-FR has issued an advisory regarding multiple vulnerabilities discovered in Mattermost Server. These vulnerabilities could allow an attacker to bypass security policies. Users are advised to consult Mattermost's security bulletins for patch information.
Multiple Python Vulnerabilities Affect CPython Systems
CERT-FR has issued a security advisory regarding multiple vulnerabilities discovered in Python, specifically affecting CPython installations without the latest security patches. These vulnerabilities could lead to security policy bypass. Users are advised to consult the vendor's security bulletins for available patches.
Microsoft Edge Vulnerability CVE-2026-3909
CERT-FR has issued a security advisory regarding a vulnerability in Microsoft Edge, identified as CVE-2026-3909. The advisory notes that this vulnerability is actively being exploited and affects versions prior to 146.0.3856.62.
CERT-FR: Multiple Xen Vulnerabilities Disclosed
CERT-FR has issued a security advisory regarding multiple vulnerabilities discovered in Xen versions 4.17.x and 4.18.x. These vulnerabilities could lead to data breaches, remote denial of service, and privilege escalation. Users are advised to apply security patches provided by Xen.
BfDI Welcomes EDPB GDPR Guidelines on Legitimate Interest
The European Data Protection Board (EDPB) has released draft guidelines on the processing of personal data based on legitimate interest under GDPR. The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) welcomes the initiative to provide greater legal certainty. The guidelines are now open for public consultation.
Global Privacy Assembly Adopts Resolution on Trustworthy International Data Traffic
The Global Privacy Assembly (GPA) adopted a resolution on trustworthy international data traffic, also known as Data Free Flow with Trust (DFFT). Initiated by the German delegation, the resolution provides core data protection elements to guide legal frameworks and transfer instruments for secure data transfers.
Vercel Next.js Vulnerabilities Allow DoS or Security Bypass
CERT-Bund has issued a security advisory for Vercel Next.js, detailing vulnerabilities that could allow remote attackers to perform Denial of Service attacks or bypass security measures. The advisory affects versions prior to 16.1.7 and 15.5.13, with a CVSS base score of 6.5.
Octopus Deploy Vulnerability Allows Remote File Manipulation
CERT-Bund has issued a security advisory for Octopus Deploy, detailing a vulnerability that allows remote authenticated attackers to manipulate files. The advisory affects specific versions of Octopus Deploy running on Linux and Windows and provides mitigation information.
NetBox Cross-Site Scripting Vulnerability Advisory
CERT-Bund has issued a security advisory for NetBox, detailing a vulnerability that allows for Cross-Site Scripting attacks. The advisory affects NetBox version 4.3.5 and provides information on mitigation strategies.
Gitea Vulnerabilities Allow Bypass, Data Manipulation, Disclosure
CERT-Bund has issued a security advisory for Gitea, detailing multiple vulnerabilities with a CVSS base score of 7.3. These vulnerabilities can allow attackers to bypass security measures, manipulate data, and disclose confidential information. Users are advised to update to Gitea version 1.25.5 or later.
Kubernetes CSI Driver for NFS Vulnerability Allows Remote File Manipulation
CERT-Bund has issued a security advisory (WID-SEC-2026-0738) regarding a vulnerability in Kubernetes that allows remote authenticated attackers to manipulate files. The vulnerability affects the Open Source Kubernetes CSI Driver for NFS versions prior to 4.13.1 and has a CVSS Base Score of 6.5.
libexif Vulnerability Allows Code Execution and Denial-of-Service
CERT-Bund has issued a security advisory regarding a vulnerability in the libexif library (versions <=0.6.25). The vulnerability allows local attackers to execute arbitrary code, cause a denial-of-service, or disclose confidential information. Mitigation is available.
FFmpeg Vulnerability Allows Denial of Service and Information Disclosure
CERT-Bund has issued a security advisory (WID-SEC-2026-0740) regarding a vulnerability in the FFmpeg RV60 video decoder. The vulnerability allows remote attackers to cause a Denial of Service or disclose information. Affected are open source FFmpeg versions prior to 8.1, including 8.0 and 8.0.1.
CPython Vulnerabilities Allow File Manipulation and DoS
CERT-Bund has issued a security advisory regarding multiple vulnerabilities in CPython versions prior to 3.15.0. These vulnerabilities can be exploited by authenticated remote attackers to manipulate files or cause a denial-of-service condition. The advisory provides mitigation information for affected systems.
OpenClaw AI Assistant Vulnerabilities
CERT-Bund has issued a security advisory for OpenClaw, an AI assistant, detailing multiple vulnerabilities with a high CVSS base score of 8.1. The advisory urges users to mitigate the risks associated with privilege escalation and confidential information disclosure.
ImageMagick Vulnerability Allows Remote Denial of Service
CERT-Bund has issued a security advisory for ImageMagick, detailing a vulnerability that allows remote denial of service attacks. The advisory affects open source ImageMagick versions prior to 7.1.2-17 and prior to 6.9.13-42, impacting Linux, UNIX, and Windows systems.
Mattermost Vulnerabilities: Remote Attack Possible
CERT-Bund has issued a security advisory regarding multiple vulnerabilities in Mattermost Server. Affected are versions prior to the fixed releases 11.6.0, 11.5.1, 11.4.3, 11.4.0, 11.3.1, 11.2.3, 10.11.13, and 10.11.11. These vulnerabilities have a CVSS base score of 7.3 and allow for remote attacks.
OpenCTI Vulnerability Allows Bypassing Security Measures
CERT-Bund has issued a security advisory for OpenCTI, a cyber threat intelligence platform. The vulnerability allows remote, authenticated attackers to bypass security measures. The advisory affects OpenCTI versions prior to 6.9.1.
Langflow Vulnerabilities Allow Code Execution and Security Bypass
CERT-Bund has issued a security advisory (WID-SEC-2026-0747) regarding critical vulnerabilities in Langflow versions <=1.8.1 and <1.7.2. These flaws allow remote code execution and security bypass, with a CVSS base score of 10.0. Mitigation is available.
ENISA Chairs EU Agencies Network, Strengthens Cybersecurity
ENISA has taken over the chair of the EU Agencies Network (EUAN) for 2025-2026, focusing on implementing a new governance framework and strengthening cybersecurity across EU agencies. A Memorandum of Understanding was signed to reassert cooperation on shared services, including HR, cybersecurity, and legal services.
PCPD Releases AI Storybook for Primary Students
The Office of the Privacy Commissioner for Personal Data (PCPD) in Hong Kong has published a new Chinese storybook titled “Adventure in the AI Labyrinth” for primary school students. This initiative aims to educate young students on the proper use of artificial intelligence and the importance of personal data privacy protection.
CISA KEV: Wing FTP Server Path Disclosure Vulnerability
CISA has added CVE-2025-47813, a path disclosure vulnerability in Wing FTP Server, to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability affects versions prior to 7.4.4 and requires specific conditions to exploit.
ICO Decision Notice: FOI Partly Upheld
The UK's Information Commissioner's Office (ICO) issued a decision notice regarding a Freedom of Information request made to the London Borough of Southwark. The ICO partly upheld the request, finding the Council holds some information and failed to demonstrate it does not hold information for another part. The Council must issue a fresh response within 30 days.
ICO Decision: Council entitled to withhold homelessness report
The ICO has issued a decision notice regarding Newport City Council's withholding of a homelessness report. The council was found entitled to withhold information under section 41 of the Freedom of Information Act (FOIA) concerning information provided in confidence. No further action is required by the council.
ICO Decision Notice: NPCC FOI Complaint Not Upheld
The ICO has decided not to uphold a Freedom of Information complaint against the National Police Chiefs' Council (NPCC). The NPCC confirmed it holds no further information beyond what was already provided regarding cross-force access, and the ICO agreed.
ICO Decision: FOI Complaint Against Council for Delayed Response Upheld
The UK's Information Commissioner's Office (ICO) has upheld a Freedom of Information (FOI) complaint against the London Borough of Barking and Dagenham Council. The council failed to respond to an FOI request within the statutory 20 working days. The ICO has ordered the council to respond within 30 calendar days.
ICO Decision: NHS England FOI Response Time Failure
The ICO has issued a decision notice finding NHS England failed to respond to a Freedom of Information (FOI) request within the statutory 20 working days. The ICO requires NHS England to respond to the complainant within 30 calendar days.
ICO upholds Cabinet Office refusal of Trump-Starmer communication records
The UK's Information Commissioner's Office (ICO) has upheld the Cabinet Office's refusal to release records of a communication between Donald Trump and Keir Starmer. The ICO found that the Cabinet Office was justified in citing section 27 (international relations) of the Freedom of Information Act as grounds for withholding the information.
ICO Upholds FOI Complaint Against NHS Trust for Delayed Response
The UK's Information Commissioner's Office (ICO) has upheld a complaint against North Tees & Hartlepool NHS Foundation Trust for a delayed response to a Freedom of Information (FOI) request. While the Trust was found not to hold further information, a breach of FOI timelines was identified.
ICO Decision: DFE FOI Request on Student Finance Costs
The UK's Information Commissioner's Office (ICO) issued a decision regarding a Freedom of Information (FOI) request to the Department for Education (DfE) concerning student finance costs. The ICO upheld the DfE's decision to withhold projected cost information under FOIA section 35(1)(a).
ICO Decision: Council correct to withhold legal advice under EIR
The UK Information Commissioner's Office (ICO) issued a decision finding that Wychavon District Council was correct to withhold legal advice under Regulation 12(5)(b) of the Environmental Information Regulations (EIR). The decision upholds the council's action and requires no further steps.
ICO Orders BBC to Respond to FOI Request
The UK's Information Commissioner's Office (ICO) has issued a decision notice requiring the British Broadcasting Corporation (BBC) to respond to a Freedom of Information (FOI) request. The BBC failed to meet the statutory 20-working-day response deadline.
ICO Upholds FOI Complaint Against Epping Forest Council
The ICO has upheld a Freedom of Information (FOI) complaint against Epping Forest Council for failing to respond to a request within the statutory 20-working-day limit. The Council has been ordered to provide a response to the complainant within 30 calendar days.
ICO Decision Notice: Council Failed to Respond to FOI Request
The Information Commissioner's Office (ICO) issued a decision notice against South Gloucestershire Council for failing to respond to a Freedom of Information (FOI) request within the statutory 20-working-day period. The ICO requires the council to respond to the complainant within 30 calendar days.
ICO Decision Notice: Mid Sussex District Council - EIR Request
The ICO found that Mid Sussex District Council correctly applied exemptions to an EIR request regarding a poisoning allegation investigation. However, the council breached the 20-working-day response time. No further steps are required from the council.
ICO Upholds Complaint Against DCMS for Vexatious FOI Requests
The UK's Information Commissioner's Office (ICO) has upheld a complaint against the Department for Culture, Media & Sport (DCMS). The ICO found that DCMS failed to demonstrate that seven Freedom of Information requests were vexatious, overturning the department's refusal.
ICO Decision: DfC breached FOIA for Universal Credit info
The UK's Information Commissioner's Office (ICO) found the Department for Communities (DfC) breached the Freedom of Information Act (FOIA) by failing to confirm it held requested Universal Credit information within 20 working days and by not issuing a timely refusal notice. No further steps are required.
ICO Decision Notice: DFE FOI and Data Protection
The ICO issued a decision notice regarding the Department for Education's (DFE) handling of an FOI request. The ICO upheld the DFE's decision to refuse to confirm or deny the existence of information, citing data protection principles.
ICO Upholds FOI Complaint Against Waltham Forest Council
The UK's Information Commissioner's Office (ICO) has upheld a Freedom of Information (FOI) complaint against Waltham Forest Council for failing to respond to a request within the statutory 20 working days. The ICO has ordered the council to provide a response within 30 calendar days.
ICO Decision: Khalsa Academies Trust breached FOIA
The UK's Information Commissioner's Office (ICO) has issued a decision notice finding that Khalsa Academies Trust breached the Freedom of Information Act (FOIA) by failing to respond to a request within the statutory 20-working-day limit and by issuing an invalid refusal. The Trust is required to comply with FOIA.
ICO upholds FCDO's refusal to confirm Guantanamo Bay information
The UK's Information Commissioner's Office (ICO) has upheld the Foreign, Commonwealth and Development Office's (FCDO) refusal to confirm or deny the existence of information related to Guantanamo Bay. The decision allows the FCDO to rely on specific exemptions under the Freedom of Information Act.
ICO orders Potto Parish Council to respond to FOI request
The UK's Information Commissioner's Office (ICO) has ordered Potto Parish Council to respond to a Freedom of Information (FOI) request within 30 days. The Council must provide a fresh response that either discloses the requested information or issues a valid refusal notice, without requesting proof of identity.
ICO Decision: Bedford Borough Council FOI Request
The ICO has issued a decision regarding a Freedom of Information request made to Bedford Borough Council. The Council correctly withheld information under FOIA section 40(2) but was found to have breached the refusal notice requirements of FOIA section 17(1)(b). No further action is required.
GDPR Resolution on Data Protection Rights Procedure
The Spanish Data Protection Agency (AEPD) has issued a resolution regarding a data protection rights procedure. The case involves a complaint against INVERSIONES COLECTIVAS EN RED, S.L. (ICIRED) for failing to adequately address a consumer's rights of access and deletion after their data was included in a default file. The resolution details the complaint and the agency's procedural steps.