CISA Adds Cisco Vulnerability CVE-2026-20131 to KEV Catalog
CISA has added CVE-2026-20131, a vulnerability in Cisco Secure Firewall Management Center Software and Cisco Security Cloud Control, to its Known Exploited Vulnerabilities (KEV) Catalog. This action is based on evidence of active exploitation and requires Federal Civilian Executive Branch (FCEB) agencies to remediate the vulnerability.
CISA ICS Advisory: Schneider Electric Modicon Controllers Vulnerable
CISA issued an advisory regarding vulnerabilities in Schneider Electric Modicon Controllers M241, M251, M258, and LMC058. Successful exploitation could lead to cross-site scripting or open redirect attacks, potentially resulting in account takeover or code execution.
CISA: Schneider Electric EcoStruxure Automation Expert Vulnerability Advisory
CISA issued an advisory regarding a critical vulnerability (CVE-2026-2273) in Schneider Electric's EcoStruxure Automation Expert software. The vulnerability could allow for arbitrary command execution on engineering workstations, potentially compromising industrial control systems. Schneider Electric has released version 25.0.1 as a fix.
CISA: Schneider Electric EcoStruxure PME/EPO Vulnerability Advisory
CISA issued an advisory regarding a deserialization of untrusted data vulnerability (CVE-2025-11739) affecting Schneider Electric's EcoStruxure Power Monitoring Expert (PME) and EcoStruxure Power Operation (EPO) products. The vulnerability could lead to arbitrary code execution, system compromise, operational disruption, and unauthorized administrative control.
CISA Advisory: Mitsubishi Electric CNC Series Vulnerability ICSA-26-078-05
CISA issued an advisory regarding a denial-of-service vulnerability (CVE-2025-2399) in Mitsubishi Electric CNC Series products. Successful exploitation could allow remote attackers to cause an out-of-bounds read. Affected products are deployed worldwide, with remediation guidance provided by the vendor.
CISA: CTEK Chargeportal Vulnerabilities Allow Unauthorized Administrative Control
CISA issued an advisory regarding critical vulnerabilities in CTEK Chargeportal software affecting energy and transportation sectors. Successful exploitation could lead to unauthorized administrative control or denial-of-service attacks on charging stations. The vendor is sunsetting the product in April 2026.
CISA: IGL-Technologies eParking.fi ICS Advisory
CISA released an advisory regarding vulnerabilities in IGL-Technologies eParking.fi charging stations. Successful exploitation could allow attackers to gain unauthorized administrative control or disrupt services. The advisory details two critical vulnerabilities, CVE-2026-29796 and CVE-2026-31903, affecting all versions of eParking.fi.
CISA ICS Advisory: WebCTRL Server Vulnerabilities Allow Communication Interception
CISA issued an advisory regarding multiple vulnerabilities in Automated Logic WebCTRL Premium Server. Successful exploitation could allow attackers to intercept or modify communications. The advisory provides details on affected versions and remediation guidance.
CISA Adds Microsoft SharePoint Vulnerability to KEV Catalog
CISA has added CVE-2026-20963, a Microsoft SharePoint deserialization vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Federal Civilian Executive Branch (FCEB) agencies are required to remediate this vulnerability.
CISA ICS Advisory: Schneider Electric Modicon Vulnerabilities
CISA issued an advisory regarding vulnerabilities in Schneider Electric Modicon M241, M251, and M262 controllers. Successful exploitation could lead to a denial-of-service condition. Affected versions are prior to 5.4.13.12 for M241/M251 and 5.4.10.12 for M262.
EDPB Launches Coordinated GDPR Enforcement on Transparency
The European Data Protection Board (EDPB) has launched a coordinated enforcement action for 2026 focusing on compliance with GDPR transparency and information obligations. Twenty-five Data Protection Authorities across Europe will participate, assessing controllers' adherence to Articles 12, 13, and 14 of the GDPR.
Python Vulnerability Allows Security Policy Bypass
CERT-FR has issued an advisory regarding a vulnerability in Python (CVE-2026-3479) that allows attackers to bypass security policies. The advisory urges users to apply the latest security patches provided by the Python vendor.
VMware Product Vulnerabilities Identified by CERT-FR
CERT-FR has issued an advisory regarding multiple vulnerabilities discovered in various VMware products. These vulnerabilities could allow an attacker to cause unspecified security issues. Affected users are advised to consult VMware's security bulletins for patch information.
Mitel Products Vulnerability - XSS
CERT-FR has issued an advisory regarding a cross-site scripting (XSS) vulnerability affecting various Mitel product versions. Affected systems include specific versions of MCX and MiContact Center Business. Users are advised to consult Mitel's security bulletin for patch information.
CERT-FR: Multiple vulnerabilities in Roundcube software
CERT-FR has issued an advisory regarding multiple vulnerabilities discovered in Roundcube webmail software. The vulnerabilities could lead to data confidentiality breaches, server-side request forgery (SSRF), and cross-site scripting (XSS). Users are advised to consult the vendor's security bulletin for patch information.
Microsoft Products Vulnerabilities
CERT-FR has issued an advisory regarding multiple vulnerabilities discovered in Microsoft products. These vulnerabilities could allow an attacker to exploit unspecified security issues. Affected systems include specific versions of azl3 and cbl2 components.
CERT-FR Advises on Splunk Universal Forwarder Vulnerabilities
CERT-FR has issued an advisory regarding multiple vulnerabilities discovered in Splunk Universal Forwarder. The advisory details affected versions and references Splunk's security bulletin for patch information. The vulnerabilities could allow an attacker to cause unspecified security issues.
Ubiquiti UniFi Vulnerabilities Allow Privilege Escalation
CERT-Bund has issued a security advisory for Ubiquiti UniFi Network Application, detailing vulnerabilities that allow for privilege escalation. The advisory assigns a critical CVSS Base Score of 10.0 and a high CVSS Temporal Score of 8.7, indicating a significant security risk. Affected versions include UniFi Network Application <10.1.89, <10.2.97, <9.0.118, and UniFi Express <4.0.13.
Xpdf Vulnerability Allows Denial of Service
CERT-Bund has issued a security advisory regarding a denial-of-service vulnerability in the Xpdf PDF viewer. The vulnerability affects versions of Xpdf on Linux, UNIX, and Windows systems. The advisory provides information on the vulnerability and mitigation, noting a CVSS base score of 2.9.
Dell Secure Connect Gateway Policy Manager Critical Vulnerabilities
CERT-Bund has issued a security advisory for Dell Secure Connect Gateway Policy Manager, detailing critical vulnerabilities (CVSS Base Score 9.8) that could allow remote attacks. The advisory affects versions prior to 5.34.00.14 and recommends mitigation.
Jenkins Vulnerabilities Allow Code Execution and Info Disclosure
CERT-Bund has issued a security advisory for Jenkins, detailing multiple vulnerabilities with a high CVSS base score. These vulnerabilities allow attackers to execute arbitrary code, bypass security measures, and disclose confidential information. Affected versions include Jenkins weekly <2.555 and Jenkins LTS <2.541.3.
Samba Vulnerability Allows Information Disclosure
CERT-Bund has issued an advisory regarding a Samba vulnerability (WID-SEC-2026-0780) that allows local attackers to disclose information. The vulnerability affects Open Source Samba versions prior to 4.24.0 and has a CVSS Base Score of 5.5.
Drupal Automated Logout Extension Vulnerability Allows File Manipulation
CERT-Bund has issued a security advisory regarding a vulnerability in Drupal's Automated Logout Extension. The vulnerability allows remote, anonymous attackers to manipulate files. Affected versions include Open Source Drupal Automated Logout <1.7.0 and <2.0.2.
WebKitGTK Vulnerabilities Allow Code Execution, DoS, Info Disclosure
CERT-Bund has issued a security advisory (WID-SEC-2026-0782) regarding multiple vulnerabilities in WebKitGTK, a web browser engine used across various operating systems. The vulnerabilities, with a CVSS Base Score of 8.8, can allow remote attackers to execute arbitrary code, cause denial-of-service conditions, or disclose sensitive information.
IBM QRadar SIEM Critical Vulnerabilities
CERT-Bund has issued a security advisory regarding critical vulnerabilities in IBM QRadar SIEM, versions prior to 7.5.0 UP15. These vulnerabilities, with a CVSS Base Score of 9.8, allow for remote code execution, information disclosure, denial of service, and file manipulation.
libarchive Vulnerability Allows Denial-of-Service
CERT-Bund has issued a security advisory regarding a vulnerability in the libarchive library, which allows for denial-of-service attacks. The vulnerability affects various operating systems including Linux, UNIX, and Windows, and specific versions of Red Hat Enterprise Linux. Mitigation measures are available.
Keycloak Vulnerabilities: Info Disclosure and Privilege Escalation
CERT-Bund has issued a security advisory regarding critical vulnerabilities in Keycloak versions prior to 26.5.6. These vulnerabilities allow for remote information disclosure and privilege escalation. Mitigation is available.
Microsoft Dynamics 365 SQL Injection Vulnerability
CERT-Bund has issued a security advisory for Microsoft Dynamics 365 Customer Engagement regarding a critical SQL injection vulnerability (CVSS 8.8). The vulnerability allows authenticated remote attackers to execute arbitrary SQL commands, potentially leading to privilege escalation or operating system command execution.
Roundcube Vulnerabilities: Critical Score, File Manipulation, XSS
CERT-Bund has issued a security advisory for Roundcube, a PHP-based open-source webmail system. Multiple vulnerabilities with a critical CVSS base score of 10.0 have been identified, allowing attackers to manipulate files, bypass security measures, and perform cross-site scripting attacks.
Python Path Traversal Vulnerability Disclosed
CERT-Bund has disclosed a path traversal vulnerability in Python versions prior to 3.15.0. The vulnerability, with a CVSS base score of 4.0, is exploitable by local attackers. Mitigation is available.
SuiteCRM Vulnerabilities Allow Code Execution, Data Manipulation, SSRF, DoS
CERT-Bund has issued a security advisory for SuiteCRM, detailing multiple vulnerabilities that could allow attackers to execute arbitrary code, manipulate data, perform SSRF attacks, or cause denial-of-service conditions. The advisory affects versions prior to 7.15.1 and 8.9.3, with a CVSS base score of 8.8.
ICO Fines Reddit for UK GDPR Violations
The UK's Information Commissioner's Office (ICO) has fined Reddit, Inc. £14.4 million for violating UK GDPR. The penalty stems from failures in age assurance mechanisms and data protection impact assessments, which led to unlawful processing of children's data and potentially exposed them to harmful content.
TriZetto Data Breach Notification Letter
TriZetto Provider Solutions is notifying individuals of a cybersecurity incident that may have involved protected health information. The incident, discovered on October 2, 2025, potentially exposed patient names, addresses, dates of birth, and in some cases, Social Security numbers. TriZetto is offering identity protection services to affected individuals.
TriZetto Provider Solutions Data Breach Notification
TriZetto Provider Solutions is notifying individuals about a data breach and offering identity monitoring services. The notice provides instructions for enrollment, steps to protect personal information, and contact information for relevant agencies.
Worcester State University Data Breach Notification
Worcester State University issued a data breach notification letter on February 25, 2026, detailing a breach that exposed personal information of students and staff from January 24 to February 2, 2026. The university has updated its policies to prevent future incidents and is providing guidance on security freezes.
Massachusetts General Hospital Data Breach Notification
Massachusetts General Hospital (MGH) issued a data breach notification on February 25, 2026, regarding an incident where Protected Health Information (PHI) was inadvertently sent to the incorrect patient. The breach involved names, dates of birth, Social Security numbers, and diagnoses. MGH is offering 24 months of free credit monitoring and identity theft protection services.
Hingham Municipal Lighting Plant Data Breach Notification
The Hingham Municipal Lighting Plant has issued a data breach notification letter to affected individuals. The incident involved the exposure of personal information, including names, Social Security numbers, and driver's license numbers. Affected individuals are offered two years of complimentary identity protection services.
AI Standards, Regulations, and Enforcement Efforts Discussed
Global jurisdictions are discussing policies for responsible AI development and use, but the pace of AI innovation is outpacing regulation. Stakeholders at the AI Standards Hub Global Summit 2026 highlighted the importance of technical standards and assurance systems in guiding compliance amidst evolving regulatory frameworks like the EU AI Act and a patchwork of US state laws.
GDPR Article 25: Data Protection by Design and Default Factors
This analysis discusses the implementation of GDPR Article 25, focusing on data protection by design and by default. It highlights the importance of continuously assessing state of the art, cost of implementation, processing context, and risks to individuals, especially with the rise of AI.
CISA KEV: Microsoft SharePoint RCE Vulnerability (CVE-2026-20963)
CISA has added a Microsoft SharePoint remote code execution vulnerability (CVE-2026-20963) to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability has a CVSS score of 8.8 and is actively exploited.
CISA KEV: Zimbra Collaboration XSS Vulnerability CVE-2025-66376
CISA has added a known exploited vulnerability, CVE-2025-66376, affecting Zimbra Collaboration. This cross-site scripting (XSS) vulnerability requires immediate attention from federal agencies and organizations using the affected software.
ICO Decision Notice: House of Commons FOI Complaint
The UK's Information Commissioner's Office (ICO) has issued a decision notice regarding a complaint against the House of Commons. The ICO found that the House of Commons correctly relied on Section 40(2) of the Freedom of Information Act to withhold information related to role upgrades, deeming it third-party personal data.
ICO Decision: NHS Trust failed to respond to FOI request
The ICO has issued a decision notice finding that Guy's and St Thomas' NHS Foundation Trust failed to respond to a Freedom of Information (FOI) request within the statutory 20-working-day period. The Trust is required to provide a substantive response to the request.
ICO Decision: Sheffield City Council breached EIR on Montague Street closure request
The UK's Information Commissioner's Office (ICO) has ruled that Sheffield City Council breached Environmental Information Regulations (EIR) by failing to respond to a request about the Montague Street closure. The Council is required to provide a substantive response to the complainant.
ICO Decision Notice: FOI exemption for parking machine data upheld
The UK's Information Commissioner's Office (ICO) has issued a decision notice regarding a Freedom of Information (FOI) complaint against East Riding of Yorkshire Council. The ICO found that the council correctly applied the law enforcement exemption (FOI 31(1)(a)) to withhold parking machine data, and the public interest favors maintaining this exemption.
ICO rules Council FOI request not vexatious, orders fresh response
The UK's Information Commissioner's Office (ICO) has ruled that Westmorland and Furness Council wrongly claimed a Freedom of Information (FOI) request regarding an external consultant report was vexatious. The ICO has ordered the Council to issue a fresh response within 30 days.
ICO Decision: St. Werburgh’s C. E. Primary School FOI Complaint Upheld
The Information Commissioner's Office (ICO) has upheld a complaint against St. Werburgh’s C. E. Primary School for failing to respond to a Freedom of Information request within the statutory 20 working days. The school is now required to provide a response within 30 calendar days.
Rotherham Council Failed FOI Request Response Time
The ICO has issued a decision notice against Rotherham Metropolitan Borough Council for failing to respond to a Freedom of Information (FOI) request within the statutory 20 working days. The Council is now required to provide a response within 30 calendar days.
ICO Decision Notice: Cabinet Office FOI Refusal Upheld
The UK's Information Commissioner's Office (ICO) has upheld the Cabinet Office's refusal to confirm or deny holding records related to the potential proscription of Palestine Action. This decision relates to a Freedom of Information request and the application of section 35(3) of FOIA concerning ministerial communications.
ICO Decision Notice: Kensington and Chelsea FOI Breach
The UK's Information Commissioner's Office (ICO) issued a decision notice against the Royal Borough of Kensington and Chelsea for breaching Section 10 of the Freedom of Information Act. The authority failed to respond to a request for information within the statutory 20 working days.
Home Office ordered to reply to FOI request
The ICO has ordered the Home Office to respond to a Freedom of Information (FOI) request that was not answered within the statutory 20-day period. The Home Office must now provide a response to the complainant within 30 calendar days.
NIST CSWP 37A Automation of the Cryptographic Module Validation Program
NIST has published CSWP 37A, detailing the automation of the Cryptographic Module Validation Program (CMVP). This white paper reports on the progress of the Automated Cryptographic Module Validation Project (ACMVP) and outlines planned next steps for improving the efficiency of FIPS 140-3 validation processes.
AEPD Spain: GDPR Fine of €4M for Data Information Failure
The Spanish Data Protection Agency (AEPD) has issued a €4 million fine to SERVICIOS INMOBILIARIOS Y GESTIÓN RCL-MADRID, S.L. for failing to provide requested information during an investigation. This action stems from a complaint regarding potential GDPR violations.
AEPD Resolution on GDPR Rights Procedure
The Spanish Data Protection Agency (AEPD) has issued a resolution regarding a procedure for handling GDPR rights. The resolution addresses a complaint in which a data subject exercised their right of access and the respondent failed to provide the legally required response within the stipulated timeframe. This action initiates a formal procedure against the respondent for non-compliance.