Utah Businesses Guided on Cash Rounding During Penny Shortage
The Utah Division of Consumer Protection has issued guidance to businesses on how to handle cash rounding during a national penny shortage. The guidance recommends a specific rounding methodology for cash-only transactions after taxes are calculated and requires businesses to provide notice of their chosen method.
FTC, States Reach $100M Settlement with Walmart Over Deception
The FTC and a bipartisan group of state attorneys general have reached a $100 million multistate settlement with Walmart over allegations of deceiving drivers and customers in its Spark Driver Program. The settlement resolves claims that Walmart misrepresented driver pay and customer tips, with $89 million for consumer restitution and $11 million in penalties to states.
Mercedes-Benz USA Settles with 50 States for $149.6M Over Emissions Defeat Devices
Utah and 49 other states (50 in all) have reached a $149.6 million settlement with Mercedes-Benz USA and Daimler AG for using illegal emissions defeat devices in over 211,000 diesel vehicles. The settlement addresses deceptive practices related to circumventing emissions standards and misleading consumers about environmental compliance.
Utah AG Secures $7.9M Judgment Against Amazon Store Scammer
The Utah Division of Consumer Protection secured a $7.9 million judgment and permanent ban against Parker J. Wilde for a deceptive Amazon e-commerce store scheme that defrauded over 200 consumers. Wilde is prohibited from participating in money-making schemes and telemarketing in Utah.
Utah Division of Consumer Protection Fines Maintenance Funding Providers
The Utah Division of Consumer Protection has concluded an audit of maintenance funding providers (MFPs), identifying over 600 violations of the Maintenance Funding Practices Act. This has resulted in nearly $100,000 in fines levied against 14 providers for issues including failure to register, improper disclosures, and inappropriate referral practices.
Apple Buffer Overflow Vulnerability Fixed in Safari, iOS, macOS
CISA has added a buffer overflow vulnerability (CVE-2025-31277) affecting Apple products to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, which allows for memory corruption via maliciously crafted web content, has been addressed by Apple in recent software updates.
Craft CMS Remote Code Execution Vulnerability Fixed
CISA has updated its Known Exploited Vulnerabilities (KEV) catalog to include CVE-2025-32432, a critical remote code execution vulnerability in Craft CMS. The vulnerability affects versions 3.x, 4.x, and 5.x and has been patched by the vendor. Organizations are urged to update their Craft CMS instances to the latest versions to mitigate this risk.
Apple Products Memory Corruption Vulnerability
CISA has updated its Known Exploited Vulnerabilities (KEV) catalog to include CVE-2025-43510, a memory corruption vulnerability affecting various Apple products. The vulnerability, which could allow a malicious application to cause unexpected memory changes, has been addressed by Apple in recent software updates.
Livewire v3.6.3 Remote Command Execution Vulnerability Patched
CISA has issued a notice regarding a critical remote command execution vulnerability (CVE-2025-54068) in Livewire v3 up to v3.6.3. The vulnerability, which affects specific configurations and does not require authentication, has been patched in version 3.6.4.
CISA: Apple Products Memory Corruption Vulnerability Addressed
CISA has issued an advisory regarding a memory corruption vulnerability (CVE-2025-43520) affecting various Apple products. The vulnerability, which could allow a malicious application to cause system termination or write kernel memory, has been addressed by Apple through software updates.
CISA Adds Five Known Exploited Vulnerabilities to Catalog
CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. These vulnerabilities pose significant risks to the federal enterprise and CISA urges all organizations to prioritize their remediation.
Atlassian Bamboo Data Center Vulnerability Allows Code Execution
CERT-Bund has issued a security advisory regarding a vulnerability in Atlassian Bamboo Data Center versions prior to 9.6.24, 10.2.16, and 12.1.3. The vulnerability allows remote, authenticated attackers to execute arbitrary code, posing a high risk.
Langflow Vulnerability Allows Remote Code Execution
CERT-Bund has issued a security advisory for Langflow, detailing a critical vulnerability that allows remote code execution. The advisory affects versions prior to 1.9.0 and impacts Linux, UNIX, and Windows operating systems. Mitigation measures are available.
VMware Tanzu Spring Boot Actuator Vulnerabilities
CERT-Bund has issued a security advisory for VMware Tanzu Spring Boot Actuator, detailing vulnerabilities that allow remote attackers to bypass security measures. The advisory affects multiple versions of VMware Tanzu Spring Boot prior to specific patch levels and includes a high CVSS base score.
Oracle Fusion Middleware Vulnerability Allows Code Execution
CERT-Bund has issued a security advisory for Oracle Fusion Middleware Identity Manager and Web Services Manager versions prior to 12.2.1.4.0 and 14.1.2.1.0. A critical vulnerability (CVSS 9.8) allows remote attackers to execute arbitrary code, potentially leading to full system compromise.
Google Chrome Vulnerabilities (CVSS 8.8)
CERT-Bund has issued a security advisory for Google Chrome, detailing multiple vulnerabilities with a CVSS Base Score of 8.8. These vulnerabilities could allow remote attackers to execute code, bypass security measures, cause denial of service, or manipulate data. Affected versions are Google Chrome releases prior to 146.0.7680.153/154 on Linux, macOS, and Windows.
Critical Azure Vulnerabilities: Remote Attack, Privilege Escalation
CERT-Bund has issued a security advisory regarding critical vulnerabilities in Microsoft Azure DevOps, Data Factory, and Cloud Shell. These vulnerabilities allow remote attackers to escalate privileges, manipulate data, and disclose sensitive information, with a CVSS base score of 10.0.
Kubernetes ingress-nginx Vulnerability Allows Code Execution and Info Disclosure
CERT-Bund has issued a security advisory for Kubernetes ingress-nginx, detailing a vulnerability that allows authenticated remote attackers to execute arbitrary code and disclose sensitive information. The advisory affects versions prior to 1.13.9, 1.14.5, and 1.15.1, with a high CVSS base score of 8.8.
Microsoft 365 Copilot Vulnerabilities Advisory
CERT-Bund has issued an advisory regarding multiple vulnerabilities in Microsoft 365 Copilot, with a CVSS base score of 8.9. These vulnerabilities could allow remote attackers to disclose information, manipulate data, and gain elevated privileges. Mitigation measures are available.
VMware Tanzu Spring Security Vulnerability
CERT-Bund has issued a security advisory for VMware Tanzu Spring Security, detailing a critical vulnerability (CVSS 9.1) that allows remote attackers to bypass security controls and potentially access confidential information. The advisory affects multiple versions of the Spring Security framework.
Netwrix Password Secure Vulnerabilities Allow Code Execution and DoS
CERT-Bund has issued a security advisory for Netwrix Password Secure, detailing multiple vulnerabilities that could allow for code execution and denial-of-service attacks. The advisory affects versions prior to 26.3.100 and is rated as high severity.
European Data Protection Authorities Focus on Transparency Obligations
European data protection authorities, coordinated by the EDPB, will focus on transparency and information obligations under GDPR for the year 2026. This initiative aims to ensure data controllers provide clear, accessible information to individuals regarding the processing of their personal data.
Multiple vulnerabilities in Elastic products
CERT-FR has issued an advisory regarding multiple vulnerabilities discovered in various Elastic products, including Elasticsearch, Kibana, Logstash, Metricbeat, and Packetbeat. These vulnerabilities could allow remote attackers to execute arbitrary code, compromise data confidentiality, and bypass security policies.
Oracle Identity Manager and Web Services Manager Vulnerability
CERT-FR has issued a security advisory regarding a critical vulnerability in Oracle Identity Manager and Web Services Manager. The vulnerability, identified as CVE-2026-21992, allows for remote arbitrary code execution. Affected versions require immediate patching.
Ubuntu Linux Kernel Vulnerabilities Identified by CERT-FR
CERT-FR has issued a notice regarding multiple vulnerabilities discovered in the Linux kernel used by Ubuntu. These vulnerabilities could allow attackers to gain elevated privileges, compromise data confidentiality, and impact data integrity. Users are advised to consult Ubuntu's security bulletins for patch information.
Debian LTS Linux Kernel Vulnerabilities Affecting Confidentiality, Denial of Service, Privilege Escalation
CERT-FR has issued an advisory regarding multiple vulnerabilities discovered in the Linux kernel used in Debian LTS systems. These vulnerabilities could lead to data confidentiality breaches, denial of service, and privilege escalation. Users are advised to consult Debian's security bulletins for patch information.
Microsoft Product Vulnerability CVE-2026-3731
CERT-FR has issued an advisory regarding a vulnerability (CVE-2026-3731) in Microsoft products, specifically the libssh package shipped with Azure Linux 3 (azl3) in versions prior to 0.10.6-6. The advisory directs users to Microsoft's security bulletin for patch information.
Multiple Vulnerabilities in Traefik Software
CERT-FR has issued an advisory regarding multiple vulnerabilities discovered in Traefik software, affecting versions prior to v2.11.41, v3.6.11, and v3.7.0-ea.2. These vulnerabilities could lead to data confidentiality breaches and security policy bypasses. Users are advised to consult the publisher's security bulletins for patch information.
Red Hat Linux Kernel Vulnerabilities
CERT-FR has issued a notice regarding multiple vulnerabilities discovered in the Red Hat Linux kernel. These vulnerabilities could allow attackers to achieve arbitrary code execution, privilege escalation, and data confidentiality breaches. Affected systems require patching as detailed in Red Hat's security bulletin.
SUSE Linux Kernel Vulnerabilities Identified by CERT-FR
CERT-FR has issued an advisory regarding multiple vulnerabilities discovered in SUSE Linux kernel versions. These vulnerabilities could lead to data confidentiality breaches and denial-of-service attacks. Affected systems include various SUSE Linux Enterprise and openSUSE Leap installations.
IBM Products Vulnerabilities
CERT-FR has issued an advisory regarding multiple vulnerabilities discovered in various IBM products, including Cloud Pak for Security, Informix Dynamic Server, and QRadar SIEM. These vulnerabilities could allow attackers to execute arbitrary code remotely, cause denial of service, or compromise data confidentiality.
VMware Products Vulnerabilities Advisory
CERT-FR has issued an advisory regarding multiple vulnerabilities discovered in various VMware products. The advisory describes the impact only as an unspecified security problem. Affected users are advised to consult VMware's security bulletins for patch information.
Goldheart Jewelry Data Breach Decision
Singapore's Personal Data Protection Commission has issued a decision against Goldheart Jewelry Pte. Ltd. for a data breach affecting 41,379 individuals. The breach resulted from insufficient security measures, including a failure to implement adequate patch management and access controls, leading to unauthorized access and disclosure of personal data.
PDPC Decision on Institute of Mental Health Data Consent
The Singapore Personal Data Protection Commission (PDPC) amended a previous decision concerning the Institute of Mental Health (IMH). The amendment clarifies the factual background regarding IMH's use of patient data for research study recruitment, specifically addressing implied consent and the visibility of a notification to patients.
PDPC Decision on Data Protection Breach by People Central Pte. Ltd.
Singapore's Personal Data Protection Commission (PDPC) issued a decision against People Central Pte. Ltd. for breaching data protection obligations. The company experienced an unauthorized access and deletion of client employee data due to insufficient security arrangements, including SQL injection vulnerabilities and weak access controls. The decision was handled under an expedited procedure due to the organization's admission of facts and breach.
Marina Bay Sands Data Breach Penalty Decision
Singapore's Personal Data Protection Commission has issued a decision against Marina Bay Sands Pte. Ltd. for a data breach affecting 665,495 members. The breach resulted from insufficient security arrangements and a failure to mitigate the risk of human error, leading to unauthorized access and disclosure of personal data. A financial penalty has been imposed.
PDPC Decision on Data Protection and Accountability
Singapore's Personal Data Protection Commission (PDPC) issued a decision against Air Sino-Euro Associates Travel Pte. Ltd. for failing to protect customer data, resulting in unauthorized access and disclosure. The organization also failed to appoint a data protection officer and implement internal policies.
CISA KEV: Cisco FMC Vulnerability Allows Root Java Code Execution (CVE-2026-20131)
CISA has added a critical vulnerability in Cisco Secure Firewall Management Center (FMC) Software to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability (CVE-2026-20131) allows unauthenticated remote attackers to execute arbitrary Java code as root. Federal civilian agencies are required under BOD 22-01 to remediate it by April 4, 2026; CISA urges all other organizations to prioritize remediation as well.
EU Regulators Focus on Cross-Regulatory Cooperation for Digital Laws
The European Data Protection Board (EDPB) is increasing focus on cross-regulatory cooperation for EU digital laws, including the GDPR, AI Act, and Digital Markets Act. The EDPB is developing joint guidance with the European Commission on these interactions and on data protection and competition, aiming for consistent interpretation and enforcement.
Senator Blackburn Proposes AI Framework for Child Safety and Copyright
U.S. Senator Marsha Blackburn has introduced a discussion draft for a federal AI policy framework focusing on children's online safety and copyright protection. The proposal aims to establish national standards, incorporating elements from the Kids Online Safety Act and the NO FAKES Act, and includes provisions for a private right of action for child harms.
China PIPL Compliance Audit Guidance and Enforcement Trends
China's Personal Information Protection Law (PIPL) requires organizations to audit personal information processing for compliance. Recent regulatory developments, particularly concerning minors' data, indicate an increasing expectation for audits to be repeatable, verifiable, and evidence-backed, with a focus on demonstrating consistent implementation and technical reality.
EDPB-EDPS Joint Opinion on Cybersecurity Act 2 and NIS 2 Directive Amendments
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have issued a joint opinion on proposed amendments to the Cybersecurity Act 2 and the NIS 2 Directive. This opinion provides recommendations on the legislative proposals concerning cybersecurity certification and network and information security.
EDPB Report on Anonymisation and Pseudonymisation Stakeholder Event
The European Data Protection Board (EDPB) has published a report detailing discussions from a stakeholder event on anonymisation and pseudonymisation techniques. The report summarizes key takeaways and perspectives shared during the event.
GDPR Rights Procedure Resolution - Spanish DPA
The Spanish Data Protection Agency (AEPD) issued a resolution regarding a data subject's right to erasure request against UPTA-CLM. The agency found issues with the contact information provided by the organization, including a non-functional data protection officer email address.
EDPB Announces 2026 GDPR Transparency Measure
The European Data Protection Board (EDPB) announced its 2026 Coordinated Enforcement Framework (CEF) measure, focusing on transparency and information obligations under the GDPR. The Austrian Data Protection Authority will participate in this coordinated action.