CISA Adds CVE-2026-33017 to Known Exploited Vulnerabilities Catalog
CISA has added CVE-2026-33017, a Langflow code injection vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate catalogued vulnerabilities by the due date CISA assigns.
Multiple vulnerabilities found in F5 products
CERT-FR has issued an advisory regarding multiple vulnerabilities in F5 products, including NGINX Open Source and NGINX Plus. They could allow remote arbitrary code execution, denial of service, and breaches of data confidentiality.
Multiple Squid Vulnerabilities Affect Data Confidentiality and Availability
CERT-FR has issued an advisory regarding multiple vulnerabilities discovered in Squid software, affecting versions prior to 7.5. These vulnerabilities can lead to remote denial-of-service attacks and data confidentiality breaches. Users are advised to consult the vendor's security bulletins for patch information.
Tenable OT Platform Vulnerability Allows Data Confidentiality Breach
CERT-FR has issued a security advisory regarding a vulnerability in Tenable OT Platform, identified as CVE-2026-4433, that can lead to a breach of data confidentiality. Tenable OT Platform versions prior to 4.2.40 that lack the corresponding security patch are affected.
Citrix XenServer Vulnerability Allows Data Confidentiality Breach
CERT-FR has issued an advisory regarding a vulnerability in Citrix XenServer (CVE-2026-4397) that could lead to a breach of data confidentiality. XenServer 8.4 installations without the latest security patch are affected; the advisory directs users to Citrix's security bulletin for remediation.
GitLab Vulnerabilities Pose Data Integrity and XSS Risks
CERT-FR has issued a security advisory regarding multiple vulnerabilities discovered in GitLab Community and Enterprise Editions. These vulnerabilities could allow attackers to compromise data integrity, execute cross-site scripting (XSS) attacks, and cause remote denial of service.
ISC Kea Vulnerability Allows Remote Denial of Service
CERT-FR has issued an advisory regarding a remote denial-of-service vulnerability (CVE-2026-3608) in ISC Kea software. Affected versions include Kea 2.6.x prior to 2.6.5 and 3.0.x prior to 3.0.3. Users are advised to consult the vendor's security bulletin for patch information.
Apple Products Multiple Vulnerabilities
CERT-FR has issued a security advisory regarding multiple vulnerabilities discovered in various Apple products, including iOS, iPadOS, macOS, and Safari. These vulnerabilities could allow attackers to elevate privileges, cause remote denial-of-service, and compromise data confidentiality.
Mozilla Products Vulnerabilities
CERT-FR has issued a security advisory regarding multiple vulnerabilities discovered in Mozilla products, including Firefox ESR, Firefox, and Thunderbird. These vulnerabilities could allow attackers to execute arbitrary code, elevate privileges, or cause a denial of service.
Multiple Zabbix Vulnerabilities Disclosed
CERT-FR has issued an advisory regarding multiple vulnerabilities in Zabbix. They could allow remote code execution, breaches of data confidentiality, and SQL injection. Affected versions include specific releases of Zabbix 6.0, 7.0, 7.2, and 7.4.
Quatrro Data Breach Notification and Credit Monitoring Offer
Quatrro Business Support Services, Inc. is issuing a data breach notification to affected individuals, offering a complimentary 24-month membership to credit monitoring services provided by Kroll. The notice details the incident, the services offered, and steps individuals can take to protect themselves.
Law Offices of James Scott Farrin Data Security Event Notification
The Law Offices of James Scott Farrin is notifying individuals of a data security event that occurred on September 8, 2025, involving the unauthorized acquisition of personal information, including names and Social Security numbers. Affected individuals are offered free credit monitoring and fraud assistance services.
Glasshouse Media Data Breach Notification
Glasshouse Media is issuing a data breach notification dated March 23, 2026, to affected individuals. The incident involved the inadvertent receipt of an internal file containing employee names and Social Security numbers. The company is offering 24 months of complimentary identity protection services through Experian IdentityWorks.
Colaberry Inc. Data Breach Notification
Colaberry Inc. has issued a data breach notification to Massachusetts residents whose 2025 Form W-2 information may have been compromised. The company is offering 24 months of complimentary credit monitoring and identity theft protection services through Cyberscout.
Massachusetts Breach Notification: Obtaining Free Credit Reports
This document provides guidance to Massachusetts residents on how to obtain free credit reports from major credit reporting companies. It outlines the process for requesting reports and what steps to take if discrepancies or suspicious activity are found, including contacting law enforcement and the FTC.
Mark Leyden & Associates Data Breach Notification
Mark Leyden & Associates, LLC is notifying individuals of a data breach that may have exposed personal information. The company is offering complimentary credit monitoring and identity theft protection services through IDX. Affected individuals are advised to enroll by June 20, 2026.
Massachusetts DOR Data Breach Notification
The Massachusetts Department of Revenue issued a sample data breach notification letter to inform individuals about an unauthorized disclosure of personal information due to employee error. The notice outlines the rights of affected individuals, including placing a security freeze, and offers 24 months of free credit monitoring services.
Tower FCU Data Breach Notification
Tower Federal Credit Union has issued a data breach notification following an inadvertent employee error that sent a member's personal information, including Social Security number and date of birth, to another member. The credit union has updated its internal processes and provided credit monitoring services to affected individuals.
MedPeds Data Breach Notification
MEDPEDS, a healthcare provider, is notifying patients of a data breach that occurred on September 2, 2025, caused by malware that encrypted data and allowed unauthorized access. Patient information including name, date of birth, address, phone number, and medical records may have been viewed. MEDPEDS has improved its security measures and contacted the FBI.
Massachusetts Data Breach Notification Requirements for Consumers
The Massachusetts Attorney General's office has issued a notice detailing data breach notification requirements for consumers. This notice outlines the information consumers must provide to verify their identity and address potential identity theft, including specific documentation and procedures for placing and managing security freezes on credit reports.
Hightower Holding LLC Data Breach Notification
Hightower Holding LLC is notifying individuals of a data breach that occurred on January 8-9 and January 19-20, 2026, after user accounts were compromised. The breach resulted in unauthorized access to, and download of, files containing personal information. The company is offering complimentary credit monitoring services.
Connell Family Office Data Breach Notification
Connell Family Office & Management, Inc. is notifying individuals of a data breach that may have impacted personal information, including names. While no misuse is indicated, the company is offering complimentary credit monitoring and identity restoration services through Experian. Affected individuals must enroll by June 30, 2026.
Harbor Vulnerability Allows Information Disclosure
CERT-Bund has issued a security advisory for Harbor, an open-source container registry, detailing a vulnerability that allows information disclosure. The advisory affects specific versions of Open Source Harbor and provides mitigation information.
ImageMagick Vulnerabilities Allow Denial of Service Attacks
CERT-Bund has issued a security advisory regarding multiple vulnerabilities in ImageMagick versions prior to 7.1.2-18 and 6.9.13-43. These vulnerabilities can be exploited by local or remote attackers to conduct denial-of-service attacks. Mitigation is available.
Apple Safari Vulnerabilities Allow Bypass, DoS, Disclosure, XSS
CERT-Bund has issued a security advisory regarding multiple vulnerabilities in Apple Safari, identified by WID-SEC-2026-0848. These vulnerabilities have a high CVSS Base Score of 8.3 and could allow attackers to bypass security measures, perform denial-of-service attacks, disclose information, or execute cross-site scripting attacks.
Netty Vulnerabilities Allow Bypass and Denial of Service
CERT-Bund has issued a security advisory regarding multiple vulnerabilities in the Netty network application framework. These vulnerabilities, with a CVSS Base Score of 7.5, allow remote attackers to bypass security measures and cause denial of service. Affected are Open Source Netty 4.2.x releases prior to 4.2.11 and 4.1.x releases prior to 4.1.132.
Hitachi Ops Center Vulnerabilities Allow Remote Attacks, XSS
CERT-Bund has issued a security advisory for Hitachi Ops Center, detailing vulnerabilities that allow remote attacks and cross-site scripting. Affected are Hitachi Ops Center Administrator versions prior to 11.0.8 and Analyzer versions prior to 11.0.5-00. Mitigation measures are available.
Ubiquiti UniFi Network Server Vulnerability
CERT-Bund has issued a security advisory for Ubiquiti UniFi Network Server versions prior to 10.1.89. A vulnerability allows remote attackers to bypass security measures, with a CVSS base score of 8.8. Mitigation is available.
Langflow Vulnerability Allows Code Execution
CERT-Bund has issued a security advisory for Langflow, a tool for creating LLM-based applications. A vulnerability (CVSS 8.8) allows remote attackers to execute arbitrary code on affected systems running versions prior to 1.9.0. Mitigation measures are available.
TIBCO ActiveMatrix Vulnerability Allows Data Disclosure and Manipulation
CERT-Bund has issued a security advisory for TIBCO ActiveMatrix and TIBCO Administrator, detailing a critical vulnerability (CVSS 9.9) that allows remote authenticated attackers to disclose and manipulate data. The advisory affects specific versions of TIBCO ActiveMatrix BusinessWorks and TIBCO Administrator Enterprise.
Node.js Vulnerabilities Allow DoS, Bypass, Info Disclosure
CERT-Bund has issued a security advisory for Node.js, detailing multiple vulnerabilities that could allow attackers to cause denial of service, bypass security measures, and disclose information. The advisory affects various versions of Open Source Node.js and provides mitigation information.
IBM WebSphere Liberty Vulnerabilities Allow Privilege Escalation
CERT-Bund has issued a security advisory for IBM WebSphere Application Server Liberty, detailing vulnerabilities that allow privilege escalation, security bypass, and information disclosure. The advisory affects versions prior to 26.0.0.4 and provides mitigation information.
GitLab Vulnerabilities Allow File Manipulation, Bypass, DoS, Info Disclosure, XSS
CERT-Bund has issued a security advisory for GitLab, detailing multiple vulnerabilities that could allow attackers to manipulate files, bypass security measures, conduct denial-of-service attacks, disclose information, and perform cross-site scripting attacks. The advisory affects open-source GitLab versions prior to 18.10.1, 18.9.3, and 18.8.7.
IBM InfoSphere Server Vulnerabilities Allow Remote Attacks
CERT-Bund has issued a security advisory for IBM InfoSphere Information Server, detailing multiple vulnerabilities with a critical CVSS Base Score of 9.1. These vulnerabilities can be exploited by remote attackers to bypass security measures, cause denial of service, and manipulate data.
Xen Vulnerability Allows Security Bypass
CERT-Bund has issued a security advisory regarding a vulnerability in Xen, a virtual machine monitor, that allows local attackers from a guest VM to bypass security measures. The advisory, dated March 24, 2026, notes a CVSS base score of 6.7 and indicates that mitigation is available.
OpenClaw Vulnerabilities
CERT-Bund has issued a security advisory for OpenClaw, detailing multiple critical vulnerabilities with a CVSS score of 9.9. These vulnerabilities allow for remote code execution, privilege escalation, data manipulation, and denial-of-service attacks. A mitigation is available.
Zabbix Vulnerabilities Allow Remote Attacks
CERT-Bund has issued a security advisory for Zabbix, detailing multiple vulnerabilities with a CVSS base score of 8.8. These vulnerabilities affect various Zabbix versions and allow remote attackers to disclose information, inject shell commands, perform SQL injection, and cause denial of service.
NATS Server Vulnerabilities Allow Remote Attackers to Disclose/Manipulate Info, Cause DoS
CERT-Bund has issued a security advisory regarding multiple vulnerabilities in NATS Server versions prior to 2.12.6 and 2.11.15. These vulnerabilities, with a CVSS base score of 8.6, allow remote attackers to disclose or manipulate information, cause denial-of-service, and bypass security mechanisms.
Apple Xcode Vulnerabilities Allow Information Disclosure, Denial of Service
CERT-Bund has issued a security advisory for Apple Xcode, detailing multiple vulnerabilities that could allow remote attackers to disclose information or cause a denial of service. The advisory notes a CVSS Base Score of 5.5 (medium) and affects Xcode versions prior to 26.4 on macOS.
NGINX Plus and NGINX Vulnerabilities
CERT-Bund has issued a security advisory regarding multiple vulnerabilities in NGINX and NGINX Plus, with a CVSS base score of 8.2. The vulnerabilities affect NGINX on Linux, UNIX, and Windows and can be exploited remotely to cause denial of service, manipulate data, bypass security measures, and potentially execute arbitrary code.
Linux Kernel Vulnerabilities Allow DoS, Code Execution
CERT-Bund has issued a security advisory regarding multiple critical vulnerabilities in the Linux Kernel, with a CVSS base score of 9.8. These vulnerabilities can allow attackers to cause denial of service, bypass security measures, disclose information, and potentially execute code remotely. Mitigation measures are available.
Squid Vulnerabilities Allow Denial of Service Attacks
CERT-Bund has issued a security advisory regarding multiple vulnerabilities in Squid, an open-source web proxy cache. These vulnerabilities, with a CVSS base score of 8.6, can be exploited by remote attackers to cause a Denial of Service. The advisory applies to Squid versions prior to 7.5 on Linux, UNIX, and Windows systems.
macOS Vulnerabilities Allow Privilege Escalation and Data Manipulation
CERT-Bund has issued a security advisory for Apple macOS, detailing multiple vulnerabilities with a high CVSS base score of 8.3. These vulnerabilities can be exploited remotely to bypass security measures, conduct denial-of-service attacks, disclose information, manipulate files, and escalate privileges. Affected versions include macOS Sonoma <14.8.5, Sequoia <15.7.5, and Tahoe <26.4.
Apple iOS/iPadOS Vulnerabilities Allow Bypass, DoS, Info Disclosure
CERT-Bund has issued a security advisory regarding multiple vulnerabilities in Apple iOS and iPadOS. These vulnerabilities, with a CVSS base score of 8.3, can allow attackers to bypass security measures, perform denial-of-service attacks, disclose information, and conduct cross-site scripting attacks. Affected are iOS and iPadOS releases without the corresponding Apple update; the advisory lists the exact version cutoffs.
Mozilla Firefox and Thunderbird Multiple Vulnerabilities
CERT-Bund has issued a security advisory regarding multiple vulnerabilities in Mozilla Firefox and Mozilla Thunderbird. These vulnerabilities, with a CVSS base score of 8.8, could allow remote attackers to execute arbitrary code, cause denial of service, or disclose information. Affected versions include Firefox <149, Firefox ESR <115.34 and <140.9, and Thunderbird <149 and ESR <140.9.
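Several of the CERT-FR and CERT-Bund entries above (ISC Kea, Squid, Netty, NATS Server, GitLab, Mozilla Firefox) state their fix as a cutoff per release branch, e.g. "2.6.x prior to 2.6.5 and 3.0.x prior to 3.0.3". Comparing an installed version against a single "fixed" number gets this wrong: Firefox ESR 140.9 is patched even though 140.9 < 149, and Kea 2.7.x is covered by neither listed branch. The following Python is an added example, not code from any of those projects or advisories. It turns the cutoffs quoted above into a per-branch check and reports an installed version as vulnerable, fixed, or unlisted. The branch assignments in the table are this example's reading of the version strings quoted in the summaries, and ignoring pre-release suffixes is an assumption.

```python
import re

# Version cutoffs as quoted in the advisory summaries above. Each entry is
# (branch, first_fixed_version). branch None means the cutoff applies to any
# version not claimed by a listed branch (e.g. "Firefox <149"). The branch
# split is this example's reading of the advisory text, not the vendors' own.
ADVISORIES = {
    "ISC Kea":     [("2.6", "2.6.5"), ("3.0", "3.0.3")],
    "Squid":       [(None, "7.5")],
    "Netty":       [("4.2", "4.2.11"), ("4.1", "4.1.132")],
    "NATS Server": [("2.12", "2.12.6"), ("2.11", "2.11.15")],
    "GitLab":      [("18.10", "18.10.1"), ("18.9", "18.9.3"), ("18.8", "18.8.7")],
    "Firefox":     [("115", "115.34"), ("140", "140.9"), (None, "149")],
}


def parse_version(text):
    """'2.6.5' -> (2, 6, 5); '7.1.2-18' -> (7, 1, 2, 18).
    Parsing stops at the first non-numeric part, so '7.5rc1' compares as 7.5
    (assumption: pre-release markers are not significant for this triage)."""
    nums = []
    for part in re.split(r"[.\-]", text.strip()):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    if not nums:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(nums)


def _padded(a, b):
    """Right-pad with zeros so that 7.5 and 7.5.0 compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_lt(a, b):
    """True if version string a is strictly older than version string b."""
    x, y = _padded(parse_version(a), parse_version(b))
    return x < y


def in_branch(version, branch):
    """True if version lies on the release branch given as a prefix, e.g. '2.6'."""
    v, br = parse_version(version), parse_version(branch)
    v, _ = _padded(v, br)
    return v[:len(br)] == br


def assess(installed, fixes):
    """Return 'vulnerable', 'fixed', or 'unlisted' for one product.

    Branch-specific cutoffs take precedence over the unbounded one, so
    Firefox ESR 140.9 is 'fixed' although 140.9 < 149. A version whose branch
    is not listed and for which the advisory gives no unbounded cutoff is
    'unlisted': that means "check the vendor bulletin", not "safe"."""
    for branch, fixed in fixes:
        if branch is not None and in_branch(installed, branch):
            return "vulnerable" if version_lt(installed, fixed) else "fixed"
    for branch, fixed in fixes:
        if branch is None:
            return "vulnerable" if version_lt(installed, fixed) else "fixed"
    return "unlisted"


def triage(inventory):
    """inventory: {product: installed_version} -> {product: verdict}."""
    return {p: assess(v, ADVISORIES[p]) for p, v in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for demonstration, not data from the page.
    sample = {"ISC Kea": "2.7.0", "Squid": "7.4.1", "Netty": "4.1.131",
              "GitLab": "18.9.2", "Firefox": "140.8", "NATS Server": "2.12.6"}
    for product, verdict in triage(sample).items():
        print(f"{product:12s} {sample[product]:>8s}  {verdict}")
```

The unbounded rule is deliberately kept for products where the advisory gives one: an out-of-support Firefox 141 is flagged vulnerable rather than unlisted, which is the conservative reading of "Firefox <149". For products with only branch cutoffs (Kea, GitLab, Netty, NATS), a version on an unlisted branch comes back as unlisted and needs a look at the vendor bulletin before it is marked safe.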
PCPD Joins Global Network Examining Children's Apps
The Privacy Commissioner's Office of Hong Kong joined 26 global privacy authorities in the 2025 Global Privacy Enforcement Network (GPEN) Sweep focused on children's privacy. The exercise examined nearly 900 websites and apps, finding an increase in mandatory data collection and third-party sharing compared to a 2015 sweep, though some platforms showed improved age assurance measures.
Fifth Circuit Hears NetChoice v. Fitch Age Verification Case
The Fifth Circuit heard oral arguments in NetChoice v. Fitch, a challenge to Mississippi's child age verification law. This case examines the constitutionality of laws requiring platforms to verify user ages, potentially impacting online anonymity.
IAPP Survey on Digital Governance Complexity
The IAPP is launching its 2026 Governance Survey to gather insights on privacy, AI, and digital governance amidst increasing regulatory complexity and geopolitical tensions. The survey aims to benchmark organizational practices and inform international digital policy development.
CJEU Decision on DSARs and Compensation Eligibility
The Court of Justice of the European Union (CJEU) ruled on the interpretation of Article 12(5) of the GDPR concerning Data Subject Access Requests (DSARs). The decision clarifies that a single DSAR can be considered excessive or abusive, and controllers may rely on publicly available information to assess such claims, impacting how organizations handle and potentially refuse DSARs.
CSA Security Bulletin: NIST NVD Vulnerabilities
The Cyber Security Agency of Singapore (CSA) has issued a security bulletin detailing critical vulnerabilities identified in the past week from the NIST National Vulnerability Database (NVD). The bulletin categorizes vulnerabilities by severity using CVSSv3 scores and provides specific details on several critical CVEs affecting various software and hardware components.
ICO Decision on Police Conduct Reports
The ICO issued a decision regarding a Freedom of Information request for police conduct reports concerning a former Metropolitan Police officer. The ICO upheld the exemption under section 30(1)(a)(i) FOIA, finding that investigations and proceedings information should remain withheld.
Rotherham Council FOI Exemption Upheld by ICO
The UK's Information Commissioner's Office (ICO) has decided that Rotherham Metropolitan Borough Council correctly applied the section 43(2) exemption under the Freedom of Information Act (FOIA) to withhold information regarding operator costs at Forge Island. The ICO found that the public interest favoured maintaining this exemption.
ICO Decision on Southern Water EIR Request
The UK's Information Commissioner's Office (ICO) issued a decision regarding Southern Water's handling of an Environmental Information Regulations (EIR) request. While Southern Water was permitted to withhold some information related to a sewer level monitor, the ICO found that the company failed to respond within the required statutory timescales.
ICO Decision Notice: Dordon Parish Council FOI Request Failure
The UK's Information Commissioner's Office (ICO) has issued a decision notice against Dordon Parish Council for failing to respond to a Freedom of Information (FOI) request within the statutory 20-working-day period. The ICO requires the council to provide a response to the complainant within 30 calendar days.
ICO Upholds HMRC's Neither-Confirm-Nor-Deny Response, Finds HMRC in Breach of Section 17
The UK's Information Commissioner's Office (ICO) has issued a decision notice regarding a Freedom of Information (FOI) request made to HM Revenue and Customs (HMRC). The ICO upheld HMRC's decision to neither confirm nor deny holding information about a specific individual and property, citing section 44(2) of FOIA. However, the ICO found HMRC in breach of section 17 of FOIA for its handling of the request.
ICO upholds FOI exemption for Rural Services Delivery Grant
The UK's Information Commissioner's Office (ICO) has upheld the Ministry of Housing, Communities and Local Government's decision to withhold information regarding the withdrawal of the Rural Services Delivery Grant. The ICO found that the exemption under section 35(1)(a) of the Freedom of Information Act 2000 was correctly applied.
Electoral Commission FOI Breach Decision
The UK's Information Commissioner's Office (ICO) issued a decision notice finding that the Electoral Commission breached section 10 of the Freedom of Information Act (FOIA) by failing to respond to a request within the statutory 20-working-day period. The Electoral Commission is required to provide a substantive response to the complainant.
ICO Decision Notice: Shropshire ICS Failed to Respond to FOI Request
The UK's Information Commissioner's Office (ICO) has issued a decision notice against Shropshire, Telford and Wrekin Integrated Care System (ICS) for failing to respond to a Freedom of Information (FOI) request within the statutory 20-working-day period. The ICO requires the ICS to provide a response to the complainant within 30 calendar days.
NCSC CEO Urges AI Coding Safeguards for Secure Software
The UK's National Cyber Security Centre (NCSC) CEO, Dr. Richard Horne, is urging the international security community to develop safeguards for AI-assisted coding ('vibe coding'). While acknowledging the risk that AI tools propagate vulnerabilities at scale, the NCSC highlights the opportunity to improve software security by design through well-trained AI tools.
NIST Cybersecurity Framework 2.0 Quick-Start Guide Published
NIST has published a Quick-Start Guide for its Cybersecurity Framework 2.0, focusing on integrating cybersecurity, enterprise risk management, and workforce management. The guide aims to help organizations improve communication about cybersecurity risks and align workforce decisions with risk realities.
AEPD Spain: Appeal REPOSICION-PA-00034-2024 Declared Inadmissible
The Spanish Data Protection Agency (AEPD) has declared inadmissible an appeal (REPOSICION-PA-00034-2024) filed by A.A.A. against a resolution dated January 16, 2026. The inadmissibility is based on the appellant's lack of standing as an interested party in the initiated procedure, under Article 62.5 of the LPACAP.
AEPD Finds RUBICOR FITNESS Infringed GDPR Article 17
The Spanish Data Protection Agency (AEPD) has issued a resolution finding RUBICOR FITNESS in violation of GDPR Article 17 (Right to Erasure). The agency initiated proceedings after the complainant's request for erasure was not adequately addressed by the company. RUBICOR FITNESS failed to provide the required response and justification during the administrative process.