
Critical Authentication Bypass Vulnerability in Anritsu Remote Spectrum Monitor

CISA ICS-CERT published advisory ICSA-26-090-01 disclosing CVE-2026-3356, a critical authentication bypass vulnerability (CVSS 9.8) affecting all versions of Anritsu Remote Spectrum Monitor models MS27100A, MS27101A, MS27102A, and MS27103A. The vendor has no plans to remediate the vulnerability, which allows unauthorized network attackers to access and manipulate the device management interface. CISA recommends network isolation and secure deployment practices as mitigation.

Urgent Guidance Cybersecurity

Critical Authentication Bypass in PX4 Autopilot MAVLink Protocol

CISA ICS-CERT published advisory ICSA-26-090-02 disclosing CVE-2026-1579, a critical vulnerability (CVSS 9.8) in PX4 Autopilot v1.16.0 affecting the MAVLink communication protocol. The flaw allows unauthenticated remote attackers to execute arbitrary shell commands via the MAVLink interface when message signing is not enabled. CISA and the vendor recommend enabling MAVLink 2.0 message signing on all non-USB communication links as the primary remediation.

Urgent Notice Cybersecurity

IBM DataPower Gateway Multiple Vulnerabilities Allow DoS and Data Manipulation

CERT-Bund issued security advisory WID-SEC-2026-0924 disclosing multiple vulnerabilities in IBM DataPower Gateway with CVSS Base Score 6.5 (medium) and CVSS Temporal Score 5.7 (medium). Affected versions include DataPower Gateway prior to 11.0.0.0, 10.6.0.9, 10.6.6.0, and 10.5.0.21. Remote attackers can exploit these flaws to conduct denial of service attacks and manipulate data. Mitigation measures are available.

Priority review Notice Cybersecurity

Kyocera Printer Critical Vulnerabilities CVSS 9.8 Remote Attack

CERT-Bund issued security advisory WID-SEC-2026-0915 alerting to multiple critical vulnerabilities in Kyocera TASKalfa and ECOSYS printers. The vulnerabilities carry a CVSS Base Score of 9.8 (critical) and enable remote attacks without user interaction. Organizations using affected Kyocera printers should apply available mitigations immediately.

Urgent Notice Cybersecurity

IBM App Connect Enterprise Multiple DoS Vulnerabilities

CERT-Bund issued a security advisory (WID-SEC-2026-0903) disclosing multiple denial-of-service vulnerabilities in IBM App Connect Enterprise with a CVSS Base Score of 7.5 (high) and Temporal Score of 6.5 (medium). Affected versions are those prior to 12.0.12.24 and 13.0.7.0. Remote, unauthenticated attackers can exploit these vulnerabilities to conduct DoS attacks against affected installations.

Priority review Notice Cybersecurity

GNU libc Denial of Service Vulnerability

CERT-Bund issued advisory WID-SEC-2026-0918 warning of a denial of service vulnerability in GNU libc versions up to 2.43 (CVSS 7.5). The vulnerability allows remote anonymous attackers to cause service disruption. Mitigation measures are available.

Priority review Guidance Cybersecurity

Symantec Data Loss Prevention Privilege Escalation Vulnerability

CERT-Bund issued security advisory WID-SEC-2026-0921 warning of a local privilege escalation vulnerability in Symantec Data Loss Prevention products. The vulnerability carries a CVSS Base Score of 7.8 (high). Affected versions include DLP releases prior to 16.0 RU1 MP1 HF12, 16.0 RU2 HF9, 16.1 MP2, 25.1 MP1, and 16.0 MP2 HF15. Mitigations are available.

Priority review Guidance Cybersecurity

Apache Airflow Security Bypass Vulnerability

CERT-Bund issued advisory WID-SEC-2026-0916 identifying a security vulnerability in Apache Airflow Provider for Databricks (versions prior to 1.12.0) that allows attackers to bypass security controls. The vulnerability has a CVSS Base Score of 7.3 (high) and supports remote attack vectors. Organizations using affected versions should update immediately to version 1.12.0 or later.

Priority review Notice Cybersecurity

MongoDB DoS Vulnerability Advisory - CVSS 5.3

CERT-Bund issued security advisory WID-SEC-2026-0920 disclosing a denial of service vulnerability in MongoDB with CVSS Base Score 5.3 (medium) and Temporal Score 4.6 (medium). The vulnerability affects MongoDB versions prior to 8.3.0-rc0, 8.2.2, 8.0.18, and 7.0.31 across Linux, UNIX, and Windows platforms. A remote, authenticated attacker can exploit this flaw to conduct a DoS attack; mitigations are available.

Routine Guidance Cybersecurity

Elastic OpenTelemetry Java Remote Code Execution Vulnerability

CERT-FR issued a security advisory warning of a critical remote code execution vulnerability (CVE-2026-33701) in Elastic OpenTelemetry Java affecting versions prior to 1.10.0. The vulnerability allows remote attackers to execute arbitrary code on affected systems. Organizations using the affected software should apply the vendor patch immediately.

Urgent Notice Cybersecurity

Foxit PDF Editor and Reader Multiple Vulnerabilities

CERT-FR published an advisory warning of seven vulnerabilities (CVE-2026-3774 through CVE-2026-3780) in Foxit PDF Editor and Reader software. These vulnerabilities affect Windows and Mac versions prior to 13.2.3, 14.0.3, and 2026.1. Exploitation risks include arbitrary code execution, privilege escalation, data confidentiality breach, and denial of service. Organizations using affected products should update immediately.

Priority review Notice Cybersecurity

Multiple Vulnerabilities in Microsoft Products

CERT-FR issued a security advisory (CERTFR-2026-AVI-0381) detailing 5 CVEs affecting Microsoft products and related open-source libraries. The vulnerabilities impact azl3 python-requests, cbl2 kernel, cbl2 libpng, and cbl2 plexus-utils. Organizations using these components should consult Microsoft security bulletins and apply available patches.

Routine Notice Cybersecurity

Multiple Edge Vulnerabilities Prior to 146.0.3856.84

CERT-FR issued an advisory alerting that multiple unspecified vulnerabilities were discovered in Microsoft Edge affecting versions prior to 146.0.3856.84. The vulnerabilities could allow an attacker to cause an unspecified security issue. Two CVEs are referenced: CVE-2026-4676 and CVE-2026-4678. Users are advised to update to the patched version.

Routine Notice Cybersecurity

PaperCut Vulnerabilities Expose Data Confidentiality, Enable Remote XSS

CERT-FR issued a security advisory warning of multiple vulnerabilities in PaperCut MF and NG (versions prior to 25.0.10). The flaws enable data confidentiality breaches and remote indirect cross-site scripting (XSS) attacks. Organizations running affected PaperCut versions should update to 25.0.10 immediately to mitigate exploitation risk.

Priority review Notice Cybersecurity

Symantec DLP Privilege Escalation Vulnerability

CERT-FR published a security advisory warning of a privilege escalation vulnerability (CVE-2026-3991) in Symantec Data Loss Prevention affecting five version branches: 16.0 MP2, 16.0 RU1 MP1, 16.0 RU2, 16.1 MP2, and 25.1 MP1. Broadcom released security bulletin 37306 with patches. Organizations using affected versions should update immediately.

Priority review Notice Cybersecurity
Luxembourg CNPD News

CNPD and Luxembourg AI Factory Host RE.M.I. AI Session

The CNPD and Luxembourg AI Factory co-hosted a RE.M.I. (Regulation Meets Innovation) plenary session at Belval on March 17, 2026, bringing together researchers, regulators, businesses, and innovation support organizations. The event featured presentations on deepfake detection, AI Act transparency obligations, and concrete AI applications in road safety, along with updates from working groups developing tools for model selection, note-taking, and email sorting.

Routine Notice Artificial Intelligence

libarchive Remote Code Execution Vulnerability

CERT-Bund issued Security Advisory WID-SEC-2026-0923 warning of a high-severity remote code execution vulnerability in libarchive, a C library used for reading and creating archive formats including tar, cpio, zip, and ISO. The vulnerability has a CVSS Base Score of 7.3 and affects systems running Linux, UNIX, and Windows. Organizations using libarchive should apply available mitigations immediately.

Priority review Notice Cybersecurity

Docker Desktop Model Runner SSRF Vulnerability Advisory

CERT-Bund issued a security advisory regarding a Server-Side Request Forgery (SSRF) vulnerability in Docker Desktop Model Runner (versions prior to 1.1.25) and Docker Desktop (versions prior to 4.67.0). The vulnerability carries a CVSS Base Score of 7.4 (high) and allows remote anonymous attackers to disclose confidential information.

Priority review Notice Cybersecurity
Source: wid.cert-bund.de

Asterisk security advisory, XSS, root code execution

Routine Notice
Source: wid.cert-bund.de

Synacor Zimbra vulnerability bypasses security, manipulates data

Routine Notice

IBM Semeru Runtime Critical Vulnerability - Arbitrary Code Execution

CERT-Bund issued a critical security advisory (WID-SEC-2026-0929) warning of a vulnerability in IBM Semeru Runtime and IBM DB2. The vulnerability has a CVSS Base Score of 9.8 (critical) and CVSS Temporal Score of 8.5 (high). A remote, anonymous attacker can exploit this flaw to execute arbitrary code. Affected versions: IBM Semeru Runtime prior to 21.0.10.0 and IBM DB2 version 12.1.4. Mitigation measures are available.

Urgent Notice Cybersecurity

Checkmk Critical XSS Vulnerabilities

CERT-Bund issued a critical security advisory (WID-SEC-2026-0928) regarding multiple Cross-Site Scripting (XSS) vulnerabilities in Checkmk IT monitoring software. The vulnerabilities affect versions prior to 2.6.0b1 and 2.5.0b2, with a CVSS Base Score of 9.0 (critical). Organizations running affected Checkmk deployments should apply mitigations immediately.

Priority review Notice Cybersecurity

NoMachine Remote Desktop Privilege Escalation Vulnerabilities

CERT-Bund issued security advisory WID-SEC-2026-0927 identifying multiple vulnerabilities in NoMachine remote desktop software (versions prior to 9.4.14) with CVSS Base Score 7.8 (high). Attackers can exploit these vulnerabilities to manipulate files and escalate privileges. Organizations using NoMachine should apply available patches.

Priority review Guidance Cybersecurity

ESET PROTECT Vulnerability Allows Adjacent Network Information Disclosure

CERT-Bund issued a security advisory regarding an unpatched vulnerability in ESET PROTECT on-prem (advisory WID-SEC-2026-0926). The flaw, with CVSS Base Score 4.3 (medium) and Temporal Score 4.0 (medium), allows remote attackers from adjacent networks to disclose information. No vendor mitigation is currently available.

Priority review Notice Cybersecurity

Foxit PDF Editor/Reader Multiple Vulnerabilities CVSS 7.8

CERT-Bund issued a security advisory (WID-SEC-2026-0934) disclosing multiple vulnerabilities in Foxit PDF Editor and Reader affecting Windows, Linux, and UNIX systems prior to version 2026.1. The vulnerabilities carry a CVSS Base Score of 7.8 (high), potentially enabling information disclosure, denial of service, and code execution attacks. Users are advised to update to version 2026.1 to mitigate the risks.

Priority review Notice Cybersecurity
Source: wid.cert-bund.de

OpenClaw vulnerabilities, CVSS 9.8 critical, 30th Mar

Routine Notice

PowerDNS Multiple Vulnerabilities - Remote Code Execution Risk

CERT-Bund issued security advisory WID-SEC-2026-0932 disclosing multiple vulnerabilities in PowerDNS DNS server software affecting versions prior to 1.9.12 and 2.0.3. The vulnerabilities carry a CVSS Base Score of 8.1 (high) and a Temporal Score of 7.1, enabling remote attackers to execute code, cause denial of service, disclose information, and bypass security controls. Organizations running affected PowerDNS installations on Linux, UNIX, Windows, or other platforms should apply available mitigations or updates immediately.

Priority review Guidance Cybersecurity

nginx-ui Critical Remote Code Execution Vulnerabilities

CERT-Bund issued security advisory WID-SEC-2026-0931 warning of critical vulnerabilities in nginx-ui versions below 2.3.4. Multiple CVSS 9.8-rated flaws allow remote, authenticated attackers to execute arbitrary code, gain administrator privileges, manipulate data, bypass security controls, or cause denial-of-service conditions. Organizations running affected nginx-ui deployments should update to version 2.3.4 or later immediately.

Urgent Guidance Cybersecurity

IBM App Connect Enterprise Critical Vulnerabilities CVSS 9.8

CERT-Bund issued security advisory WID-SEC-2026-0933 disclosing multiple critical vulnerabilities in IBM App Connect Enterprise affecting versions prior to 13.0.7.0. The vulnerabilities carry a CVSS Base Score of 9.8 (critical) and CVSS Temporal Score of 8.5 (high), with remote attack capability confirmed. Organizations using this software should apply mitigations immediately.

Urgent Notice Cybersecurity

EDPB Coordinated Enforcement Framework 2026 Transparency Action

The European Data Protection Board (EDPB) launched its 2026 Coordinated Enforcement Framework (CEF) action, focusing on compliance with GDPR transparency and information obligations under Articles 12, 13, and 14. Twenty-five Data Protection Authorities (DPAs) across Europe will conduct enforcement actions and fact-finding exercises targeting data controllers from various sectors throughout 2026, with findings to be consolidated in an EDPB report and followed by targeted enforcement at national and EU levels.

Priority review Enforcement Data Privacy

Citrix NetScaler CVE-2026-3055 Critical Memory Overread Vulnerability

CISA added CVE-2026-3055 to the Known Exploited Vulnerabilities catalog. This critical memory overread vulnerability (CVSS 9.3) affects Citrix NetScaler ADC and Gateway when configured as a SAML IdP. Affected versions include 14.1 before 66.59 and 13.1 before 62.23. CISA confirms active exploitation with automatable attack capability and total system impact potential.

Urgent Notice Cybersecurity
OAIC Media Centre

Age Assurance Technologies and Privacy Obligations Guidance

The OAIC published guidance on age assurance technologies clarifying expectations for entities conducting age checks online. The guidance emphasizes necessity and proportionality, data minimization, transparency, and strong vendor controls. The publication supports compliance with the Social Media Minimum Age scheme and eSafety Age-Restricted Material Codes requirements.

Priority review Guidance Data Privacy
OAIC Media Centre

Children's Online Privacy Code Exposure Draft

The Office of the Australian Information Commissioner (OAIC) has published an exposure draft of the Children's Online Privacy Code for public consultation. The draft code introduces new obligations requiring agencies and organisations to consider children's best interests before collecting, using, or disclosing personal information, including requirements for targeted advertising consent and data deletion rights. The 60-day consultation opens March 31, 2026, with the Code expected to take effect in December 2026.

Priority review Consultation Data Privacy
OAIC Media Centre

Global Privacy Sweep Finds Rising Privacy Risks for Children Online

The OAIC published results from the 2025 Global Privacy Enforcement Network sweep, examining 900 websites and apps used by children. The sweep found 59% require email collection, 71% lack child-tailored privacy controls, and 36% lack accessible account deletion. Compared to a 2015 baseline, data collection practices have increased, raising privacy risks for child users.

Routine Notice Data Privacy
ICO Decision Notices

MOD Withheld Intelligence Services Bill File, Exemption Upheld

The Information Commissioner's Office issued a Decision Notice on 26 March 2026 in case IC-393615-M4Q4, upholding the Ministry of Defence's refusal to disclose file DEFE 68/1153 (Intelligence Services Bill) under section 23(1) FOIA. The complainant's challenge was not upheld, and the security bodies exemption was sustained.

Routine Enforcement Government Administration
ICO Decision Notices

DHSC Ambulance Review FOIA Decision - Legal Privilege and Personal Data

The Information Commissioner's Office issued Decision Notice IC-407317-D5F4 regarding a Freedom of Information complaint against the Department of Health and Social Care (DHSC). The ICO found that DHSC properly withheld information under section 40(1) FOIA (personal data exemption) and had communicated all non-exempt information it holds. The legal professional privilege claim under section 42(1) was not upheld, but the information remains exempt under section 40(1). No further steps are required from DHSC.

Routine Enforcement Data Privacy
ICO Decision Notices

FCDO mining FOI cost limit defence upheld

The ICO issued Decision Notice IC-407227-D6N2 upholding the Foreign, Commonwealth & Development Office's refusal of mining-related Freedom of Information requests. The FCDO successfully relied on section 12(2) FOIA (cost limit) and regulation 12(4)(b) EIR (manifestly unreasonable) to refuse the requests. The complaint was not upheld.

Routine Enforcement Consumer Protection
ICO Decision Notices

Cabinet Office FOIA case, section 36(2)(c) exemption upheld

The Information Commissioner's Office issued a Decision Notice in case IC-373252-Y7J5, finding that the Cabinet Office correctly relied on section 36(2)(c) of the Freedom of Information Act 2000 to withhold information about email addresses directly accessed by or assigned to the Cabinet Secretary. The ICO upheld the exemption citing prejudice to the effective conduct of public affairs. This decision provides guidance on the application of this exemption in FOIA requests involving senior government officials.

Priority review Notice Government Administration
ICO Decision Notices

Home Office FOIA exemption upheld, late response breach

The Information Commissioner's Office issued a Decision Notice finding that the Home Office correctly withheld information about Palestinian Action under section 35(1)(a) FOIA (formulation or development of government policy), with the public interest favoring the exemption. The ICO also found the Home Office breached section 10 FOIA by failing to respond within 20 working days. No remedial steps required.

Routine Notice Data Privacy
ICO Decision Notices

University of Exeter FOI Section 32(1) Court Records Exemption Decision

The ICO issued a Decision Notice finding that the University of Exeter cannot withhold information related to a First-tier Tribunal appeal under section 32(1) FOIA (court records exemption). The exemption claim was not upheld. The Commissioner does not require further steps from Exeter.

Routine Enforcement Data Privacy
ICO Decision Notices

GLA FOI complaint upheld, must respond in 30 days

The Information Commissioner's Office issued a Decision Notice upholding a Freedom of Information Act complaint against the Greater London Authority. The GLA failed to respond to an FOI request within the statutory 20 working day timeframe. The ICO ordered the GLA to provide a complete response to the complainant within 30 calendar days or face further enforcement action.

Priority review Enforcement Data Privacy
ICO Decision Notices

MOD withheld Falkland invasion file, FOI not upheld

Routine Notice
ICO Decision Notices

Lambeth Council Ordered to Respond to EIR Request

The ICO issued a decision notice finding that the London Borough of Lambeth failed to respond to an Environmental Information Regulations (EIR) request within the required 20 working days. The ICO ordered the council to provide a response to the complainant within 30 calendar days. This is a binding compliance order under EIR 5(2).

Priority review Enforcement Environmental Protection
ICO Decision Notices

Public Services Ombudsman for Wales - FOIA Information Request Breach

The ICO issued a decision notice finding that the Public Services Ombudsman for Wales (PSOW) breached section 10(1) of FOIA by failing to acknowledge it held information requested by a complainant. The ICO determined that PSOW did hold the information for FOIA purposes, contradicting PSOW's position. No further action or penalties were required of PSOW.

Routine Enforcement Data Privacy