Critical Axios Supply Chain Compromise via npm
CSA issued an advisory on a critical supply chain compromise affecting the Axios JavaScript HTTP client, versions 1.14.1 and 0.30.4. Threat actors compromised a maintainer's npm account and published builds that pull in a Remote Access Trojan (RAT) targeting Windows, macOS, and Linux systems via the malicious dependency plain-crypto-js@4.2.1. Affected organizations should immediately pin to the last clean releases (axios@1.14.0 or 0.30.3), remove plain-crypto-js@4.2.1 from their dependency trees, and treat any host on which the trojanized versions were installed as potentially compromised.
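Because the advisory names exact package versions, the check can be done mechanically against a lockfile rather than by eyeballing `npm ls` output. The Node.js script below is an added example, not code from CSA or the Axios project: it walks either the `packages` map of a lockfileVersion 2/3 `package-lock.json` or the nested `dependencies` tree of a lockfileVersion 1 file and reports every occurrence of the indicators, including copies nested under other packages. The two lockfiles embedded in it are constructed for illustration.

```javascript
// Added example (not from the advisory or the Axios project): scan an npm
// package-lock.json for the exact versions named in the CSA advisory.

// Indicators taken from the advisory text; everything else here is assumed.
const COMPROMISED = {
  axios: new Set(['1.14.1', '0.30.4']),
  'plain-crypto-js': new Set(['4.2.1']), // malicious dependency pulled in by the trojanized axios
};

// lockfileVersion 2/3 keys look like "node_modules/foo/node_modules/axios";
// the package name is whatever follows the last "node_modules/" (scoped names
// such as "@scope/pkg" keep their prefix).
function nameFromPath(pkgPath) {
  const marker = 'node_modules/';
  const idx = pkgPath.lastIndexOf(marker);
  return idx === -1 ? pkgPath : pkgPath.slice(idx + marker.length);
}

// lockfileVersion 1 nests transitive dependencies under each entry's "dependencies".
function* walkV1(deps, prefix) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    yield { name, version: info.version, path };
    if (info.dependencies) yield* walkV1(info.dependencies, `${path}/`);
  }
}

// Yield {name, version, path} for every installed package, whichever layout the file uses.
function* walkLock(lock) {
  if (lock.packages) {
    for (const [pkgPath, info] of Object.entries(lock.packages)) {
      if (pkgPath === '') continue; // the root project entry, not a dependency
      yield { name: nameFromPath(pkgPath), version: info.version, path: pkgPath };
    }
  } else {
    yield* walkV1(lock.dependencies, '');
  }
}

// Return every entry whose (name, version) matches an indicator.
function findCompromised(lock) {
  const hits = [];
  for (const entry of walkLock(lock)) {
    const bad = COMPROMISED[entry.name];
    if (bad && bad.has(entry.version)) hits.push(entry);
  }
  return hits;
}

// Constructed sample lockfiles (not real project data).
const SAMPLE_LOCK_V3 = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.14.0' },                          // clean top-level copy
    'node_modules/legacy-sdk': { version: '2.0.0' },
    'node_modules/legacy-sdk/node_modules/axios': { version: '0.30.4' },  // compromised, nested
    'node_modules/plain-crypto-js': { version: '4.2.1' },                // malicious dependency
  },
};

const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    axios: { version: '1.14.1', dependencies: { 'plain-crypto-js': { version: '4.2.1' } } },
  },
};

// Command-line use: node scan-lock.js ./package-lock.json  (exit code 1 on any hit)
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const fs = require('fs');
  const hits = findCompromised(JSON.parse(fs.readFileSync(process.argv[2], 'utf8')));
  for (const h of hits) console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
  process.exitCode = hits.length ? 1 : 0;
}
```

A clean top-level `axios` is not sufficient evidence: in the first sample the compromised copy is nested under another package and only the lockfile walk finds it. A hit also means `npm install` already fetched the trojanized package, so the host should be handled as a possible RAT infection rather than simply reinstalled.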
CVE-2026-5281 Google Dawn Use-After-Free Added to KEV Catalog
CISA added CVE-2026-5281, a use-after-free in Google Dawn (the WebGPU implementation used by Chromium-based browsers), to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The vulnerability poses significant risks to federal enterprise networks, and under BOD 22-01 Federal Civilian Executive Branch (FCEB) agencies must remediate KEV entries within the catalog's due date.
European Complaint Handling Workshop on GDPR Cooperation
CNPD Luxembourg hosted a 3-day European workshop (March 25-27, 2026) on data protection complaint handling, bringing together representatives from the EDPB and 24 EU data protection authorities. The workshop focused on harmonizing complaint handling procedures under the GDPR through shared best practices.
Guide on Recording Workplace Meetings Legally
CNPD Luxembourg published thematic guidance clarifying the legality of audio recording workplace meetings in the private sector. The guide addresses frequently asked questions about using recordings to facilitate minute-taking and ensure accurate transcription of discussions. This guidance applies to companies, associations, and private organizations but explicitly excludes public sector entities.
CNPD Sponsors EschTechWeek 2026 AI Event in Esch-sur-Alzette
The Luxembourg Commission nationale pour la protection des données (CNPD) sponsored EschTechWeek 2026, held March 23-28, 2026 in Esch-sur-Alzette. As an official sponsor, the CNPD participated in activities including a mock Tech Supreme Court on AI ethics, a youth workshop on AI risks and promises, and a facility tour highlighting its data protection mission. The event focused on responsible AI development and digital trust.
Joomla! Multiple Vulnerabilities - SQL Injection and XSS
CERT-FR issued an advisory warning of multiple vulnerabilities in Joomla! CMS versions 5.x prior to 5.4.4 and 6.x prior to 6.0.4. The vulnerabilities include SQL injection (SQLi), indirect cross-site scripting (XSS), arbitrary file deletion, and improper access checks in web service endpoints. Six CVEs are referenced: CVE-2026-21629, CVE-2026-21630, CVE-2026-21631, CVE-2026-21632, CVE-2026-23898, and CVE-2026-23899.
Multiple Vulnerabilities in SonicWall Email Security
CERT-FR issued an advisory identifying three vulnerabilities (CVE-2026-3468, CVE-2026-3469, CVE-2026-3470) in SonicWall Email Security versions prior to 10.0.35.8405. The vulnerabilities expose affected systems to remote data integrity compromise, denial of service attacks, and cross-site scripting (XSS). Organizations using this product should apply vendor patches immediately.
Multiple Vulnerabilities in Microsoft Products
CERT-FR issued advisory CERTFR-2026-AVI-0386 notifying of 14 vulnerabilities in Microsoft products, affecting Microsoft-distributed software packages including bind, flannel, libssh, ocaml, telegraf, trident, nodejs18, and systemd-bootstrap. The vendor has not specified the impact of these vulnerabilities. Organizations are advised to consult Microsoft's security bulletins and apply the available patches.
Chrome Vulnerabilities - Actively Exploited CVE-2026-5281
CERT-FR issued advisory CERTFR-2026-AVI-0385 on 2026-04-01 detailing multiple vulnerabilities in Google Chrome affecting versions prior to 146.0.7680.177/178 on Linux, Windows, and Mac. CVE-2026-5281 is confirmed to be actively exploited. Google released the security patch on March 31, 2026. Users and organizations should update Chrome immediately to mitigate risk.
Joomla CMS Critical Vulnerabilities CVSS 9.8
CERT-Bund published security advisory WID-SEC-2026-0936 identifying critical vulnerabilities in Joomla CMS with CVSS Base Score 9.8. Affected versions include Open Source Joomla CMS prior to 5.4.4 and 6.0.4 across Windows and UNIX systems. An attacker can exploit these vulnerabilities remotely to bypass security controls, execute SQL injection attacks, manipulate data, or perform cross-site scripting.
Critical cPanel Vulnerability Enables Remote Code Execution
CERT-Bund issued a critical security advisory (WID-SEC-2026-0939) regarding a remote code execution vulnerability in cPanel/WHM. The flaw lies in the bundled perl-YAML-Syck component and carries a CVSS Base Score of 9.1. Affected versions are cPanel/WHM prior to 110.0.93, 126.0.50, and 134.0.13. A remote, unauthenticated attacker can exploit it to execute arbitrary code or cause a denial of service.
Critical xz Utils Vulnerability Enables Remote Code Execution
CERT-Bund issued a critical security advisory regarding a remote code execution vulnerability in XZ Utils (CVSS Base Score 9.8). The flaw affects versions prior to 5.8.3 on Linux, UNIX, and related operating systems. A fixed version is available; organizations should update immediately.
Vim Vulnerability - Arbitrary Code Execution Risk
CERT-Bund issued security advisory WID-SEC-2026-0940 warning of a high-severity vulnerability in Vim (Vi IMproved) text editor versions prior to 9.2.0276. The vulnerability carries a CVSS Base Score of 8.2 and allows remote anonymous attackers to execute arbitrary code. Mitigation is available; users should upgrade to the latest version.
Critical CVSS 9.8 Vulnerabilities in Red Hat Ansible Allow Remote Code Execution
CERT-Bund issued a critical security advisory regarding multiple vulnerabilities (CVSS 9.8) in Red Hat Ansible Automation Platform versions prior to 2.5 and 2.6. The vulnerabilities allow remote attackers to execute arbitrary code, conduct denial of service attacks, bypass security controls, manipulate data, disclose confidential information, and perform cross-site scripting attacks. Organizations using affected versions should immediately apply patches and implement mitigation measures.
gdk-pixbuf Vulnerability - Denial of Service and Remote Code Execution Risk
CERT-Bund issued security advisory WID-SEC-2026-0945 warning of a high-severity vulnerability in gdk-pixbuf versions prior to 2.44.6. The vulnerability carries a CVSS Base Score of 7.5 (high) and enables remote attackers to perform denial of service attacks and potentially execute arbitrary code. Affected systems include UNIX operating systems running the GNOME image loading library.
Zscaler Client Connector Data Manipulation Vulnerability
CERT-Bund published security advisory WID-SEC-2026-0938 disclosing a data manipulation vulnerability in Zscaler Client Connector for Windows, affecting versions prior to 4.8.0.63 and 4.7.0.141. The vulnerability carries a CVSS Base Score of 5.4 (medium). A remote, anonymous attacker can exploit it to manipulate data.
CUPS Multiple Vulnerabilities Allow Remote Code Execution
CERT-Bund issued security advisory WID-SEC-2026-0947 warning of multiple vulnerabilities in CUPS (Common Unix Printing System) versions below 2.4.17. The vulnerabilities carry a CVSS Base Score of 7.6 (high) and enable remote attackers to execute arbitrary code, bypass security controls, gain elevated privileges, manipulate data, or cause denial of service. Affected platforms include UNIX and Windows systems running the vulnerable print spooler.
MediaWiki vulnerabilities, CVSS 9.1 critical, DoS attacks
IBM Verify Access Critical Flaws Allow Admin Access and Code Execution
CERT-Bund issued advisory WID-SEC-2026-0949 identifying multiple critical vulnerabilities in IBM Security Verify Access (versions prior to 10.0.9.1 IF1) with a CVSS Base Score of 9.8. The flaws allow remote attackers to gain administrator privileges, execute arbitrary code, bypass security controls, perform cross-site scripting attacks, and modify or disclose data. A mitigation is available.
OpenClaw Multiple Critical Vulnerabilities - Remote Code Execution
CERT-Bund issued security advisory WID-SEC-2026-0948 disclosing critical vulnerabilities in OpenClaw (open source version prior to 2026.3.31). Multiple vulnerabilities with CVSS Base Score 9.8 (critical) and Temporal Score 8.5 (high) enable remote attackers to execute arbitrary code, escalate privileges, bypass security controls, and disclose or manipulate data. Organizations using OpenClaw should immediately apply available mitigations.
Linux Kernel Multiple Vulnerabilities Advisory
CERT-Bund issued security advisory WID-SEC-2026-0950 disclosing multiple vulnerabilities in the Linux Kernel. The vulnerabilities carry a CVSS Base Score of 7.8 (high) and a Temporal Score of 6.8 (medium). Threat actors could exploit these flaws to execute arbitrary code, launch denial-of-service attacks, bypass security controls, or manipulate data. Mitigations are available.
Google Chrome Vulnerabilities - Code Execution Risk
CERT-Bund issued a security advisory (WID-SEC-2026-0937) warning of multiple high-severity vulnerabilities in Google Chrome versions prior to 146.0.7680.177/178, with CVSS Base Score 8.8. The vulnerabilities affect Chrome on Windows, macOS, and Linux, allowing remote attackers to potentially execute code, bypass security measures, cause denial of service, disclose information, and manipulate data. Users are advised to update immediately.
Information Leaflet on eHealth Patient Data Privacy for Healthcare Professionals
The Office of the Privacy Commissioner for Personal Data (PCPD) in Hong Kong published an information leaflet to assist healthcare providers and professionals in complying with the Personal Data (Privacy) Ordinance (PDPO) when handling patient data through the eHealth System. The leaflet covers requirements for data collection, accuracy, security, direct marketing prohibitions, and data access requests, with practical guidance and recommended good practices.
AI Security and Cybersecurity Summit for Enterprises
The Privacy Commissioner for Personal Data Hong Kong and HKIRC co-hosted an AI Security and Cybersecurity Summit on March 31, 2026, attracting over 620 corporate representatives. Government officials delivered opening remarks on Hong Kong's AI development strategy and governance framework, including the Ethical Artificial Intelligence Framework and Generative AI Technical Guideline.
Proposed FOIA and Privacy Act Regulations
The Office of the National Cyber Director (ONCD) published a notice of proposed rulemaking establishing its first Freedom of Information Act (FOIA) and Privacy Act regulations. These regulations will govern ONCD's procedures for processing public records requests and handling personal data under the Privacy Act. Public comments are accepted until May 15, 2026.
GDPR Appeal Inadmitted - Complainant Lacks Standing
The AEPD issued Resolution EXP202500572 declaring a recurso de reposición (appeal for reconsideration) inadmissible because the appellant, as a mere complainant under Article 77.2 GDPR, lacked the legal standing to appeal. The decision cites Supreme Court precedent establishing that complainants have neither subjective rights nor legitimate interests in obtaining sanctions against those they report.
First FOIA and Privacy Act Regulations
The Office of the National Cyber Director (ONCD) has released its first proposed Freedom of Information Act (FOIA) and Privacy Act regulations for public comment. The regulations establish ONCD's procedures for processing FOIA requests and managing Privacy Act records. Comments on the proposed rule are due May 15, 2026.
NCSC Warns of Russia Actors Targeting Messaging Apps
The UK NCSC and international partners issued a joint advisory warning that Russia-based actors are actively targeting high-risk individuals through messaging apps including WhatsApp, Messenger, and Signal. The advisory documents specific attack vectors: social engineering for login codes, unauthorized device linking, undetected group chat access, impersonation, and QR code phishing. High-risk individuals include government officials, political staff, journalists, and others with sensitive information.