Microsoft Edge Multiple Security Vulnerabilities Advisory
CERT-FR issued an advisory covering 18 CVEs (CVE-2026-5272 through CVE-2026-5292) in Microsoft Edge, with CVE-2026-5281 confirmed as actively exploited. Affected versions are those prior to 136.0.3856.97. Organizations should apply Microsoft's security patches immediately to mitigate the risk of remote code execution and security bypass.
SUSE Linux Kernel Multiple Vulnerabilities Advisory
CERT-FR issued advisory CERTFR-2026-AVI-0398 alerting to 14 SUSE security bulletins covering multiple vulnerabilities in the SUSE Linux kernel. Affected systems include SUSE Linux Enterprise Server, Live Patching, Real Time, and openSUSE Leap 15.6. Attackers could exploit these flaws to achieve data confidentiality breaches, data integrity compromise, security policy bypass, denial of service, and privilege escalation.
Multiple Ubuntu Linux Kernel Vulnerabilities Allow Arbitrary Code Execution
CERT-FR issued an advisory reporting multiple kernel vulnerabilities affecting Ubuntu Linux versions 14.04 ESM through 25.10. The vulnerabilities allow attackers to achieve arbitrary code execution, privilege escalation, data confidentiality breaches, and denial of service. The advisory references 12 Ubuntu security bulletins (USN-8094-5 through USN-8149-1) and multiple CVEs, including CVE-2021-47142, CVE-2021-47145, and CVE-2024-36903. Organizations running affected Ubuntu systems should immediately apply the patches referenced in the Ubuntu security bulletins.
Red Hat Linux Kernel Multiple Vulnerabilities Advisory
CERT-FR issued advisory CERTFR-2026-AVI-0396 alerting to multiple vulnerabilities in the Red Hat Linux kernel affecting Red Hat Enterprise Linux and CodeReady Linux Builder products across ARM64, IBM z Systems, Power, and x86_64 architectures. The vulnerabilities expose affected systems to data confidentiality breaches, security policy bypass, remote denial of service, and privilege escalation risks. Organizations running affected Red Hat products should apply the referenced security patches from Red Hat.
Multiple IBM Vulnerabilities: Data Integrity and Confidentiality Risks
CERT-FR issued advisory CERTFR-2026-AVI-0395 warning of multiple critical vulnerabilities in IBM products affecting QRadar SIEM, Storage Protect Plus Server, WebSphere Automation, and WebSphere eXtreme Scale. Vulnerabilities include remote code execution, privilege escalation, denial of service, and data integrity and confidentiality breaches. French organizations using these products are advised to apply patches immediately.
Multiple Vulnerabilities in VMware Tanzu MySQL for Kubernetes
CERT-FR issued a security advisory reporting multiple vulnerabilities in VMware Tanzu MySQL for Kubernetes affecting versions prior to 2.0.2. Ten CVEs are referenced, including CVE-2025-14831, CVE-2025-15281, CVE-2025-15366, CVE-2025-15367, CVE-2025-9820, CVE-2026-0861, CVE-2026-0865, CVE-2026-0915, CVE-2026-1299, and CVE-2026-4111. Organizations using affected versions should apply the vendor-provided patches.
Synology Mail Station Vulnerability Advisory
CERT-FR issued a security advisory warning of a vulnerability in Synology Mail Station (versions prior to 30000001.3.19-20332 for DSM). The vulnerability, tracked as CVE-2026-5129, allows attackers to compromise data confidentiality and integrity. Users are advised to apply the vendor patch referenced in Synology security advisory Synology_SA_26_04.
EU Digital Wallet Certification Scheme Public Consultation
ENISA launched a public consultation on the draft candidate EU Digital Wallet (EUDIW) certification scheme on 3 April 2026. The scheme, developed under the Cybersecurity Act to support the European Digital Identity Framework, aims to verify that digital wallets meet high security requirements. Comments must be submitted by 30 April 2026, with a webinar scheduled for 8 April 2026. ENISA also signed a €1.6 million contribution agreement with the European Commission to support Member States in developing national certification schemes.
TrueConf Client Vulnerability - Arbitrary Code Execution via Updates
CISA added CVE-2026-3502 to the Known Exploited Vulnerabilities catalog. The vulnerability allows remote attackers to execute arbitrary code via unverified software updates in TrueConf Client versions 8.1.0 through 8.5.2. The flaw has a CVSS score of 7.8 (HIGH) and is classified as actively exploited with total technical impact.
Mass Disclosure of Personal Data and Privacy Lessons from Slovakia and the EU
IAPP published an analysis examining EU court decisions on data disclosure requirements. The analysis covers Slovakia's Constitutional Court striking down an NGO donor disclosure law, CJEU rulings invalidating public access to Ultimate Beneficial Owner registries (C-37/20, C-601/20), and annulment of the Data Retention Directive (C-293/12, C-594/12). The piece emphasizes that blanket transparency obligations must be proportionate to privacy rights.
Draft Children's Online Privacy Code for Online Services
Australia's OAIC released an exposure draft of the Children's Online Privacy Code, proposing new obligations for online services to protect children's data. The code requires consent before targeted advertising using children's data, grants children rights to request data deletion, and mandates notifications when parents consent on behalf of children or when geolocation is being tracked. Public consultation runs for 60 days, with the code set to become law in December 2026.
California: Higher CCPA Fines and Age Assurance Enforcement Ramp-up
The California Privacy Protection Agency and state attorneys general indicated increased enforcement activity at the IAPP Global Summit 2026. CalPrivacy is considering higher CCPA fines following $4 million in total settlements from five cases. The California AG's office is preparing rulemaking on age verification requirements under the Protecting Our Kids from Social Media Addiction Act. Enforcement priorities include data minimization and purpose limitation principles.
ISO 20022 CBPR+ Address Structuring Deadline November 2026
SWIFT announced that the CBPR+ ISO 20022 migration achieved 97% adoption as of November 2025. A new requirement mandates removal of unstructured postal addresses from CBPR+ payment messages by November 2026. After this date, only fully structured or hybrid postal addresses will be accepted; payments with non-compliant addresses may be rejected or delayed by PSPs. The Standards Release 2026 Usage Guidelines were published on February 20, 2026.