changeflow.com

UFP Technologies Cybersecurity Incident Disclosure

UFP Technologies filed a Form 8-K with the SEC disclosing a cybersecurity incident pursuant to Regulation S-K Item 1.05. The disclosure notifies investors of a material cybersecurity event that has occurred at the company. As a public company, UFP Technologies is subject to SEC cybersecurity disclosure requirements that mandate timely reporting of material cybersecurity incidents.

Routine Notice Cybersecurity
wid.cert-bund.de

IBM Tivoli Network Manager Critical Vulnerabilities CVSS 9.8

CERT-Bund disclosed multiple critical vulnerabilities in IBM Tivoli Network Manager IP Edition below version 4.2.0.24 affecting Linux, UNIX, and Windows platforms. The vulnerabilities carry a CVSS Base Score of 9.8 (critical) and enable remote attackers to execute arbitrary code, conduct denial of service attacks, disclose information, and bypass security mechanisms. Mitigation measures are available.

Urgent Guidance Cybersecurity
wid.cert-bund.de

Kibana Multiple Vulnerabilities, CVSS 7.7, Info Disclosure DoS

Routine Notice
wid.cert-bund.de

libTIFF Vulnerability Enables Code Execution and Denial of Service

CERT-Bund issued security advisory WID-SEC-2026-1031 regarding a vulnerability in libTIFF, an open-source software library for processing Tag Image File Format (TIFF) images. The vulnerability carries a CVSS Base Score of 7.8 (high) and a Temporal Score of 6.8 (medium). A remote anonymous attacker could exploit this flaw to execute arbitrary code or cause a denial-of-service condition. Affected platforms include Linux, UNIX, Windows, Debian Linux, and Open Source libTIFF. Remote attack capability is not present. Mitigation measures are available.

Priority review Notice Cybersecurity
IAPP Privacy News

Federal Plan Modernizes, Preempts US Financial Privacy Rules

A discussion draft released by the House Committee on Financial Services proposes modernizing the Gramm-Leach-Bliley Act with data minimization provisions, updated sensitive data definitions covering geolocation and biometrics, and AI disclosure requirements. The draft would shift GLBA from a federal floor to a federal ceiling, preempting state financial privacy laws. Most state comprehensive privacy laws currently exempt GLBA-covered financial institutions from their requirements.

Routine Notice Data Privacy
IAPP Privacy News

OPC Loblaw Decision: Key Privacy Anonymization Lessons

IAPP published an opinion piece analyzing a recent Office of the Privacy Commissioner of Canada finding on Loblaw's Optimum loyalty program, highlighting three key anonymization lessons under PIPEDA. The OPC confirmed that secondary uses of data are permissible, that anonymization requires eliminating only the serious possibility of re-identification rather than zero risk, and that independent third-party review of anonymization processes is expected.

Routine Notice Data Privacy
wid.cert-bund.de

OPNsense Firewall Vulnerability Allows Remote Information Disclosure (CVSS 8.2)

CERT-Bund has issued a security advisory (WID-SEC-2026-1044) regarding a vulnerability in OPNsense, an open-source firewall distribution based on FreeBSD. The vulnerability, with a CVSS Base Score of 8.2 (high), allows remote, anonymous attackers to disclose sensitive information. Affected versions include OPNsense prior to version 26.1.6. A mitigation measure is available as of April 10, 2026.

Priority review Guidance Cybersecurity
wid.cert-bund.de

MediaWiki Extensions XSS Vulnerability, CVSS 8.3

CERT-Bund issued security advisory WID-SEC-2026-1043 warning of multiple cross-site scripting (XSS) vulnerabilities in MediaWiki extensions. Affected versions include MediaWiki prior to 1.43.7, 1.44.4, and 1.45.2, along with 8 extensions: Wikilove, ProofreadPage, Cargo, ReportIncident, GrowthExperiments, CampaignEvents, Score, and CentralAuth. The vulnerability has a CVSS Base Score of 8.3 (high) and a Temporal Score of 7.2 (high). Remote attack is possible.

Priority review Guidance Cybersecurity
wid.cert-bund.de

Apache Airflow Critical Flaws, CVSS 9.1, Security Bypass

Routine Notice
wid.cert-bund.de

Multiple Critical Vulnerabilities in MISP Threat Intelligence Platform

CERT-Bund issued security advisory WID-SEC-2026-1045 warning of multiple critical vulnerabilities in Open Source MISP (threat intelligence sharing platform) versions prior to 2.5.36. The vulnerabilities carry a CVSS Base Score of 9.6 (critical) and a Temporal Score of 8.3 (high). Remote attackers can exploit these flaws to bypass security measures, conduct cross-site scripting attacks, and cause unspecified impacts.

Priority review Notice Cybersecurity
ICO News & Blogs

ICO Guidance on Personal Data Use in UK Local Elections

The ICO published guidance on 10 April 2026 explaining how UK voters can expect their personal data to be handled during the May 2026 local elections in England and Parliamentary elections in Scotland and Wales. The guidance addresses profiling techniques, social media advertising transparency, and data use in petitions and surveys by political parties. Political parties are reminded that they must provide clear privacy information and opportunities for voters to object to data profiling.

Routine Notice Data Privacy