EDPB Adopts DPIA Template for Harmonised EU Compliance
The European Data Protection Board has adopted a template for Data Protection Impact Assessments (DPIA) to help organisations structure, harmonise and evidence their DPIA reporting processes under the GDPR. The template, which is not mandatory for organisations to use, includes predefined fields and a supporting explainer document with concise explanations. The template is subject to public consultation until 9 June 2026, after which EU Data Protection Authorities will adopt it either as their sole standard or as a 'meta-template' for national alignment.
FCDO fails FOI response deadline, ICO upholds complaint
Crown Prosecution Service Withholds Text Messages, FOI Appeal Not Upheld
The Information Commissioner's Office has issued a Decision Notice in case IC-419334-F5H6 dated 7 April 2026. The Crown Prosecution Service withheld copies of text messages considered as evidence in criminal proceedings, citing FOIA section 30(1)(c) (criminal proceedings) and section 40(2) (personal information). The ICO determined that CPS correctly relied on section 30(1)(c) to withhold the requested information. No further steps are required of the CPS.
University of Bradford FOI 10 Upheld, 30-Day Response Required
The ICO has upheld a Freedom of Information complaint against the University of Bradford. The public authority failed to respond to the complainant's FOI request within the statutory 20 working days under FOIA. The ICO requires the university to provide a substantive response to the request within 30 calendar days.
FCDO FOI Complaint Upheld, Response Required
The ICO has upheld a Freedom of Information complaint against the Foreign, Commonwealth and Development Office (FCDO). The public authority failed to respond to an FOI request within the statutory 20 working day period required under FOIA. The Commissioner requires FCDO to provide the complainant with a response within 30 calendar days of this decision notice.
Brighton & Hove City Council Breaches FOIA on Drive Request
The ICO has issued a Decision Notice finding that Brighton & Hove City Council breached FOIA requirements when handling an information request about a drive at a specific address. The council processed the request under FOIA section 21 (information accessible by other means) when it should have been handled under the Environmental Information Regulations (EIR). The ICO upheld complaints under EIR regulation 5(1) and regulation 14(1). The council is required to reconsider the request under the EIR and issue a fresh response to the complainant.
Kent County Council FOIA 10 Upheld
The ICO issued a decision notice finding Kent County Council in breach of FOIA for failing to respond to a freedom of information request within the statutory 20 working day timeframe. The council must now provide a substantive response to the original request within 30 calendar days of the decision.
Birmingham City Council FOI 12 Upheld
The ICO has upheld a complaint against Birmingham City Council regarding a Freedom of Information Act request. The Council cited section 12 (appropriate limit) to refuse providing information about invoices paid from April 2019. The ICO determined the Council is not entitled to rely on section 12. The Council must now issue a fresh response to the request without relying on section 12(1) of FOIA.
Metropolitan Police NCND FOI 40 Complaint Not Upheld
The Information Commissioner's Office has issued a Decision Notice in case IC-469364-Q5L0 concerning a Freedom of Information complaint against the Metropolitan Police Service. The complainant requested information about whether a named individual worked for the MPS. The MPS responded using 'neither confirm nor deny' (NCND) under section 40(5B)(a)(i) of FOIA. The ICO determined that the MPS was entitled to apply the NCND exemption and the complaint was not upheld.
Northumbria Police Operation Eustace FOI Complaint Not Upheld
The Information Commissioner's Office issued a Decision Notice regarding a Freedom of Information complaint against Northumbria Police concerning Operation Eustace. The ICO determined that on the balance of probabilities, Northumbria Police does not hold information within the scope of the request. The Commissioner does not require Northumbria Police to take any steps.
RCVS VCMS FOI Complaint Not Upheld - Info Not Held
The Information Commissioner's Office issued a decision notice regarding a Freedom of Information complaint against the Royal College of Veterinary Surgeons (RCVS). The complainant requested information about complaints handled by the Veterinary Client Mediation Service (VCMS). The ICO determined that on the balance of probabilities, RCVS does not hold the requested information. The complaint was not upheld and no further steps are required.
Castle Point Borough Council - FOI Complaint Partly Upheld
The ICO issued a Decision Notice concerning Castle Point Borough Council's handling of a Freedom of Information request. For part 1 of the request (emails between named individuals), the ICO found the council does not hold the requested information. For part 2 (email chains), the ICO determined the council is entitled to withhold personal data under section 40 for Email Chain 1 and part of Email Chain 2, but must disclose remaining information in Email Chain 2 since no exemption was cited.
Newham Council Stratford One Complaint Details Withheld Under EIR
The Information Commissioner's Office has issued a decision notice regarding a complaint against the London Borough of Newham concerning requests for information about Stratford One student accommodation complaints. The Council relied on regulation 12(5)(b) of the Environmental Information Regulations (EIR) — adverse effect on the course of justice — to withhold the information. The ICO determined that the Council correctly applied this exemption and no further compliance steps are required.
Multiple Vulnerabilities in Synology SSL VPN Client Prior to 1.4.5-0684
CERT-FR published advisory CERTFR-2026-AVI-0431 alerting to multiple vulnerabilities in Synology SSL VPN Client affecting versions prior to 1.4.5-0684. The vulnerabilities could allow attackers to compromise data confidentiality and integrity. The advisory references Synology security bulletin Synology_SA_26_05 and two CVEs (CVE-2021-47960 and CVE-2021-47961). Organizations using the affected product should consult the vendor's security bulletin for patch information.
Multiple Vulnerabilities in Python Allowing Remote Code Execution
CERT-FR issued advisory CERTFR-2026-AVI-0430 warning of multiple vulnerabilities in Python/CPython affecting systems without latest security patches. Two CVEs are referenced: CVE-2026-4786 and CVE-2026-6100. The vulnerabilities allow remote code execution and other unspecified security issues. Organizations running CPython should consult vendor security bulletins for patches.
Multiple Microsoft Product Vulnerabilities, 4 CVEs
CERT-FR issued advisory CERTFR-2026-AVI-0435 warning of four unpatched vulnerabilities (CVE-2026-27456, CVE-2026-3184, CVE-2026-34933, CVE-2026-4878) in Microsoft products affecting azl3 and cbl2 system versions. The vulnerabilities allow attackers to cause unspecified security issues. Organizations running affected azl3 versions of avahi, libcap, and util-linux, or cbl2 versions of avahi and libcap, should apply patches per Microsoft security bulletins.
Multiple Vulnerabilities in SAP Products Allow Remote Code Execution
CERT-FR published advisory CERTFR-2026-AVI-0434 alerting organizations that multiple vulnerabilities have been discovered in SAP products. Affected systems span SAP NetWeaver Application Server ABAP and Java, S/4HANA, BusinessObjects, and numerous other SAP platforms across versions 700-816. The vulnerabilities expose organizations to remote code execution, SQL injection, cross-site scripting, denial of service, and data confidentiality breaches.
Multiple Schneider Electric Vulnerabilities, Data Integrity and Confidentiality Risk
CERT-FR published advisory CERTFR-2026-AVI-0433 disclosing multiple vulnerabilities in Schneider Electric industrial control products. Affected products include Easergy MiCOM protection relays (multiple models), EcoStruxure Control Expert, Connexium Managed Switches, and Modicon Redundancy Switches. The vulnerabilities enable remote denial of service, data confidentiality breaches, data integrity compromise, and security policy bypass. Organizations should refer to vendor security bulletins for patches.
Multiple Vulnerabilities in Siemens Products Allow Remote Code Execution
CERT-FR issued security advisory CERTFR-2026-AVI-0432 detailing multiple vulnerabilities in Siemens industrial automation products including SCALANCE W-700, SIMATIC CN/Field/IPC series, and related industrial computing devices. The vulnerabilities enable remote code execution, privilege escalation, denial of service, cross-site scripting, and data confidentiality breaches. Affected parties should immediately consult Siemens security bulletins SSA-019200 and SSA-628843 for available patches and apply mitigations.
Apple Collects Street Images in Luxembourg April 8 - May 7, 2026
The CNPD informs the public that Apple will collect street-level imagery in Luxembourg from April 8 to May 7, 2026, for its Apple Maps service. Apple will automatically blur faces and license plates on published images. Individuals with questions about image processing or who wish to request additional blur may contact Apple directly.
SAP Patch Day April 2026: 13 Critical Vulnerabilities, CVSS 9.9
CERT-Bund published security advisory WID-SEC-2026-1078 disclosing 13 critical vulnerabilities in SAP Software affecting multiple operating systems (Linux, UNIX, Windows, and others). The vulnerabilities have a CVSS Base Score of 9.9 (critical) and Temporal Score of 8.6 (high), with remote attack capability confirmed. Attackers can exploit these flaws to conduct SQL injection, gain elevated privileges, execute arbitrary code, bypass security controls, perform cross-site scripting, manipulate data, or disclose confidential information.
Apache Airflow Vulnerabilities Allow Code Execution
MinIO Object Storage Multiple Authentication Bypass Vulnerabilities - CVSS 8.2
CERT-Bund issued security advisory WID-SEC-2026-1081 identifying multiple vulnerabilities in MinIO object storage software with CVSS Base Score 8.2 (High) and Temporal Score 7.1 (High). Remote anonymous attackers can exploit these flaws to bypass authentication and manipulate data. Affected version: Open Source MinIO prior to 2026-04-11T03-20-12Z.
ESRI ArcGIS Multiple Vulnerabilities, CVSS 9.8 (Critical)
CERT-Bund issued a security advisory about multiple critical vulnerabilities in ESRI ArcGIS geographic information system software (versions 11.5 and 12.0) with a CVSS Base Score of 9.8 (critical) and Temporal Score of 8.5 (high). An attacker can exploit these vulnerabilities remotely to elevate privileges or bypass security measures. Organizations using affected ArcGIS products should apply available mitigations.
XWiki Multiple Vulnerabilities - DoS and XSS Attacks (WID-SEC-2026-1089)
CERT-Bund issued security advisory WID-SEC-2026-1089 identifying critical vulnerabilities (CVSS Base Score 9.6) in XWiki open-source wiki software. Affected versions include those prior to 16.10.16, 17.4.8, and 17.10.1. An attacker can exploit these vulnerabilities to conduct denial of service attacks and cross-site scripting (XSS) attacks. Mitigations are available.
Microsoft Windows Host Process for Windows Tasks Privilege Escalation Vulnerability CVE-2025-60710
CISA added CVE-2025-60710 to the Known Exploited Vulnerabilities catalog on 2026-04-13. The vulnerability is an improper link resolution flaw in Host Process for Windows Tasks enabling local privilege escalation. CVSS 3.1 score is 7.8 (HIGH). Exploitation is active but not automatable per SSVC v2.0.3.
CVE-2023-21529: Microsoft Exchange Server RCE Vulnerability Added to Known Exploited Vulnerabilities Catalog
CISA added CVE-2023-21529, a Microsoft Exchange Server remote code execution vulnerability, to the Known Exploited Vulnerabilities (KEV) catalog. The vulnerability carries a CVSS 3.1 score of 8.8 (HIGH) and is attributed to CWE-502 (Deserialization of Untrusted Data). Exploitation is assessed as 'active' with total technical impact and no automatable exploitation vector. Affected versions span Exchange Server 2016 and 2019 across multiple build ranges. Federal agencies are subject to BOD 22-01 remediation requirements for KEV catalog entries.
Windows Common Log File System Driver Elevation of Privilege Vulnerability CVE-2023-36424
CISA has added CVE-2023-36424 to its Known Exploited Vulnerabilities catalog. The vulnerability is a Windows Common Log File System Driver elevation of privilege flaw with a CVSS 3.1 score of 7.8 (HIGH). It affects numerous Windows versions including Windows 10, 11, Server 2019-2022, and legacy systems. CISA has determined this vulnerability has been actively exploited in the wild, triggering remediation requirements for federal agencies under Binding Operational Directive 22-01.
Adobe Acrobat Use-After-Free Vulnerability CVE-2020-9715
CISA added CVE-2020-9715 to the Known Exploited Vulnerabilities (KEV) catalog. The vulnerability is a use-after-free flaw in Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier. Successful exploitation could lead to arbitrary code execution. The SSVC assessment rates exploitation as 'active' with total technical impact.
CVE-2026-21643: FortiClientEMS SQL Injection Vulnerability
CISA has added CVE-2026-21643 to the Known Exploited Vulnerabilities (KEV) catalog. The vulnerability is a SQL injection flaw in Fortinet FortiClientEMS 7.4.4 allowing unauthenticated remote code execution via crafted HTTP requests. Exploitation is confirmed active, automatable, and achieving total technical impact. CVSS score is 9.1 (CRITICAL). Federal agencies are subject to remediation requirements under Binding Operational Directive 22-01.
Adobe Acrobat Code Execution Vulnerability, CVSS 8.6
CISA added CVE-2026-34621 to its Known Exploited Vulnerabilities (KEV) catalog on April 13, 2026. The vulnerability affects Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier, with a CVSS score of 8.6. Successful exploitation allows arbitrary code execution via a malicious PDF file through prototype pollution. Federal agencies are subject to Binding Operational Directive 22-01 remediation timelines.
CVE-2012-1854: VBA Insecure Library Loading Vulnerability
CISA has cataloged CVE-2012-1854, an untrusted search path vulnerability in VBE6.dll affecting Microsoft Office 2003 SP3, 2007 SP2/SP3, and 2010 Gold/SP1; Microsoft Visual Basic for Applications (VBA); and Summit Microsoft Visual Basic for Applications SDK. The vulnerability allows local users to gain privileges via a Trojan horse DLL in the current working directory. CISA confirms this vulnerability was exploited in the wild in July 2012. CVSS 3.1 score is 7.8 (HIGH) with exploitation status marked as 'active' in the KEV catalog.
EANI School Walking Route EIR Complaint Not Upheld
The Information Commissioner's Office issued a Decision Notice on 9 April 2026 regarding an Environmental Information Regulations complaint against the Education Authority Northern Ireland (EANI). The complainant requested information relating to an assessment of a school walking route between two postcodes. The ICO determined that, on the balance of probabilities, EANI does not hold any additional information falling within the scope of the request and does not require further steps. The complaint was not upheld.
FOI Cost Limit Refusal Not Upheld - Middleton Cheney Parish Council
The ICO has issued a Decision Notice regarding Middleton Cheney Parish Council's refusal of an FOI request under section 12(1) (cost limit exemption). The Commissioner determined that the Council was entitled to refuse the request on cost grounds and found that the Council complied with its section 16 obligations to offer advice and assistance. No further action is required from the Council.
NHS Trust Upheld for Late Supplier Payment FOIA Breach
The Information Commissioner's Office issued a decision notice finding that The Queen Elizabeth Hospital King's Lynn NHS Foundation Trust breached section 10 of the Freedom of Information Act 2000 by failing to respond to an information request within 20 working days. The complaint concerned the Trust's failure to pay suppliers on time and related late payment compensation. The ICO ordered the public authority to provide a substantive response to the original request.
FOI 10 Breach Upheld, City of Wolverhampton Council
The ICO has upheld a breach of section 10 of the Freedom of Information Act 2000 against the City of Wolverhampton Council. The Council failed to provide a substantive response to an FOI request within the required 20 working days. The ICO has ordered the Council to issue a substantive response within 30 calendar days of the decision notice date.
Rushcliffe Borough Council EIR Planning Information Not Held
The Information Commissioner's Office issued a Decision Notice finding that Rushcliffe Borough Council correctly applied the Environmental Information Regulations exception at regulation 12(4)(a). The Council stated that requested planning application information was not held, and the Commissioner determined on the balance of probabilities that the information is indeed not held by the Council.
Black Country Healthcare NHS Foundation Trust FOI Complaint Upheld
The Information Commissioner's Office has upheld a Freedom of Information complaint against Black Country Healthcare NHS Foundation Trust. The Trust failed to respond to the complainant's FOI request within the statutory 20 working days required under FOIA. The ICO has issued a Decision Notice requiring the Trust to provide a substantive response to the outstanding request within 30 calendar days.
London Borough of Southwark Upheld for FOIA Response Failure
The ICO has upheld a complaint against London Borough of Southwark for failing to respond to a Freedom of Information request within the statutory 20 working day timeframe. The Commissioner has ordered the authority to provide a substantive response to the complainant within 30 calendar days in compliance with its FOIA obligations.
Royal Borough of Greenwich - FOIA Request Non-Compliance Upheld
The ICO has upheld a complaint against the Royal Borough of Greenwich for failing to respond to a Freedom of Information Act request within the statutory 20 working day timeframe. The Commissioner has ordered the public authority to provide a substantive response to the complainant within 30 calendar days of the decision.
The Open University FOI Complaint Upheld, Must Issue Fresh Response
The ICO upheld a complaint against The Open University regarding a Freedom of Information Act request for data security and cybersecurity information. The university had refused to comply, citing section 14 of FOIA (vexatious request). The ICO determined the university is not entitled to rely on section 14. The ICO requires the university to issue a fresh response that does not rely on section 14 of FOIA.
Wandsworth Borough Council FOI Complaint Not Upheld
The Information Commissioner's Office has issued a Decision Notice regarding a Freedom of Information Act complaint against Wandsworth Borough Council. The complaint concerned the council's handling of a request for information about Wandsworth Information, Advice and Support Service. The ICO determined that the council's refusal to confirm or deny holding information under sections 40(5B) and 31(3) of FOIA was justified, and that on the balance of probabilities, the council does not hold any further information within scope of the request. No further action is required of the council.
Police FOI complaint: 10(1) upheld, 12(1) not upheld
Red Hat Enterprise Linux Multiple Vulnerabilities, Remote Attack
Critical Remote Code Execution Vulnerability in Red Hat Enterprise Linux Cockpit
CERT-Bund, operating under the German Federal Office for Information Security (BSI), issued a critical security advisory regarding a remote code execution vulnerability in Red Hat Enterprise Linux Cockpit. The vulnerability carries a CVSS Base Score of 9.8 (critical) and a Temporal Score of 8.5 (high). Affected versions include Red Hat Enterprise Linux 9.6 and Red Hat Enterprise Linux 10. Organizations using these systems should apply available mitigations immediately.
Red Hat OpenShift AI Vulnerability Enables Information Disclosure and Privilege Escalation
CERT-Bund issued a security advisory regarding a vulnerability in Red Hat OpenShift AI (affecting versions 2.16.4, 2.25.4, 3.3.1, and 3.2). The vulnerability, with a CVSS Base Score of 8.5 (high) and Temporal Score of 7.4 (high), allows a remote, authenticated attacker to exploit the flaw to disclose confidential information and potentially escalate privileges. Mitigation measures are available.
OpenClaw Multiple Critical Vulnerabilities Allow Remote Code Execution
CERT-Bund issued security advisory WID-SEC-2026-1065 alerting to multiple critical vulnerabilities in OpenClaw, a personal AI assistant for local devices. The flaws carry a CVSS Base Score of 8.8 (high) and enable remote attackers to gain administrator privileges, execute arbitrary code, bypass security controls, and disclose or manipulate data. The affected version is Open Source OpenClaw prior to version 2026.3.25. Users are advised to apply available mitigations and update to the patched release.