Mattermost Server Multiple Vulnerabilities - Data Integrity, CSRF, Policy Bypass
CERT-FR published security advisory CERTFR-2026-AVI-0446 identifying 20 vulnerabilities in Mattermost Server affecting versions 10.11.x before 10.11.14, 11.3.x before 11.3.3, 11.4.x before 11.4.4, and 11.5.x before 11.5.2. Exploitation could result in data integrity compromise, cross-site request forgery (CSRF), and security policy bypass. Refer to the vendor security bulletins for patches.
Drupal Vulnerabilities Allow RCE, SQL Injection, XSS
Multiple Vulnerabilities in Google Chrome
CERT-FR published advisory CERTFR-2026-AVI-0448 notifying users of multiple vulnerabilities in Google Chrome affecting versions prior to 147.0.7727.101 for Linux and 147.0.7727.101/102 for Windows and Mac. The advisory references 32 CVEs (CVE-2026-6296 through CVE-2026-6364) and recommends users apply patches available in Google's security bulletin dated April 15, 2026.
Multiple Vulnerabilities in Cisco ISE and Webex Products
CERT-FR published an advisory about multiple vulnerabilities affecting Cisco ISE, ISE-PIC, and Webex products. The vulnerabilities enable remote code execution (CVE-2026-20147, CVE-2026-20148, CVE-2026-20180, CVE-2026-20186) and security policy bypass (CVE-2026-20184). Affected organizations should apply vendor patches as referenced in Cisco security bulletins.
Apache Kafka Vulnerability CVE-2026-35554 Affects Data Confidentiality and Integrity
CERT-FR issued advisory CERTFR-2026-AVI-0449 alerting organizations to a vulnerability in Apache Kafka Clients (CVE-2026-35554). Affected versions include 2.8.x through 3.9.x (prior to 3.9.2), 4.0.x (prior to 4.0.2), and 4.1.x (prior to 4.1.2). The vulnerability allows attackers to compromise data confidentiality and integrity. Organizations are advised to obtain patches from the vendor security bulletin.
Multiple Vulnerabilities in Splunk Products, Risk of Arbitrary Code Execution
CERT-FR published an advisory reporting several critical vulnerabilities in Splunk products, notably Splunk Cloud Platform, Splunk Enterprise, Splunk ITSI, Splunk MCP Server and Splunk Universal Forwarder. Some of these vulnerabilities allow an attacker to achieve remote arbitrary code execution, a breach of data confidentiality and a breach of data integrity. Organizations using these products should consult the referenced Splunk security bulletins to obtain the fixes.
Europrivacy European Data Protection Seal Approved as Appropriate Safeguard for International Data Transfers
The European Data Protection Board adopted two Article 64 GDPR opinions approving the first certification instruments for international data transfers. The Europrivacy European Data Protection Seal can now be used as an appropriate safeguard for international data transfers under Articles 42 and 46 GDPR. The certification scheme has been extended to include organizations established outside the EEA but subject to GDPR under Article 3(2).
Kyverno Multiple Vulnerabilities, CVSS 8.1, Remote Attack, Privilege Escalation
CERT-Bund published security advisory WID-SEC-2026-1152 identifying multiple vulnerabilities in Kyverno, an open-source policy engine for Kubernetes. The vulnerabilities carry a CVSS Base Score of 8.1 (high) and a CVSS Temporal Score of 7.3 (high), with remote attack capability confirmed. An authenticated remote attacker can exploit these flaws to disclose information, bypass security controls, manipulate data, and elevate privileges. Affected versions are Open Source Kyverno <=1.17.0 and <1.16.4. Mitigations are available.
Apache ActiveMQ Multiple Vulnerabilities - CVSS 8.8 Remote Attack
CERT-Bund issued security advisory WID-SEC-2026-0991 regarding multiple vulnerabilities in Apache ActiveMQ (CVSS Base Score 8.8). Affected products include Client, Broker, and Web components prior to versions 5.19.3 and 6.2.2 (also 5.19.4 and 6.2.3). Remote authenticated attackers can exploit these vulnerabilities to manipulate files or execute arbitrary code on vulnerable systems.
Bouncy Castle BC-JAVA Critical Flaws Allow Security Bypass
CERT-Bund issued security advisory WID-SEC-2026-1129 identifying multiple critical vulnerabilities (CVSS Base Score 9.0) in Bouncy Castle BC-JAVA cryptographic library versions prior to 1.84. Attackers could exploit these flaws to bypass cryptographic security measures, disclose confidential information, or cause denial-of-service conditions. The vulnerabilities affect systems running Linux, macOS X, UNIX, Windows, and other operating systems that implement the affected library.
Fortinet FortiAnalyzer and FortiManager: Multiple Vulnerabilities, CVSS 8.1
CERT-Bund, operated by the German Federal Office for Information Security (BSI), published security advisory WID-SEC-2026-1093 warning of multiple vulnerabilities in Fortinet FortiAnalyzer and FortiManager products. Affected versions include FortiManager below 7.4.8/7.4.9/7.6.5 and FortiAnalyzer below 7.4.8/7.4.9/7.6.5, with Cloud variants also affected. The vulnerabilities carry a CVSS Base Score of 8.1 (high) and enable remote attackers to manipulate files, perform SQL injection, and execute arbitrary code.
Cisco Identity Services Engine Critical Vulnerabilities - CVSS 9.9
CERT-Bund issued security advisory WID-SEC-2026-1146 identifying critical vulnerabilities (CVSS Base Score 9.9) in Cisco Identity Services Engine (ISE). Multiple attack vectors allow remote attackers to conduct cross-site scripting, escalate privileges, execute arbitrary code, and disclose information. Organizations running Cisco ISE should apply mitigations immediately.
Flowise <3.1.0 Critical Flaws Allow Arbitrary Code Execution
CERT-Bund issued security advisory WID-SEC-2026-1145 warning of multiple critical vulnerabilities in Flowise, an open-source user interface for creating LLMs, affecting versions prior to 3.1.0. The flaws carry a CVSS Base Score of 9.9 (critical) and temporal score of 8.9 (high), with remote attack capability confirmed. Attackers can exploit these vulnerabilities to execute arbitrary code, bypass security controls, disclose information, and manipulate files.
Rapid7 Velociraptor Multiple Vulnerabilities, CVSS 8.5
CERT-Bund issued security advisory WID-SEC-2026-1141 disclosing multiple vulnerabilities in Rapid7 Velociraptor (endpoint detection and response/EDR tool) affecting versions prior to 0.76.3 and 0.76.2. The vulnerabilities carry a CVSS Base Score of 8.5 (high) and Temporal Score of 7.4 (high). A remote, authenticated attacker can exploit these flaws to bypass security measures, manipulate data, or potentially execute arbitrary code. Mitigation measures are available.
GIMP Multiple Vulnerabilities Allow Code Execution and Information Disclosure
CERT-Bund issued a security advisory (WID-SEC-2026-1144) identifying multiple vulnerabilities in GIMP (GNU Image Manipulation Program) with a CVSS Base Score of 7.3 (high) and Temporal Score of 6.7 (medium). The vulnerabilities affect versions running on Windows, UNIX, and Linux operating systems. An attacker could exploit these flaws to potentially execute arbitrary code, disclose confidential information, manipulate data, or cause a denial-of-service condition.
Google Chrome Multiple Critical Vulnerabilities CVSS 9.8
CERT-Bund issued a critical security advisory for Google Chrome versions prior to 147.0.7727.101 (Windows) and 147.0.7727.102 (Linux/macOS). The vulnerabilities carry a CVSS Base Score of 9.8 (critical) and Temporal Score of 8.5 (high). Attackers can exploit these flaws for potential remote code execution, security measure bypass, denial-of-service, and data manipulation or disclosure. Mitigation is available by updating to the patched version.
Sonatype Nexus Repository Manager Critical Flaw Allows Code Execution
Rsync Flaw Enables Security Bypass CVSS 7.4 High
CERT-Bund published security advisory WID-SEC-2026-1156 disclosing a high-severity vulnerability in Rsync versions 3.0.1 through 3.4.1. The flaw carries a CVSS Base Score of 7.4 and allows a remote, authenticated attacker to bypass security measures. Affected systems include Linux and UNIX operating systems. No mitigation is currently available from CERT-Bund.
Apache Airflow Flaw Enables Information Disclosure
Mattermost Multiple Vulnerabilities CVSS 7.3 High
CERT-Bund published security advisory WID-SEC-2026-1154 warning of multiple vulnerabilities in Mattermost Server and Plugins affecting versions prior to 11.4.4, 10.11.14, 10.5.2, and 11.6.0. The vulnerabilities have a CVSS Base Score of 7.3 (High) and CVSS Temporal Score of 6.4 (Medium), with remote attack capability confirmed. Affected platforms include Linux, UNIX, Windows, and other operating systems. Organizations using Mattermost should review and implement available mitigations.
Microsoft Defender Privilege Escalation Vulnerability WID-SEC-2026-1155
CERT-Bund issued security advisory WID-SEC-2026-1155 regarding a privilege escalation vulnerability in Microsoft Defender for Windows. A local attacker can exploit the flaw to elevate their privileges on the affected system. The vulnerability carries a CVSS Base Score of 7.8 (High) and a Temporal Score of 7.4 (High). Remote attack is not possible. No patch or mitigation is currently available as of the advisory date.
IBM App Connect Enterprise Critical Vulnerabilities, CVSS 10.0
CERT-Bund issued critical vulnerability advisory WID-SEC-2026-1157 for IBM App Connect Enterprise. Multiple versions including Certified Container <12.0 LTS, <12.0.12.24, <12.21.0, and <13.0.7.0 contain flaws with CVSS Base Score 10.0 and Temporal Score 8.7. Attackers can exploit these vulnerabilities to execute arbitrary code, bypass security controls, perform cross-site scripting, and manipulate data.
EU Digital Omnibus Makes Deidentification Statements Inevitable
IAPP published an analysis examining how the proposed EU Digital Omnibus regulation would codify Recital 26's anonymization standard into binding Article 4 definitions. The analysis notes the regulation shifts responsibility to organizations, requiring them to document and demonstrate why they cannot re-identify individuals from deidentified datasets — effectively requiring companies to prove a negative regarding identification capabilities.
EU Age Verification App Technically Ready, Rollout Soon
The European Commission announced 15 April 2026 that its age verification app is technically ready and will soon be available for citizens. The app is built on the European Digital Identity Wallet framework and aims to provide privacy-preserving, anonymous age verification for online services. Commission President Ursula von der Leyen emphasized the app's open-source, user-friendly design and stated it supports Digital Services Act implementation and broader children's protection goals.
xAI Sues California AG Over AI Training Data Transparency Law
xAI filed a lawsuit against California Attorney General Rob Bonta challenging AB 2013, the state's generative AI training data transparency law that took effect January 1, 2026. The law requires developers of generative AI systems made available to California residents to publicly disclose 12 categories of information about their training datasets, including data sources, size, copyright status, and personal information content. The District Court denied xAI's motion for preliminary injunction, and xAI has appealed to the 9th Circuit.
Critical Vulnerabilities in Fortinet FortiSandbox
CSA has issued Alert AL-2026-038 advising users to immediately update FortiSandbox products following the discovery of critical vulnerabilities CVE-2026-39808 and CVE-2026-39813. CVE-2026-39808 is an OS command injection vulnerability potentially allowing unauthenticated remote code execution via crafted HTTP requests. CVE-2026-39813 is an authentication bypass vulnerability in the FortiSandbox JRPC API. Affected versions include FortiSandbox 4.44.4.0 through 4.4.8 and FortiSandbox 5.05.0.0 through 5.0.5.
Critical Vulnerability in Axios Library Requires Immediate Update
CSA Singapore has issued an alert regarding a critical security vulnerability (CVE-2026-40175) in the Axios JavaScript library. The vulnerability carries a CVSS v3.1 score of 10 out of 10 and affects all versions below 1.13.2. Successful exploitation could allow unauthenticated remote attackers to perform server-side request forgery attacks, potentially leading to remote code execution and full cloud compromise. Users and administrators are advised to update to the latest version immediately.
Microsoft Defender Privilege Escalation Vulnerability WID-SEC-2026-1099
CERT-Bund issued advisory WID-SEC-2026-1099 reporting a vulnerability in Microsoft Defender Antimalware Platform enabling local privilege escalation to Administrator rights. The flaw carries a CVSS Base Score of 7.8 (high) and Temporal Score of 7.2 (high). Remote attack is not possible. Mitigations are available.
Azure Privilege Escalation, CVSS 8.8, 14th Apr
Fortinet FortiSandbox Critical Vulnerabilities CVSS 9.8 Remote Attack
CERT-Bund issued security advisory WID-SEC-2026-1094 disclosing critical vulnerabilities in Fortinet FortiSandbox with CVSS Base Score 9.8. Multiple flaws allow remote attackers to conduct cross-site scripting attacks, disclose information, bypass security measures, and execute code. Affected versions include FortiSandbox below 5.0.5 and below 4.4.9.
Adobe FrameMaker Arbitrary Code Execution Vulnerabilities
CERT-Bund issued security advisory WID-SEC-2026-1108 identifying multiple vulnerabilities in Adobe FrameMaker versions prior to 2026 and prior to 2022 Update 9. The vulnerabilities carry a CVSS Base Score of 8.6 (high). A local attacker could exploit these flaws to execute arbitrary code or disclose confidential information. Mitigation measures are available.
Adobe Connect Multiple Critical Vulnerabilities Allowing Arbitrary Code Execution, CVSS 9.6
CERT-Bund issued a security advisory warning of multiple critical vulnerabilities in Adobe Connect (CVSS Base Score 9.6). Affected versions include Adobe Connect below version 12.11 and Adobe Connect Desktop Application below version 2025.9. Remote anonymous attackers can exploit these flaws to execute arbitrary code or conduct cross-site scripting attacks.
Froxlor Server Management Software Multiple Vulnerabilities CVSS 9.9
CERT-Bund issued security advisory WID-SEC-2026-1124 identifying critical vulnerabilities in Open Source Froxlor server management software versions prior to 2.3.6. The flaws carry a CVSS Base Score of 9.9 (critical) and CVSS Temporal Score of 8.9 (high). Attackers can exploit these vulnerabilities to execute arbitrary code remotely, bypass security measures, and manipulate files on affected systems running Linux or UNIX.
Italian DPA Newsletter No. 546: Eni Fined €96k, Remote Exam FAQs, FaceBoarding Non-Compliance
The Italian DPA (Garante) published Newsletter No. 546 covering five items. The Garante fined Eni €96,000 for a GDPR violation. The DPA also issued FAQs on remote proctoring systems for online exams and training courses, clarified employees' right to access personal emails after employment ends, found Milano Linate Airport's FaceBoarding facial recognition system non-compliant with GDPR, and approved the MIM Ministry's AscoltaMi listening service.
Live Nation/Ticketmaster Found Illegal Monopoly by Jury
Colorado AG Phil Weiser announced that a jury found Live Nation and Ticketmaster liable as an illegal monopoly in the live entertainment and ticketing industry. Colorado and other states rejected a settlement reached between the Justice Department and Live Nation and continued the antitrust lawsuit through trial in New York federal court. The jury verdict found Live Nation violated state and federal antitrust laws by monopolizing the market.