Multiple vulnerabilities in IBM QRadar - Advisory CERT-FR-2026-AVI-0455
CERT-FR issued advisory CERTFR-2026-AVI-0455 disclosing multiple vulnerabilities in IBM QRadar SOAR Plugin versions from 5.3.1 prior to 5.6.4. The vulnerabilities (CVE-2025-66418, CVE-2025-66471, CVE-2026-21441) allow remote attackers to cause a denial of service. Organizations running affected versions should apply the patches referenced in IBM security bulletins 7269734 and 7269736.
Multiple vulnerabilities in the SUSE Linux kernel - CERTFR-2026-AVI-0454
CERT-FR issued an advisory warning of multiple vulnerabilities in the SUSE Linux kernel. The advisory aggregates 45+ SUSE security bulletins from April 10-15, 2026 (SUSE-SU-2026:1242-1 through SUSE-SU-2026:1342-1) and covers 32 SUSE product lines, including openSUSE Leap 15.3-15.6 and SUSE Linux Enterprise Server 12 SP5 through 15 SP7. Attackers could exploit these vulnerabilities to cause unspecified security issues. CERT-FR directs affected parties to consult the SUSE security bulletins for available patches.
Multiple Vulnerabilities in Red Hat Linux Kernel Allow Code Execution
CERT-FR issued an advisory warning of multiple vulnerabilities in Red Hat Linux kernel affecting multiple product versions. Four CVEs are referenced: CVE-2025-71238, CVE-2026-23144, CVE-2026-23171, and CVE-2026-23204. The vulnerabilities expose affected systems to arbitrary code execution, privilege escalation, data confidentiality breaches, security policy bypass, and denial of service. Organizations using Red Hat Enterprise Linux or CodeReady Linux Builder on ARM 64, IBM z Systems, Power (little endian), and x86_64 architectures should apply vendor patches from RHSA-2026:8342.
Multiple vulnerabilities in Microsoft products
CERT-FR issued a security advisory informing of multiple vulnerabilities in Microsoft products affecting azl3 containerd2 (versions prior to 2.0.0-19) and cbl2 rubygem-rdiscount (versions prior to 2.2.0.2-4). The vulnerabilities, tracked as CVE-2026-35201 and CVE-2026-35469, could allow an attacker to cause an unspecified security issue. Affected parties are advised to refer to Microsoft security bulletins for patches.
Multiple Linux Kernel Vulnerabilities in Ubuntu, Privilege Escalation and Data Breach Risk
CERT-FR issued an advisory warning of multiple vulnerabilities discovered in the Ubuntu Linux kernel. The vulnerabilities affect Ubuntu versions 14.04 ESM through 25.10 and could enable attackers to achieve privilege escalation, compromise data confidentiality, damage data integrity, or cause denial of service. The advisory references 15 Ubuntu security bulletins and 45+ CVE identifiers including CVE-2025-39869 and CVE-2025-38591.
EDPB Guidelines on Scientific Research Data Processing Public Consultation
The European Data Protection Board (EDPB) has adopted Guidelines on processing personal data for scientific research purposes, with input from the Italian Data Protection Authority (Garante). The guidelines clarify the definition of 'scientific research' and confirm that personal data may be reused for research even if initially collected for different purposes, provided an adequate legal basis is respected. The consultation runs until June 25, 2026.
Hashicorp Vault Vulnerabilities CVSS 8.1 Data Manipulation DoS Information Disclosure
BSI-CERT (CERT-Bund) published security advisory WID-SEC-2026-1164 identifying multiple vulnerabilities in Hashicorp Vault (Community and Enterprise editions) with CVSS Base Score 8.1. Affected versions include Vault below 2.0.0 and Enterprise below 1.21.5, 1.20.10, and 1.19.16. Remote attackers can exploit these flaws to manipulate data, cause denial-of-service conditions, or disclose confidential information potentially enabling privilege escalation. Mitigation measures are available.
Angular Security Flaw Enables Remote Information Disclosure
CERT-Bund issued a security advisory warning of a vulnerability in Angular framework versions prior to 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8. A remote, anonymous attacker can exploit this flaw to disclose information. The vulnerability affects applications running on Angular across Linux, UNIX, Windows, and other operating systems, with a CVSS Base Score of 8.6 (high) and Temporal Score of 7.5 (high).
GnuTLS Vulnerability Allows Denial of Service Attacks, No Fix Available
CERT-Bund published security advisory WID-SEC-2026-1165 warning of a vulnerability in GnuTLS (GNU Transport Layer Security Library) that allows remote attackers to conduct Denial of Service attacks. The vulnerability has a CVSS Base Score of 7.5 (high) and Temporal Score of 7.1 (high). No mitigation or fix is currently available. Affected products include Open Source GnuTLS running on Linux, UNIX, and Windows operating systems.
Budibase Critical Vulnerability Allows Security Bypass (CVSS 9.1)
CERT-Bund issued a security advisory regarding a critical vulnerability in Budibase, an open-source low-code platform for building internal applications. The vulnerability (CVSS Base Score 9.1) allows remote anonymous attackers to bypass security controls. Affected systems include Linux, UNIX, and other operating systems running Budibase versions prior to 3.35.4. Organizations using this platform should update to version 3.35.4 immediately.
Microsoft Developer Tools Multiple Vulnerabilities CVSS 7.8
CERT-Bund published advisory WID-SEC-2026-1100 disclosing multiple vulnerabilities in Microsoft Visual Studio, .NET Framework, .NET, PowerShell, and Visual Studio Code. The CVSS Base Score is 7.8 (high); the CVSS Temporal Score is 6.8 (medium). Affected products span .NET Framework 3.5 through 10.0, PowerShell 7.4 and 7.5, Visual Studio 2017 through 2022, and the Visual Studio Code CoPilot Chat Extension across Linux, macOS, and Windows platforms. An attacker could exploit these flaws to disclose confidential information, conduct spoofing attacks, cause denial-of-service conditions, bypass security measures, or potentially execute arbitrary code. The advisory notes that remote exploitation is not possible.
Cisco WebEx Multiple Critical Vulnerabilities CVSS 9.8
CERT-Bund issued a critical security advisory for Cisco WebEx vulnerabilities (WID-SEC-2026-1132) with CVSS Base Score 9.8 affecting WebEx Contact Center and WebEx Services. Multiple cross-site scripting vulnerabilities and security bypass flaws affect Windows, Linux, UNIX, and other operating systems. Remote attackers can exploit these flaws to perform XSS attacks and circumvent security measures.
Red Hat Enterprise Linux and Satellite High-Severity Security Vulnerabilities (CVSS 8.1)
CERT-Bund issued security advisory WID-SEC-2026-1160 alerting to multiple high-severity vulnerabilities in Red Hat Enterprise Linux 9 and Red Hat Satellite 6.18. The vulnerabilities carry a CVSS Base Score of 8.1 (High) and Temporal Score of 7.1 (High). Remote attackers can exploit these flaws to disclose information or execute arbitrary code. Mitigation measures are available.
Apache Kafka Multiple Vulnerabilities CVSS 7.5
CERT-Bund published a security advisory (WID-SEC-2026-1166) disclosing multiple vulnerabilities in Apache Kafka with a CVSS Base Score of 7.5 (high) and Temporal Score of 6.5 (medium). Affected versions include Apache Kafka prior to 4.1.2, 4.2.0, 3.9.2, and 4.0.1. Remote attackers can exploit these vulnerabilities to bypass security controls and disclose information. Mitigations are available.
Sparx Enterprise Architect Multiple Vulnerabilities Allow Security Bypass
CERT-Bund issued security advisory WID-SEC-2026-1163 regarding multiple vulnerabilities in Sparx Systems Enterprise Architect (versions prior to 17.1) affecting Linux, UNIX, and Windows platforms. CVSS Base Score is 6.1 (medium) with CVSS Temporal Score of 5.3 (medium). Remote attack is not possible; mitigation is available. Attackers can exploit these vulnerabilities to bypass security measures and disclose information.
OpenClaw Multiple Critical Vulnerabilities CVSS 9.8
CERT-Bund issued a critical security advisory for OpenClaw, an open-source personal AI assistant for self-hosted deployment. Multiple vulnerabilities with a CVSS Base Score of 9.8 (critical) and Temporal Score of 8.5 (high) affect OpenClaw versions prior to 2026.4.15. Remote attackers can exploit these flaws to gain elevated privileges, execute arbitrary code, bypass security controls, or disclose/manipulate data. Mitigation measures are available.
CISA Adds Apache ActiveMQ Code Injection Vulnerability CVE-2026-34197 to Known Exploited Vulnerabilities Catalog
CISA added CVE-2026-34197, an Apache ActiveMQ code injection vulnerability, to its Known Exploited Vulnerabilities catalog on April 16, 2026. The vulnerability, rated HIGH at CVSS 8.8 with active exploitation status, allows authenticated attackers to achieve arbitrary code execution through the Jolokia JMX-HTTP bridge. Affected versions include Apache ActiveMQ before 5.19.4 and from 6.0.0 before 6.2.3. Federal civilian agencies are required to remediate per BOD 22-01 remediation timelines.
EU Commissioner McGrath Outlines Digital Fairness Act, EU Inc. Initiative
European Commissioner Michael McGrath discussed upcoming EU digital legislation including the Digital Fairness Act, expected to be released as a draft by year-end, and the EU Inc. initiative for streamlined cross-border company formation. The Digital Fairness Act aims to extend digital consumer protections beyond current DSA scope and address enforcement gaps, particularly regarding children's data. The EU-U.S. Data Privacy Framework remains intact despite ongoing EU-U.S. tensions over digital regulation and trade.
Dutch Authorities Call for Complete EU Ban on AI Nudify Apps Without Exceptions
The Dutch data protection authority (AP), ACM, ATKM, Dutch Media Authority, police, and Public Prosecution Service have jointly called for a complete European ban on AI nudify tools. Current EU plans would permit these apps if the person depicted gives consent, but the authorities want the ban without exceptions. Under existing legislation, only individual perpetrators creating and distributing non-consensual intimate images can be prosecuted, not the tools themselves. The exact form and timeline of any ban remains under negotiation at EU level.
Critical Vulnerabilities in Cisco ISE and Webex Services
The Cyber Security Agency of Singapore issued an alert advising users and administrators to immediately update Cisco Identity Services Engine (ISE) and Webex Services to address multiple critical security vulnerabilities. Affected CVEs include CVE-2026-20147, CVE-2026-20180, CVE-2026-20186 (CVSSv3.1: 9.9) in Cisco ISE, and CVE-2026-20184 (CVSSv3.1: 9.8) in Webex Services. The vulnerabilities could allow authenticated remote attackers to gain root access and execute arbitrary commands, or unauthenticated attackers to impersonate users and access legitimate Webex services.
Critical Vulnerability in Nginx UI Actively Exploited (CVE-2026-33032)
The Cyber Security Agency of Singapore (CSA) issued an alert regarding a critical vulnerability (CVE-2026-33032) in Nginx-UI with Model Context Protocol (MCP) support. The vulnerability has a CVSS v3.1 score of 9.8 out of 10 and is being actively exploited in the wild with a public proof-of-concept exploit available. Successful exploitation allows network attackers to invoke all MCP tools without authentication and achieve complete NGINX service takeover.
Anviz CX2 Lite, CX7, CrossChex Access Control Devices Multiple Critical and High Vulnerabilities
CISA ICS-CERT published an advisory detailing 12 critical and high-severity vulnerabilities affecting Anviz biometric access control devices (CX2 Lite, CX7, and CrossChex). The vulnerabilities include missing authentication, command injection, hardcoded cryptographic keys, and unauthenticated firmware uploads, with CVSS scores ranging from 5.3 to 9.8. Anviz did not respond to CISA's coordination attempts, leaving no vendor-provided patches available.
AVEVA Pipeline Simulation Missing Authorization Vulnerability ICSA-26-106-04
CISA ICS-CERT published advisory ICSA-26-106-04 disclosing a critical missing authorization vulnerability (CVE-2026-5387) in AVEVA Pipeline Simulation versions <=2025_SP1_build_7.1.9497.6351. The flaw carries a CVSS v3.1 score of 9.1 (Critical) and allows unauthenticated attackers to modify simulation parameters, training configuration, and training records through privilege escalation. The vendor has released a fix in version 2025 SP1 P01 (build 7.1.9580.8513).
CVE-2026-34197 Apache ActiveMQ Improper Input Validation Vulnerability Added to KEV Catalog
CISA has added CVE-2026-34197 (Apache ActiveMQ Improper Input Validation) to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. This vulnerability poses significant risks to the federal enterprise as improper input validation is a frequent attack vector for malicious cyber actors. Binding Operational Directive 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by specified due dates. CISA strongly urges all organizations to prioritize timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice.
Delta Electronics ASDA-Soft Stack-Based Buffer Overflow Vulnerability
CISA ICS-CERT published advisory ICSA-26-106-01 disclosing a stack-based buffer overflow vulnerability (CVE-2026-5726) in Delta Electronics ASDA-Soft versions 7.2.0.0 through 7.2.2.0. Successful exploitation could allow an attacker to execute arbitrary code on affected systems. Delta Electronics has released version 7.2.6.0 as the vendor fix. The vulnerability has a CVSS v3.1 base score of 7.8 (HIGH severity) and affects the Critical Manufacturing sector worldwide.
Horner Automation Cscape and XL4, XL7 PLC Weak Password Vulnerability
CISA ICS-CERT published an advisory for Horner Automation Cscape and the XL4 and XL7 PLCs (CVSS 9.1 CRITICAL) identifying a weak password requirements vulnerability. Affected versions include Cscape v10.0, XL7 PLC v15.60, and XL4 PLC v16.32.0. An attacker with network access could discover passwords by brute force and gain unauthorized access to systems and services. A vendor fix is available: update to Cscape v10.2 SP2 or later and the latest firmware.
Firmware-Based Monitoring for Bus-Based Computer Systems
NIST published a technical white paper (CSWP 52) describing design mechanisms for firmware-based monitoring of bus-based computer systems. The paper details how distributed forensic units can passively observe bus traffic and employ consensus-building algorithms to collaboratively detect compromised nodes within zero trust architectures. The research targets future system defense solutions for embedded and distributed hardware systems.
Opinion 14/2026 Europrivacy Certification Criteria GDPR Seal Approval
The European Data Protection Board (EDPB) issued Opinion 14/2026 regarding Europrivacy certification criteria under Article 42.5 GDPR. The opinion addresses whether the Europrivacy certification scheme meets requirements for approval as an official European Data Protection Seal. Certification bodies and data controllers operating in EU member states will need to consider this guidance when implementing or obtaining data protection certifications.
Opinion 15/2026 on Europrivacy Certification Criteria for European Data Protection Seal
The European Data Protection Board adopted Opinion 15/2026 regarding the Europrivacy certification criteria for approval as a European Data Protection Seal. The opinion assesses whether the criteria meet requirements under Articles 42 and 46 GDPR for use as a transfer mechanism. This certification provides organizations with an approved tool to demonstrate adequate safeguards for international personal data transfers.
Vim vulnerability allows arbitrary code execution, CVSS 6.6
IBM Spectrum Protect Plus Denial of Service Vulnerability - CVSS 8.6
CERT-Bund issued security advisory WID-SEC-2026-1148 identifying a high-severity denial of service vulnerability in IBM Spectrum Protect Plus. The flaw carries a CVSS Base Score of 8.6 and a Temporal Score of 7.5, with confirmed remote exploitability by an unauthenticated attacker. Affected versions include IBM Spectrum Protect Plus prior to version 10.1.18, running on Linux, UNIX, or Windows operating systems. Mitigation measures are available.
Cisco Unity Connection Multiple Vulnerabilities, CVSS 6.5
CERT-Bund published security advisory WID-SEC-2026-1149 disclosing multiple vulnerabilities in Cisco Unity Connection (CVSS Base Score 6.5, medium). Affected versions include Cisco Unity Connection prior to 14SU6, 15SU4, and 14SU5. An attacker can exploit these flaws to conduct cross-site scripting attacks, redirect users to malicious websites, manipulate data, and disclose confidential information. Mitigations are available.
Dell Storage Manager Privilege Escalation Vulnerability, CVSS 7.3
CERT-Bund issued a security advisory regarding a privilege escalation vulnerability (CVE) in Dell Storage Manager affecting Dell Storage Manager Replay Manager versions prior to 8.0.3. The flaw carries a CVSS base score of 7.3 (high) and a temporal score of 6.4 (medium). A local attacker with access to the affected Windows system can exploit this vulnerability to escalate privileges. Mitigation measures are available.
Multiple XSS Vulnerabilities Drupal Core, Severity Medium
CERT-Bund issued a security advisory regarding multiple cross-site scripting (XSS) vulnerabilities in Drupal Core affecting versions prior to 10.5.9, 10.6.7, 11.2.11, and 11.3.7. The vulnerability carries a CVSS Base Score of 5.7 (Medium) and CVSS Temporal Score of 5.0 (Medium). An attacker can exploit these vulnerabilities to conduct cross-site scripting attacks and potentially execute arbitrary code remotely. Mitigations are available.
Guidelines 1/2026 on Processing Personal Data for Scientific Research Purposes
The European Data Protection Board has opened a public consultation on Guidelines 1/2026 addressing the processing of personal data for scientific research purposes under the GDPR. The guidelines cover topics including legal basis, consent requirements, and data subject rights in research contexts. Comments may be submitted until 25 June 2026, after which submitted responses will be published on the EDPB website.