critical security updates Archives

Tech Optimizer

May 23, 2026

CVE-2026-9082: Critical Drupal Core SQLi Flaw

Drupal has issued critical security updates for a vulnerability in Drupal Core, identified as CVE-2026-9082, which affects sites using PostgreSQL databases. This flaw allows anonymous attackers to exploit the system through arbitrary SQL injection, posing risks such as sensitive information disclosure, privilege escalation, and remote code execution. The vulnerability is rated 20 out of 25 by Drupal and 6.5 out of 10 by CVE.org. It specifically impacts the database abstraction API, which fails to properly sanitize queries. The fixed versions include 11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, and 10.4.10, with best-effort patches available for unsupported versions 9.5 and 8.9. Organizations are advised to inventory their Drupal installations, verify PostgreSQL usage, and prioritize patching for public-facing sites.

Tech Optimizer

May 21, 2026

Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks

Drupal has announced critical security updates for a vulnerability in Drupal Core, identified as CVE-2026-9082, which allows attackers to execute remote code, escalate privileges, or disclose sensitive information. The vulnerability has a CVSS score of 6.5 and affects only sites using PostgreSQL databases. It can be exploited by anonymous users and is rooted in a database abstraction API used for query validation and SQL injection prevention. Updates have been released for the following versions: - Drupal 11.3.10 - Drupal 11.2.12 - Drupal 11.1.10 - Drupal 10.6.9 - Drupal 10.5.10 - Drupal 10.4.10 Drupal 7 is not impacted by this vulnerability. Users on unsupported versions 9 and 8 can access manual patches for: - Drupal 9.5 - Drupal 8.9 Drupal has stated that versions 11.1.x, 11.0.x, and 10.4.x and below are end-of-life and do not receive security coverage, and that both Drupal 8 and 9 have reached end-of-life status. Patches for unsupported versions are provided as a best effort, but users should be aware of potential other vulnerabilities.

Tech Optimizer

May 21, 2026

PostgreSQL Flaws Expose Databases to Remote Code Execution and SQL Injection

PostgreSQL has released versions 18.4, 17.10, 16.14, 15.18, and 14.23 to address 11 security vulnerabilities and over 60 bugs. The vulnerabilities affect PostgreSQL versions 14 through 18 and include issues such as remote code execution, SQL injection, and denial-of-service risks. Specific vulnerabilities include: - CVE-2026-6472: Missing authorization in CREATE TYPE allows query hijacking. - CVE-2026-6473: Integer wraparound leads to out-of-bounds writes and server crashes. - CVE-2026-6474: Format string issue leaks server memory. - CVE-2026-6475: Symlink attack allows overwriting arbitrary files. - CVE-2026-6476: SQL injection allows execution of arbitrary SQL as superuser. - CVE-2026-6477: Memory buffer overwrite via libpq lo_* functions. - CVE-2026-6478: Timing attack exposes MD5-hashed passwords. - CVE-2026-6479: SSL/GSS recursion flaw allows denial-of-service. - CVE-2026-6575: Buffer over-read leaks memory data (PostgreSQL 18 only). - CVE-2026-6637: Refint module enables stack overflow and SQL injection, leading to possible RCE. - CVE-2026-6638: SQL injection in REFRESH PUBLICATION via table names. Organizations are advised to upgrade to the latest versions, avoid MD5 password authentication, restrict privileges, audit extensions, and monitor for abnormal activity. PostgreSQL 14 will reach its end-of-life on November 12, 2026.

Tech Optimizer

May 20, 2026

Critical PostgreSQL Flaws Enable Code Execution and SQL Injection

On May 14, 2026, PostgreSQL released critical security updates for versions 18.4, 17.10, 16.14, 15.18, and 14.23, addressing 11 Common Vulnerabilities and Exposures (CVEs) related to stack buffer overflows, SQL injection, memory disclosure, and denial-of-service vulnerabilities. The most critical vulnerability, CVE-2026-6637, has a CVSS score of 8.8 and allows remote, unprivileged database users to execute arbitrary code. Other notable vulnerabilities include CVE-2026-6473, which affects memory allocation leading to potential memory corruption, and CVE-2026-6475, which allows overwriting sensitive OS-level files. Additional vulnerabilities include SQL injection flaws and authentication issues, with various CVSS scores ranging from 3.7 to 7.5. The updates can be implemented without a database dump, and PostgreSQL 14 will reach its end-of-life on November 12, 2026.

Winsage

February 24, 2026

Support for Windows Server 2016 is coming to an end

Microsoft has announced the end of support for several Windows products launched in 2016, including Windows Server 2016, Windows 10 Enterprise 2016 LTSB, and Windows IoT Enterprise LTSB 2016. Windows Server 2016 has been in the extended support phase since January 2022, with security updates available until January 12, 2027. Windows 10 Enterprise 2016 LTSB and Windows IoT Enterprise LTSB 2016 will reach the end of their extended support on October 13, 2026. Microsoft offers the Extended Security Updates (ESU) program for these products, allowing critical security updates for a fee, with costs for Windows 10 Enterprise 2016 LTSB set to increase annually per device. ESU will also be available for Windows Server 2016, but pricing details are not yet released. Windows IoT Enterprise LTSB 2016 will receive extended support through hardware manufacturers, with terms and costs varying by supplier. Microsoft emphasizes that using unsupported software increases risks and that migrating to a newer version of Windows is the only long-term solution.

Winsage

February 19, 2026

Firefox is finally ending support for Windows 7, 8, and 8.1, and urges users to upgrade or switch to Linux

Mozilla has announced that "Firefox version 115 is the last supported Firefox version for users of Windows 7, Windows 8, and Windows 8.1." Support for these operating systems began phasing out in January 2023, with access to the Extended Support Release (ESR) for critical security updates available until the end of February 2023. Firefox will continue to support Windows 10 for the foreseeable future, but transitioning to Windows 11 may present challenges due to hardware requirements. Mozilla suggests considering a shift to a Linux-based operating system for users whose hardware cannot accommodate Windows 10 or higher, as most Linux distributions come with Firefox as the default browser.

Winsage

February 16, 2026

Microsoft changes how it manages MILLIONS of old printers

Microsoft has stopped distributing V3 and V4 printer drivers through Windows Update as of last month, affecting printers up to 12 years old. Support for these drivers will end in January 2026, as they were marked as deprecated in September 2023. Users with printers relying on these drivers may experience functionality issues after support ends. Printer manufacturers are now responsible for providing driver updates via their websites, but existing drivers will remain operational. Microsoft confirmed that vendor-supplied drivers can still be installed using separate packages. Most modern printers do not use V3 and V4 drivers, as they are typically over a decade old. Microsoft aims to enhance system security and streamline the printing process by phasing out outdated drivers. After July 2026, Windows will prioritize built-in printer drivers during installation, and from July 2027, manufacturers will no longer be able to submit driver updates to Windows, although Microsoft will continue to provide critical security updates for existing drivers.

Winsage

January 16, 2026

Easterly helms RSAC, Windows update problems, Police Copilot gaffe

Jen Easterly has been appointed as the new Chief Executive Officer of the RSA Conference. She is a cybersecurity expert and former Director of the Cybersecurity and Infrastructure Security Agency (CISA). Palo Alto Networks has released security updates for a vulnerability (CVE-2026-0227) with a CVSS score of 7.7 affecting its GlobalProtect Gateway and Portal, which can cause a denial-of-service condition in PAN-OS software. The January 2026 security update from Microsoft has caused connection and authentication failures in Azure Virtual Desktop and Windows 365, affecting users across various Windows versions. Microsoft is working on a resolution. The chief constable of West Midlands Police acknowledged an error by Microsoft’s Copilot AI in generating a fictional intelligence report. Microsoft has not confirmed Copilot's involvement. Britain’s National Cyber Security Centre (NCSC) has collaborated with Five Eyes partners to provide guidance on securing industrial operational technology, highlighting risks associated with remotely monitored systems. Kyowon, a South Korean conglomerate, confirmed a ransomware attack on January 10 that may have compromised customer information, affecting approximately 5.5 million members. Researchers at Varonis have identified a new attack technique called "Reprompt" that allows data exfiltration from Microsoft Copilot via a malicious link, exploiting a Parameter 2 Prompt (P2P) injection technique. Central Maine Healthcare is notifying over 145,000 patients about a data breach that compromised personal, treatment, and health insurance information, discovered on June 1.

Winsage

January 16, 2026

Windows Remote Assistance Vulnerability Allow Attacker to Bypass Security Features

Critical security updates have been released to address CVE-2026-20824, a vulnerability in Windows Remote Assistance that allows attackers to bypass the Mark of the Web (MOTW) defense system. This affects various Windows platforms, including Windows 10 and Windows Server 2025, and is rated with an Important severity level. The flaw enables unauthorized local attackers to circumvent MOTW defenses, posing risks to confidentiality. The vulnerability requires local access and user interaction for exploitation, often using social engineering tactics. Microsoft has issued security updates for 29 Windows configurations, including specific KB articles for affected versions of Windows 10, Windows 11, and Windows Server. Users are advised to apply the necessary patches, which are classified as “Required” customer actions. The vulnerability remains unexploited in the wild and was not publicly disclosed before the patches were released. Microsoft’s assessment categorizes it as “Exploitation Less Likely.”

Winsage

January 13, 2026

New Windows updates replace expiring Secure Boot certificates

Microsoft is enhancing security for Windows 11 24H2 and 25H2 users by automatically replacing expiring Secure Boot certificates on eligible devices. Secure Boot protects against malicious software by ensuring only trusted bootloaders are executed during startup. Many Secure Boot certificates are set to expire starting in June 2026, which could jeopardize secure booting capabilities if not updated. The update includes a mechanism to identify devices eligible for automatic receipt of new Secure Boot certificates. IT administrators are advised to install the new certificates to maintain Secure Boot functionality and prevent loss of security updates. Organizations can also deploy Secure Boot certificates through various methods. IT administrators should inventory their devices, verify Secure Boot status, and apply necessary firmware updates before installing Microsoft's certificate updates.