What you need to know today.
Microsoft ships four CVSS 10.0 cloud patches as CISA warns on hard-coded passwords in lab bioreactors.

Microsoft ships fixes for four critical CVSS 10.0 cloud flaws. CVE-2026-47280 (Azure Resource Manager), CVE-2026-42901 (Entra ID), CVE-2026-41104 (Planetary Computer Pro), and CVE-2026-40412 (Azure Orbital Spatio) each carry a perfect 10.0 CVSS score. The ARM and Entra ID bugs are authentication bypasses that allow privilege escalation over the network; the Planetary Computer Pro issue is an untrusted deserialization leading to information disclosure; and the Azure Orbital Spatio flaw permits unrestricted file upload that can lead to remote code execution. None have public PoCs or active exploitation reports yet, but the CVSS 10.0 rating and cloud-scale attack surface make these emergency-patch items for any organization using Azure. Microsoft has not indicated whether these were disclosed through a coordinated bug bounty or internally discovered.
CISA warns of hard-coded VNC password in Eppendorf BioFlo 320 bioreactors. CVE-2026-7251 carries a 9.8 CVSS and affects the BioFlo 320, a laboratory fermentation and cell-culture device widely used in biopharma and research. The VNC server ships with a hard-coded password, meaning any attacker who can reach the device on the network can take full control of the user interface — including changing setpoints, stopping processes, or exfiltrating data. CISA published it as an ICS medical advisory, which places the device in a safety-critical context. There is no fix available; CISA recommends isolating the devices behind firewalls and VPNs, and warns they should not be directly connected to the internet.
IBM Aspera High-Speed Transfer hit by critical buffer overflow. CVE-2026-8175 (CVSS 9.8) affects asperahttpd in IBM Aspera High-Speed Transfer Endpoint and Server versions 3.7.4 through 4.4.7 Fix Pack 1. Aspera is widely used in media, entertainment, and life sciences for moving large files at high speed. The buffer overflow can be triggered remotely without authentication, making it a prime candidate for wormable exploitation. IBM has released Fix Pack 2; organizations still running Aspera on exposed infrastructure should prioritize this patch given the product's history of being targeted in data-exfiltration campaigns.
Four WordPress plugins disclosed with critical privilege-escalation and file-upload flaws. CVE-2026-42758 and CVE-2026-42757 affect WebinarIgnition (versions below 4.08.253) — the first is a privilege-escalation bug (CVSS 9.8), the second a path-traversal vulnerability (CVSS 9.9). CVE-2026-42756 (CVSS 9.9) is a path-traversal flaw in QuickWebP — Compress/Optimize Images & Convert WebP. CVE-2026-42748 (CVSS 9.9) in WPify Woo Czech allows unrestricted file upload, enabling attackers to drop a web shell on the server. CVE-2026-42731 (CVSS 9.8) in the miniOrange OTP Verification plugin allows privilege escalation. Fixes for all five CVEs are available in the plugins' latest versions. Given the volume of WordPress-based attacks and the ease of scanning for unpatched plugins, these should be updated immediately.
Joomla discloses four critical vulnerabilities across core components. CVE-2026-48904, CVE-2026-48899, and CVE-2026-48898 are improper access-check bugs in com_users that allow privilege escalation — two via the batch task endpoint, one via the group-editing webservice. CVE-2026-40383 is a local file inclusion vulnerability from improper input validation. CVE-2026-35222 is a SQL injection in com_tags caused by improperly validated order clauses. All five carry CVSS 9.8 scores. Joomla sites should update to the latest release. The concentration of critical bugs in the user-management component is particularly concerning, as privilege escalation from a low-privilege account can lead to full site takeover.
Delta Electronics DIAView mitigation bypass, Lumiverse MCP injection, and FastNetMon heap overflow round out the critical list. CVE-2026-9642 (CVSS 9.8) is an incomplete fix for CVE-2025-62582 in Delta Electronics DIAView, leaving unauthenticated remote database access still exploitable. CVE-2026-44450 (CVSS 9.9) in Lumiverse (pre-0.9.7) allows command injection through the MCP server creation endpoint — the command field is validated against an allowlist but the args array is passed unfiltered to the child process. CVE-2026-48689 (CVSS 9.8) in FastNetMon Community Edition through 1.2.9 is an off-by-one heap buffer overflow in the dynamic_binary_buffer_t class that can be triggered remotely. Patches are available for Lumiverse and FastNetMon; DIAView users should check with Delta for an updated fix.
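The Lumiverse item describes a validation gap worth seeing in code: the command is allowlisted, but the args array goes to the child process untouched. The block below is an added illustration written for this digest, not Lumiverse's code. It assumes an MCP-style launcher entry of the shape {"command": ..., "args": [...]}, checks it first the weak way (command only) and then with a positive per-command argument policy, and builds the argv for a shell=False launch. The allowlist, the argument patterns and the sample entries are all constructed for the example.

```python
import re
import subprocess

# Runtimes a server entry may be launched with. Constructed allowlist.
ALLOWED_COMMANDS = {"node", "python3", "npx"}

# Positive per-command argument policy: an argument is accepted only if it
# fully matches one of the patterns for that command. Constructed for the
# example; note it gives no way to express `node -e`, `python3 -c` or
# `npx -c`, each of which would turn an argument into code to execute.
ARG_POLICY = {
    "node":    [re.compile(r"[\w./-]+\.js")],
    "python3": [re.compile(r"[\w./-]+\.py")],
    "npx":     [re.compile(r"-y"),
                re.compile(r"(@[a-z0-9][\w-]*/)?[a-z0-9][\w.-]*(@[\w.-]+)?")],
}
MAX_ARGS = 8
SHELL_META = set(";&|`$<>\n\r\x00")


def weak_validate(cfg: dict) -> bool:
    """The defect pattern the digest describes: only the command is checked,
    the args list is accepted as-is and handed to the child process."""
    return cfg.get("command") in ALLOWED_COMMANDS


def strict_validate(cfg: dict) -> list:
    """Return the reasons an entry is rejected; an empty list means accepted."""
    problems = []
    command = cfg.get("command")
    args = cfg.get("args", [])
    if command not in ALLOWED_COMMANDS:
        return [f"command {command!r} is not allowlisted"]
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        return ["args must be a list of strings"]
    if len(args) > MAX_ARGS:
        problems.append(f"too many args ({len(args)} > {MAX_ARGS})")
    for i, arg in enumerate(args):
        if SHELL_META & set(arg):
            problems.append(f"arg {i} contains shell metacharacters: {arg!r}")
        elif ".." in arg.split("/"):
            problems.append(f"arg {i} contains a parent-directory component: {arg!r}")
        elif not any(p.fullmatch(arg) for p in ARG_POLICY[command]):
            problems.append(f"arg {i} does not match the policy for {command}: {arg!r}")
    return problems


def launch_argv(cfg: dict) -> list:
    """Build argv for a shell=False launch; raise if the entry is rejected.
    Rejections are the thing to log: a burst of them on a server-creation
    endpoint is a detection signal in its own right."""
    problems = strict_validate(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return [cfg["command"], *cfg.get("args", [])]


def launch(cfg: dict) -> subprocess.Popen:
    """Start the server process without a shell, so argv is never re-parsed."""
    return subprocess.Popen(launch_argv(cfg), shell=False)


if __name__ == "__main__":
    # Constructed sample entries: one benign, one that abuses an interpreter flag.
    samples = [
        {"command": "node", "args": ["server/index.js"]},
        {"command": "node", "args": ["-e", "process.exit(0)"]},
    ]
    for entry in samples:
        print(entry, "weak:", weak_validate(entry), "strict:", strict_validate(entry))
```

The point the policy makes: interpreter flags like `node -e` or `npx -c` contain no shell metacharacter at all, so a metacharacter blocklist on top of a command allowlist would still pass them. Argument checks have to be positive (what each command is allowed to receive), and the launch has to stay shell=False so the validated argv is not re-tokenised.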