VYPR
AI Brief · 2026-06-12 · generated Jun 12, 2026

What you need to know today.

ShinyHunters exploited an Oracle PeopleSoft zero-day against 100+ organizations, while Microsoft patches a record 206 flaws including an actively exploited kernel bug.

ShinyHunters weaponized an Oracle PeopleSoft zero-day against more than 100 organizations, forcing an emergency out-of-band patch from Oracle. CVE-2026-35273 is a critical, unauthenticated remote code execution vulnerability in PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. As The Register reported, the ShinyHunters group exploited this flaw to breach universities and other institutions, stealing sensitive data. Mandiant confirmed active exploitation targeting the education sector, and BleepingComputer noted Oracle released an out-of-band security alert to mitigate the attacks. Organizations running PeopleSoft should treat this as an emergency patching priority given the confirmed, widespread in-the-wild exploitation.

Microsoft shipped its largest Patch Tuesday on record, addressing 206 CVEs including six zero-days, with one bug already under active attack. CVE-2026-45657 is a critical use-after-free in the Windows Kernel that allows unauthenticated remote code execution over the network and is being actively exploited, as BleepingComputer and The Record reported. CVE-2026-47291 is a critical integer overflow in Windows HTTP.sys enabling network-based RCE. CVE-2026-42904 is a critical heap-based buffer overflow in Windows TCP/IP that allows privilege escalation over an adjacent network. The Hacker News and Dark Reading both attributed the record volume in part to AI-assisted fuzzing. Rapid7 and CrowdStrike urged prioritizing the actively exploited kernel flaw above all others.

Adobe disclosed 25 vulnerabilities across its product portfolio, including critical flaws in ColdFusion and Campaign Classic that require no user interaction. CVE-2026-47928 is a critical improper input validation bug in ColdFusion 2023.19, 2025.8, and earlier that leads to arbitrary code execution. In Adobe Campaign Classic (ACC), CVE-2026-48303 (CVSS 10.0) is an incorrect authorization flaw enabling code execution in the current user's context, while CVE-2026-47938 (CVSS 10.0) is a server-side request forgery (SSRF) that can result in privilege escalation. As Vypr Intelligence noted, none of these require user interaction, making them attractive targets for initial access. ColdFusion and ACC administrators should prioritize these patches given the CVSS 10.0 severity and the lack of authentication requirements.

Splunk patched a critical unauthenticated file-creation flaw in its PostgreSQL sidecar service that could allow arbitrary file operations. CVE-2026-20253 (CVSS 9.8) affects Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.3 and 10.2.2510.14. An unauthenticated attacker can create or truncate arbitrary files through the PostgreSQL sidecar endpoint. SecurityWeek and Cyber Security News both highlighted this as a critical risk for Splunk deployments, as file-creation primitives can often be chained into remote code execution or configuration tampering. Teams running self-hosted Splunk should update immediately.
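For checking an asset inventory against the Splunk thresholds above, here is an added example (not from Splunk or the original brief) of a branch-aware version check. It assumes each "below X" threshold applies only to the release branch X belongs to; the hostnames and inventory rows are constructed.

```python
# Added example: triage Splunk versions against the CVE-2026-20253 thresholds
# quoted in the brief. Assumption: a threshold such as 10.0.7 covers only its
# own release branch (10.0.x); branches the brief does not list are "unknown".
FIXED = {
    "enterprise": ["10.2.4", "10.0.7"],
    "cloud": ["10.4.2604.3", "10.2.2510.14"],
}


def parse(version):
    """Turn '10.0.10' into (10, 0, 10) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.strip().split("."))


def triage(product, version):
    """Return 'vulnerable', 'fixed', or 'unknown' for one installed version."""
    installed = parse(version)
    for fixed_version in FIXED[product]:
        fixed = parse(fixed_version)
        branch = fixed[:-1]  # e.g. (10, 0) for 10.0.7, (10, 2, 2510) for cloud
        if installed[:len(branch)] == branch:
            return "vulnerable" if installed < fixed else "fixed"
    return "unknown"  # branch not covered by the brief; check the vendor advisory


# Constructed inventory rows: (hostname placeholder, product, installed version).
INVENTORY = [
    ("idx-01", "enterprise", "10.0.6"),
    ("idx-02", "enterprise", "10.0.10"),  # a string compare would misjudge this
    ("sh-01", "enterprise", "10.2.3"),
    ("hf-01", "enterprise", "9.4.2"),
    ("stack-a", "cloud", "10.2.2510.9"),
    ("stack-b", "cloud", "10.4.2604.3"),
]


def report(inventory=INVENTORY):
    """Map each host to its triage status."""
    return {host: triage(product, version) for host, product, version in inventory}


if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" run a branch the brief gives no threshold for and need a manual check against the vendor advisory.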

Roxy-WI, a popular web interface for managing HAProxy, Nginx, and Apache, disclosed 14 vulnerabilities including three critical CVSS 9.9 flaws. CVE-2026-45552 allows authentication bypass because the install blueprint only applies JWT checks at the blueprint level while individual routes lack enforcement. CVE-2026-45556 is a path traversal via the config_file_name parameter in the WAF rule-save endpoint. CVE-2026-45558 is an arbitrary file-write in the HAProxy section-save endpoints. Vypr Intelligence reported that these flaws can be chained to achieve unauthenticated remote code execution. Organizations using Roxy-WI to manage load balancers should treat this as an emergency upgrade given the trivial exploitation path.

CISA released two ICS advisories warning of hard-coded credentials and platform-wide signing keys in consumer IoT devices. CVE-2026-10557 affects Yarbo Android and iOS applications, which embed identical MQTT broker credentials in every app binary, as detailed in CISA's advisory. CVE-2026-28742 affects Naxclow devices, which use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in firmware, per CISA's advisory. Both flaws allow remote attackers to impersonate legitimate devices or users, potentially enabling unauthorized control or data access. These are supply-chain level weaknesses that cannot be fixed by end-users alone and require firmware updates from the respective vendors.

Additional critical vulnerabilities surfaced across infrastructure and open-source projects. CVE-2026-9170 in IBM HTTP Server 8.5 and 9.0 allows unauthenticated remote code execution via improper input validation, as Vypr Intelligence reported. CVE-2026-45777 and CVE-2026-45779 in Open XDMoD (versions prior to 11.0.3 and 10.0.3 respectively) enable unauthenticated SQL injection and remote command execution on HPC web servers. CVE-2026-30141 in bitbank2 AnimatedGIF v2.2.0 is a buffer overflow in the DecodeLZW function that can be triggered by a crafted GIF file. CVE-2026-38581 is an SQL injection in the damasac thaipalliative_lte application. CVE-2026-7852 in Limatek LimRAD NAC (before 5.5.7.3.9) allows unrestricted file upload leading to remote code inclusion. CVE-2025-6254 in the Doctreat Core WordPress plugin (up to 1.6.8) allows privilege escalation during registration.

Synthesized by Vypr AI