VYPR
AI Brief · 2026-06-16 · generated Jun 16, 2026

What you need to know today.

Microsoft fixes 200-plus flaws including three zero-days, while Apache ActiveMQ Artemis and Adobe ColdFusion patch critical unauthenticated RCEs.

Microsoft Patch Tuesday fixes 200+ flaws, including three zero-days and a critical VS Code privilege escalation. CVE-2026-47281 is a critical improper input validation vulnerability in Visual Studio Code that allows an unauthenticated attacker to elevate privileges over a network, as BleepingComputer reported. The June 2026 update addresses roughly 200 vulnerabilities (Cyber Security News and Rapid7 count between 198 and 200), three of them zero-days. Teams should prioritize the VS Code fix given its network attack vector and critical severity rating.

Adobe discloses 25 vulnerabilities across ColdFusion and other products, including critical RCEs. CVE-2026-47928 (CVSS 9.6) is an improper input validation flaw in ColdFusion 2023.19, 2025.8 and earlier that enables arbitrary code execution without user interaction, as Vypr Intelligence detailed. Two additional ColdFusion bugs — CVE-2026-47931 (improper input validation, CVSS 8.4) and CVE-2026-47929 (incorrect authorization, CVSS 8.4) — also lead to code execution, while CVE-2026-47932 (path traversal, CVSS 8.8) allows security feature bypass. Organizations running ColdFusion should apply the latest patches immediately.

Apache ActiveMQ Artemis carries a critical unauthenticated remote code execution flaw. CVE-2026-27446 (CVSS 9.8) is a missing authentication vulnerability in Apache Artemis and ActiveMQ Artemis that lets an unauthenticated attacker use the Core protocol to force a target broker to establish an outbound Core federation connection, potentially leading to full compromise. The CISA ICS advisory notes this affects Siemens Opcenter RDnL as well. Given the critical CVSS score and unauthenticated network vector, this should be treated as emergency-patch priority.

Netty discloses six high-severity CVEs spanning DNS cache poisoning, IPv6 bypass, and memory leaks. CVE-2026-47691 and CVE-2026-45674 (both CVSS 8.7) involve insufficient bailiwick validation of NS and CNAME records in Netty's DnsResolveContext, enabling DNS cache poisoning attacks, as Vypr Intelligence reported. CVE-2026-44249 (CVSS 8.1) allows attackers to bypass IPv6 subnet rules due to incorrect masking in IP filtering. These flaws affect all Netty versions prior to 4.1.135.Final and 4.2.15.Final. The DNS cache poisoning CVEs are particularly concerning for any application relying on Netty's DNS resolver for service discovery or load balancing.
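The two checks the Netty paragraph turns on, bailiwick validation of records in a DNS reply and correct bit-level IPv6 prefix masking, are short enough to show in full. The C below is an added example written for this brief; it is not Netty's code and does not reproduce the flawed DnsResolveContext logic. It assumes a resolver that knows which zone the server it queried is authoritative for (the bailiwick) and only caches NS or CNAME records whose owner name sits at or below that zone, and it compares IPv6 addresses against a prefix by masking the partial byte rather than only whole bytes. The sample names and addresses are constructed.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Normalise a DNS name for comparison: strip a trailing dot, lowercase.
   Writes at most `cap` bytes including the NUL. Returns the length. */
static size_t dns_normalize(const char *in, char *out, size_t cap)
{
    size_t n = strlen(in);
    if (n > 0 && in[n - 1] == '.')
        n--;
    if (n >= cap)
        n = cap - 1;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)tolower((unsigned char)in[i]);
    out[n] = '\0';
    return n;
}

/* Bailiwick test: is `name` equal to `zone` or a label-aligned subdomain of it?
   "evilexample.com" is NOT in the bailiwick of "example.com": the suffix
   match must start on a label boundary ('.'). The root zone "." contains all. */
int in_bailiwick(const char *name, const char *zone)
{
    char n[256], z[256];
    size_t nl = dns_normalize(name, n, sizeof n);
    size_t zl = dns_normalize(zone, z, sizeof z);

    if (zl == 0)
        return 1;
    if (nl == zl)
        return strcmp(n, z) == 0;
    if (nl < zl + 1)
        return 0;
    return n[nl - zl - 1] == '.' && strcmp(n + (nl - zl), z) == 0;
}

/* The resolver asked a server authoritative for `bailiwick` and received an
   NS or CNAME record owned by `owner`. Cache it only if the owner is inside
   that bailiwick; otherwise a malicious server answering for example.com
   could plant an NS record for an unrelated domain in the cache. */
int accept_record(const char *bailiwick, const char *owner)
{
    return in_bailiwick(owner, bailiwick);
}

/* IPv6 prefix match with a correct bit-level mask. Prefix lengths that are
   not byte-aligned (e.g. /33) need a partial mask on the last compared byte;
   comparing whole bytes only, or masking just the first 32 bits as for IPv4,
   lets addresses outside the rule through. */
int ipv6_in_prefix(const uint8_t addr[16], const uint8_t net[16], unsigned prefix)
{
    if (prefix > 128)
        return 0;
    unsigned full = prefix / 8, rem = prefix % 8;
    if (memcmp(addr, net, full) != 0)
        return 0;
    if (rem == 0)
        return 1;
    uint8_t mask = (uint8_t)(0xFFu << (8 - rem));
    return (addr[full] & mask) == (net[full] & mask);
}

/* Constructed sample addresses: prefix 2001:db8::, and the hosts
   2001:db8::1 and 2001:db8:8000::1 (the latter differs in bit 33). */
const uint8_t NET_2001_DB8[16]  = {0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,0};
const uint8_t ADDR_IN_32[16]    = {0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,1};
const uint8_t ADDR_HIGH_BIT[16] = {0x20,0x01,0x0d,0xb8,0x80,0,0,0,0,0,0,0,0,0,0,1};

int main(void)
{
    printf("ns1.example.com in example.com:  %d\n", in_bailiwick("ns1.example.com", "example.com"));
    printf("evilexample.com in example.com:  %d\n", in_bailiwick("evilexample.com", "example.com"));
    printf("2001:db8:8000::1 in 2001:db8::/32: %d\n", ipv6_in_prefix(ADDR_HIGH_BIT, NET_2001_DB8, 32));
    printf("2001:db8:8000::1 in 2001:db8::/33: %d\n", ipv6_in_prefix(ADDR_HIGH_BIT, NET_2001_DB8, 33));
    return 0;
}
```

The label-boundary test in `in_bailiwick` is the part that is most often skipped: a plain suffix comparison accepts `evilexample.com` as a child of `example.com`, and the `/33` case in `ipv6_in_prefix` is where a whole-byte or 32-bit mask silently stops discriminating.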

GitLab EE patches a high-severity vulnerability allowing unauthorized project access. CVE-2026-10087 (CVSS 8.7) affects GitLab EE versions 17.1 through 19.0.1 and could allow an authenticated user with developer-role permissions to access resources beyond their authorization under certain conditions, per the GitLab security release and Vypr Intelligence. GitLab 19.0.2, 18.11.5, and 18.10.8 contain the fix. Self-managed instances should upgrade promptly given the potential for lateral movement by low-privileged users.

Multiple embedded and IoT devices disclose critical RCE and command injection flaws. CVE-2026-5482 (rated critical; no CVSS score published) affects Trippo's Responsive FileManager, allowing unauthenticated arbitrary file upload and remote code execution via the dialog.php endpoint; the project is unmaintained, so no patch exists and mitigation means removing or isolating the component. CVE-2026-31196 and CVE-2026-31195 (both CVSS 8.8) are OS command injection vulnerabilities in the traceroute and ping diagnostic handlers of ALTICE LABS/SFR France GR140DG Fibre Router firmware versions 3GN8020801R13, 3GN8020802R0A, and 3GN8020803R0A. CVE-2026-54410 (CVSS 8.6) is an off-by-one buffer overflow in nanoMODBUS through v1.23.0 that lets a remote attacker write one byte past a 260-byte receive buffer. These flaws highlight the continued risk in web file managers, consumer router diagnostic endpoints and industrial protocol libraries, especially where, as with Responsive FileManager, no maintainer remains to ship a fix.
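The nanoMODBUS item is a textbook off-by-one: a Modbus TCP ADU is at most 260 bytes (7-byte MBAP header plus a 253-byte PDU), and a receive path that tests `len > 260` instead of `len >= 260` before storing the next byte writes `buf[260]`, one past the end. The C below is an added example for this brief, not nanoMODBUS's source and not a reconstruction of its bug; it shows the correctly bounded receiver and an MBAP length check, with a constructed Read Holding Registers request as sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modbus TCP ADU: 7-byte MBAP header + up to 253 bytes of PDU = 260 bytes. */
#define MODBUS_TCP_ADU_MAX 260

struct mb_rx {
    uint8_t buf[MODBUS_TCP_ADU_MAX];
    size_t  len;                /* bytes accumulated so far */
};

/* Append one received byte. The bug class in question lives in this test:
   `if (rx->len > MODBUS_TCP_ADU_MAX)` still admits the 261st byte and
   stores it at buf[260], one past the end. Reject when len == MAX. */
int mb_rx_push(struct mb_rx *rx, uint8_t b)
{
    if (rx->len >= MODBUS_TCP_ADU_MAX)
        return -1;              /* frame too long: drop it and resync */
    rx->buf[rx->len++] = b;
    return 0;
}

/* Feed a chunk; returns the number of bytes accepted before the limit hit. */
size_t mb_rx_feed(struct mb_rx *rx, const uint8_t *data, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (mb_rx_push(rx, data[i]) != 0)
            break;
    return i;
}

/* Check the MBAP length field (bytes 4-5, big-endian) against what was
   actually received. It counts the unit id plus the PDU, i.e. everything
   after byte 6. Returns 1 when the frame is exactly complete, 0 while still
   waiting for bytes, -1 when the length field is impossible or exceeded. */
int mb_frame_complete(const struct mb_rx *rx)
{
    if (rx->len < 7)
        return 0;
    uint16_t mbap_len = (uint16_t)((rx->buf[4] << 8) | rx->buf[5]);
    if (mbap_len < 1 || mbap_len > MODBUS_TCP_ADU_MAX - 6)
        return -1;
    if (rx->len > 6u + mbap_len)
        return -1;
    return rx->len == 6u + mbap_len;
}

/* Constructed sample: Read Holding Registers (FC 3), unit 1, start 0, qty 1.
   MBAP: tid 0x0001, protocol 0, length 6 (unit id + 5-byte PDU). */
const uint8_t SAMPLE_READ_HR[12] = {0x00,0x01, 0x00,0x00, 0x00,0x06, 0x01,
                                    0x03, 0x00,0x00, 0x00,0x01};
/* Constructed sample with an MBAP length of 0, which no frame can have. */
const uint8_t SAMPLE_BAD_LEN[7]  = {0x00,0x01, 0x00,0x00, 0x00,0x00, 0x01};

/* Feed a 261-byte frame (one more than the ADU maximum) and report how many
   bytes the receiver accepted: a correct boundary check stops at 260. */
size_t overlong_frame_accepted(void)
{
    struct mb_rx rx = { {0}, 0 };
    uint8_t frame[MODBUS_TCP_ADU_MAX + 1];
    memset(frame, 0x41, sizeof frame);
    return mb_rx_feed(&rx, frame, sizeof frame);
}

/* Feed the first `n` bytes of the sample request and classify the frame. */
int sample_request_status(size_t n)
{
    struct mb_rx rx = { {0}, 0 };
    if (n > sizeof SAMPLE_READ_HR)
        n = sizeof SAMPLE_READ_HR;
    mb_rx_feed(&rx, SAMPLE_READ_HR, n);
    return mb_frame_complete(&rx);
}

int sample_bad_length_status(void)
{
    struct mb_rx rx = { {0}, 0 };
    mb_rx_feed(&rx, SAMPLE_BAD_LEN, sizeof SAMPLE_BAD_LEN);
    return mb_frame_complete(&rx);
}

int main(void)
{
    printf("bytes accepted from a 261-byte frame: %zu\n", overlong_frame_accepted());
    printf("12-byte request complete: %d\n", sample_request_status(12));
    printf("10 of 12 bytes received:  %d\n", sample_request_status(10));
    printf("MBAP length 0:            %d\n", sample_bad_length_status());
    return 0;
}
```

Two separate checks matter here: the byte-level bound in `mb_rx_push` protects the buffer regardless of what the header claims, and `mb_frame_complete` refuses length fields that could never fit, so a crafted MBAP length cannot be used to keep the receiver accumulating.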

OTRS database layer SQL injection enables unauthenticated authentication bypass. CVE-2026-48188 (CVSS 9.1) is an improper input validation vulnerability in OTRS and ((OTRS)) Community Edition's database layer module that allows unauthenticated SQL injection, leading to authentication bypass. The issue only affects systems using MySQL/MariaDB backends. Given the critical CVSS score and the fact that OTRS is widely deployed in enterprise service desk environments, teams should verify their database backend and patch immediately.

Chargeover redoc prototype pollution allows arbitrary code execution. CVE-2024-39011 (CVSS 9.8) affects chargeover redoc v2.0.9-rc.69, where prototype pollution in the mergeObjects function enables attackers to execute arbitrary code or cause denial of service. While this is a 2024 CVE, its critical severity and the continued use of redoc in API documentation tooling warrant attention from development teams.

WebGPU out-of-bounds write in Chrome/Chromium GPU GLES render process. CVE-2026-41157 (CVSS 9.8) allows a web page with unusual WebGPU content to trigger an out-of-bounds write in the GPU user-space driver, leading to memory corruption and potential browser or GPU process crash. This affects any Chromium-based browser on systems using the GLES render path for WebGPU. Users should ensure their browser is updated to the latest version.

JMESPath for Ruby deserialization vulnerability. CVE-2022-32511 (CVSS 9.8) affects jmespath.rb before version 1.6.1, which uses JSON.load instead of JSON.parse, enabling arbitrary object deserialization. While this is an older CVE, jmespath.rb is a transitive dependency of the AWS SDK for Ruby, so many applications carry it without listing it directly; it serves as a reminder to audit Ruby dependencies for unsafe JSON deserialization patterns.

Driftregion ISO 14229 UDS library contains integer underflow and OOB read. CVE-2026-54413 (CVSS 8.2) affects driftregion iso14229 through v0.9.0, where an integer underflow and downstream out-of-bounds read in the Handle_0x27_SecurityAccess() function allows a remote unauthenticated attacker to crash a UDS server and potentially leak memory. This is relevant for automotive and industrial control systems using the Unified Diagnostic Services protocol.

LiamBindle MQTT-C heap OOB read and integer underflow. CVE-2026-54412 (CVSS 8.2) affects MQTT-C through v1.1.6, where a heap-based out-of-bounds read and integer underflow in the mqtt_unpack_publish_response() function allows a remote attacker controlling an MQTT broker to crash clients or leak memory. IoT deployments using this lightweight MQTT library should update or implement network-level protections.
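The iso14229 SecurityAccess and MQTT-C PUBLISH items above are the same bug class: a length field or a fixed header size is subtracted from the received length without first checking that the received length is large enough, the unsigned result wraps to a huge value, and the parser reads far past the buffer. One bounds-checked cursor fixes both, so the C below serves both paragraphs. It is an added example written for this brief, not code from either library, and it makes no claim about where their actual arithmetic went wrong. It parses an MQTT 3.1.1 PUBLISH packet as a client would receive it from a broker and a UDS SecurityAccess (SID 0x27) request; the packet bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Bounded cursor over a received frame. Every read checks the remaining
   length first, so "len - header" style arithmetic can never wrap below
   zero into a huge size_t and drive a read past the end of the buffer. */
struct cursor { const uint8_t *p; size_t left; };

static int rd_u8(struct cursor *c, uint8_t *v)
{
    if (c->left < 1) return -1;
    *v = *c->p++; c->left--; return 0;
}
static int rd_u16be(struct cursor *c, uint16_t *v)
{
    if (c->left < 2) return -1;
    *v = (uint16_t)((c->p[0] << 8) | c->p[1]);
    c->p += 2; c->left -= 2; return 0;
}
static int rd_bytes(struct cursor *c, size_t n, const uint8_t **out)
{
    if (c->left < n) return -1;         /* the check an underflowing parser lacks */
    *out = c->p; c->p += n; c->left -= n; return 0;
}

/* MQTT 3.1.1 "remaining length": 1-4 bytes, 7 data bits each, LSB first. */
static int rd_varint(struct cursor *c, uint32_t *v)
{
    uint32_t mult = 1, val = 0; uint8_t b;
    for (int i = 0; i < 4; i++) {
        if (rd_u8(c, &b)) return -1;
        val += (uint32_t)(b & 0x7F) * mult;
        if (!(b & 0x80)) { *v = val; return 0; }
        mult *= 128;
    }
    return -1;                          /* a 5th continuation byte is malformed */
}

struct publish {
    const uint8_t *topic; uint16_t topic_len;
    uint16_t packet_id; uint8_t qos;
    const uint8_t *payload; size_t payload_len;
};

/* Parse a PUBLISH. Returns 0 on success, -1 if any length field (remaining
   length, topic length, packet id) claims more bytes than were received. */
int mqtt_parse_publish(const uint8_t *buf, size_t len, struct publish *out)
{
    struct cursor c = { buf, len };
    uint8_t hdr; uint32_t rem;
    if (rd_u8(&c, &hdr) || (hdr >> 4) != 3) return -1;
    if (rd_varint(&c, &rem) || rem > c.left) return -1;
    c.left = rem;                       /* ignore bytes after this packet */
    out->qos = (hdr >> 1) & 3;
    if (rd_u16be(&c, &out->topic_len)) return -1;
    if (rd_bytes(&c, out->topic_len, &out->topic)) return -1;
    out->packet_id = 0;
    if (out->qos > 0 && rd_u16be(&c, &out->packet_id)) return -1;
    out->payload_len = c.left;          /* whatever remains is the payload */
    return rd_bytes(&c, c.left, &out->payload);
}

/* UDS (ISO 14229) SecurityAccess request: SID 0x27, sub-function, then the
   key (odd sub-functions request a seed and carry no key). Returns the key
   length, or -1 for a request shorter than two bytes, where an unchecked
   `len - 2` would underflow. */
int uds_parse_security_access(const uint8_t *buf, size_t len,
                              uint8_t *subfn, const uint8_t **key)
{
    struct cursor c = { buf, len };
    uint8_t sid;
    if (rd_u8(&c, &sid) || sid != 0x27) return -1;
    if (rd_u8(&c, subfn)) return -1;
    *key = c.p;
    return (int)c.left;
}

/* Constructed samples. PUB_QOS0: topic "a/b", payload "hi". PUB_QOS1: same
   with packet id 42. PUB_TRUNC: remaining length 7 but only 5 bytes follow.
   PUB_BAD_TOPIC: topic length 10 inside a 5-byte remainder. */
const uint8_t PUB_QOS0[9]      = {0x30,0x07, 0x00,0x03,'a','/','b', 'h','i'};
const uint8_t PUB_QOS1[11]     = {0x32,0x09, 0x00,0x03,'a','/','b', 0x00,0x2A, 'h','i'};
const uint8_t PUB_TRUNC[7]     = {0x30,0x07, 0x00,0x03,'a','/','b'};
const uint8_t PUB_BAD_TOPIC[7] = {0x30,0x05, 0x00,0x0A,'a','/','b'};
const uint8_t UDS_SHORT[1]     = {0x27};
const uint8_t UDS_SEED_REQ[2]  = {0x27,0x01};
const uint8_t UDS_SEND_KEY[4]  = {0x27,0x02,0xAA,0xBB};

/* Convenience wrappers: payload length / packet id, or -1 when rejected. */
int publish_payload_len(const uint8_t *buf, size_t len)
{ struct publish p; return mqtt_parse_publish(buf, len, &p) ? -1 : (int)p.payload_len; }
int publish_packet_id(const uint8_t *buf, size_t len)
{ struct publish p; return mqtt_parse_publish(buf, len, &p) ? -1 : (int)p.packet_id; }
int uds_key_len(const uint8_t *buf, size_t len)
{ uint8_t sf; const uint8_t *k; return uds_parse_security_access(buf, len, &sf, &k); }
```

The point of routing every field through `rd_bytes` is that no caller ever computes a remaining size by subtraction; the cursor owns the count and refuses before it can go negative, which is exactly the condition a malicious broker or a short diagnostic request is trying to create.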

Synthesized by Vypr AI
Microsoft Leads June Patch Tuesday With 200 Fixes · VYPR