What you need to know today.
A 25-year-old cURL flaw affecting 30 billion devices is finally patched, while CISA warns of critical EV charging and ICS vulnerabilities.

A 25-year-old cURL vulnerability has finally been patched, affecting an estimated 30 billion devices. CVE-2026-8927 and CVE-2026-9080 have been addressed in the cURL library after decades of exposure. As Cyber Security News reported, the flaw's age and the library's ubiquity (it is embedded in virtually every Linux distribution, macOS, IoT firmware, and cloud infrastructure) make this a watershed moment for supply-chain hygiene. SecurityWeek noted that the vulnerability could enable remote code execution or data exfiltration under specific conditions. Organizations should update cURL/libcurl to the latest patched version immediately, and should not stop at the system package: statically linked binaries, container images, and vendor firmware that bundle their own copy of libcurl must be rebuilt or re-released as well. Exploit development is likely given the breadth of the attack surface.
CISA published seven ICS advisories covering critical and high-severity flaws across industrial control systems, from EV charging infrastructure to building automation. The EVoke Systems Charging Station Management System (CSMS) carries the highest score with CVE-2026-40702 (CVSS 9.4), a critical authentication bypass in WebSocket endpoints that allows attackers to impersonate charging stations and access sensitive data. Three additional CSMS flaws compound the risk, as CISA detailed: CVE-2026-54479 (predictable session identifiers), CVE-2026-50176 (missing rate limiting, enabling brute-force attacks), and CVE-2026-44622 (authentication identifiers publicly exposed via mapping platforms). Chained together, these vulnerabilities could enable large-scale compromise of EV charging networks through session hijacking, denial of service, and credential theft.
OpenAM disclosed two critical unauthenticated remote vulnerabilities that together could enable full server compromise. CVE-2026-45052 is an improper authorization flaw in the Liberty Web Services SOAP receiver that lets an unauthenticated attacker write persistent entries into any user's LDAP Discovery store. CVE-2026-45051 is a deserialization-of-untrusted-data bug in the WebAuthn authentication module that can lead to arbitrary code execution. Both carry a risk score of 0.59 (high). OpenAM is widely deployed as a single sign-on solution in government and enterprise environments; an attacker chaining these flaws could achieve persistent backdoor access across federated identity systems. Patches should be applied under emergency change procedures; where the Liberty Web Services SOAP receiver or the WebAuthn module is not in use, restricting network access to those endpoints reduces exposure in the meantime.
Daktronics Controller Firmware and DMP-5000 devices are the subject of a CISA advisory covering multiple high-severity flaws. CVE-2026-31928 (CVSS 8.1) describes a default administrative web account with weak authentication that provides full system access on DMP-5000 units. CVE-2026-33560 (CVSS 7.1) is an authenticated arbitrary file upload without validation on the same platform; combined with the default account, it gives an attacker with network reach a route to placing arbitrary content on the device. Meanwhile, CVE-2026-28701 (CVSS 7.7) affects Daktronics Controller Firmware, allowing both authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths, as CISA noted. These flaws are particularly dangerous because Daktronics scoreboards and displays are deployed in stadiums, transportation hubs, and public venues where availability and integrity are critical; operators should change or disable the default account and keep the web interface off any publicly reachable network.
Schneider Electric PowerLogic P7 and H.View IP camera advisories reveal command injection and denial-of-service risks in building and industrial systems. CVE-2026-9717 (CVSS 7.2) is an OS command injection vulnerability in PowerLogic P7 that allows unauthorized command execution with elevated privileges. CVE-2026-9716 (CVSS 7.5) is a NULL pointer dereference that renders the device's HMI and configuration functionality unavailable, as CISA detailed. Separately, H.View HV-500S6 IP cameras contain CVE-2026-55975 (CVSS 7.2), an XML injection flaw in certificate generation, and CVE-2026-56414 (CVSS 7.2), an arbitrary file upload vulnerability in certificate-related interfaces, per CISA's advisory. Both product families sit on operational networks where patching is often delayed, so restricting their management interfaces to a segmented network is the practical interim control.
Multiple ICS deserialization and memory-corruption flaws affect engineering workstation software from Delta Electronics, Horner Automation, and AzeoTech. CVE-2026-12578 (CVSS 7.8) in Delta Electronics DTM Soft allows arbitrary code execution via deserialization of untrusted data. CVE-2026-12897 (CVSS 7.8) in Horner Automation Cscape (versions prior to 10.2 SP3) is an out-of-bounds read vulnerability exploitable through parsing CSP files, leading to information disclosure and potential code execution, as CISA reported. CVE-2026-12921 (CVSS 7.8) in AzeoTech DAQFactory (versions 21.1 and prior) is a use-after-free flaw triggered by specially crafted .ctl files, also enabling code execution, per CISA's update. The Cscape and DAQFactory flaws are triggered by opening a crafted project file on the workstation, so shared project repositories and phishing are the likely delivery paths. These engineering tools are used to configure and program PLCs and HMIs; successful exploitation could allow attackers to pivot from the workstation into the operational technology environment.
A medium-severity argument-injection flaw in an unnamed executor (CVE-2026-53541) allows input filtering to be bypassed for arguments whose names start with "ot_". The filterToDefinedArgumentsOnly function is meant to discard undefined arguments, but a special case lets any argument whose name begins with ot_ through unfiltered, so a caller can reach the underlying command with parameters the executor never declared. While the risk score is low (0.19), this type of logic bypass in CI/CD or automation executors can be leveraged for privilege escalation or lateral movement if the executor runs with elevated permissions. Organizations using the affected executor should review their action configurations for ot_-prefixed inputs and apply the vendor patch.
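To make the bypass concrete, here is an added reconstruction of the pattern the advisory describes. It is not the vendor's code: only the function name filterToDefinedArgumentsOnly comes from the advisory, while the argument schema, the `ot_` handling, the `toArgv` helper and the constructed request are assumptions for this example. The hardened version replaces the prefix exception with an explicit allowlist of the `ot_` keys the executor actually supports.

```javascript
// Added illustration of the CVE-2026-53541 filter-bypass pattern.
// Not vendor code; names other than filterToDefinedArgumentsOnly are assumed.

// Arguments the executor actually declares (assumed schema). Anything else
// should be dropped before the argument list reaches the underlying tool.
const definedArguments = new Set(["target", "timeout", "verbose"]);

// Vulnerable: the allowlist check is correct, but the prefix special case
// lets any caller-supplied key that starts with "ot_" through unfiltered.
function filterToDefinedArgumentsOnly(args) {
  const kept = {};
  for (const [name, value] of Object.entries(args)) {
    if (definedArguments.has(name) || name.startsWith("ot_")) {
      kept[name] = value;
    }
  }
  return kept;
}

// Hardened: the prefix exception becomes an explicit allowlist of the "ot_"
// keys the executor really supports (assumed here to be one), and values must
// be scalars so a key cannot smuggle nested structure through the filter.
const definedOtArguments = new Set(["ot_trace_id"]);
function filterToDefinedArgumentsOnlyFixed(args) {
  const kept = {};
  for (const [name, value] of Object.entries(args)) {
    const allowed = definedArguments.has(name) || definedOtArguments.has(name);
    const scalar = typeof value === "string" || typeof value === "number";
    if (allowed && scalar) kept[name] = value;
  }
  return kept;
}

// Downstream (assumed): the executor turns the kept map into a command line.
// This is the point where an unfiltered key becomes argument injection.
function toArgv(kept) {
  return Object.entries(kept).map(([name, value]) => `--${name}=${value}`);
}

// Constructed request: a caller smuggles an undeclared parameter past the
// filter by giving it the privileged prefix. "bogus" is dropped either way.
const constructedRequest = {
  target: "build",
  ot_undeclared: "attacker-controlled",
  ot_trace_id: "abc123",
  bogus: "dropped",
};
```

The point of the comparison is that the vulnerable filter's intent (only declared arguments) is right; the failure is a carve-out that is broader than the set of arguments it was meant to admit. When auditing your own executors, grep for `startsWith` / prefix checks inside allowlist functions and confirm each one maps to a finite, declared set.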