VYPR
AI Brief · 2026-06-29 · generated Jun 29, 2026

What you need to know today.

Apache Shiro faces replay and auth bypass risks, while Chrome on Android gets updates for critical use-after-free and integer overflow flaws.

Apache Shiro's "remember me" functionality is vulnerable to replay attacks because of a server-side flaw in how the cookie's age is verified. An attacker who captures a valid cookie can reuse it indefinitely, bypassing its expiration. The vulnerability, CVE-2026-56130, affects all versions of Apache Shiro and could lead to unauthorized access if a valid cookie is captured. Patches are available from the vendor.

A critical authentication bypass vulnerability exists in Apache Shiro when integrated with the shiro-guice module in a web servlet context. A specially crafted HTTP request can exploit this flaw, allowing unauthenticated attackers to gain access. This issue, CVE-2026-56091, is similar to a previously disclosed vulnerability and poses a significant risk to applications using this configuration.

The nghttpx proxy in nghttp2, up to version 1.69.0, forwards HTTP/1.1 Upgrade requests that carry a Content-Length header and a body to backend connections, re-adding the headers and passing the body through. This can lead to unexpected backend behavior and potential security issues. CVE-2026-58055 highlights the need for careful handling of such requests in proxying scenarios.

GPAC Project's MP4Box, prior to version 26.02.0, contains two use-after-free vulnerabilities in its handling of MPEG-2 TS and other media files. These flaws, CVE-2025-60464 and CVE-2025-60465, can be triggered by specially crafted files, leading to denial-of-service conditions. Users should update to the latest version to mitigate these risks.

Libais through version 0.15 has a vulnerability where an unchecked sentinel value is used as a vector index when processing AIS sentences with invalid sequential message IDs. This can lead to crashes in services or vessel systems when remote attackers send crafted AIS sentences. CVE-2026-56770 requires updating to a patched version to prevent these denial-of-service attacks.

Libssh2 versions up to 1.11.1 contain vulnerabilities in the handling of publickey lists and attribute counts. CVE-2026-58051 involves uninitialized memory in the publickey list cleanup path, while CVE-2026-58050 is an integer overflow in attribute count allocation on 32-bit systems. Both can lead to crashes or potential exploitation. Updating libssh2 is recommended.

Patool versions before 4.0.5 are vulnerable to path traversal when extracting archives, particularly on Python versions before 3.12. The is_within_directory helper relies on os.path.commonprefix, which compares paths character by character rather than by path component, so it cannot reliably enforce that an extracted file stays inside the intended directory; this allows attackers to write files outside the extraction directory. CVE-2026-29509 necessitates updating Patool for secure archive handling.
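To show why a character-wise prefix comparison is the wrong containment check, here is an added example (not Patool's own code) that places a hypothetical reconstruction of the weak commonprefix check beside a component-wise check built on os.path.realpath and os.path.commonpath; the extraction directory and archive member names are constructed for illustration.

```python
import os

# Constructed extraction directory; nothing is written to disk in this example.
EXTRACT_DIR = "/tmp/extract"

# Constructed archive member names: one benign, one that lands in a sibling
# directory whose name merely starts with EXTRACT_DIR, one that climbs to "/".
SAMPLE_MEMBERS = ["docs/readme.txt", "../extract2/file.txt", "../../outside.txt"]


def is_within_directory_weak(directory: str, target: str) -> bool:
    """Hypothetical reconstruction of a commonprefix-based check.

    os.path.commonprefix works on characters, not path components, so
    '/tmp/extract2/file.txt' shares the prefix '/tmp/extract' and passes."""
    abs_directory = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    return os.path.commonprefix([abs_directory, abs_target]) == abs_directory


def is_within_directory_strict(directory: str, target: str) -> bool:
    """Component-wise containment check.

    realpath resolves symlinks and '..' segments; commonpath only matches whole
    path components, so a sibling directory with a shared name prefix is
    rejected. commonpath raises ValueError for paths on different drives."""
    real_directory = os.path.realpath(directory)
    real_target = os.path.realpath(target)
    try:
        return os.path.commonpath([real_directory, real_target]) == real_directory
    except ValueError:
        return False


def check_archive_members(directory: str, members: list[str]) -> list[tuple[str, bool, bool]]:
    """Evaluate each member name under both checks: (name, weak_ok, strict_ok)."""
    results = []
    for name in members:
        target = os.path.join(directory, name)
        results.append((name, is_within_directory_weak(directory, target),
                        is_within_directory_strict(directory, target)))
    return results


if __name__ == "__main__":
    for name, weak_ok, strict_ok in check_archive_members(EXTRACT_DIR, SAMPLE_MEMBERS):
        print(f"{name!r:28} commonprefix={weak_ok!s:5} commonpath={strict_ok}")
```

The second member shows the gap the brief describes: the prefix check accepts it while the component-wise check rejects it, and the third member is rejected by both.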

Canonical LXD versions 4.12 through 6.9 have a Server-Side Request Forgery (SSRF) vulnerability in their image import functionality. Authenticated users with specific entitlements can exploit CVE-2026-28385 to interact with internal network infrastructure, posing a significant security risk. Updates are available to address this SSRF flaw.

A broken access control vulnerability in Canonical LXD's devLXDInstancePatchHandler component allows an untrusted guest to mount, read, and overwrite another guest's storage volumes. This is possible via a crafted device PATCH request when security features are not properly enforced. CVE-2026-12411 requires updating LXD to patch this critical access control issue.

Google Chrome on Android, in versions prior to 149.0.7827.201, contains multiple high-severity vulnerabilities. CVE-2026-13281 is an integer overflow in Mojo that could lead to a sandbox escape, while CVE-2026-13283 is a use-after-free in AdFilter exploitable via crafted HTML. Additionally, CVE-2026-13282 is a use-after-free in Payments exploitable with physical access. Users should update Chrome immediately.

Synthesized by Vypr AI
Shiro and Chrome Vulnerabilities Disclosed · VYPR