VYPR
AI Brief2026-07-08· generated Jul 8, 2026

What you need to know today.

Critical vulnerabilities in Hydro-Québec and Labcenter software, alongside issues in Digi International devices, pose significant risks of privilege escalation and code execution.

Critical vulnerabilities in Hydro-Québec's charging station backend could allow for privilege escalation and denial-of-service attacks. CVE-2026-20744 specifically enables privilege escalation by accepting unauthenticated connections to the websocket endpoint. Additionally, CVE-2026-44383 permits attackers to deploy multiple malicious OCPP clients by allowing multiple connections with the same charging station ID, potentially overwhelming the backend. CVE-2026-42952 addresses a lack of throttling on repeated authentication attempts, which could facilitate DoS attacks. These issues highlight significant security gaps in the operational technology infrastructure.

Labcenter's Proteus software is affected by multiple high-severity vulnerabilities, including stack-based buffer overflows, use-after-free, and out-of-bounds writes, all of which could lead to arbitrary code execution. CVE-2026-49033 describes a stack-based buffer overflow, while CVE-2026-42958 details a use-after-free vulnerability that can cause memory corruption when parsing specially crafted files. Furthermore, CVE-2026-42953 involves an out-of-bounds write, allowing attackers to write data past allocated buffer boundaries, potentially leading to code execution. These flaws present a severe risk to users of the Proteus software, as detailed in CISA ICS Advisory ICSA-26-188-06.

Digi International devices, including the PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA, are susceptible to authentication bypass and cross-site scripting vulnerabilities. CVE-2026-12352 allows unauthenticated actors to bypass security controls and access restricted resources. In parallel, CVE-2026-12948, a stored XSS vulnerability in the web management interface, permits authenticated administrators to inject scripts into system configurations, potentially leading to unauthorized actions or information disclosure. These issues are outlined in CISA ICS Advisory ICSA-26-188-07.

Several important vulnerabilities have been identified in identity and access management systems. In 389 Directory Server (389-ds-base), a heap buffer overflow in sasl_io_recv() via padded SASL UNBIND (CVE-2026-11610) poses a risk. Additionally, the SSSD (System Security Services Daemon) is affected by two vulnerabilities: CVE-2026-14474, where the sudo LDAP provider's default behavior of searching the entire directory tree for sudoRole objects can lead to privilege escalation, and CVE-2026-14476, a GPO cache path traversal vulnerability that could enable Kerberos authentication bypass.

Hitachi Energy's PROMOD V is flagged for using insecure HTTP communication instead of HTTPS, a vulnerability stemming from the lack of HTTPS support from the third-party Digipede server (CVE-2026-10763). This insecure data transmission could expose sensitive information. Separately, Mendix Studio Pro versions are affected by a vulnerability where project files are not properly validated or sanitized during the build pipeline (CVE-2026-48192), potentially allowing malicious project files to be processed. These are detailed in CISA ICS Advisories and ICSA-26-188-04 respectively.

Multiple low-severity vulnerabilities have been disclosed across various software, including Debian's pydantic-settings (CVE-2026-58203) related to secret value handling in nested directories, and Perl's Mojo::JSON (CVE-2026-14803) which suffers from memory exhaustion due to unbounded recursion in its JSON decoder. Additionally, the radareorg radare2 tool (CVE-2026-14787, CVE-2026-14761, CVE-2026-14786, CVE-2026-14789, CVE-2026-14758) has several reported integer overflow vulnerabilities in various components, including command handlers and string manipulation functions. While individually low-risk, the proliferation of such issues warrants attention.

Synthesized by Vypr AI
Hydro-Québec, Labcenter Flaws Lead To Critical Exploits · VYPR