Stories that broke today.
Every article references at least one CVE. Curated from tier-1 vendor blogs, threat-intel labs, and security newsrooms. Updated continuously.
Important Apache CXF Vulnerabilities Demand Immediate Action
PeopleSoft 0-day affecting hundreds of organizations steals gigabytes of data
China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade
In Other News: Google Security Layoffs, AudiA6 Takedown, $400 Million Coupang Fine
Ivanti Sentry Exploitation Attempts Hitting Honeypots
CISA orders feds to patch actively exploited Ivanti flaw by Sunday
Google Confirms Exploitation of Oracle PeopleSoft Zero-Day by ShinyHunters
Multiple Security Flaws Fixed in Major Framework Release
The maintainers of Spring have released security fixes addressing several serious vulnerabilities in Spring components that could allow attackers to manipulate server behavior and compromise applications. Affected CVEs include CVE-2026-41003 (cross-site scripting via Spring Security form rendering), CVE-2026-40999 (outbound request handling that can enable SSRF-style access to internal targets), and CVE-2026-40998 (XML external entity-related attack surface due to unsafe expression evaluation). Enterprise teams should upgrade to the corrected Spring versions (7.0.6 or 6.5.11) as soon as possible to reduce the risk of active exploitation.
Chrome 149 Patches 28 Flaws, Several Critical UAF Bugs
Google has released Chrome 149.0.7827.114/.115 for Windows and Mac (and 149.0.7827.114 for Linux) to address 28 security vulnerabilities. The update includes multiple critical use-after-free issues in components such as Core, DigitalCredentials, WebMIDI, and Media, tracked as CVE-2026-12007, CVE-2026-12008, CVE-2026-12011, and CVE-2026-12013, along with CVE-2026-12009 (Accessibility input validation) and CVE-2026-12010 (GPU heap buffer overflow). Because these flaws could enable crashes or code execution, updating promptly matters for users and organizations running Chrome.
Critical 9.9 CVSS Ubiquiti UniFi OS Vulnerabilities Exposed
Ubiquiti has disclosed multiple critical vulnerabilities in UniFi OS affecting several products, including UDM, UDR, UNVR, and Express network models. Tracked CVE IDs include CVE-2026-47367, CVE-2026-47369, CVE-2026-47370, CVE-2026-47368, and CVE-2026-48610, with issues ranging from command injection to path traversal and broken access control. Because attackers may achieve high-impact control such as remote exploitation, privilege escalation, or unauthorized configuration changes, administrators should update UniFi OS Server to version 5.1.15 and UID Enterprise Agent to version 1.61.4 as soon as possible.
ShinyHunters Strikes with Oracle PeopleSoft Exploit
New Patches Fix Broad AMD Security Vulnerabilities
AMD has released updates addressing multiple hardware security vulnerabilities that can weaken isolation and allow unauthorized access in certain scenarios. The advisories cover issues tracked as CVE-2025-54509 (related to cache coherency behavior impacting secure memory checks) and CVE-2025-10263 (a translation/memory-access flaw with a high severity CVSS), impacting affected AMD platform firmware/BIOS components—especially on selected EPYC generations. This matters because successful exploitation could enable an attacker to bypass intended protections and potentially access or run untrusted code.
Apache Answer Vulnerabilities and Security Flaws Fixed
Apache Answer has released security fixes for several high-impact flaws, including CVE-2026-25688, CVE-2026-25700, CVE-2026-25699, CVE-2026-33582, and CVE-2026-34033. The issues include cross-site scripting, improper handling of security tokens after profile changes, private data exposure via the Timeline API, a crash caused by malicious TIFF uploads, and HTML injection into email alerts. Organizations using Apache Answer should update promptly to reduce risks to user data, account access, and service availability.
Millions at Risk: 9.8 CVSS Remote Code Execution in HTTP.sys
New Patches Secure Critical Spring HATEOAS Flaws
ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities
Oracle mitigates PeopleSoft zero-day exploited in data theft attacks
New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files
Oracle Addresses PeopleSoft Vulnerability Amid Reports of Zero-Day Attacks
From SQLi to RCE – Exploiting LangGraph’s Checkpointer
Check Point Research reports three flaws in LangGraph’s persistence layer (checkpointers), impacting the SQLite checkpointer (CVE-2025-67644 and CVE-2026-28277) and the Redis checkpointer (CVE-2026-27022). In the SQLite path, a filter-related SQL injection can be chained with unsafe msgpack deserialization to reach remote code execution, since attacker-supplied checkpoint data is deserialized during state history retrieval. This matters most for teams self-hosting LangGraph and exposing get_state_history() with a user-controlled filter; LangChain’s managed LangSmith Deployment using PostgreSQL is not affected. Fixes are available in langgraph-checkpoint-sqlite 3.0.1+, langgraph 1.0.10+, and langgraph-checkpoint-redis 1.0.2+.
ThreatsDay Bulletin: Worm Code Leaked, AI Agent Phished, Claude Action Patch + 28 New Stories
A public release of the Miasma supply-chain attack toolkit (assessed as a variant of the Shai-Hulud worm) has been linked to credential theft affecting software ecosystems across PyPI, npm, RubyGems, JFrog Artifactory, GitHub repositories and GitHub Actions, with follow-on evolution toward a Python variant called Hades. The same roundup also highlights “Ghost-Sender” email spoofing risks in certain Microsoft Exchange configurations and “Pinchy” AI email-agent phishing weaknesses in OpenClaw that can trick agents into forwarding sensitive AWS IAM keys, database passwords, and SSH access. No specific CVE IDs were provided in the report, but the incidents matter because they target identities, build pipelines, and autonomous agent workflows where traditional defenses can lag.
Hackers Exploit Langflow Vulnerability for Remote Code Execution
Splunk, Palo Alto Networks Patch Severe Vulnerabilities
Multiple Security Flaws Addressed in Core Java Application Subsystems
Microsoft Patches Exploited Exchange Server Vulnerability
Microsoft has released Patch Tuesday updates to address an Exchange Server vulnerability that is already being exploited in the wild, tracked as CVE-2026-42897. The flaw affects Exchange Server Subscription Edition, 2016, and 2019, and could be triggered via a specially crafted email leading to spoofing and cross-site scripting that allows JavaScript execution in a victim’s browser context. CISA added CVE-2026-42897 to its Known Exploited Vulnerabilities (KEV) catalog, requiring remediation by May 29, underscoring the urgency for organizations using affected Exchange deployments to apply the June 9 patches.
Max severity Ivanti Sentry vulnerability now exploited in attacks
PeopleSoft RCE Security Bug: New Oracle Fix
Oracle has issued an emergency update for a PeopleSoft remote code execution vulnerability that can be triggered over the network without authentication. The issue affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62 and is tracked as CVE-2026-35273 (CVSS 9.8), enabling attackers with HTTP access to take over systems, alter databases, and execute arbitrary commands. Organizations running affected deployments should apply Oracle’s patched update immediately and validate that exposed instances are remediated.
Splunk Enterprise Vulnerabilities: Patch CVSS 9.8 Flaws
Dahua Product Vulnerabilities: Patch 3 Critical CVEs
Dahua’s advisory DHCC-SA-202606-001 reports multiple severe security issues across certain Dahua IP cameras (IPC), PTZ cameras (SD), network video recorders (NVR), and related hardware. The affected CVE IDs are CVE-2026-29114 (certificate trust chain weakness), CVE-2026-29115 (authenticated remote denial of service), and CVE-2026-29116 (unauthenticated remote denial of service via specially crafted packets). These flaws matter because they can enable attackers to undermine certificate-based trust and repeatedly disrupt surveillance availability, putting enterprise physical security networks at risk.
ITScape KVM Escape: Public PoC Exploit Threatens Cloud Hosts
A proof-of-concept for an ITScape KVM escape issue has been publicly released, tracked as CVE-2026-46316. The flaw impacts KVM/arm64 environments by enabling untrusted guest virtual machines to break isolation and execute commands on the host with kernel (root) privileges. Because the bug resides in-kernel KVM and can be triggered from guest-side actions, it significantly raises risk for multi-tenant public cloud providers and tenants running affected kernel versions.
Critical Jenkins Security Advisory 2026: Patch Multiple Flaws
A new Jenkins security advisory released in 2026 reports several high-impact issues affecting Jenkins, including remote code execution and data exposure via deserialization (CVE-2026-53435) and additional open redirect and XSS-related weaknesses (CVE-2026-53436, CVE-2026-53437, CVE-2026-53441). The advisory also addresses missing authorization checks and information leakage that can let attackers disrupt job queues, view sensitive user data, and extract plaintext secrets from POST config.xml submissions (CVE-2026-53438, CVE-2026-53439, CVE-2026-53442). Because these flaws can be exploited against CI/CD deployments, Jenkins administrators should apply the published patches immediately—upgrading to version 2.568 for weekly releases or 2.555.3 for LTS.