Adobe patches a critical PDF flaw exploited for months, allowing attackers to bypass sandbox protections and deliver malware. Users urged to update now.

The post Adobe Issues Emergency Patch for Critical PDF Flaw Exploited For Months appeared first on TechRepublic.

GitLab has rolled out a major security update to address a series of vulnerabilities impacting both its Community Edition (CE) and Enterprise Edition (EE) platforms. The GitLab security update resolves multiple flaws, including high-severity issues that could be exploited to disrupt services or gain unintended access to system functionality. This update is particularly critical for organizations operating in self-managed GitLab environments, where administrators are responsible for applying patches and maintaining system security.  Delaying the deployment of this GitLab security update could leave systems exposed to known threats, including the actively addressed CVE-2026-5173 vulnerability. The patch release not only strengthens access controls but also mitigates risks tied to denial-of-service attacks, data exposure, and improper authorization checks. As a result, GitLab is strongly urging all affected users to upgrade to the latest versions immediately to ensure their environments remain protected against potential exploitation. 

Critical GitLab Security Update Targets High-Severity Flaws 

GitLab security update covers a high-severity vulnerability tracked as CVE-2026-5173, which impacts websocket connections. This flaw could allow an authenticated attacker to bypass access controls and invoke unintended server-side methods. With a CVSS score of 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N), the issue represents a serious risk to affected environments.  The vulnerability was discovered internally by GitLab team member Simon Tomlinson. It affects GitLab CE/EE versions from 16.9.6 prior to 18.8.9, version 18.9 before 18.9.5, and version 18.10 before 18.10.3. The latest security patch resolves this issue along with several others. 

Patch Releases and Affected Versions 

The GitLab security update includes patched versions 18.10.3, 18.9.5, and 18.8.9. According to the official release statement:  “Today, we are releasing versions 18.10.3, 18.9.5, 18.8.9 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately.”  GitLab confirmed that users of GitLab.com and GitLab Dedicated services are already protected and do not need to take action. 

Twelve Vulnerabilities Addressed 

This GitLab security update resolves a total of twelve vulnerabilities, ranging from high to low severity. Alongside CVE-2026-5173, several denial-of-service (DoS) vulnerabilities were identified: 

• CVE-2026-1092: A DoS issue in the Terraform state lock API caused by improper JSON validation (CVSS 7.5).  
• CVE-2025-12664: A DoS vulnerability in the GraphQL API that could be triggered through repeated queries (CVSS 7.5).  
• CVE-2026-1403: A CSV import flaw allowing authenticated users to disrupt Sidekiq workers (CVSS 6.5).  
• CVE-2026-1101: A GraphQL SBOM API issue affecting GitLab EE, also enabling DoS attacks (CVSS 6.5).  

In addition to these, multiple medium-severity flaws were patched: 

• CVE-2026-1516: A code injection issue in Code Quality reports that could expose user IP addresses (CVSS 5.7).  
• CVE-2026-4332: A cross-site scripting vulnerability in analytics dashboards (CVSS 5.4).  
• CVE-2026-2619: Incorrect authorization in the vulnerability flags AI detection API (CVSS 4.3).  
• CVE-2025-9484: Information disclosure via GraphQL queries (CVSS 4.3).  
• CVE-2026-1752: Improper access control in the Environments API (CVSS 4.3).  
• CVE-2026-2104: Information disclosure through CSV export (CVSS 4.3).  

A low-severity issue, CVE-2026-4916, was also addressed, involving missing authorization checks in custom role permissions (CVSS 2.7). Many of these vulnerabilities were reported through GitLab’s HackerOne bug bounty program, highlighting contributions from researchers such as a92847865, foxribeye, sim4n6, maksyche, go7f0, and others. 

Bug Fixes and Stability Improvements 

Beyond security fixes, the update also includes a wide range of bug fixes across all three versions. These improvements address issues such as failed Git operations for deploy keys on Geo sites, performance optimizations in migration helpers, and compatibility fixes for Amazon Linux 2023.  Other fixes include resolving flaky test cases, improving dependency proxy access, and addressing regressions in project archiving and deletion workflows. These updates aim to enhance overall platform stability alongside the security patch. 

Upgrade Guidance and Deployment Notes 

GitLab emphasized that no new migrations are included in these releases, meaning multi-node deployments should not require downtime. However, by default, Omnibus packages will stop services, run migrations, and restart during upgrades unless configured otherwise via the /etc/gitlab/skip-auto-reconfigure file.  The company also noted that certain package builds, such as SLES 12.5 for versions 18.10.3 and 18.9.5, are not included in this release. Additionally, GitLab confirmed that version numbers 18.10.2, 18.9.4, and 18.8.8 were skipped, with no patches issued under those versions. 

Microsoft releases an out-of-band hotpatch for critical Windows 11 RRAS vulnerabilities that could allow remote code execution through malicious remote servers.

The post Microsoft Issues Emergency Patch for Critical Windows 11 RRAS Vulnerabilities appeared first on TechRepublic.

Google patches two actively exploited Chrome vulnerabilities that could allow attackers to crash browsers or run malicious code. Billions of users urged to update.

The post Critical Chrome Security Flaws Threaten Billions of Users Worldwide appeared first on TechRepublic.

An important Veeam security patch to address multiple vulnerabilities in its Backup & Replication platform that potentially allowed attackers to execute malicious code remotely, has been released. The flaws, tracked as CVE-2026-21666 and CVE-2026-21667, were identified as critical and could enable remote code execution on affected systems ,if successfully exploited.  The vulnerabilities impact Veeam Backup & Replication 12.3.2.4165 and all earlier version 12 builds, prompting the company to release fixes in version 12.3.2.4465. The security update was published on March 12, 2026, under KB ID: 4830, and addresses a total of seven security issues affecting the backup platform.  In its advisory, the company emphasized the urgency of applying the update, noting that threat actors often analyze security patches to identify weaknesses in systems that have not yet been updated.  The official notice states, “It’s important to note that once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software. This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay.” 

The Veeam Security Patch Includes

Among the vulnerabilities fixed in the Veeam security patch, two of the most severe are CVE-2026-21666 and CVE-2026-21667. Both issues received a CVSS v3.1 score of 9.9, indicating critical severity. 

CVE-2026-21666 

The vulnerability CVE-2026-21666 allows an authenticated domain user to trigger remote code execution on a Veeam Backup Server. If exploited, an attacker with domain-level authentication could run arbitrary commands on the server hosting backup services. 

• Severity: Critical 
• CVSS v3.1 Score: 9.9 
• Reported via: HackerOne 

CVE-2026-21667 

Another major flaw, CVE-2026-21667, similarly enables an authenticated domain user to achieve remote code execution on the Backup Server. 

• Severity: Critical 
• CVSS v3.1 Score: 9.9 
• Source: Discovered during internal testing 

Both vulnerabilities demonstrate how attackers with valid credentials could compromise backup infrastructure, potentially gaining control of systems responsible for storing critical data. 

Additional Vulnerabilities Fixed in the Update 

Beyond CVE-2026-21666 and CVE-2026-21667, the Veeam security patch resolves several other high-impact security issues affecting the Backup & Replication platform. 

CVE-2026-21668 

This vulnerability allows an authenticated domain user to bypass restrictions and manipulate arbitrary files stored within a Backup Repository. 

• Severity: High 
• CVSS v3.1 Score: 8.8 
• Source: Discovered during internal testing 

CVE-2026-21672 

The flaw CVE-2026-21672 could allow attackers to escalate privileges locally on Windows-based Veeam Backup & Replication servers. 

• Severity: High 
• CVSS v3.1 Score: 8.8 
• Reported through: HackerOne 

CVE-2026-21708 

Another critical vulnerability enables a user with the Backup Viewer role to perform remote code execution as the postgres user. 

• Severity: Critical 
• CVSS v3.1 Score: 9.9 
• Source: Discovered during internal testing 

These vulnerabilities highlight multiple ways attackers could potentially abuse authentication, permissions, or internal components to compromise backup infrastructure. 

Other Security Improvements Included 

Alongside fixes for remote code execution vulnerabilities such as CVE-2026-21666 and CVE-2026-21667, the update also introduces a configuration change for Veeam Agent for Linux. The software now opens firewall ports 2500–3300, aligning its port range with other Veeam products.  While not directly tied to a CVE identifier, the change aims to standardize network behavior across Veeam tools and improve operational consistency. 

Additional Fixes Introduced in Newer Versions 

The company also addressed more vulnerabilities in Backup & Replication 13.0.1.2067. In addition to CVE-2026-21672 and CVE-2026-21708, two additional critical issues were fixed: 

• CVE-2026-21669 (CVSS score: 9.9): Allows an authenticated domain user to perform remote code execution on the Backup Server. 
• CVE-2026-21671 (CVSS score: 9.1): Allows an authenticated user with the Backup Administrator role to execute code in high availability (HA) deployments of Veeam Backup & Replication. 

These issues further demonstrate the potential impact of credentialed attacks against backup systems if vulnerabilities remain unpatched.  Backup systems are frequently targeted by attackers because they contain copies of critical organizational data. Exploiting flaws such as CVE-2026-21666 or CVE-2026-21667 could allow adversaries to run code directly on backup servers, potentially tampering with stored backups or gaining broader access to enterprise infrastructure.  Security experts often warn that once vendors publish patches, threat actors begin analyzing them to identify exploitable weaknesses in systems that have not yet been updated. 

Microsoft released an emergency Office patch to fix an actively exploited zero-day flaw that lets attackers bypass security via malicious files.

The post Microsoft Issues Emergency Patch for Active Office Zero-Day appeared first on TechRepublic.