CVE-2026-8532 is an XML integer overflow in Google Chrome prior to 148.0.7778.168 that can lead to arbitrary code execution inside the sandbox; reported ~2 hours ago, apply vendor updates and follow incident playbooks.

azureauthextension Authenticate fails to validate bearer tokens, allowing replay of any Azure access token against OpenTelemetry receivers when a matching Host header is chosen.

Exim before 4.99.3 has a GnuTLS use-after-free triggered by a TLS close_notify mid-body during BDAT chunking, enabling potential remote code execution; patch and isolate mail hosts immediately.

A blind SQL injection in the APIExperts Square for WooCommerce WordPress plugin was reported ~34 minutes ago; site owners should inventory, isolate, patch or remove the plugin and follow ISO-aligned controls.

Magic Link in WSO2 Identity Server can be driven to consume all memory and cause service unavailability; immediate checks, rate limiting and vendor contact advised.

ShinyHunters claim a ransom after a reported breach of Canvas affecting roughly 275 million students and 9,000 institutions; immediate supplier engagement, forced credential resets and ISO-aligned steps advised.

ShinyHunters claimed responsibility for a Canvas incident affecting almost 9,000 schools, with outages and personally identifying information reported; urgent supplier checks, log preservation and backup testing are immediate priorities.