A malicious Nx Console update exposed developer credentials and led to the loss of 3,800 GitHub internal repos; practical, Monday morning actions and ISO fit.

A libzypp plugin loading flaw (CVE-2026-44933) can make chroot to ‘/’ a no-op, allowing plugin paths to execute host binaries like /bin/bash with root privileges; reported 57 minutes ago.

MLflow 3.9.0’s Assistant /ajax-api improper origin validation lets a malicious webpage enable full access and execute arbitrary commands via the Claude Code sub-agent; fixed in 3.10.0, patch now.

Creartia’s ICMS has a critical authorisation bypass (CVE-2026-4320) that could let attackers manipulate HTTP redirect headers to gain unauthorised admin access; patch, isolate and audit immediately.

CVE-2026-8719 in AI Engine 3.4.9 allows authenticated Subscriber+ users to escalate to Administrator via missing capability checks in the MCP OAuth bearer-token path; check versions, revoke tokens, patch or remove the plugin.

CVE-2026-45672: Open WebUI’s /api/v1/utils/code/execute allows arbitrary Python execution even when ENABLE_CODE_EXECUTION=false; fixed in 0.8.12.

CVE-2026-8532 is an XML integer overflow in Google Chrome prior to 148.0.7778.168 that can lead to arbitrary code execution inside the sandbox; reported ~2 hours ago, apply vendor updates and follow incident playbooks.