#patch management
25 stories tagged patch management.

Oracle E-Business Suite Payments Bug Hits CVSS 9.8, Already Being Hit
CVE-2026-46817 lets unauthenticated attackers take over Oracle Payments. Exploitation is happening now.

The Patch Cycle Won't Survive Machine-Speed Adversaries
Defenders measured dwell time in days. Agentic attack pipelines are about to measure it in minutes.

Cisco Unified CM SSRF Flaw Hits Active Exploitation Three Weeks After Patch Drop
A file-write chain rooted in CVE-2026-20230 is now being probed in the wild. PoC was already public when Cisco shipped the fix.

Five Eyes to CSOs: AI Has Already Changed Your Threat Model — Act Now
A joint advisory from CISA and four allied agencies demands strategic action on AI-amplified threats. Experts say the advice is late, vague, and misses the real risk sitting inside your own network.

June Patch Tuesday Breaks OLE Automation, Leaves Word and Excel Silent on Failure
A Windows update shipped June 9 quietly severed the OLE bridge between Office apps and dozens of third-party tools. No error message. Just nothing.

Splunk Enterprise RCE Flaw Under Active Exploitation, CISA Gives Feds 72 Hours
CVE-2026-20253 allows unauthenticated remote code execution in Splunk Enterprise. Attackers didn't wait long.

Twenty-Five Orgs Are Quietly Triaging Open-Source Vulns Before You Hear About Them
A coalition called Athena is building shared infrastructure to find, fix, and harden OSS projects in the window between discovery and public disclosure.

Langflow's Unauthenticated File-Write Flaw Is Being Exploited — Patch Dropped 73 Days Ago
CVE-2026-5027 lets attackers write files to arbitrary paths on exposed servers, and because Langflow ships with login disabled by default, exploitation requires exactly zero credentials.

CISA Gives Agencies 72 Hours on Ivanti Sentry Bug Under New Emergency Directive
BOD 26-04 sets a sharper clock for actively exploited flaws. First target: an Ivanti Sentry vulnerability already in attackers' hands.

ServiceNow's Unauthenticated API Endpoint Left Tenant Data Exposed for Months
An API resource shipped with authentication disabled by default. Now enterprises are asking whether the 'security researcher' explanation fully covers what got accessed.

Patch Tuesday-Adjacent: FortiSandbox, Ivanti, and SAP Ship Fixes for Critical Bugs
A 9.1-rated command injection in FortiSandbox headlines a busy week of vendor advisories. Most of these land squarely on platform teams.

FFmpeg Gets 21 New Bugs from an AI Fuzzer; Chrome 149 Ships a Record 429 Fixes
An autonomous agent dug up zero-days in the codec library that ships in everything. Google's browser shipped its largest single security release on record. Same week.

Inspector General Pins NVD Backlog on NIST Mismanagement — But the Real Problem Runs Deeper
A Commerce Department IG report calls out strategic failures, duplicated work, and severity scores that matched only 12% of the time. Budget cuts and genAI-driven vuln volume tell the rest of the story.

CISA Adds Two-Year-Old Oracle WebLogic Flaw to KEV, Gives Feds Four Days to Patch
CVE-2024-21182 sat quietly at CVSS 7.3 for two years before threat actors noticed the unpatched stragglers. Now federal agencies have until Thursday.

Android June 2026 Bulletin: 124 Fixes, One Framework Bug Already Being Exploited
CVE-2025-48595 is a no-interaction privilege escalation in the Android Framework. Google says it's seen in the wild.