The Security Brief

nginx runs in front of a large share of the world's websites and applications, which is exactly why a flaw that sat untouched inside it for 18 years deserves attention this week. CVE-2026-42945, now named NGINX Rift, began life as a heap overflow that could crash a worker process. A public proof-of-concept has since turned it into unauthenticated remote code execution triggered by a single HTTP request. What Happened Researchers at depthfirst found a heap buffer overflow in..

Two vulnerabilities in Microsoft Defender — the antivirus software running on nearly every Windows endpoint — are being actively exploited in the wild. Microsoft confirmed the flaws on 19 May, and CISA added both to its Known Exploited Vulnerabilities catalogue the following day, setting a 3 June deadline for US federal agencies to patch or drop the product entirely. If your organisation runs Windows, this one demands your attention. What Happened CVE-2026-41091 (CVSS 7.8) is

Cisco has patched a flaw in its Catalyst SD-WAN Controller that carries the worst score the CVSS scale can give: a clean 10.0. Tracked as CVE-2026-20182, it lets an unauthenticated attacker bypass authentication entirely and take administrative control of the device. Cisco confirmed the flaw was already being exploited before the fix was available. What Happened The vulnerability sits in the peering authentication mechanism of Cisco Catalyst SD-WAN Controller (formerly vSmart