Citrix NetScaler ADC / Gateway's CVSS 9.3 out-of-bounds read in SAML IdP configurations is already being scanned by attackers looking for authentication-flow enumeration opportunities.
Three independent vulnerabilities were disclosed in LangChain Core and LangGraph: deserialization that can leak secrets, SQL injection that exposes conversation history, and path traversal that allows arbitrary file reads.
In the same week, CISA's KEV catalog gained a Chromium CSS engine use-after-free, a Roundcube RCE that went unnoticed for over a decade, a BeyondTrust RCE abused by ransomware operators, and a Dagu RCE stemming from the absence of default authentication. All four require immediate patching.
In its February 2026 KEV catalog update, CISA added four vulnerabilities, including a Google Chrome use-after-free flaw (CVE-2026-2441). One of them dates back 17 years.
A high-severity stack buffer overflow was found in OpenSSL 3.0 through 3.6. The CMS AuthEnvelopedData path can be attacked without authentication. Update now.
Node.js security patches that had been delayed since December 2025 were finally released. This article summarizes the eight vulnerability fixes, including three High-severity issues.
The Node.js security release originally planned for December 15, 2025 was delayed four times and is now scheduled for January 13, 2026. The release will include fixes for three High-severity vulnerabilities.