Threat Alerts

A high-severity vulnerability tracked as CVE-2026-8053 (CVSS 8.7) has been disclosed in MongoDB Server, affecting multiple supported versions of the database platform. The flaw is an out-of-bounds memory write vulnerability in the implementation of MongoDB time-series collections, caused by inconsistencies in the internal mapping of field names to indices within the time-series bucket catalog.

According to MongoDB, an authenticated user with write privileges could exploit the vulnerability to trigger memory corruption within the mongod process. Under specific conditions, successful exploitation may result in arbitrary code execution, potentially allowing attackers to compromise affected database servers and impact the confidentiality, integrity, and availability of hosted data.

SAP has released multiple security patches addressing several vulnerabilities across its enterprise ecosystem, including three particularly severe flaws affecting SAP S/4HANA, SAP Commerce Cloud, and SAP Forecasting & Replenishment environments. The vulnerabilities could enable SQL injection, remote code execution, unauthorized access, and operating system command execution, potentially leading to data theft, application crashes, system compromise, and operational disruption. Given the widespread use of SAP platforms, these vulnerabilities present a significant risk to organizations operating internet-facing or business-critical SAP systems.

The most critical vulnerability, CVE-2026-34260 (CVSS 9.6), affects SAP S/4HANA Enterprise Search for ABAP and stems from insufficient input validation that enables authenticated attackers to inject malicious SQL statements into backend database queries. Successful exploitation could expose or manipulate sensitive enterprise data and potentially disrupt SAP applications. SAP also patched CVE-2026-34263 (CVSS 9.6), a missing authentication vulnerability in SAP Commerce Cloud caused by improper Spring Security configuration. The flaw allows unauthenticated attackers to upload malicious configurations and achieve arbitrary server-side code execution, posing a serious risk to internet-facing e-commerce environments. In addition, SAP addressed CVE-2026-34259 (CVSS 8.2), an OS command injection vulnerability in SAP Forecasting & Replenishment that could allow privileged attackers to execute arbitrary commands on underlying operating systems, potentially enabling host compromise and lateral movement within enterprise networks. SAP has not reported active exploitation at this stage; however, due to the low attack complexity and critical nature of the flaws, organizations are advised to prioritize patching immediately.

Multiple security vulnerabilities have been disclosed in NGINX Open Source and Plus, including the critical flaw CVE-2026-42945 (CVSS 9.2), dubbed NGINX Rift, which could allow unauthenticated remote attackers to achieve remote code execution or trigger denial-of-service conditions. Affecting one of the world’s most widely deployed web server platforms, the vulnerability significantly increases risk for internet-facing environments where vulnerable configurations are exposed. Additional security issues were also addressed as part of the same release, reinforcing the need for timely remediation across affected deployments.

The primary issue stems from a heap buffer overflow in the NGINX rewrite module, triggered under specific configurations involving rewrite directives, unnamed PCRE captures and crafted replacement strings. An unauthenticated attacker can exploit this by sending specially crafted HTTP requests that corrupt worker process memory, potentially enabling arbitrary code execution on systems lacking exploit mitigations such as ASLR or repeatedly crashing worker processes to create sustained denial-of-service conditions. Because the overflow is directly influenced by attacker-controlled input, exploitation reliability is significantly increased compared to non-deterministic memory corruption flaws. Given NGINX’s widespread use in enterprise web infrastructure, reverse proxies and application delivery environments, immediate patching is critical to reduce exposure to potential compromise and service disruption.

GitLab has released security updates addressing multiple vulnerabilities across its Community and Enterprise editions, including high-severity flaws that could allow unauthenticated attackers to compromise user sessions and perform unauthorized actions. As a widely deployed software development and DevOps platform, GitLab represents a high-value target due to its access to source code, CI/CD workflows, and developer credentials. The most critical issues create opportunities for attackers to abuse browser-based interactions to escalate access, manipulate platform configurations, and potentially compromise development environments if left unpatched.

The most severe vulnerability, CVE-2026-4922 (CVSS 8.1), is a cross-site request forgery flaw in the GraphQL API that allows unauthenticated attackers to execute GraphQL mutations on behalf of authenticated users due to insufficient CSRF protections. A second high-severity issue, CVE-2026-5816 (CVSS 8.0), stems from improper path handling in Web IDE assets, enabling arbitrary JavaScript execution within a victim’s browser session, potentially leading to session hijacking, credential theft, and unauthorized actions performed in the context of the affected user. Although no active exploitation has been reported, the presence of unauthenticated attack paths affecting a widely used development platform makes timely patching critical to reduce the risk of account compromise and platform abuse.

A critical vulnerability (CVE-2026-8043, CVSS Score 9.6) affecting Ivanti Xtraction before version 2026.2 exposes systems to significant risk through external control of a file name. A remote authenticated attacker can exploit this flaw to read sensitive files and write arbitrary HTML files to a web directory, leading to information disclosure and potential client-side attacks.

At its core, the vulnerability stems from the application processing user-supplied input intended for a file name without sufficient validation or sanitization. This allows an attacker to manipulate the intended file path, directing the application to access files outside its intended scope or write content to arbitrary locations. Two critical outcomes emerge from this: sensitive files can be read from the system, potentially exposing configuration data or credentials, and arbitrary HTML content can be written into web-accessible directories, opening the door to website defacement or client-side attacks such as cross-site scripting (XSS) against other users.

Exploitation begins with authentication to the application, after which an attacker identifies an input field where a file name is externally controlled. By crafting specific input — such as directory traversal sequences or absolute paths — they can force the application to retrieve files that should otherwise be inaccessible.

Microsoft has confirmed active exploitation of CVE-2026-42897, a high-severity Cross-Site Scripting (XSS) vulnerability affecting on-premises Microsoft Exchange Server Outlook Web Access (OWA) deployments. The vulnerability, carrying a CVSS score of 8.1, stems from improper neutralization of user-controlled input during web page generation, enabling attackers to execute malicious JavaScript within a victim’s authenticated OWA session. The flaw emerged shortly after Microsoft’s May 2026 Patch Tuesday release, but did not initially include a permanent fix for this Exchange issue. Microsoft has stated that the vulnerability is being actively exploited in the wild, increasing the urgency for organizations operating exposed Exchange infrastructure.

The attack chain leverages a stored XSS condition within the OWA component, where specially crafted email content is insufficiently sanitized before rendering inside a user’s browser session. A remote attacker can send a malicious email to a target user without requiring authentication or malware delivery. Once the victim opens the email through OWA and the required interaction conditions are met, embedded JavaScript executes within the trusted Exchange session context. Successful exploitation may enable session hijacking, spoofing of legitimate Exchange content, mailbox access, credential theft, email exfiltration, or unauthorized mailbox actions performed as the victim user. Because the attack operates entirely through browser-session abuse rather than executable payload deployment, malicious activity may initially evade traditional endpoint security controls and remain difficult to detect during early stages of compromise.