Vendors
-
Oracle issues emergency fix for critical Identity Manager and Web Services Manager RCE
Oracle issued an out-of-schedule patch for CVE-2026-21992, a critical unauthenticated remote code execution flaw in Identity Manager and Web Services Manager with a CVSS score of 9.8. Customers are urged to patch immediately.
-
Navia discloses data breach affecting nearly 2.7 million people
A U.S. benefits administrator reported a breach exposing personal data for nearly 2.7 million people after systems were accessed between December 22, 2025 and January 15, 2026. Affected people are being offered free identity monitoring.
-
Aura confirms breach exposed nearly 900,000 marketing contacts
Aura confirmed a breach that exposed nearly 900,000 marketing contacts, including names and emails. The company says 35,000 were customers and that SSNs and financial data were not compromised.
-
CVE-2026-3888 in Ubuntu Desktop allows local users to escalate to root
A high-severity flaw in default Ubuntu Desktop installs of 24.04 and later allows a local unprivileged user to escalate to root. The issue is CVE-2026-3888, and patches for snapd are available for affected releases.
-
Attack on Stryker erased nearly 80,000 employee devices, company says
Stryker says an attack limited to its internal Microsoft environment erased nearly 80,000 employee devices on March 11. Medical products remain safe but ordering systems are offline and orders must be placed manually while recovery continues.
-
Android 17 Beta 2 blocks non-accessibility apps from accessibility API while Advanced Protection Mode is active
Android 17 Beta 2 tests a restriction that blocks non-accessibility apps from the accessibility services API while Advanced Protection Mode is enabled and revokes existing permissions to reduce misuse of the API.
-
Storm-2561 uses SEO poisoning to deliver trojan VPN clients that steal credentials
Microsoft disclosed a credential theft campaign that used SEO poisoning to deliver digitally signed trojan VPN clients that harvest credentials. The activity was observed in mid-January 2026 and is linked to Storm-2561.
-
Google patches two Chrome zero-days exploited in the wild
Google released Chrome updates to fix two high-severity zero-days exploited in the wild. Both are scored 8.8. Users should update Chrome to the listed versions on Windows, macOS, and Linux to reduce risk.
-
Starbucks says 889 Partner Central accounts were compromised in employee data breach
Attackers accessed 889 Starbucks Partner Central accounts used by employees. Exposed data includes names, Social Security numbers, dates of birth, and bank account information. Impacted partners are being offered two years of identity theft protection and credit monitoring.
-
Loblaw notifies customers after breach exposes names and contact details
Loblaw notified customers this week that a breach of a contained part of its IT network exposed names, phone numbers, and email addresses. The company logged customers out, and there was no evidence that financial or health data were accessed.









