Postfix 3.11.2 Patches a 20-Year-Old Buffer Over-Read — and an AI Found Most of the Rest

On May 4, 2026, Wietse Venema released Postfix 3.11.2, 3.10.9, 3.9.10, and 3.8.16. If you run a mail server, this is the update you actually want to read — not because the CVSS score is alarming (it isn’t), but because one of the bugs patched in this release has been sitting in the codebase since 2005. The CVE Worth Knowing About: CVE-2026-43964 is an off-by-one error in how Postfix handles enhanced status codes. If an SMTP access table, policy server, DNSBL response, or milter returns a bare status code — something like 5.7.2 without any text following it — the daemon reads past the end of the allocated buffer. The result is a process crash. ...

May 7, 2026 · 3 min

Apache HTTP/2 Double-Free (CVE-2026-23918): What You Need to Do Before Friday

A memory-corruption bug in Apache HTTP Server’s HTTP/2 implementation was publicly disclosed this week, and the details are ugly enough that you should stop reading this sentence and go check your Apache version right now. Done? Good. Let’s talk about what’s actually going on. The Bug: CVE-2026-23918 is a double-free vulnerability in mod_http2, specifically in the stream cleanup path of Apache httpd 2.4.66. A double-free happens when code tries to release the same chunk of memory twice — a classic mistake that corrupts internal allocator state and typically leads to crashes, and sometimes worse. ...

May 6, 2026 · 4 min

Turkey's .tr Domain Count Hits 1.3 Million: What Changed After TRABIS

Turkey’s .tr domain namespace crossed the 1.3 million active registrations mark this month, according to data released by the Information and Communication Technologies Authority (BTK). Daily Sabah also reported on the milestone as part of a broader story about steady growth in Turkey’s digital infrastructure. The number is worth pausing on — not because round numbers deserve celebration parties, but because it represents a genuine structural shift in how the Turkish domain namespace works. ...

May 6, 2026 · 4 min

CVE-2026-41940: The cPanel Zero-Day That Sat Unpatched for Two Months

On April 28, 2026, cPanel released an emergency patch for CVE-2026-41940 — a CVSS 9.8 authentication bypass that, as it turned out, attackers had been quietly exploiting since approximately February 23. That is roughly two months of zero-day exposure across an estimated 1.5 million internet-facing cPanel & WHM instances. CISA promptly added it to its Known Exploited Vulnerabilities catalog, which is the agency’s way of saying: stop reading and go patch. ...

May 4, 2026 · 4 min

Eight CVEs, One IMAP Server: Patching the Dovecot Security Bundle

In late March, the Dovecot team published advisory OXDC-ADV-2026-0001 — a bundle of eight CVEs covering everything from pre-authentication path traversal to SQL injection to multiple denial-of-service vectors. If Dovecot is the IMAP daemon on your mail server (it almost certainly is), this deserves your attention. Here is a breakdown of what matters, in roughly descending order of alarm. The Serious Ones: CVE-2026-24031 — SQL injection auth bypass (CVSS 7.7, HIGH) ...

May 4, 2026 · 4 min