Patch

A heap buffer overflow in MariaDB’s JSON_SCHEMA_VALID() function went unnoticed for years — until AI-assisted code analysis flagged it earlier this year. The flaw, now tracked as CVE-2026-32710, was disclosed on March 19, 2026, and patches landed the same day. If your server runs MariaDB 11.4.x or 11.8.x and you haven’t applied the update yet, this is the one to prioritise this week. What the Bug Actually Does The problem lives in json_get_normalized_string() inside sql/json_schema_helper.cc. The function allocates a fixed 128-byte heap buffer and then copies a JSON string value into it using strncpy — without first checking whether the value fits. If an attacker crafts a JSON schema with a string field longer than that buffer, the heap overflows. ...

On May 4, 2026, Wietse Venema released Postfix 3.11.2, 3.10.9, 3.9.10, and 3.8.16. If you run a mail server, this is the update you actually want to read — not because the CVSS score is alarming (it isn’t), but because one of the bugs patched in this release has been sitting in the codebase since 2005. The CVE Worth Knowing About CVE-2026-43964 is an off-by-one error in how Postfix handles enhanced status codes. If an SMTP access table, policy server, DNSBL response, or milter returns a bare status code — something like 5.7.2 without any text following it — the daemon reads past the end of the allocated buffer. The result is a process crash. ...

On April 28, 2026, cPanel released an emergency patch for CVE-2026-41940 — a CVSS 9.8 authentication bypass that, as it turned out, attackers had been quietly exploiting since approximately February 23. That is roughly two months of zero-day exposure across an estimated 1.5 million internet-facing cPanel & WHM instances. CISA promptly added it to its Known Exploited Vulnerabilities catalog, which is the agency’s way of saying: stop reading and go patch. ...

In late March, the Dovecot team published advisory OXDC-ADV-2026-0001 — a bundle of eight CVEs covering everything from pre-authentication path traversal to SQL injection to multiple denial-of-service vectors. If Dovecot is the IMAP daemon on your mail server (it almost certainly is), this deserves your attention. Here is a breakdown of what matters, in roughly descending order of alarm. The Serious Ones CVE-2026-24031 — SQL injection auth bypass (CVSS 7.7, HIGH) ...