DAILY BRIEF · APRIL 24, 2026

Two CVSS 10.0 bugs from Microsoft landed today, neither exploited in the wild yet, but both ugly. CVE-2026-35431 is an unauthenticated SSRF in Entra ID Entitlement Management that lets an attacker trick the server into making internal requests on their behalf. CVE-2026-33819 is unauthenticated RCE in Bing via a deserialization bug. Both are cloud-side, so check your exposure and watch for Microsoft's mitigation guidance closely.

TOP THREAT TODAY

CVE-2026-35431
CVSS 10.0

CRITICAL

An attacker can hit Microsoft Entra ID Entitlement Management with a server-side request forgery (SSRF) over the network, no authentication required. SSRF means the attacker tricks the server into making requests on their behalf, potentially reaching internal services or spoofing identity data. CVSS 10.0, so Microsoft is rating this as bad as it gets, though no exploitation in the wild has been reported yet.
Who's affected: Anyone using Microsoft Entra ID Entitlement Management (formerly Azure AD Entitlement Management)
Patch immediately.
Apply the latest Microsoft security update for Entra ID Entitlement Management as soon as it's available; since this is a cloud service, confirm with Microsoft that your tenant has been patched.

CVE-2026-33819
CVSS 10.0

CRITICAL

An unauthenticated attacker can get remote code execution on Microsoft Bing infrastructure by sending crafted serialized data over the network. Deserialization bugs like this are a favorite for attackers because they often give full control of the target system. CVSS 10.0, no known exploitation yet.
Affects: Microsoft Bing service operators and anyone running Bing-related backend components on-prem or in hybrid deployments
Patch immediately.
Apply the Microsoft security update immediately; if this is a cloud-side Bing service, verify with Microsoft that the fix has been deployed to your environment.

CVE-2026-40472
CVSS 9.9

CRITICAL

Hackage-server (the package repository for Haskell) renders user-supplied metadata from .cabal files straight into HTML links without sanitizing it. A malicious package maintainer can inject stored XSS that fires whenever someone views the package page, potentially stealing session cookies or performing actions as the victim. CVSS 9.9, not yet exploited in the wild.
Affects: Anyone running a self-hosted hackage-server instance
Patch within 24 hours.
Upgrade hackage-server to the latest patched version and audit recently uploaded .cabal metadata for suspicious href content.
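As an added illustration of the bug class and of the audit step above (this is not hackage-server's own code, which is Haskell; it is a Python sketch written for this brief), the block below scans the link-like fields of a .cabal file for values that would break out of an href attribute or carry a non-http(s) scheme, and shows the vulnerable rendering pattern next to a hardened one. The brief does not say which fields hackage-server turns into links, so the field list is an assumption; the sample .cabal text is constructed.

```python
import html
import re
from urllib.parse import urlsplit

# Fields a package index might render as clickable links. The brief does not say
# which fields hackage-server links, so this list is an assumption.
LINK_FIELDS = {"homepage", "bug-reports", "package-url", "location"}
ALLOWED_SCHEMES = {"http", "https"}
_FIELD_RE = re.compile(r"^\s*(?P<name>[A-Za-z-]+)\s*:\s*(?P<value>.+?)\s*$")

# Constructed sample: one benign link, one javascript: URL, one attribute breakout.
SAMPLE_CABAL = """\
name:           example-pkg
version:        0.1.0.0
homepage:       https://example.org/example-pkg
bug-reports:    javascript:alert(1)
source-repository head
  type:     git
  location: https://example.org/"><b>injected</b>
"""


def _scheme(value):
    """URL scheme of a metadata value (lower-cased), or None if it does not parse."""
    try:
        return urlsplit(value.strip()).scheme.lower()
    except ValueError:
        return None


def link_fields(cabal_text):
    """Yield (line_no, field, value) for each link-like field. This is a flat
    line scan, not a full .cabal parser: sections and multi-line values are ignored."""
    for no, line in enumerate(cabal_text.splitlines(), 1):
        m = _FIELD_RE.match(line)
        if m and m.group("name").lower() in LINK_FIELDS:
            yield no, m.group("name").lower(), m.group("value")


def href_problems(value):
    """Reasons a value is dangerous when dropped verbatim into href="...":
    a non-http(s) scheme, or characters that end the attribute or the tag."""
    problems = []
    scheme = _scheme(value)
    if scheme not in ALLOWED_SCHEMES:
        problems.append(f"scheme {scheme!r} not in allowlist")
    if any(ch in value for ch in '"\'<>'):
        problems.append("contains quote or angle bracket (attribute/tag breakout)")
    if any(ord(ch) < 0x20 for ch in value):
        problems.append("contains control characters")
    return problems


def audit_cabal(cabal_text):
    """Return [(line_no, field, value, problems)] for every suspicious link field."""
    findings = []
    for no, field, value in link_fields(cabal_text):
        problems = href_problems(value)
        if problems:
            findings.append((no, field, value, problems))
    return findings


def render_link_unsafe(value):
    """The vulnerable pattern: metadata interpolated straight into the markup."""
    return f'<a href="{value}">{value}</a>'


def render_link(value):
    """Hardened pattern: only http(s) values become links, and the value is
    escaped for both the attribute and the text context. Escaping alone would
    not neutralise a javascript: URL, which is why the scheme allowlist comes first."""
    text = html.escape(value, quote=True)
    if _scheme(value) not in ALLOWED_SCHEMES or any(ord(c) < 0x20 for c in value):
        return text  # shown as plain text, never as a link
    return f'<a href="{text}" rel="noopener noreferrer">{text}</a>'


if __name__ == "__main__":
    for no, field, value, problems in audit_cabal(SAMPLE_CABAL):
        print(f"line {no}: {field} = {value!r}: {'; '.join(problems)}")
```

Run against a directory of recently uploaded .cabal files, `audit_cabal` flags the two constructed bad values (line 4 and line 7) and leaves the benign homepage alone; `render_link` shows why a fix needs both the scheme check and the escaping, since either one on its own leaves one of the two cases open.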

CVE-2026-40470
CVSS 9.9

CRITICAL

Hackage-server serves uploaded HTML and JavaScript files on the main hackage.haskell.org domain with no sandboxing. A malicious package maintainer can upload docs containing JavaScript that runs in the context of any logged-in user who views the page. That means full session hijack: uploading packages, changing maintainers, the works. CVSS 9.9.
Affects: Anyone running a self-hosted hackage-server instance, and users of hackage.haskell.org who have upload or maintainer privileges
Patch within 24 hours.
Upgrade hackage-server to the patched version, and serve user-uploaded documentation from a separate domain or sandbox origin to prevent cookie theft.
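To check that the "separate domain or sandbox origin" advice actually holds after you redeploy, here is an added checker (not part of the brief or of hackage-server) that takes the main site origin, the URL a documentation page is served from, and that page's response headers, and reports what is still wrong: same origin as the site, a subdomain that still receives parent-domain cookies, no CSP sandbox, or a docs origin that hands out cookies of its own. The hostnames and the two response header sets are constructed for the example.

```python
from urllib.parse import urlsplit

# Hypothetical main site; constructed for the example.
SITE_ORIGIN = "https://hackage.example.org"

# Constructed responses (not captured from any real server) for one uploaded
# documentation page, before and after moving it to an isolated origin.
BEFORE = ("https://hackage.example.org/package/foo/docs/index.html", {
    "Content-Type": "text/html",
    "Set-Cookie": "session=abc; Path=/",
})
AFTER = ("https://docs.hackage-example.net/foo/index.html", {
    "Content-Type": "text/html",
    "Content-Security-Policy": "sandbox allow-scripts",
    "X-Content-Type-Options": "nosniff",
})


def _origin(url):
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def doc_isolation_findings(site_origin, doc_url, headers):
    """Return a list of findings for uploaded HTML served at doc_url with the
    given response headers; an empty list means the page is isolated from the
    main site's session."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    site_scheme, site_host = _origin(site_origin)
    doc_scheme, doc_host = _origin(doc_url)

    # Origin check: same origin means uploaded script runs with the viewer's session.
    if (doc_scheme, doc_host) == (site_scheme, site_host):
        findings.append("same origin as main site: uploaded scripts run with the user's session")
    elif doc_host.endswith("." + site_host):
        # Host-only cookies stay put, but any cookie set with Domain=<site host>
        # is still sent to every subdomain.
        findings.append("subdomain of main site: Domain= cookies from the parent domain are still sent")

    # A CSP sandbox makes the document's origin opaque even on a shared host,
    # unless allow-same-origin is present, which switches that protection off.
    csp = h.get("content-security-policy", "")
    directives = [d.strip() for d in csp.split(";")]
    if not any(d == "sandbox" or d.startswith("sandbox ") for d in directives):
        findings.append("no CSP sandbox directive: page runs as an ordinary origin")
    elif "allow-same-origin" in csp:
        findings.append("sandbox includes allow-same-origin: origin is not opaque")

    # The docs origin itself should hold nothing worth stealing.
    if "set-cookie" in h:
        findings.append("docs origin sets cookies: there should be no session state here")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings


if __name__ == "__main__":
    for label, (url, headers) in (("before", BEFORE), ("after", AFTER)):
        print(label, doc_isolation_findings(SITE_ORIGIN, url, headers) or ["ok"])
```

The subdomain branch is deliberately a warning rather than a pass: moving docs to docs.example.org is only as good as the Domain attribute on the main site's session cookie, whereas a separate registrable domain or an opaque sandboxed origin does not depend on that.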

CVE-2026-1952
CVSS 9.8

CRITICAL

Delta Electronics AS320T NAS devices have an undocumented subfunction that lets an attacker crash the device remotely, causing a denial of service. No authentication appears to be required. CVSS 9.8, so this is trivially exploitable over the network.
Affects: Anyone running Delta Electronics AS320T NAS devices, especially if they're network-accessible
Patch immediately.
Apply the latest firmware update from Delta Electronics for the AS320T, and restrict network access to the device's management interface with firewall rules until the patch is confirmed.

That's your patch day digest.

patchdayalert.com