PatchDay Alert
Subscribe →

A sample of today's digest

JUN 5 · Nº032
Patch now From JUN 5 · Nº032
CVE-2026-48567 10.0 Azure HorizonDB

An attacker can bypass authentication in Azure HorizonDB by spoofing credentials and escalate privileges, all over the network with no prior access required.

The call: Apply the latest Microsoft security update for Azure HorizonDB as soon as it is available.

Sources: NVD Read the full call

Plus 4 more calls in this morning's issue. See the whole thing

01

Source-linked

Every verdict links to a primary source.

NVD, CISA KEV, MSRC, GHSA, or a vendor PSIRT. Skeptical readers can click through to verify in place.

02

Human-reviewed

A working sysadmin edits before it ships.

Issues are reviewed and edited before they go out, not auto-published from a feed. CVEs that aren’t actionable before standup don’t make the cut.

03

Editorial verdicts

One call per CVE. Four minutes total.

Patch now, patch this week, track, or doesn’t apply. These reviews are editorial and unpaid.

Today's digest, in full

The other 4 calls for Friday, June 5.

Read the issue
01 Patch this week CVE-2026-45497 Microsoft Copilot An authenticated user of Microsoft Copilot can inject commands and execute arbitrary code remotely. The call: Apply the latest Microsoft security update for Copilot. CVSS 7.7 02 Patch this week CVE-2026-11296 Google Chrome A bug in Chrome's ImageCapture API lets an attacker who has already compromised the renderer process escalate privileges via a crafted HTML page. The call: Update Chrome to version 149.0.7827.53 or later. CVSS 7.5 03 Patch now CVE-2019-25738 WordPress The Hybrid Composer plugin (version 1.4.6) for WordPress lets unauthenticated attackers change any WordPress option by hitting the admin-ajax.php endpoint. The call: Remove or update the Hybrid Composer plugin immediately. CVSS 9.8 04 Patch this week CVE-2025-71316 SQLite The sqldiff.exe tool bundled with SQLite on Windows mishandles Unicode-to-ANSI conversion in command line arguments. The call: Update SQLite to the version released on or after 2025-12-26. CVSS 9.8

The four-verdict model

Every CVE gets one of these four calls.

No CVSS-jargon dump, no “threat actor postulated to leverage” sentences. You read the verdict, then the one-line action, then move on.

  1. Patch now

    Exploited in the wild, or exposed and trivially exploitable. Today’s change window.

  2. Patch this week

    Real risk, no active exploitation yet. Slot it into your next maintenance window.

  3. Track

    Worth knowing about. No action needed today; check back if the advisory changes.

  4. Doesn't apply

    Affected versions you don’t run, or a vendor branch you’ll never see. Skip with confidence.

Who reads this

Built for IT teams who do their own patching.

For sysadmins

The lone admin running fifty servers.

You don’t have time to read three feeds and a Discord. One email, one verdict per CVE, before standup.

Built for this

For MSPs

Twenty clients, twenty stacks.

Each CVE is tagged by vendor and product, so a quick scan picks out what matters to your fleet. Forward the digest to whoever’s on rotation.

Built for this

For IT managers

Brief leadership in one paragraph.

The intro summarizes what shipped, what’s on fire, and what to ignore. Forwardable in one click to whoever signs off on the change window.

Built for this

For lean IT teams

No Tenable, no Qualys, no full-time analyst.

The digest is the triage layer you don’t have to staff.

Built for this

The archive

Recent digests.

Full archive
Nº032 JUN 5

A perfect 10 in Azure HorizonDB and a Copilot RCE you shouldn't ignore

CVE-2026-48567 is a CVSS 10.0 unauthenticated auth bypass in Azure HorizonDB. Also today: authenticated RCE in Microsoft Copilot (7.7), a Chrome sandbox escape via ImageCapture (7.5), a WordPress site-takeover in Hybrid Composer (9.8), and a DLL-loading trick in SQLite's sqldiff on Windows (9.8).

5 CVEs
3 Crit
0 KEV
4 min
Nº031 JUN 4

OpenShift ClusterRole blows wide open, Cisco UCM goes from SSRF to root

A CVSS 9.6 privilege escalation in OpenShift Pipelines hands any authenticated user write access to Kueue and cert-manager secrets. Plus a Cisco Unified Communications Manager SSRF-to-root chain (CVSS 8.6) and an overprivileged AWS IAM issue in OpenShift Cloud Credential Operator.

5 CVEs
1 Crit
0 KEV
4 min
Nº030 JUN 3

A 9.8 WordPress site takeover, a healthcare RCE, and two NI driver bugs

ARMember Premium lets unauthenticated attackers reset any admin password (CVSS 9.8). Spacelabs Sentinel has a file-write-to-webshell path on port 8989 (CVSS 9.8). NI-PAL driver flaws give local users a privesc and a blue-screen. LibreChat lets any logged-in user hijack another user's API keys.

5 CVEs
2 Crit
0 KEV
4 min
Nº029 JUN 2

SharePoint deser RCE, OpenShift HAProxy injection, and a WordPress SQLi from 2018

CVE-2026-47294 lets any authenticated SharePoint user run code on your server (CVSS 8.0). CVE-2026-1784 turns OpenShift Route objects into HAProxy config injection (CVSS 8.8). Plus an ancient unauthenticated SQLi in WP AutoSuggest finally gets a CVE.

5 CVEs
0 Crit
0 KEV
4 min

From the blog

Playbooks the digest can't fit.

Visit the blog
JUN 5 · Field Note · Colten Anderson

Three June 30 Microsoft 365 retirements that fail silently

A printer stops scanning to email, a conference-room keyboard's mute key dies, a town hall won't schedule. None of these will announce themselves on June 30, 2026.

Read JUN 5 · Field Note · Colten Anderson

Promtail is end-of-life: your Loki shipper just lost its support floor

If Promtail still ships your logs to Loki, the agent reading every log file on the host has had no upstream remediation path since March 2, 2026. The migration to Alloy is mostly mechanical, except for the one file that decides whether you get duplicates or a gap.

Read JUN 5 · Field Note · Colten Anderson

One cookie to your storefront homepage is shell. CVE-2026-45247 has a Saturday deadline.

An unauthenticated RCE in the Mirasvit Cache Warmer extension is already being hit at scale, and CISA's federal patch deadline is essentially now. If you run Magento, you act today.

Read

Get the cheat sheet and the digest

CVE triage for sysadmins in five minutes.

What to patch now. What can wait. What you can ignore.

  1. 01 The CVE triage cheat sheet, a one-page printable decision tree, in the welcome email.
  2. 02 The weekday digest, one email each morning, around four minutes to read.

Free. Unsubscribe anytime.