PatchDay Alert
APR 29, 2026
Daily Digest by Colten Anderson

Two perfect 10s: Entra ID SSRF and Bing RCE, both unauth, both wide open

Microsoft Entra ID Entitlement Management has a CVSS 10.0 SSRF that needs no login, and Bing has a CVSS 10.0 deserialization RCE in the same boat. Hackage-server adds two 9.9 stored XSS bugs, plus a 9.8 crasher in Delta Electronics NAS gear.

Patch now: 3 | Within 24h: 2 | This week: 0 | Exploited: 0
Microsoft Windows

Two CVSS 10.0 bugs from Microsoft landed today, neither exploited in the wild yet, but both ugly. CVE-2026-35431 is an unauthenticated SSRF in Entra ID Entitlement Management that lets an attacker trick the server into making internal requests on their behalf. CVE-2026-33819 is unauthenticated RCE in Bing via a deserialization bug. Both are cloud-side, so check your exposure and watch for Microsoft's mitigation guidance closely.


Today's CVEs

Sorted by urgency

02. CVE-2026-33819
NVD | CVSS 10.0 | CRITICAL | Microsoft Windows

An unauthenticated attacker can get remote code execution on Microsoft Bing infrastructure by sending crafted serialized data over the network. Deserialization bugs like this are a favorite for attackers because they often give full control of the target system. CVSS 10.0, no known exploitation yet.

Affected estate: Microsoft Bing service operators and anyone running Bing-related backend components on-prem or in hybrid deployments
How to check: Check inventory, endpoint management, or the vendor console for affected Microsoft versions.
Action: Apply the Microsoft security update immediately; if this is a cloud-side Bing service, verify with Microsoft that the fix has been deployed to your environment.
Urgency: Patch immediately
Source: NVD
03. CVE-2026-40472
NVD | CVSS 9.9 | CRITICAL

Hackage-server (the package repository for Haskell) renders user-supplied metadata from .cabal files straight into HTML links without sanitizing it. A malicious package maintainer can inject stored XSS that fires whenever someone views the package page, potentially stealing session cookies or performing actions as the victim. CVSS 9.9, not yet exploited in the wild.

Affected estate: Anyone running a self-hosted hackage-server instance
How to check: Check inventory, endpoint management, or the vendor console for affected product versions.
Action: Upgrade hackage-server to the latest patched version and audit recently uploaded .cabal metadata for suspicious href content.
Urgency: Patch within 24 hours
Source: NVD
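As an added example (not hackage-server's own code), a small Python audit for the "suspicious href content" check above: it parses the URL-bearing fields of a .cabal file, flags values that carry a non-http(s) scheme or characters that break out of an href attribute, and shows the escaped, scheme-checked rendering that removes the bug class. The field list, the sample .cabal text and the example.invalid URLs are assumptions constructed for this example.

```python
import html
import re
from urllib.parse import urlsplit

# .cabal fields rendered as links (assumption: hackage-server's exact
# list is not given on the page; extend as needed).
URL_FIELDS = ("homepage", "bug-reports", "package-url")
SAFE_SCHEMES = {"http", "https"}
# Characters that break out of a double-quoted href or start markup.
ATTR_BREAKERS = re.compile(r'["\'<>]')
# Constructed sample .cabal metadata, not a real Hackage package.
SAMPLE_CABAL = """\
name:          example-pkg
homepage:      https://example.invalid/example-pkg
bug-reports:   javascript:void(0)
package-url:   https://example.invalid/x"><b>not a link</b>
"""

def parse_cabal_fields(text):
    """Return {field: value} for top-level 'field: value' lines.
    Indented continuation lines are skipped (URL fields are one line)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"([A-Za-z][A-Za-z0-9-]*)\s*:\s*(.*)", line)
        if m:  # comments ('--') and indented lines fail the anchor
            fields[m.group(1).lower()] = m.group(2).strip()
    return fields

def audit_hrefs(fields):
    """List (field, reason) for URL fields unsafe to put in an href."""
    findings = []
    for name in URL_FIELDS:
        value = fields.get(name)
        if not value:
            continue
        if ATTR_BREAKERS.search(value):
            findings.append((name, "attribute-breaking characters"))
        scheme = urlsplit(value).scheme.lower()
        if scheme not in SAFE_SCHEMES:
            findings.append((name, f"disallowed scheme {scheme or '(none)'!r}"))
    return findings

def safe_href(value):
    """Escape for the href/text context and link only allow-listed
    schemes, so a hostile value degrades to inert text instead of XSS."""
    text = html.escape(value, quote=True)
    if urlsplit(value).scheme.lower() in SAFE_SCHEMES:
        return f'<a href="{text}">{text}</a>'
    return text
```

Run `audit_hrefs(parse_cabal_fields(open(path).read()))` over recently uploaded .cabal files to list the fields that need review; `safe_href` is the rendering shape the server side should use regardless.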
04. CVE-2026-40470
NVD | CVSS 9.9 | CRITICAL

Hackage-server serves uploaded HTML and JavaScript files on the main hackage.haskell.org domain with no sandboxing. A malicious package maintainer can upload docs containing JavaScript that runs in the context of any logged-in user who views the page. That means full session hijack: uploading packages, changing maintainers, the works. CVSS 9.9.

Affected estate: Anyone running a self-hosted hackage-server instance, and users of hackage.haskell.org who have upload or maintainer privileges
How to check: Check inventory, endpoint management, or the vendor console for affected product versions.
Action: Upgrade hackage-server to the patched version, and serve user-uploaded documentation from a separate domain or sandbox origin to prevent cookie theft.
Urgency: Patch within 24 hours
Source: NVD
05. CVE-2026-1952
NVD | CVSS 9.8 | CRITICAL

Delta Electronics AS320T NAS devices have an undocumented subfunction that lets an attacker crash the device remotely, causing a denial of service. No authentication appears to be required. CVSS 9.8, so this is trivially exploitable over the network.

Affected estate: Anyone running Delta Electronics AS320T NAS devices, especially if they're network-accessible
How to check: Check inventory, endpoint management, or the vendor console for affected product versions.
Action: Apply the latest firmware update from Delta Electronics for the AS320T, and restrict network access to the device's management interface with firewall rules until the patch is confirmed.
Urgency: Patch immediately
Source: NVD