PatchDay Alert
Daily Digest · 2 min read · 5 CVEs · Issue 32 · By PatchDay Alert

A perfect 10 in Azure HorizonDB and a Copilot RCE you shouldn't ignore

CVE-2026-48567 is a CVSS 10.0 unauthenticated auth bypass in Azure HorizonDB. Also today: authenticated RCE in Microsoft Copilot (7.7), a Chrome sandbox escape via ImageCapture (7.5), a WordPress site-takeover in Hybrid Composer (9.8), and a DLL-loading trick in SQLite's sqldiff on Windows (9.8).

Patch now: 2 · Within 24h: 0 · This week: 3 · Exploited: 0

Tags: Azure HorizonDB · Microsoft Azure · Cloud · Microsoft Copilot · Google Chrome · Chromium · Windows · MacOS · Linux · WordPress · Hybrid Composer · SQLite

A perfect CVSS 10.0 just dropped for Azure HorizonDB. CVE-2026-48567 lets an unauthenticated attacker spoof credentials and escalate to full control over the network, no prior access needed. Nobody's exploiting it in the wild yet, but a 10.0 doesn't stay quiet for long. Patch this one first, then circle back for the rest.


Today's CVEs

Sorted by urgency

02 · CVE-2026-45497
CVSS 7.7 (NVD) · Patch this week · HIGH
Microsoft Copilot · Cloud

An authenticated user of Microsoft Copilot can inject commands and execute arbitrary code remotely. The attacker needs valid credentials first, which lowers the blast radius, but any compromised or malicious insider account could use this to run code on the backend. CVSS 7.7.

Included because
authenticated; network-accessible; command injection; common product
Affected estate
Microsoft Copilot deployments, all versions until a fix is confirmed
How to check
Confirm whether your tenant has Copilot enabled in the Microsoft 365 admin center. Check Microsoft's advisory for affected versions or service tiers.
Action
Apply Microsoft's security update for Copilot. Audit user access and review logs for unusual activity.
Urgency
Patch this week
Why it matters
A compromised or malicious authenticated user could execute arbitrary code on the Copilot backend.
Source
Microsoft Security Advisory


03 · CVE-2026-11296
CVSS 7.5 (NVD) · Patch this week · HIGH
Google Chrome · Chromium · Windows · MacOS · Linux

A bug in Chrome's ImageCapture API lets an attacker who has already compromised the renderer process escalate privileges via a crafted HTML page. This is a sandbox escape scenario, but it requires the renderer to be compromised first, which significantly raises the bar. Chromium rates this low severity. CVSS 7.5.

Included because
requires prior renderer compromise; privilege escalation; widely deployed browser
Affected estate
Google Chrome and Chromium-based browsers prior to version 149.0.7827.53
How to check
Open chrome://version or check your software management console for Chrome versions below 149.0.7827.53.
Action
Update Chrome to 149.0.7827.53 or later across managed endpoints.
Urgency
Patch this week
Why it matters
A pre-compromised renderer can escalate privileges, though the prerequisite limits real-world risk.
Source
Chromium Security Advisory


04 · CVE-2019-25738
CVSS 9.8 (NVD) · Patch now · CRITICAL
WordPress · Hybrid Composer · Linux · Windows

The Hybrid Composer plugin (version 1.4.6) for WordPress lets unauthenticated attackers change any WordPress option by hitting the admin-ajax.php endpoint. The practical attack is simple: enable user registration, set the default role to administrator, register an account, and take over the site. No login required. CVSS 9.8.

Included because
unauthenticated; internet-facing; full site takeover; CVSS 9.8
Affected estate
WordPress sites with the Hybrid Composer plugin version 1.4.6 or earlier installed
How to check
Check wp-content/plugins/hybrid-composer/ for existence and version. Run: wp plugin list | grep hybrid-composer, or check the Plugins page in the WordPress admin.
Action
Update or remove the Hybrid Composer plugin. Audit user accounts for unauthorized administrators. Verify that 'anyone can register' is disabled and the default role is set to 'subscriber'.
Urgency
Patch immediately
Why it matters
Unauthenticated attackers can take over the entire WordPress site by creating admin accounts with a single POST request.
Source
NVD

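The "How to check" and "Action" steps for the Hybrid Composer entry (and the Chrome version comparison from the entry before it) as a small POSIX sh audit. This is an added example, not code from PatchDay Alert or either project; the live helper assumes WP-CLI (`wp`) is on PATH and that WP_PATH names the WordPress root, while the checks themselves run offline on constructed values.

```shell
# Added example, not from the PatchDay Alert page: a POSIX sh audit for the
# "How to check" steps above. hc_audit_live assumes WP-CLI ("wp") is on PATH
# and WP_PATH names the site root; the other functions are pure and run offline.

# version_le A B: exit 0 when dotted version A <= B (numeric, field by field;
# a missing trailing field counts as 0, so 1.4 <= 1.4.6).
version_le() {
  _a=$1
  _b=$2
  while [ -n "$_a" ] || [ -n "$_b" ]; do
    _ai=${_a%%.*}; _bi=${_b%%.*}
    [ -z "$_ai" ] && _ai=0
    [ -z "$_bi" ] && _bi=0
    [ "$_ai" -lt "$_bi" ] && return 0
    [ "$_ai" -gt "$_bi" ] && return 1
    case $_a in *.*) _a=${_a#*.};; *) _a=;; esac
    case $_b in *.*) _b=${_b#*.};; *) _b=;; esac
  done
  return 0
}

# chrome_outdated V: exit 0 when Chrome version V is below the fixed build 149.0.7827.53.
chrome_outdated() { ! version_le 149.0.7827.53 "$1"; }

# hc_audit PLUGIN_VERSION USERS_CAN_REGISTER DEFAULT_ROLE
# Prints one line per finding; empty output means nothing to fix.
# PLUGIN_VERSION may be empty when the plugin is not installed.
hc_audit() {
  if [ -n "$1" ] && version_le "$1" 1.4.6; then
    echo "hybrid-composer $1 is in the affected range for CVE-2019-25738: update or remove it"
  fi
  if [ "$2" = "1" ]; then
    echo "users_can_register=1: 'anyone can register' should be disabled"
  fi
  if [ "$3" != "subscriber" ]; then
    echo "default_role=$3: expected 'subscriber'"
  fi
}

# Live run against a site: pull the three values with WP-CLI and audit them.
hc_audit_live() {
  _v=$(wp plugin get hybrid-composer --field=version --path="$WP_PATH" 2>/dev/null || true)
  _r=$(wp option get users_can_register --path="$WP_PATH")
  _d=$(wp option get default_role --path="$WP_PATH")
  hc_audit "$_v" "$_r" "$_d"
}
```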

05 · CVE-2025-71316
CVSS 9.8 (NVD) · Patch this week · CRITICAL
SQLite · Windows

The sqldiff.exe tool bundled with SQLite on Windows mishandles Unicode-to-ANSI conversion in command line arguments. An attacker can craft a command line string that tricks the -L option into loading an arbitrary DLL. Exploitation requires getting a user to run sqldiff with a malicious argument, so there's a user-interaction component here. CVSS 9.8.

Included because
DLL loading via argument injection; user interaction required; Windows-specific; CVSS 9.8
Affected estate
Windows systems with SQLite's sqldiff.exe installed, any version prior to the 2025-12-26 fix
How to check
Search for sqldiff.exe on Windows systems. Check the SQLite version: sqlite3 --version. Compare against the fixed release date of 2025-12-26.
Action
Update SQLite to the fixed version. Remove sqldiff.exe from systems where it is not needed.
Urgency
Patch this week
Why it matters
An attacker who can influence sqldiff command line arguments can load an arbitrary DLL and execute code on the system.
Source
SQLite project advisory / NVD


