PatchDayAlert
Daily Digest · 2 min read · 5 CVEs · Issue 57 By PatchDayAlert

CoreWCF auth bypass scores a perfect 10, Chrome sandbox escape close behind

A broken SAML token check in CoreWCF (CVE-2026-54782, CVSS 10.0) lets anyone forge tokens and impersonate users. Chrome on Android has a 9.6 use-after-free sandbox escape via Autofill, plus a NATS Server auth skip (8.8), a GStreamer DTLS stack overflow (7.5), and a Dynamics 365 XSS (9.3).

Patch now
2
Within 24h
1
This week
1
Exploited
0
CoreWCF.NETWindowsLinuxNATS ServerGStreamerGoogle ChromeAndroidMicrosoft Dynamics 365Dynamics 365 Customer VoiceCloud

Two big ones today, neither exploited yet, but both worth your attention right now. CoreWCF's SAML token validation is completely broken: attackers can forge tokens and impersonate any federated user without authentication (CVE-2026-54782, CVSS 10.0). On top of that, a Chrome sandbox escape on Android (CVSS 9.6) is exactly the kind of bug that gets weaponized fast.


Today's CVEs

Sorted by urgency

02

CVE-2026-58253

NVD
8.8
CVSS
Patch within 24h HIGH
NATS ServerLinuxWindows

When NATS Server has no_auth_user configured, a parser shortcut meant for regular client connections accidentally applies to route and leafnode listeners too. That means an unauthenticated peer can skip inter-server CONNECT authentication and get the full privileges of a route or leafnode connection. CVSS 8.8. If your NATS cluster is reachable by untrusted hosts, this is an easy privilege escalation path.

Affected estate
Anyone running NATS Server with no_auth_user enabled, especially clusters where route or leafnode ports are network-accessible
How to check
Run 'nats-server --version' and review your server config for the no_auth_user directive. If it's present and you're on a vulnerable version, you're exposed.
Included because
unauthenticated; network-accessible; authentication bypass on inter-server connections; CVSS 8.8
Action
Upgrade to 2.14.0, 2.12.7, or 2.11.16. As a temporary mitigation, restrict network access to route and leafnode ports to trusted hosts only.
Why it matters
An unauthenticated peer can join your cluster as a trusted route or leafnode, giving it full inter-server privileges.
Source
NATS project advisory

Evidence trail

03

CVE-2026-59692

NVD
7.5
CVSS
Patch this week HIGH
GStreamerLinux

GStreamer's DTLS plugin copies the peer certificate's Subject Distinguished Name into a fixed 2048-byte stack buffer with no bounds check during the handshake. A remote unauthenticated attacker can send a certificate with an oversized Subject DN to overflow the buffer and crash the process. This is a denial-of-service bug (CVSS 7.5), not confirmed for code execution, but any GStreamer pipeline using DTLS (common in WebRTC scenarios) is vulnerable.

Affected estate
Anyone running GStreamer pipelines that use the DTLS plugin, particularly WebRTC media servers and endpoints
How to check
Run 'gst-inspect-1.0 dtls' to check if the DTLS plugin is present, then check your GStreamer package version against your distro's security tracker.
Included because
unauthenticated; remote; stack overflow; denial of service; common in WebRTC deployments
Action
Update the GStreamer DTLS plugin package to the patched version. If no patch is available yet, restrict DTLS endpoints to trusted peers or disable the plugin if not needed.
Why it matters
A remote attacker can crash any GStreamer process using DTLS with a single malformed certificate, taking down media streams.
Source
GStreamer project advisory

Evidence trail

04

CVE-2026-15113

NVD
9.6
CVSS
Patch now CRITICAL
Google ChromeAndroid

A use-after-free bug in Chrome's Autofill feature on Android can let an attacker escape the browser sandbox through a crafted web page. CVSS 9.6. No user interaction beyond visiting the page is needed. Sandbox escapes are rare and serious: if exploited, the attacker gets access beyond the browser process itself. No exploitation in the wild yet, but this is the kind of bug that gets weaponized fast.

Affected estate
Anyone managing Chrome on Android devices, including MDM-managed fleets and BYOD environments
How to check
Open Chrome on the device, go to Settings > About Chrome, and check the version number. In MDM, query for Chrome browser versions below 150.0.7871.115.
Included because
unauthenticated; remote; sandbox escape; CVSS 9.6; no user interaction beyond visiting a page
Action
Force a Chrome update to 150.0.7871.115 or later through your MDM or instruct users to update via the Play Store.
Why it matters
A sandbox escape means a malicious web page can break out of Chrome's security boundary and potentially compromise the device.
Source
Chromium security advisory

Evidence trail

05

CVE-2026-47646

NVD
9.3
CVSS
Track CRITICAL
Microsoft Dynamics 365Dynamics 365 Customer VoiceCloud

A cross-site scripting (XSS) vulnerability in Microsoft Dynamics 365 Customer Voice lets an unauthorized attacker inject malicious content and spoof pages over the network. CVSS 9.3. This is a cloud service, so you can't patch it yourself, but you should verify your tenant is updated and watch for any indicators of spoofing or phishing through Customer Voice surveys.

Affected estate
Teams using Microsoft Dynamics 365 Customer Voice for surveys and feedback collection
How to check
Check the Microsoft 365 admin center or Service Health dashboard for advisories related to Dynamics 365 Customer Voice. Microsoft typically patches cloud services server-side.
Included because
unauthenticated; network-accessible; XSS with spoofing; CVSS 9.3; cloud-hosted service
Action
Verify the fix is applied in your tenant via the admin center. Alert users who manage Customer Voice surveys to watch for unusual or spoofed content.
Why it matters
Attackers can spoof survey pages to phish your customers or internal users through a trusted Microsoft domain.
Source
Microsoft Security Response Center

Evidence trail


One email, every Wednesday morning.

Subscribe