Security News & Updates
Security news, release announcements, and security advisories for DevOps and infrastructure teams - tracked and explained by the Private DevOps team so you know what to act on.
22 updates in this topic
If You Use Gravity SMTP On WordPress Rotate Your Email API Keys Now
CVE-2026-4020 in the Gravity SMTP WordPress plugin (about 100,000 installs) lets an unauthenticated attacker pull your email provider API keys straight off the site, and bots are mass-exploiting it. It is rated CVSS 7.5 (High). Here is what leaks, why it deserves immediate attention, and the patch-and-rotate steps.
Read updateTwo Critical NGINX Bugs Dropped This Week And Who Is Actually At Risk
F5 shipped out-of-band patches on June 17, 2026 for two critical NGINX flaws, CVE-2026-42530 and CVE-2026-42055, both CVSS 9.2 and both unauthenticated. The headline is scary, but the exploitable surface is narrow. Here is which versions and configs are at risk, why it is a denial of service for most rather than code execution, and what to do.
Read updateGitHub's July 15 OIDC Change Will Not Break Your Existing AWS Deploys
GitHub is rolling out immutable OIDC subject claims on July 15, 2026, and plenty of posts warn it will break your GitHub Actions to AWS deploys. For existing repositories left alone, it will not. Here is what actually changes, the three things that do flip you to the new format, and how to future-proof your IAM trust policy now.
Read updateOpenSSL 3.0 Stops Getting Security Fixes in September and You Probably Still Ship It
OpenSSL 3.0 stops receiving all fixes, including security fixes, after September 7, 2026, and the 3.4 line follows on October 22. For most teams the distro backports cover it, but self-compiled, vendored, and container-bundled OpenSSL go quietly unpatched. Here is who is actually exposed and how to check.
Read updateFrom September 11 the EU Cyber Resilience Act Puts a 24-Hour Clock on Exploited Vulnerabilities and Most Makers Have No Runbook
From 11 September 2026, Article 14 of the EU Cyber Resilience Act forces makers of products with digital elements to report actively exploited vulnerabilities within 24 hours, with a 72-hour follow-up and a 14-day final report. It is the first binding CRA deadline, and the hard part is operational: detecting, triaging, and filing a conformant report inside a single day.
Read updateAn Ansible Privilege Escalation Bug And Who Actually Needs To Worry
CVE-2026-11837, published June 10, 2026, is a local privilege escalation flaw in the Ansible ansible.posix authorized_key module. It is not remote, so the real exposure is narrow. Here is exactly who is at risk and what to do now.
Read updatenpm v12 Will Stop Running Install Scripts By Default So Prepare Your CI
GitHub announced on June 9, 2026 that npm v12, due around July, will stop running preinstall, install, postinstall and prepare scripts by default. It closes the biggest supply-chain hole and it will break some CI builds. Here is how to get ready.
Read updateWhat The New Spectra RCE Means For Multi Author WordPress Sites
Wordfence disclosed CVE-2026-7465 on May 30, 2026, a remote code execution flaw in the Spectra Gutenberg Blocks plugin (versions up to 2.19.25, fixed in 2.19.26). It needs only Contributor access, so the real exposure is sites with open registration or many low-trust authors. Who is at risk and how to close it.
Read updateHow npm's New Staged Publishing Closes the Stolen CI Token Window
npm shipped staged publishing in CLI v11.15.0 on May 22, 2026. Adopted publishes now require a human 2FA approval that no OIDC token, automation token, or stolen CI credential can satisfy. Here is how it works and the CI changes it requires.
Read updateHow a TanStack npm Compromise Got Grafana's GitHub Codebase Stolen
Grafana Labs confirmed that attackers downloaded source code from its GitHub environment after a TanStack npm package compromise leaked one developer's GitHub workflow token. One token missed in the rotation, in one of the better-instrumented companies on the internet.
Read updateTeamPCP Breaches GitHub via Poisoned Nx Console Extension
TeamPCP exfiltrated about 3,800 GitHub-internal repositories after a poisoned Nx Console VS Code extension reached a GitHub employee. The full supply-chain chain, and what to do.
Read updateMini Shai-Hulud Worm Hits Microsoft's durabletask PyPI
TeamPCP's Mini Shai-Hulud worm backdoored durabletask v1.4.1-1.4.3 on PyPI, stealing AWS, GitHub and Vault secrets and spreading via SSM and kubectl exec.
Read updatessh-keysign-pwn (CVE-2026-46333): Kernel Secret Leak
CVE-2026-46333 (ssh-keysign-pwn) lets any local Linux user read SSH host keys and /etc/shadow via a kernel ptrace exit race. Who is exposed and how to fix it.
Read updateApple's M5 Memory Integrity Enforcement Bypassed in Five Days with AI Help
Researchers built the first public macOS kernel exploit on Apple M5 silicon, defeating Memory Integrity Enforcement in five days with Claude Mythos. The real story is the velocity.
Read updateGoogle GTIG Confirms the First AI-Developed Zero-Day Used in the Wild
On May 11, 2026, Google's Threat Intelligence Group published the first confirmed evidence of a criminal group using AI to build a working zero-day. Here is what it means for your threat model.
Read updateNGINX Rift (CVE-2026-42945) - An 18-Year-Old RCE in the World's Most Deployed Web Server
NGINX Rift (CVE-2026-42945) is a CVSS 9.2 heap overflow in the nginx rewrite module. A single unauthenticated request can reach RCE. PoC is public. Here is who is exposed and how to patch.
Read updateFragnesia (CVE-2026-46300) - The Linux Kernel LPE That the Dirty Frag Patch Created
Fragnesia is a new Linux kernel local privilege escalation introduced by the Dirty Frag patch itself. Public PoC is out. Ubuntu still unpatched. Here is the mitigation playbook.
Read updateMay 2026 Linux and cPanel CVE Storm: What to Patch Now
Three high-severity Linux kernel CVEs and a critical cPanel authentication bypass are being actively exploited in May 2026. Here is what to patch and how.
Read updateDirty Frag (CVE-2026-43500) - Linux Kernel RxRPC Root Escalation, Public Exploit Out
Dirty Frag (CVE-2026-43500) is a high-severity Linux kernel local privilege escalation in the RxRPC subsystem. Public exploit is already out - the disclosure embargo broke. Patch and mitigation playbook below.
Read updateCopy Fail (CVE-2026-31431) - Patch Every Linux Server You Run
Copy Fail (CVE-2026-31431) is a Linux kernel local privilege escalation that turns any local account into root in seconds. Every major distribution is affected. This is the patch and mitigation playbook.
Read updateMajor Vercel Breach Disclosed - Rotate Every Token Now
A high-impact supply chain breach hit Vercel customers in April 2026. Plaintext environment variables - API keys, database credentials, signing keys - were exposed. This is the rotation playbook.
Read updateOpenSSL CVE-2024-12797 - Raw Public Key TLS Authentication Bypass Patched
OpenSSL has patched CVE-2024-12797, a high-severity TLS authentication flaw that lets a server bypass Raw Public Key verification without aborting the handshake. Affects OpenSSL 3.2, 3.3, and 3.4. Update immediately.
Read update