
Overview

CrowdStrike has released security updates for a critical vulnerability in LogScale. The flaw allows a remote attacker to read any file on the server filesystem without authentication, provided a specific cluster API endpoint is exposed. CrowdStrike has advised that users should update to a patched version immediately.

  • CVE-2026-40050: Unauthenticated Path Traversal Vulnerability in LogScale (CVSSv3 9.8). Affected Versions: LogScale Self-Hosted 1.224.0 – 1.234.0 (Inclusive), LogScale Self-Hosted LTS 1.228.0 – 1.228.1


Cisco has released advisories for multiple critical vulnerabilities in Cisco ISE and Cisco ISE-PIC. These vulnerabilities could allow a remote, authenticated attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit them, the attacker must have valid administrative credentials or, at minimum, Read Only Admin credentials.

  • CVE-2026-20147: Improper Neutralization of Special Elements used in a Command Vulnerability (CVSSv3 9.9). Affected Versions: All configurations of Cisco ISE and Cisco ISE-PIC
  • CVE-2026-20186: Improper Neutralization of Special Elements used in a Command Vulnerability (CVSSv3 9.9). Affected Versions: All configurations of Cisco ISE
  • CVE-2026-20180: Improper Limitation of a Pathname to a Restricted Directory Vulnerability (CVSSv3 9.9). Affected Versions: All configurations of Cisco ISE


Wordfence has released a number of advisories for critical vulnerabilities in WordPress plugins. The Sendmachine plugin contains an authorisation bypass flaw that could let unauthenticated attackers intercept outgoing emails. The Create DB Tables plugin has a similar missing-authorisation flaw that could let authenticated attackers with Subscriber-level access or higher create or delete database tables, potentially breaking the entire site. The Breeze Cache plugin is vulnerable to arbitrary file upload, which could let unauthenticated attackers upload malicious files and potentially achieve remote code execution.

  • CVE-2026-6235: Unauthenticated SMTP Hijack to Privilege Escalation (CVSSv3 9.8). Affected Versions: Sendmachine <= 1.0.20
  • CVE-2026-4119: Missing Authorisation to Authenticated (Subscriber+) Arbitrary Database Table Creation/Deletion (CVSSv3 9.1). Affected Versions: Create DB Tables <= 1.2.1
  • CVE-2026-3844: Unauthenticated Arbitrary File Upload (CVSSv3 9.8). Affected Versions: Breeze Cache <= 2.4.4
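The affected-version ranges above (LogScale Self-Hosted 1.224.0 to 1.234.0 inclusive plus the 1.228.0 to 1.228.1 LTS line, and the three WordPress plugins at or below their listed versions) are easy to get wrong when checked by hand or with string comparison, where "1.234.0" sorts before "1.9.0". The following is an added example, not code from CrowdStrike, Cisco, Wordfence or this advisory: it compares installed versions as integer tuples against the ranges published on this page and flags matches in a constructed inventory. The product keys, the inventory rows and the `-`/`+` suffix handling are assumptions made for the example.

```python
"""Added example (not part of the advisory): flag installed versions that fall
inside the affected ranges listed on this page.

Versions are compared as tuples of integers, not as strings, so that
1.234.0 correctly sorts after 1.9.0."""
from typing import Iterable, Optional


def parse_version(v: str) -> tuple:
    """Turn '1.228.1' into (1, 228, 1).

    Assumption: any pre-release/build suffix such as '-beta' or '+build'
    is ignored; only the dotted numeric core is compared."""
    core = v.strip().split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


# Affected ranges exactly as published on this page (both bounds inclusive).
# A lower bound of None means "every release up to and including the upper bound".
# The product keys are illustrative identifiers chosen for this example.
AFFECTED: dict = {
    "crowdstrike-logscale": [          # CVE-2026-40050
        ("1.224.0", "1.234.0"),        # Self-Hosted range, inclusive
        ("1.228.0", "1.228.1"),        # Self-Hosted LTS line
    ],
    "sendmachine": [(None, "1.0.20")],      # CVE-2026-6235
    "create-db-tables": [(None, "1.2.1")],  # CVE-2026-4119
    "breeze-cache": [(None, "2.4.4")],      # CVE-2026-3844
}


def is_affected(product: str, version: str) -> bool:
    """True if `version` of `product` lies inside any published affected range."""
    v = parse_version(version)
    for lo, hi in AFFECTED.get(product, []):
        lower_ok = lo is None or parse_version(lo) <= v
        upper_ok = v <= parse_version(hi)
        if lower_ok and upper_ok:
            return True
    return False


def triage(inventory: Iterable[tuple]) -> list:
    """Given (host, product, version) rows, return the rows that need patching.

    Products not listed in AFFECTED are ignored rather than flagged."""
    return [
        (host, product, version)
        for host, product, version in inventory
        if product in AFFECTED and is_affected(product, version)
    ]


# Constructed sample inventory for the example; not real hosts or findings.
SAMPLE_INVENTORY = [
    ("logscale-01", "crowdstrike-logscale", "1.230.2"),   # inside 1.224.0 - 1.234.0
    ("logscale-02", "crowdstrike-logscale", "1.235.0"),   # above the range: patched
    ("logscale-lts", "crowdstrike-logscale", "1.228.1"),  # LTS upper bound, inclusive
    ("logscale-03", "crowdstrike-logscale", "1.223.9"),   # below the range
    ("www-01", "sendmachine", "1.0.20"),                  # equal to the ceiling: affected
    ("www-01", "breeze-cache", "2.4.5"),                  # one above the ceiling: fixed
    ("www-02", "create-db-tables", "1.2.1"),              # equal to the ceiling: affected
]


def affected_hosts(inventory: Iterable[tuple] = SAMPLE_INVENTORY) -> list:
    """Convenience wrapper returning only the host names needing attention."""
    return [host for host, _, _ in triage(inventory)]


if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"AFFECTED: {host} {product} {version}")
```

A version inside the range establishes that the build carries the bug, not that it is reachable: for the LogScale issue the advisory conditions exploitability on the cluster API endpoint being exposed, so an in-range host that is not exposed is still a patching priority but not necessarily an exploitable one, and the check above deliberately says nothing about exposure. The 1.228.0 to 1.228.1 LTS range sits inside the wider 1.224.0 to 1.234.0 range, so it is kept only to mirror the advisory as published.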


Recommended Action

Organisations are encouraged to review the appropriate security advisory pages and apply the updates:

CrowdStrike - CrowdStrike LogScale Unauthenticated Path Traversal

Cisco - Security Advisories

Wordfence - WordPress Vulnerability Database

If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.

Topics

  • Advisory
  • Vulnerability
  • Exploit
  • Patches and Updates