Overview

Fortinet has published an advisory for a critical SQL injection vulnerability in FortiClient Endpoint Management Server (FortiClientEMS). The issue could allow an unauthenticated remote attacker to send specially crafted HTTP requests that result in unauthorised code or command execution, potentially leading to full compromise of the management server.  

  • CVE-2026-21643: FortiClientEMS SQL Injection in Administrative Interface (CVSSv3 9.1). Affected versions = 7.4.4 

Ivanti has issued an advisory for Endpoint Manager (EPM) addressing vulnerabilities that could allow attackers to expose sensitive information from the EPM environment. One issue could allow an unauthenticated attacker to bypass authentication controls and access stored credential data, while the other could allow an authenticated attacker to read arbitrary data from the EPM database.  

  • CVE-2026-1603: Ivanti Endpoint Manager Authentication Bypass (CVSSv3 8.6). Affected versions <= 2024 SU4 SR1
  • CVE-2026-1602: Ivanti Endpoint Manager SQL Injection (CVSSv3 6.5). Affected versions <= 2024 SU4 SR1

Wordfence has disclosed several high-impact vulnerabilities in popular WordPress plugins, which could allow attackers to upload malicious files, install arbitrary plugins, or gain elevated privileges (including administrator access) depending on the affected component and configuration. These issues may lead to a full site compromise if exploited, so site administrators should ensure affected plugins are updated promptly.  

  • CVE-2026-1357: WPvivid Backup & Migration – Unauthenticated Arbitrary File Upload (CVSSv3 9.8). Affected versions <= 0.9.123   
  • CVE-2026-1490: Spam protection, Anti-Spam, FireWall by CleanTalk – Authorization Bypass to Unauthenticated Arbitrary Plugin Installation (CVSSv3 9.8). Affected versions <= 6.71 
  • CVE-2025-8572: Truelysell Core – Unauthenticated Privilege Escalation via Registration (CVSSv3 9.8). Affected versions <= 1.8.7  

Google has released stable channel updates addressing a high-severity Google Chrome vulnerability that is already being exploited in the wild. The flaw is in Chrome's handling of CSS and could allow an attacker to run code within the browser's sandbox if a user visits a specially crafted webpage. Organisations are encouraged to apply these updates as soon as possible.

  • CVE-2026-2441: Google Chrome Use-After-Free in CSS (CVSSv3 8.8). Affected versions: Windows < 145.0.7632.75/76, macOS < 145.0.7632.75/76, and Linux < 144.0.7559.75.

Recommended Action 

Organisations are encouraged to review the appropriate security advisory pages and apply the updates:

Fortinet – PSIRT | FortiGuard Labs 

Ivanti – Security Advisory EPM February 2026 for EPM 2024 

Wordfence –  WordPress Vulnerability Database 

Google – Chrome Releases: Stable Channel Update for Desktop 

If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.