Overview
Google has released a security update for critical vulnerabilities affecting Chrome/Chromium. One allows out-of-bounds memory writes when a user visits a malicious page and could enable memory corruption or code execution within the renderer. The other stems from an inappropriate implementation that could let a remote attacker execute code inside the sandbox via a crafted HTML page.
- CVE-2026-3909: Google Skia Out-of-Bounds Write (CVSSv3 8.8). Affected versions: from 146.0.7680.75 before 146.0.7680.75
- CVE-2026-3910: Google Chromium V8 Improper Restriction of Operations Within the Bounds of a Memory Buffer (CVSSv3 8.8). Affected versions: from 146.0.7680.75 before 146.0.7680.75
Ivanti has released a security update for a high-severity vulnerability in Ivanti Endpoint Manager (EPM). This vulnerability could allow an unauthenticated remote attacker to leak specific stored credential data.
- CVE-2026-1603: Ivanti EPM Authentication Bypass (CVSSv3 8.6). Affected versions: < 2024 SU5
Wordfence has released a patch for a critical vulnerability in the Pix for WooCommerce plugin for WordPress, caused by missing capability checks and missing file type validation. This makes it possible for unauthenticated attackers to upload arbitrary files to the server, potentially enabling remote code execution.
- CVE-2026-3891: Unauthenticated Arbitrary File Upload (CVSSv3 9.8). Affected versions: <= 1.5.0
Recommended Action
Organisations are encouraged to review the appropriate security advisory pages and apply the updates:
- Google - Chrome Releases: Stable Channel Update for Desktop
- Ivanti - Security Advisory EPM
- Wordfence - Pix for WooCommerce <= 1.5.0 - Unauthenticated Arbitrary File Upload
If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.