Weekly CVE triage for IT teams
CVE triage for sysadmins in five minutes.
What to patch now. What can wait. What you can ignore.
New subscribers get the CVE triage cheat sheet, a one-page printable, in the welcome email. The weekly digest lands every Wednesday. Free, unsubscribe anytime.
Source-linked. Human-reviewed. Wednesday mornings.
A sample of the latest issue
JUN 28 · Nº048
A bug in the batman-adv kernel module lets an attacker send a crafted unicast fragment nested inside another fragment, triggering memory corruption.
The call: Update the azl3 kernel package past 6.6.141.1-1 using your package manager and reboot.
Plus 4 more calls in the latest issue.
Source-linked
Every verdict links to a primary source.
NVD, CISA KEV, MSRC, GHSA, or a vendor PSIRT. Skeptical readers can click through to verify in place.
Human-reviewed
A working sysadmin edits before it ships.
Issues are reviewed and edited before they go out, not auto-published from a feed. CVEs that aren’t actionable before standup don’t make the cut.
Editorial verdicts
One call per CVE. Four minutes total.
Patch now, patch this week, track, or doesn’t apply. These reviews are editorial and unpaid.
Today's digest, in full
The other 4 calls for Sunday, June 28.
The four-verdict model
Every CVE gets one of these four calls.
No CVSS-jargon dump, no “threat actor postulated to leverage” sentences. You read the verdict, then the one-line action, then move on.
- Patch now
Exploited in the wild, or exposed and trivially exploitable. Today’s change window.
- Patch this week
Real risk, no active exploitation yet. Slot it into your next maintenance window.
- Track
Worth knowing about. No action needed today; check back if the advisory changes.
- Doesn't apply
Affected versions you don’t run, or a vendor branch you’ll never see. Skip with confidence.
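The four calls above, plus the vendor/product tagging against your own fleet, can be written down as a small decision procedure. The following is an added illustration, not the newsletter's own tooling: the field names (`in_kev`, `trivially_exploitable`, `internet_exposed`), the CVSS 7.0 cut-off between "Patch this week" and "Track", the fake CVE ids and the vendor and host names are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Verdict labels, in the order the digest uses them.
PATCH_NOW = "Patch now"
PATCH_THIS_WEEK = "Patch this week"
TRACK = "Track"
DOESNT_APPLY = "Doesn't apply"

# Assumed threshold: a CVE that applies, is not being exploited and is not
# trivially reachable still counts as "real risk" at CVSS 7.0 or above.
REAL_RISK_CVSS = 7.0


def parse_version(v: str) -> tuple:
    """Turn a dotted/dashed package version such as '6.6.141.1-1' into a
    tuple of ints that compares numerically: (6, 6, 141, 1, 1)."""
    return tuple(int(part) for part in v.replace("-", ".").split("."))


@dataclass
class Advisory:
    cve: str
    vendor: str
    product: str
    fixed_in: str                        # first fixed version; anything below is affected
    cvss: float
    in_kev: bool = False                 # listed in CISA KEV, i.e. exploited in the wild
    trivially_exploitable: bool = False  # unauthenticated, no user interaction needed


@dataclass
class Host:
    name: str
    vendor: str
    product: str
    version: str
    internet_exposed: bool = False


def affected_hosts(adv: Advisory, fleet: list) -> list:
    """Fleet entries whose vendor/product tag matches the advisory and whose
    installed version is below the fixed version."""
    fixed = parse_version(adv.fixed_in)
    return [h for h in fleet
            if (h.vendor, h.product) == (adv.vendor, adv.product)
            and parse_version(h.version) < fixed]


def verdict(adv: Advisory, fleet: list) -> tuple:
    """Apply the four-verdict rules to one advisory. Returns (call, hosts)."""
    hosts = affected_hosts(adv, fleet)
    if not hosts:
        return DOESNT_APPLY, hosts                      # nothing you run is affected
    exposed = any(h.internet_exposed for h in hosts)
    if adv.in_kev or (exposed and adv.trivially_exploitable):
        return PATCH_NOW, hosts                         # exploited, or exposed and trivial
    if adv.cvss >= REAL_RISK_CVSS:
        return PATCH_THIS_WEEK, hosts                   # real risk, no active exploitation
    return TRACK, hosts                                 # applies, but no action today


def triage(advisories: list, fleet: list) -> dict:
    """Map each CVE id to its call, so a digest can be grouped by verdict."""
    return {adv.cve: verdict(adv, fleet)[0] for adv in advisories}


# Constructed sample data: fake CVE ids (year 0000) and fake vendors/hosts.
FLEET = [
    Host("web01", "examplelinux", "kernel", "6.6.135.1-1", internet_exposed=True),
    Host("db01", "examplelinux", "kernel", "6.6.142.1-1"),
    Host("proxy01", "exampleco", "edge-proxy", "2.3.0", internet_exposed=True),
]

ADVISORIES = [
    # high CVSS, not in KEV, not trivially reachable: real risk, not on fire
    Advisory("CVE-0000-0001", "examplelinux", "kernel", "6.6.141.1-1", 9.8),
    # unauthenticated bug on an internet-facing proxy
    Advisory("CVE-0000-0002", "exampleco", "edge-proxy", "2.4.1", 7.5,
             trivially_exploitable=True),
    # low-severity issue in the same proxy
    Advisory("CVE-0000-0003", "exampleco", "edge-proxy", "2.5.0", 5.3),
    # product nobody in the fleet runs
    Advisory("CVE-0000-0004", "othervendor", "wiki", "9.0", 9.1),
    # modest CVSS but exploited in the wild, so it jumps the queue
    Advisory("CVE-0000-0005", "examplelinux", "kernel", "6.6.150.1-1", 6.5,
             in_kev=True),
]

if __name__ == "__main__":
    for adv in ADVISORIES:
        call, hosts = verdict(adv, FLEET)
        print(f"{adv.cve}: {call}  hosts={[h.name for h in hosts]}")
```

The one check this makes explicit that prose verdicts tend to hide: "Doesn't apply" is decided from your inventory, not from the advisory, so the same CVE can be "Patch now" for one MSP client and "Doesn't apply" for the next. Exposure and KEV listing override CVSS, which is why the 6.5 entry outranks the 9.8 one.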
Who reads this
Built for IT teams who do their own patching.
For sysadmins
The lone admin running fifty servers.
You don’t have time to read three feeds and a Discord. One email, one verdict per CVE, before standup.
For MSPs
Twenty clients, twenty stacks.
Each CVE is tagged by vendor and product, so a quick scan picks out what matters to your fleet. Forward the digest to whoever’s on rotation.
For IT managers
Brief leadership in one paragraph.
The intro summarizes what shipped, what’s on fire, and what to ignore. Forwardable in one click to whoever signs off on the change window.
For lean IT teams
No Tenable, no Qualys, no full-time analyst.
The digest is the triage layer you don’t have to staff.
The archive
Recent digests.
A 9.8 kernel memory corruption, a libssh2 buffer overwrite, and broken TLS in Node.js undici
batman-adv mesh networking has a remotely exploitable fragment-nesting bug (CVE-2026-52916, CVSS 9.8). libssh2 and Node.js undici also need patches, plus a Vim code execution trick and a QEMU guest escape retry.
KubeVirt live migration opens an unauth backdoor, plus plaintext OAuth tokens in OpenProject
A disabled-TLS footgun in KubeVirt (CVSS 8.5) lets any pod on the cluster network send raw libvirt commands to another tenant's VM. OpenProject stores SharePoint/OneDrive OAuth tokens in plaintext in Rails.cache (CVSS 8.2). Also: a GPU shader compiler OOB write, an Envoy zstd decompression bomb, and a Budibase account-linking CSRF.
Keycloak token forgery, KubeVirt auth bypass, and a 9.1 Perl heap read
Keycloak's JWT algorithm confusion lets attackers impersonate any federated user (CVE-2026-11800, CVSS 8.1). KubeVirt's disableTLS flag silently strips all migration auth, exposing raw libvirt RPC to the pod network (CVE-2026-13325, CVSS 8.5). Apicurio Registry has two SSRF bugs, and Perl's Socket module has a 9.1 heap read with near-zero exploit probability.
Flowise leaks your OAuth secrets unauthenticated, n8n hides SQL injection in column names
5 CVEs today. Flowise exposes SSO client secrets (including Azure and GitHub) to any anonymous GET request (CVSS 7.5). n8n's database nodes let authenticated users inject SQL through table and column identifiers (CVSS 8.2). Also: a Keras path traversal at CVSS 8.1, a Warp terminal command injection under WSL, and a Linux kernel nftables offset bug.
From the blog
Playbooks the digest can't fit.
You don't have five reliability problems, you have one loop
Flapping autoscalers, retry storms, the on-call death spiral, SLOs that quietly rot. They're the same handful of feedback structures wearing different hats. Here's how to spot which loop you're feeding before you patch the symptom again.
You're measuring how many alerts fired. The number that matters is how many you acted on
Most monitored environments fire far more alerts than anyone investigates, and almost nobody tracks the gap. That ratio is where the one real alert dies.
Your backups say success. Have you ever restored one?
A green backup job confirms bytes landed at the destination. It says nothing about whether you can boot the workload back. Here's the procedure to find out before the disaster does.
Start here
The ones worth reading first.
- The same handful of mechanisms account for most of the catalog
- 900 old bugs, one answer: patch what's supported, retire what isn't
- Five critical Fortinet CVEs in 28 months is not a streak of bad luck
- The year on-premise Exchange became the most-attacked software on earth
- CitrixBleed: the patch closed the leak but left the stolen keys working
- BlueKeep: the wormable RDP bug Microsoft patched Windows XP for
- A new critical Confluence RCE stopped being news. That's the problem.
- Does this CVE actually apply to you? Three filters before you patch
- A defensible software inventory you can build with the tools you already have
- When breaking the maintenance window is cheaper than waiting
Get the cheat sheet and the digest
CVE triage for sysadmins in five minutes.
What to patch now. What can wait. What you can ignore.
- 01 The CVE triage cheat sheet, a one-page printable decision tree, in the welcome email.
- 02 The weekly digest, one email every Wednesday, around four minutes to read.
Free. Unsubscribe anytime.